Feb 17, 2026

HubSpot and GDPR: 5 Questions Every EU Business Should Ask Before Signing

HubSpot includes GDPR features. Cookie consent banners, opt-in forms, and communication subscription types are all available. This is a reasonable starting point — but for EU-based businesses handling significant volumes of customer data, GDPR compliance on HubSpot is not automatic. It requires deliberate configuration, ongoing management, and an understanding of where the gaps are.

Here are five questions every EU business should get clear answers to before committing to HubSpot.

1. Where Is My Customer Data Stored?

HubSpot is a US-based company. By default, customer data in HubSpot — including personal data you collect from EU consumers — is processed and stored on US-based infrastructure.

Under GDPR, transferring personal data outside the EU to a third country requires that the destination country provides an adequate level of data protection, or that appropriate safeguards are in place (such as Standard Contractual Clauses). HubSpot uses SCCs and has a Data Processing Agreement available, which provides a legal basis for the transfer.

However: the underlying data still resides in the US. For businesses in sectors with stricter data localisation requirements, or for those whose customers expect EU-based data handling, this is a material consideration — not just a legal technicality.

With Caramel: Data processing architecture is designed for EU compliance. If data residency within Europe is a requirement for your business, this should be a first question in any vendor evaluation.

GDPR requires explicit, informed consent for marketing communications — and critically, separate consent for each channel. A customer consenting to receive your email newsletter is not consenting to receive SMS messages or WhatsApp campaigns. Each channel requires its own opt-in, and you must be able to prove it.

HubSpot’s subscription types allow you to manage consent by channel, but the configuration requires deliberate setup. Out of the box, HubSpot does not enforce a strict separation of per-channel consent — it is the responsibility of the business to configure and maintain it correctly.

With Caramel: Per-channel consent is captured and stored natively at every first-party data touchpoint — forms, QR codes, in-store sign-ups — with an automatic audit trail for each.

3. How Do You Handle Data Subject Access Requests?

Under GDPR, individuals have the right to access all personal data held about them, request corrections, and request deletion. Your platform needs to support this operationally — not just legally.

HubSpot includes basic GDPR delete and data access tools, but executing a complete data subject access request (DSAR) — especially if a contact’s data exists across multiple Hubs (Marketing, Sales, Service, CRM) — requires careful coordination across your HubSpot configuration and potentially across integrated third-party tools.

For businesses receiving regular DSARs, this is a meaningful operational consideration.

4. What Happens to Data from Lapsed or Unsubscribed Contacts?

GDPR’s data minimisation principle requires that you do not retain personal data longer than necessary for the purpose it was collected. Unsubscribed contacts, lapsed customers, or contacts who have not engaged in years should have their data reviewed, suppressed, or deleted on a defined schedule.

HubSpot does not automate this process. Retention management requires manual policies, scheduled list reviews, and deliberate deletion workflows. Without active management, personal data accumulates indefinitely.

With Caramel: Data retention policies and automated suppression of inactive or withdrawn-consent contacts are built into the platform’s engagement logic — reducing the compliance burden and the risk of unintended data retention.

5. Are Your Third-Party Integrations Also GDPR Compliant?

HubSpot’s App Marketplace includes hundreds of third-party integrations. Many businesses use these to extend HubSpot’s capabilities — adding SMS via Twilio or Sakari, WhatsApp via third-party connectors, analytics via external tools.

Each of these integrations introduces a new data processor relationship. Under GDPR, you are responsible for ensuring that every third party handling your customer data has appropriate safeguards in place. Managing DPAs (Data Processing Agreements) with multiple vendors, understanding where their data flows, and maintaining a record of processing activities across an integrated stack becomes complex quickly.

The fewer vendors in your customer data chain, the simpler your compliance posture.


GDPR Checklist for Your Marketing Platform

☐ Data residency confirmed (EU or adequate country)

☐ Per-channel consent captured and documented

☐ DSAR process tested and operational

☐ Data retention policy defined and enforced

☐ DPAs in place with all integrated third-party vendors

GDPR compliance is not a HubSpot feature you toggle on. It is an operational posture that your platform either supports or complicates. For EU businesses handling customer data at scale, the right question is not “does HubSpot have GDPR tools?” — it is “how much work does GDPR compliance add to my team’s workload on this platform?”

Looking for a B2C engagement platform designed for GDPR from the ground up?

Book a Demo → Caramel captures first-party data with explicit per-channel consent, manages retention automatically, and reduces the number of data processors in your customer engagement stack.

