Logo - Full (Color)
Skip to content

Data Privacy Glossary

Many data privacy features we see in HubSpot were first created to help customers follow the General Data Protection Regulation (GDPR), a European Union data privacy law. Other countries have similar laws to regulate data privacy and consent, and many of these were created with GDPR standards in mind. These regulations were written by lawyers, so it should come as no surprise that there’s some legal jargon involved. We’ve put together a glossary of terms that you might see in HubSpot, and a few others that'll help you to understand common language around data privacy and consent.

Personal data

Any information related to a person or contact, for example: name, national ID number, address, IP address, etc. This type of information is also known as personally identifiable information (PII).

General Data Protection Regulation (GDPR)

A European Union (EU) law that protects the personal data of EU and European Economic Area citizens and residents. It outlines requirements necessary for both EU businesses and any business that collects or processes this personal data. Similar requirements can also be found in many national data privacy laws outside of the EU.


A business or person that decides why and how to process data about a person. One example is a business owner serving as a Controller over its data stored in HubSpot, where the business makes decisions about how to use the data. Note: A business or person can be both a controller and a processor at the same time.


A business or person that processes data. They process the data as instructed, but don't have control over how or why it's processed. For example, HubSpot is a processor for a business owner when HubSpot stores and processes data based on the business owner’s instructions. Note: A business or person can be both a controller and a processor at the same time.

Processing (data processing)

Any action performed on personal data. This can be automated or manual. Examples include: collecting, organizing, recording, storing, or deleting data.

Consent terms

Giving permission to use or share data. This could be done via opting-in or can be implied.

Under the GDPR and similar data privacy laws, consent must be freely given, specific, informed and unambiguous. Consent must be positive and affirmative, and in some cases it must be explicitly given.

When a person communicates clear approval and agreement to process their data. For example, responding "Yes" to receiving text messages from a business.

When consent can reasonably be assumed from a person's action or inaction. For example, when a customer buys a product from a business, their personal data would be processed in order to ship the product, to provide customer support, etc.

When a contact has agreed to the collecting, storing, sending, etc. of their data, also known as processing data. Under the GDPR and other privacy laws, this permission must be "freely given, specific, informed and unambiguous."

When a contact has given permission to be contacted or receive communication. For example, via SMS, email, etc.

A type of consent that requires two separate positive actions. For example, to double-opt-in to receive marketing emails would mean first signing up for the emails, then clicking on a separate email confirmation link.

Permanently delete (a contact)

Permanent removal of a contact from HubSpot's database. This type of deletion is often used to follow data privacy laws, and may be done regardless if data privacy settings are turned on or off in HubSpot. Deleted information includes the contact record, email tracking history, call records, form submissions, and other engagement data and activity.

Legal basis

Reasons that explain why a business uses or processes a contact's personal data. According to GDPR, businesses are required to have at least one legal basis as a reason for processing data. In HubSpot we ask customers to choose from 6 types of legal basis that cover Consent, Performance of a Contract, and Legitimate Interest. There may be more than one legal basis that fits each situation.

Recording the reason for processing contact data is part of data privacy best practices.

Legitimate interest

When businesses have a necessary and lawful business reasona legitimate interestthey can process a contact's personal data in a way the contact would expect. The exception is when these interests go against a contact's best interests or fundamental rights.

Learn more about data privacy and GDPR


Understanding GDPR

Using data privacy features in HubSpot


This page is not an exhaustive summary of privacy language or legal advice for your organization. It’s meant to help HubSpot customers and others understand common language around data privacy and consent. Consult an attorney if you’d like advice on your interpretation of this information or its accuracy.