Privacy Policy
Last updated: 15 June 2026
This Privacy Policy explains how Hublytix LLP handles personal data when you use Hublytix, our HubSpot portal health auditing service available at hublytix.ai and app.hublytix.ai (the “Service”). We have written it to be readable, and to reflect a deliberately data-minimal design: we analyze your HubSpot portal to produce findings, and we avoid copying your customer records into our systems.
1. Who we are
The data controller / data fiduciary responsible for the Service is Hublytix LLP (“Hublytix”, “we”, “us”), a limited liability partnership registered in India, LLP Identification Number ACY-8903, with its registered office at 12, Thirumagal Nagar 1st, Rajakilpakkam, Tambaram, Kanchipuram - 600073, Tamil Nadu, India.
For any privacy question, or to exercise your rights, contact our Grievance Officer / data protection contact: privacy@hublytix.ai (see Section 13).
2. Two roles: controller and processor
Hublytix handles two different categories of data in two different roles. The distinction matters for your rights and for who is responsible for what.
- Account data — we are the controller / data fiduciary. This is the data about you as a Hublytix user: your name, email, company, login credentials, billing records, and how you use the app. We decide why and how this is processed, and this Policy governs it.
- Your HubSpot portal data — we are a processor. When you connect a HubSpot portal, we access it on your behalf to run audits. Your organization remains the controller / data fiduciary of that CRM data; we process it only on your instructions and only to provide the Service. Our handling of it is governed by this Policy and, where applicable, a Data Processing Agreement (see Terms of Service).
3. What we collect
3.1 Account data
- Identity and contact: name, email address, and (optionally) company name, provided at sign-up or via Google sign-in.
- Authentication data: managed by our authentication provider (Supabase). We do not store your password in plain text.
- Billing data: subscription tier and payment status. Card payments are processed by Stripe; we do not collect or store your full card number.
- Usage and technical data: log data, IP address, browser/device information, and error diagnostics used to operate, secure, and debug the Service.
3.2 HubSpot portal data (findings, not your CRM)
When you connect a HubSpot portal through OAuth, you grant Hublytix a set of read-only scopes. We never request write access and cannot change records in your portal. Critically:
- We read your portal data transiently to compute findings (for example: duplicate records, missing-field counts, workflow and property issues, and a health score).
- We store the findings and metadata — issue counts, scores, property definitions, and record identifiers needed to deep-link you back into HubSpot — not full copies of your contact, company, or deal records.
- We do not use your CRM data to train any machine-learning model, and we do not sell it.
This “findings, not data” design is described in more detail on our Security page.
4. How we use data and our legal bases
We process account data for the purposes below. Where the EU/UK GDPR applies, the relevant legal basis is shown in brackets.
- To provide and operate the Service, run audits, and show your results [performance of a contract].
- To process subscriptions, payments, and invoices [performance of a contract; legal obligation].
- To secure the Service, prevent abuse, and debug errors [legitimate interests].
- To send transactional email (verification, password reset, billing, and security notices) [performance of a contract; legitimate interests].
- To comply with law and respond to lawful requests [legal obligation].
We process HubSpot portal data only to provide the audit functionality you request, on your instructions, as your processor.
5. Sharing and sub-processors
We do not sell personal data. We share data only with vetted service providers that help us run the Service (hosting, database, authentication, email, payments, error monitoring), and only as needed. Our current sub-processors and what each one handles are listed on our Sub-processors page.
We may also disclose data where required by law, to protect our rights or users, or in connection with a merger, acquisition, or sale of assets (with notice where required).
6. International transfers
We are based in India and our infrastructure providers are primarily in the United States (for example, our database and authentication run on Supabase in the US). This means personal data may be transferred to and processed in countries other than your own.
- For transfers of EU/UK personal data, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with our providers’ own transfer mechanisms.
- For data subject to India’s Digital Personal Data Protection Act, 2023, cross-border transfer is permitted subject to conditions the Central Government may specify; we transfer only where permitted.
7. Retention
- Account data is kept while your account is active and for a reasonable period afterward to meet legal, accounting, and security obligations.
- Audit findings are retained so you can track changes and verify fixes over time. You can delete them, and they are removed when you disconnect the relevant portal or close your account.
- HubSpot access tokens are revoked and deleted when you disconnect a portal or close your account.
- Security and transaction logs may be retained for at least the period required by applicable law.
8. Your rights
Depending on where you live, you have some or all of these rights:
8.1 Under the EU/UK GDPR
Access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right to withdraw consent. You may also lodge a complaint with your local supervisory authority.
8.2 Under India’s DPDP Act, 2023
The right to access a summary of your personal data and processing, the right to correction and erasure, the right to grievance redressal, the right to nominate another person to exercise your rights, and the right to withdraw consent. You may escalate an unresolved complaint to the Data Protection Board of India.
To exercise any right, contact us using Section 13. We respond within the timeframes required by law. Because much of the HubSpot portal data we touch belongs to your organization (the controller), requests about that data may be directed to your organization, and we will assist them as their processor.
9. Security
We use technical and organizational measures appropriate to the risk, including encryption in transit (TLS), AES-256 encryption of HubSpot access tokens at rest, database row-level isolation between tenants, and modern application-security controls. See our Security page for details. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
If we become aware of a personal data breach, we will notify the relevant authorities and affected individuals as and when required by applicable law.
10. Cookies
The app uses only strictly necessary cookies (for sign-in and security). We do not currently use advertising or tracking cookies. See our Cookie Policy.
11. Children
The Service is a business tool intended for users aged 18 and over. It is not directed to children, and we do not knowingly collect their personal data.
12. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or in the app.
13. Contact and grievance redressal
For privacy questions, requests, or complaints, contact our Grievance Officer:
- Grievance Officer: Gowtham R, Designated Partner, Hublytix LLP
- Email: privacy@hublytix.ai
- Post: Hublytix LLP, 12, Thirumagal Nagar 1st, Rajakilpakkam, Tambaram, Kanchipuram - 600073, Tamil Nadu, India
We aim to acknowledge requests promptly and to resolve grievances within the period required by applicable law. If you are in the EU/UK and remain unsatisfied, you may complain to your local supervisory authority; if you are in India, you may escalate to the Data Protection Board of India.