Does your website use third-party services? Get GDPR compliant in minutes.

HubSpot

Preferences

What does HubSpot do?

HubSpot is a leading US-based CRM, marketing, sales, and customer service platform. It combines contact management, email marketing, website analytics, live chat, landing pages, and marketing automation in a single suite. GDPR compliance for HubSpot is complex because different HubSpot tools require different legal bases: consent for marketing emails and tracking cookies, legitimate interest for CRM contact records, and contract performance for customer service. EU data hosting (Frankfurt) is available on certain plans.

What is HubSpot?

HubSpot is an all-in-one CRM, marketing, sales, and customer service platform. Its product suite includes Marketing Hub (email marketing, landing pages, SEO, social media), Sales Hub (CRM, email sequences, deal pipelines), Service Hub (help desk, live chat, knowledge base), CMS Hub (website management), and Operations Hub (data sync, workflow automation). HubSpot is one of the most comprehensive marketing technology platforms, and its breadth means GDPR compliance spans many different data processing activities.

Multiple legal bases across HubSpot tools

Different HubSpot features require different legal bases. Marketing emails and tracking cookies: consent. CRM contacts from existing customers: legitimate interest. CRM contacts from contracts or service delivery: contract performance. Sales outreach to business prospects: legitimate interest (with opt-out). Live chat initiated by users: legitimate interest for the session, consent for tracking cookies. HubSpot''s built-in legal basis field in contact records helps document this per-contact.

HubSpot cookie tracking and consent

HubSpot''s tracking script sets the __hstc cookie (persistent visitor ID, 13 months) and __hssc (session cookie). These require consent under the ePrivacy Directive. HubSpot provides a built-in cookie consent banner, but many organisations prefer to use their own CMP and configure HubSpot to load conditionally after consent. HubSpot also supports cookie-less tracking for privacy-conscious implementations.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

EU data hosting option

HubSpot offers EU data hosting (Frankfurt) for customers on certain plans. When configured, CRM data, marketing contacts, and most HubSpot data is stored within the EU. This eliminates SCCs for primary data flows and significantly simplifies the transfer compliance picture.

Practical compliance steps

Sign the HubSpot DPA. Enable EU data hosting if available on your plan. Configure cookie consent for HubSpot tracking. Use HubSpot''s GDPR features: legal basis tracking per contact, consent records, subscription management. Implement double opt-in for marketing emails. Configure the legal basis field for each contact. Use HubSpot''s data deletion tools for erasure requests. Add HubSpot to your privacy policy covering CRM, email, and analytics processing.

GDPR consent category

Preferences

Websites using HubSpot must obtain user consent under GDPR regulations.

Legal basisConsent (Art. 6(1)(a) GDPR) required for marketing tracking cookies, email marketing, and behavioural analytics. Legitimate interest (Art. 6(1)(f)) may apply for CRM data of existing customers. Contract performance (Art. 6(1)(b)) for processing contact data as part of the service relationship.

Risk levelhigh

Applicable regulationsGDPR, ePrivacy Directive, SCCs for US deployments. HubSpot spans CRM, email, analytics, and chat — each requiring assessment of applicable legal bases.

DPIA considerations

A DPIA is recommended for large-scale HubSpot deployments combining CRM profiling, marketing automation, behavioural tracking, and lead scoring across many EU contacts. The breadth of data processing across the HubSpot suite warrants a comprehensive DPIA covering each Hub.

Sample consent text

By submitting this form, you consent to HubSpot storing your contact information and to [Company] contacting you about relevant products and services. You can withdraw consent at any time. See our privacy policy for details.

Technical details

Tracking methodJavaScript tracking code (HubSpot analytics), CRM, email marketing, live chat, forms, landing pages, first-party cookies, cross-device tracking, marketing automation

Server locationUnited States with EU data hosting option (Frankfurt)

Data transferred outside the EUHubSpot is a US-based CRM and marketing platform. EU data hosting (Frankfurt) is available on certain plans. For standard deployments, EU personal data is transferred to US infrastructure requiring SCCs. HubSpot provides a comprehensive GDPR DPA.

Third-party domains contacted

hubspot.comjs.hs-scripts.comapi.hubspot.com

Cookies placed

Name	Type	Duration	Purpose
__hstc	persistent	13 months	HubSpot persistent visitor ID for cross-session analytics and contact de-duplication
__hssc	session	30 minutes	HubSpot session identifier tracking page views within a single session
hubspotutk	persistent	13 months	HubSpot visitor identity cookie linking form submissions to existing CRM contacts

HubSpot uses cookies for user preferences — inform visitors with a consent banner.

Get started free Scan your site

Frequently asked questions

Does HubSpot require GDPR consent?

Yes for marketing emails and tracking cookies. The HubSpot tracking script requires cookie consent. Marketing emails require valid opt-in. CRM contacts may rely on legitimate interest or contract performance. HubSpot has built-in GDPR tools.

What cookies does HubSpot set?

HubSpot sets __hstc (13 months), hubspotutk (13 months), and __hssc (30 minutes session). These require consent under the ePrivacy Directive.

Does HubSpot offer EU data hosting?

Yes, on certain plans (Frankfurt). This eliminates SCCs for primary data flows and simplifies GDPR transfer compliance.

What legal basis applies to HubSpot CRM contacts?

Existing customers: legitimate interest or contract performance. Inbound leads with consent: consent. Outbound prospected contacts: legitimate interest with a documented LIA and opt-out in every communication.

How do I implement cookie consent for HubSpot?

Use HubSpot's built-in banner, your own CMP blocking the HubSpot script conditionally, or HubSpot's cookieless tracking mode.

How do I handle data subject requests in HubSpot?

For access: export the contact record. For erasure: use HubSpot's GDPR Delete feature. Respond within 30 days and document all actions.

Do I need a DPA with HubSpot?

Yes. Sign the HubSpot DPA available in the HubSpot Legal Center or via Account Settings.

Are there EU-based alternatives to HubSpot?

Brevo (France) and ActiveCampaign (EU option) offer EU data residency. HubSpot with EU hosting configured is itself a strong compliant option.

Get compliant — Try FlowConsent free

Free plan · 10-min setup

What does HubSpot do?

What is HubSpot?

Multiple legal bases across HubSpot tools

HubSpot cookie tracking and consent

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

EU data hosting option

Practical compliance steps

GDPR consent category

Preferences

Websites using HubSpot must obtain user consent under GDPR regulations.

Risk levelhigh

Applicable regulationsGDPR, ePrivacy Directive, SCCs for US deployments. HubSpot spans CRM, email, analytics, and chat — each requiring assessment of applicable legal bases.

DPIA considerations

Sample consent text

By submitting this form, you consent to HubSpot storing your contact information and to [Company] contacting you about relevant products and services. You can withdraw consent at any time. See our privacy policy for details.

Technical details

Tracking methodJavaScript tracking code (HubSpot analytics), CRM, email marketing, live chat, forms, landing pages, first-party cookies, cross-device tracking, marketing automation

Server locationUnited States with EU data hosting option (Frankfurt)

Third-party domains contacted

hubspot.comjs.hs-scripts.comapi.hubspot.com

Cookies placed

Name	Type	Duration	Purpose
__hstc	persistent	13 months	HubSpot persistent visitor ID for cross-session analytics and contact de-duplication
__hssc	session	30 minutes	HubSpot session identifier tracking page views within a single session
hubspotutk	persistent	13 months	HubSpot visitor identity cookie linking form submissions to existing CRM contacts

HubSpot uses cookies for user preferences — inform visitors with a consent banner.

Get started free Scan your site

Frequently asked questions

Does HubSpot require GDPR consent?

What cookies does HubSpot set?

HubSpot sets __hstc (13 months), hubspotutk (13 months), and __hssc (30 minutes session). These require consent under the ePrivacy Directive.

Does HubSpot offer EU data hosting?

Yes, on certain plans (Frankfurt). This eliminates SCCs for primary data flows and simplifies GDPR transfer compliance.

What legal basis applies to HubSpot CRM contacts?

How do I implement cookie consent for HubSpot?

Use HubSpot's built-in banner, your own CMP blocking the HubSpot script conditionally, or HubSpot's cookieless tracking mode.

How do I handle data subject requests in HubSpot?

For access: export the contact record. For erasure: use HubSpot's GDPR Delete feature. Respond within 30 days and document all actions.

Do I need a DPA with HubSpot?

Yes. Sign the HubSpot DPA available in the HubSpot Legal Center or via Account Settings.

Are there EU-based alternatives to HubSpot?

Brevo (France) and ActiveCampaign (EU option) offer EU data residency. HubSpot with EU hosting configured is itself a strong compliant option.