Disclosure Guide

How to disclose HubSpot in your privacy policy

HubSpot is both a website tracking tool and a CRM system, which means privacy policy disclosure must cover both the front-end behavioral tracking and the back-end personal data storage. These are distinct processing activities that require separate descriptions.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data HubSpot typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • Visitor identifier stored in the hubspotutk and __hstc cookies (HubSpot also sets the short-lived __hssc and __hssrc session cookies)

  • Page views, session duration, and referral source linked to the visitor identifier

  • Form submissions including name, email, and custom fields defined in HubSpot forms

  • Email open and click tracking (tracked email campaigns)

  • Live chat and chatbot conversation content

  • Contact data entered into HubSpot CRM by sales and support teams

  • IP address and approximate geographic location

  • Custom behavioral events and contact properties passed through the HubSpot tracking API

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with HubSpot.

  • Lead generation and sales prospecting

  • Marketing automation and email campaign delivery

  • Contact lifecycle management in the CRM

  • Attribution of web visits to marketing campaigns

  • Customer support and live chat

  • Personalization of website content based on visitor history

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

HubSpot tracking cookies and the behavioral data associated with contact records constitute personal information under the CCPA and CPRA. If HubSpot data is used for targeted advertising or behavioral profiling shared with third parties, opt-out rights apply. HubSpot forms must present appropriate disclosures at the point of data collection, particularly for California residents.

EU and UK (GDPR)

Under the GDPR, HubSpot requires a legal basis for each processing activity. Website tracking requires consent (the HubSpot tracking code is not strictly necessary). Email marketing requires either consent or legitimate interests depending on context. HubSpot offers Data Processing Agreements and EU data residency options. Your policy must identify HubSpot as a data processor, describe the legal basis for each use case, and cover data transfers to HubSpot Inc. in the United States.

Example language

Illustrative policy language for HubSpot

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Marketing and analytics tracker table row

HubSpot (HubSpot, Inc.): Tracks website visits, form submissions, and contact interactions for CRM, lead management, and marketing automation. Stores a visitor identifier in the hubspotutk cookie. Contact data is stored in HubSpot's CRM under a data processing agreement. Category: Analytics and marketing.

Full CRM and marketing platform disclosure

We use HubSpot, a CRM and marketing platform provided by HubSpot, Inc., to manage our relationships with website visitors and customers. HubSpot's tracking code collects information about your visits to this website, including pages viewed, time spent, and referral sources, and stores a unique visitor identifier in the hubspotutk cookie. If you submit a form on our website, the information you provide is stored in HubSpot's CRM and may be used by our sales and marketing teams to follow up with you about your inquiry. We may use HubSpot to send marketing emails to contacts who have provided consent or where we have a legitimate business relationship under applicable law. HubSpot may track whether you open our emails or click links within them. HubSpot processes data under a data processing agreement as a data processor acting on our behalf. Data may be transferred to HubSpot Inc. in the United States under Standard Contractual Clauses. Where consent is required by applicable law for website tracking, HubSpot's tracking code will only activate after you have provided consent through our consent management platform.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for HubSpot.

  1. Categorize the HubSpot tracking code under "Marketing" or "Analytics," not "Strictly Necessary."

  2. If you use the HubSpot chat widget, consent-gate it as well in opt-in markets: it loads additional HubSpot scripts and collects visitor interaction data before any conversation begins.

  3. HubSpot forms embedded in pages should present a consent checkbox or disclosure at the point of collection for GDPR compliance, separate from the cookie consent mechanism.

  4. In California, if HubSpot behavioral data is shared with advertising partners or used for targeted advertising, Global Privacy Control (GPC) signals and opt-out of sale and sharing must be honored at the tag manager level.

  5. Confirm that the HubSpot tracking pixel request to track.hubspot.com is blocked in the reject and no-interaction consent states using Consent Validator.
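The checklist above reduces to one decision that the CMP or tag manager has to make before the HubSpot loader is injected. The following is an added example, not code from HubSpot, Lokker, or any CMP vendor. It assumes a hypothetical PORTAL_ID, an illustrative OPT_IN_REGIONS list, and a CMP that reports consent per category; the `_hsq` commands (`doNotTrack`), the `_hsp` command (`revokeCookieConsent`), the `hs-script-loader` tag and `hsConversationsSettings.loadImmediately` are HubSpot's documented tracking-code and chat-widget APIs.

```javascript
// Added example (not HubSpot's, Lokker's or a CMP vendor's code): decide what
// the HubSpot integration may do for one visitor, then apply it in the browser.
// Assumptions: PORTAL_ID is a placeholder, OPT_IN_REGIONS is illustrative, and
// HubSpot is categorized under HUBSPOT_CATEGORY in the CMP (checklist item 1).

const PORTAL_ID = "0000000";                          // hypothetical hub id
const OPT_IN_REGIONS = new Set(["EU", "UK", "CH"]);    // illustrative list
const HUBSPOT_CATEGORY = "marketing";                   // never "necessary"

// consent is null until the banner is answered, otherwise an object of
// category booleans as reported by the CMP, e.g. { marketing: true, analytics: false }.
function planHubSpotLoad({ region, consent = null, gpc = false, alreadyLoaded = false }) {
  const optIn = OPT_IN_REGIONS.has(region);
  const granted = consent !== null && consent[HUBSPOT_CATEGORY] === true;
  const rejected = consent !== null && !granted;

  let allowed;
  let reason;
  if (gpc) {
    // GPC is an opt-out of sale/sharing; it wins even over an earlier "accept".
    allowed = false; reason = "GPC opt-out signal present";
  } else if (rejected) {
    allowed = false; reason = `visitor declined the ${HUBSPOT_CATEGORY} category`;
  } else if (optIn) {
    // Opt-in market: silence (no interaction) means no tracking.
    allowed = granted; reason = granted ? "opt-in consent recorded" : "no consent yet";
  } else {
    allowed = true; reason = "opt-out market, no opt-out received";
  }

  const plan = { loadTracker: allowed, loadChat: allowed, hsq: [], hsp: [], reason };
  if (!allowed && alreadyLoaded) {
    // Script already on the page (consent withdrawn mid-session): stop tracking
    // and drop HubSpot's cookies instead of only hiding the banner.
    plan.hsq.push(["doNotTrack"]);
    plan.hsp.push(["revokeCookieConsent"]);
  }
  return plan;
}

// Browser side: inject the loader only when the plan allows it.
// Returns false under Node, where there is no DOM to touch.
function applyHubSpotPlan(plan) {
  if (typeof document === "undefined") return false;
  window._hsq = window._hsq || [];
  window._hsp = window._hsp || [];
  plan.hsq.forEach((cmd) => window._hsq.push(cmd));
  plan.hsp.forEach((cmd) => window._hsp.push(cmd));
  // Must be set before the loader runs; the chat widget (checklist item 2)
  // then only loads together with a consented tracker.
  window.hsConversationsSettings = { loadImmediately: plan.loadChat };
  if (plan.loadTracker && !document.getElementById("hs-script-loader")) {
    const s = document.createElement("script");
    s.id = "hs-script-loader";
    s.async = true;
    s.defer = true;
    s.src = `https://js.hs-scripts.com/${PORTAL_ID}.js`;
    document.head.appendChild(s);
  }
  return plan.loadTracker;
}
```

Wire `planHubSpotLoad` to the CMP's consent-change callback and call `applyHubSpotPlan` on every change, not only on page load, so that a withdrawal of consent mid-session pushes `doNotTrack` and `revokeCookieConsent` instead of leaving the tracker running until the next navigation.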

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between HubSpot privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Many policies describe HubSpot only as a CRM used to manage contact data submitted via forms.

  • Policies describe cookie retention in generic terms without stating the actual lifetime of the hubspotutk cookie. HubSpot's default has changed over time and many policies still quote 13 months, so the figure must be checked against the expiry your site actually sets rather than copied from an older template.

  • Policies do not address HubSpot email tracking pixels, treating email and website tracking as separate systems.

  • Policies list HubSpot as consent-gated under the marketing or analytics category in the CMP.

What Lokker validates

  • HubSpot's tracking code collects behavioral data from all visitors on every page, not just those who submit forms. Lokker confirms whether the HubSpot tracking beacon fires for anonymous visitors and whether it is blocked prior to consent.

  • Lokker captures the actual cookie values and expiry dates set by HubSpot during a session and compares them against what the policy states, identifying mismatches in retention periods.

  • HubSpot email tracking pixels set cookies and trigger behavioral data collection when a contact clicks through to the site. These are separate processing activities with separate consent requirements in GDPR jurisdictions that are often missing from policy disclosures.

  • Lokker confirms whether the HubSpot tracking request to track.hubspot.com is actually blocked in the reject state, and whether the HubSpot chat widget loads independently of the consent decision when both are deployed on the same site.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether HubSpot loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
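The outside-in checks described in this section can be expressed as a small validator over captured browser runs, one per consent state. This is an added example, not Lokker's Consent Validator or HubSpot's code. The capture below is constructed for the example, the HubSpot host list covers the hosts seen in a typical deployment and should be verified against your own capture, and the policy figure of 395 days stands in for a policy that says "13 months".

```javascript
// Added example (not Lokker's or HubSpot's code): compare captured requests and
// Set-Cookie headers, per consent state, against what the policy claims.

const HUBSPOT_HOSTS = [
  "track.hubspot.com",    // tracking pixel (__ptq.gif)
  "js.hs-scripts.com",    // tracking code loader
  "js.hs-analytics.net",  // analytics script
  "js.usemessages.com",   // chat widget
];
const HUBSPOT_COOKIES = ["hubspotutk", "__hstc", "__hssc", "__hssrc"];
const STATES_WITHOUT_CONSENT = new Set(["reject", "no-interaction", "gpc"]);

function isHubSpotRequest(url) {
  const host = new URL(url).hostname;
  return HUBSPOT_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// One Set-Cookie header -> { name, lifetimeDays }; null lifetime = session cookie.
// Max-Age takes precedence over Expires (RFC 6265), whatever their order.
function parseSetCookie(header, now) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const name = nameValue.slice(0, nameValue.indexOf("="));
  let lifetimeDays = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age") { lifetimeDays = Number(val) / 86400; break; }
    if (key === "expires") lifetimeDays = (Date.parse(val) - now) / 86400000;
  }
  return { name, lifetimeDays };
}

function validateRun(run, policy, now) {
  const findings = [];
  const noConsent = STATES_WITHOUT_CONSENT.has(run.state);
  for (const url of run.requests) {
    if (noConsent && isHubSpotRequest(url)) {
      findings.push(`${run.state}: HubSpot request fired without consent: ${url}`);
    }
  }
  for (const header of run.setCookies) {
    const cookie = parseSetCookie(header, now);
    if (!HUBSPOT_COOKIES.includes(cookie.name)) continue;
    if (noConsent) {
      findings.push(`${run.state}: HubSpot cookie set without consent: ${cookie.name}`);
    } else if (policy.retentionDays[cookie.name] !== undefined) {
      // Accept state: the cookie may be set, but its lifetime must match the policy.
      const stated = policy.retentionDays[cookie.name];
      if (cookie.lifetimeDays === null || Math.abs(cookie.lifetimeDays - stated) > 1) {
        findings.push(`${run.state}: ${cookie.name} lifetime is ${cookie.lifetimeDays} days, policy states ${stated}`);
      }
    }
  }
  return findings;
}

function validateCapture(capture, policy, now = Date.now()) {
  return capture.flatMap((run) => validateRun(run, policy, now));
}

// Constructed capture: four runs of the same page, one per consent state.
const NOW = Date.parse("2024-01-01T00:00:00Z"); // fixed clock for the constructed data
const CAPTURE = [
  { state: "accept",
    requests: [
      "https://js.hs-scripts.com/0000000.js",
      "https://js.hs-analytics.net/analytics/1704067200000/0000000.js",
      "https://track.hubspot.com/__ptq.gif?k=1&v=1.1",
    ],
    setCookies: [
      "hubspotutk=2f4c1c6e9b2a4d0e8f7a1b2c3d4e5f60; Domain=.example.com; Path=/; Max-Age=15552000; SameSite=Lax",
      "__hssc=123456789.1.1704067200000; Domain=.example.com; Path=/; Max-Age=1800",
    ] },
  { state: "reject",   // tracker blocked by the CMP, but the pixel and chat still leak
    requests: ["https://www.example.com/", "https://track.hubspot.com/__ptq.gif?k=1&v=1.1",
               "https://js.usemessages.com/conversations-embed.js"],
    setCookies: ["hubspotutk=2f4c1c6e9b2a4d0e8f7a1b2c3d4e5f60; Domain=.example.com; Path=/; Max-Age=15552000"] },
  { state: "no-interaction", requests: ["https://www.example.com/"], setCookies: [] },
  { state: "gpc", requests: ["https://js.hs-analytics.net/analytics/1704067200000/0000000.js"], setCookies: [] },
];
const POLICY = { retentionDays: { hubspotutk: 395 } }; // "13 months", as many policies say

if (typeof require !== "undefined" && require.main === module) {
  validateCapture(CAPTURE, POLICY, NOW).forEach((f) => console.log(f));
}
```

Against this constructed capture the validator reports five findings: the accept run sets hubspotutk for 180 days while the policy says 395, the reject run still calls track.hubspot.com and loads the chat script and sets hubspotutk, and the GPC run loads the analytics script. The accept-state lifetime check is the one that catches the retention mismatch described above; the other three states catch the gating failures.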

Questions

HubSpot privacy policy FAQ

Does HubSpot tracking require GDPR consent?
Yes. The HubSpot tracking code is not essential to website operation and requires a valid legal basis under the GDPR. Most organizations use consent, which means the tracking code must not fire before the visitor provides explicit opt-in through a compliant consent management platform. Technical validation is needed to confirm that the tracking code is actually blocked before consent, not just listed as consent-gated in the policy.
What personal data does HubSpot store?
HubSpot stores two types of personal data. The CRM stores contact records containing names, email addresses, phone numbers, company information, and interaction history for leads and customers. The tracking system stores behavioral data associated with visitor identifiers, which are linked to a contact record when the visitor submits a form. Both categories of data are subject to GDPR, CCPA, and other applicable privacy laws and should be covered in your privacy policy.
Does my privacy policy need to cover HubSpot email tracking?
Yes. HubSpot email tracking pixels load when the recipient opens the email and may set cookies when the recipient clicks links back to your website. This tracking should be disclosed in your email privacy notice or within the email itself. For EU and UK contacts, email tracking may require separate consent from the consent collected for website cookies and marketing emails.


Validate technical compliance

Confirm that HubSpot fires only when it should

Verify that the HubSpot tracking beacon is blocked before consent and does not fire for visitors who decline marketing or analytics cookies.