HubSpot Forms is the form-building component of the HubSpot CRM and marketing platform. Forms can be embedded on any website via a JavaScript snippet and feed leads, contact requests, newsletter signups, or event registrations directly into HubSpot. Unless explicitly disabled, the form embed loads the broader HubSpot tracking code, which sets cookies and creates a tracked visitor identity tied to subsequent HubSpot interactions.
HubSpot Forms is the form-building module of the HubSpot CRM and growth platform (HubSpot, Inc., Cambridge, Massachusetts). Forms can be designed in the HubSpot interface and embedded on any website via a JavaScript snippet, sending submitted data directly into the HubSpot CRM. Forms can be inline, pop-up, slide-in, or full-screen, and can integrate with Marketing Hub workflows, lead scoring, and Service Hub ticketing.
From the form: the submitted fields (name, email, phone, custom fields) plus metadata (page URL, referrer, timestamp, IP). From the broader HubSpot tracking code: persistent cookies (hubspotutk, __hstc, __hssc, __hssrc) that build a visitor profile, page views, conversion events, and a stitched browsing history before and after the form submission. The tracking code can be disabled while keeping the form embed, but the default integration installs both.
The form submission itself can rely on Art. 6(1)(b) contract performance (for a service request) or Art. 6(1)(f) legitimate interest with documented LIA (for B2B lead capture). The HubSpot tracking cookies are non-essential under ePrivacy and TTDSG and require consent. HubSpot also offers a non-tracking embed mode for cases where you only want to collect the form data without setting cookies; that mode should be preferred when you cannot gate the form behind a consent banner.
HubSpot processes form data in the United States by default. EU residency on AWS Frankfurt is available for Marketing Hub Professional and Enterprise customers and must be requested at provisioning. Transfers rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR and on HubSpot Inc.'s EU-US Data Privacy Framework certification. A Transfer Impact Assessment is recommended.
Sign the HubSpot DPA, request EU residency if available on your subscription, gate the HubSpot tracking script behind a CMP, use the non-tracking form embed where consent has not been collected, document the form lawful basis (contract or LIA), include a clear privacy notice on the form, document the data flow into the HubSpot CRM in your RoPA, and document the cookies in your cookie policy.
Websites using HubSpot Forms must obtain user consent under GDPR regulations.
DPIA considerations
HubSpot Forms collect lead information submitted by visitors (name, email, phone, custom fields) and, in default mode, the broader HubSpot tracking code creates a persistent visitor identity (cookies hubspotutk, __hssc, __hssrc, __hstc) that ties pre- and post-submission behaviour. Key DPIA considerations: (1) the tracking cookies are non-essential and require consent under ePrivacy and TTDSG; (2) the form data may include sensitive information depending on the form purpose (medical inquiries, financial leads); (3) US default residency triggers a transfer assessment; (4) HubSpot AI features (smart fields, lead scoring) constitute automated processing under Art. 22; (5) the integration map is broad (CRM, Marketing Hub, Service Hub, CMS Hub), which propagates form data into multiple HubSpot subsystems.
Sample consent text
Our website uses HubSpot Forms to capture your contact request and feed it into our CRM. The HubSpot tracking code sets cookies (hubspotutk, __hstc, __hssrc, __hssc) to recognise you and tie your form submission to your browsing behaviour on our site. HubSpot processes the data in the United States by default (or in the EU on Frankfurt AWS if available on our contract). Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. You can decline non-essential cookies via the cookie banner.
Third-party domains contacted
hubspot.com, www.hubspot.com, js.hsforms.net, forms.hsforms.com, js.hs-analytics.net, js.hs-scripts.com, track.hubspot.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| hubspotutk | Marketing / Identification | 13 months | Persistent visitor identifier set by the HubSpot tracking code. Passed alongside form submissions to associate the lead with the previously tracked visitor profile. |
| __hstc | Analytics | 13 months | Records visitor sessions, source (utm parameters, referrer), and number of visits. Used by HubSpot reporting to attribute leads to traffic sources. |
| __hssc | Analytics | 30 minutes | Identifies the current session and is updated whenever the visitor views a page. Used to count the number of page views within a session. |
| __hssrc | Functional / Session | Session | Set to indicate whether the visitor has restarted the browser; used by HubSpot session logic. |
| messagesUtk | Functional / Chat | 13 months | Set by HubSpot Conversations chat widget (loaded alongside the form embed on some HubSpot CMS pages) to recognise visitors who chat with the site. |
When the HubSpot tracking code is loaded with the form (default), it sets first-party cookies: hubspotutk (visitor identifier, 13 months), __hstc (session and source attribution, 13 months), __hssc (current session, 30 min), and __hssrc (initial session flag, session). In non-tracking embed mode, no persistent cookies are set.
The form submission alone (without tracking) can be deployed without consent for the form fields themselves (contract performance or LIA basis). The HubSpot tracking cookies and the cross-visit identification require consent under ePrivacy and TTDSG.
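An added example, not HubSpot or FlowConsent code: a check that flags the four tracking cookies listed above when they appear in a `document.cookie`-style string before consent has been given. The function names, the `cmp_choice` cookie and the sample values are constructed for illustration.

```javascript
// Tracking cookies named on this page; the page states they require consent.
// messagesUtk (chat widget) is left out because the page does not classify it.
const HUBSPOT_TRACKING_COOKIES = new Map([
  ["hubspotutk", "visitor identifier, 13 months"],
  ["__hstc", "session and source attribution, 13 months"],
  ["__hssc", "current session, 30 minutes"],
  ["__hssrc", "initial session flag, session"],
]);

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || "").split(";")) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq).trim();
    const value = eq === -1 ? "" : pair.slice(eq + 1).trim();
    if (name) jar.set(name, value);
  }
  return jar;
}

// Report HubSpot tracking cookies present in the jar. Any hit while
// trackingConsent is false means the tracking code ran before the CMP allowed it.
function auditHubSpotCookies(cookieString, trackingConsent) {
  const jar = parseCookieString(cookieString);
  const present = [];
  for (const [name, purpose] of HUBSPOT_TRACKING_COOKIES) {
    if (jar.has(name)) present.push({ name, purpose });
  }
  const violations = trackingConsent ? [] : present.map((c) => c.name);
  return { present, violations, compliant: violations.length === 0 };
}

// Constructed sample jars (values are made up for illustration).
const SAMPLE_BEFORE_CONSENT =
  "cmp_choice=pending; hubspotutk=aaaa1111; __hssc=1.1.1700000000";
const SAMPLE_NON_TRACKING = "cmp_choice=declined; theme=dark";

console.log(auditHubSpotCookies(SAMPLE_BEFORE_CONSENT, false));
console.log(auditHubSpotCookies(SAMPLE_NON_TRACKING, false));
```

In a browser test, pass `document.cookie` and the CMP's current tracking decision instead of the constructed strings.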
Form submission: contract performance (Art. 6(1)(b)) for service requests, or legitimate interest (Art. 6(1)(f)) for B2B lead capture with documented LIA. Tracking cookies: consent (Art. 6(1)(a)).
By default yes: HubSpot stores form and CRM data in the United States. EU residency on AWS Frankfurt is available for Marketing Hub Professional and Enterprise customers. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.
Document a DPIA if you process leads at large scale, segment by sensitive attributes, or use HubSpot AI lead scoring. For simple contact forms with limited data, a short LIA and a privacy notice are usually sufficient.
Sign the HubSpot DPA, request EU residency where available, use the non-tracking embed when consent has not been collected, gate the tracking code behind your CMP, display a clear privacy notice on the form, set a checkbox for marketing communications, and document the workflow in your RoPA.
Alternatives include Tally (Belgium), Typeform (Spain, EU residency available), Jotform (US), Formspree, Pageclip, Brevo Forms (France), Mautic Forms (open source), Salesforce Web-to-Lead, and native CMS form modules (WordPress Gravity Forms, Drupal Webform).
Add a section for HubSpot Forms listing each cookie (hubspotutk, __hstc, __hssc, __hssrc) with name, purpose, duration. Specify the controller (HubSpot Inc., US), the EU residency option, the SCCs/DPF mechanism, and the CMP toggle that allows visitors to refuse the tracking part while still using the form.