Privacy Policy

What data we access

Sighub reads the following data from your HubSpot portal through the official HubSpot API:

• Company properties (names, contract dates, custom properties you map during setup)
• Associated deals (close dates, stages, amounts)
• Meetings and notes (dates and counts only, not content)
• Tasks (status and dates)
• Tickets (open/closed status and counts)
• Contact associations (relationship metadata)

Sighub does not read the content of your emails, meeting notes, or ticket conversations. We only access metadata such as dates, counts, and status fields.

A complete overview of shared data between Sighub and HubSpot is available on our HubSpot Marketplace listing page.

What data we store

Sighub stores the following outside of your HubSpot portal:

• OAuth tokens: encrypted at rest using AES-256-GCM, used solely to authenticate API requests to your HubSpot portal
• Property mapping configuration: which HubSpot fields you selected during setup
• Action audit log: records of automatically created tasks, stored as HubSpot object IDs only, no customer names, email addresses, or personal data

What data we do NOT store

• Email content or email addresses of your contacts
• Meeting notes or call recordings
• Ticket conversation content
• Any personally identifiable information about your customers

Data sharing

Sighub does not sell, share, or transfer your data to any third party. Your data is used exclusively to provide the Sighub service to your HubSpot portal.

Data security

• All data in transit is encrypted via HTTPS/TLS
• OAuth tokens are encrypted at rest using AES-256-GCM
• Backend requests are validated using HubSpot's request signature protocol
• Access to stored data is restricted to authenticated portal sessions

Data retention

• OAuth tokens are retained as long as your Sighub installation is active
• Audit logs are retained for 90 days and then automatically purged
• Property mapping configuration is retained until you uninstall Sighub or reconfigure

Data deletion

When you uninstall Sighub from your HubSpot portal, your OAuth tokens and property mapping configuration are deleted. Tasks created in HubSpot by Sighub remain in your HubSpot account as standard HubSpot tasks.

To request manual deletion of your data, contact support@sighub.io.

Your rights under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access: request a copy of the data we process about your portal
• Right to rectification: request correction of inaccurate data
• Right to erasure: request deletion of your data at any time
• Right to restrict processing: request that we limit how we use your data
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to our processing of your data

To exercise any of these rights, contact support@sighub.io. We will respond within 30 days.

Legal basis for processing

We process your data based on the following legal grounds under GDPR Article 6:

• Contractual necessity (Art. 6(1)(b)): processing is necessary to provide the Sighub service you installed
• Legitimate interest (Art. 6(1)(f)): audit logging for security and service reliability

International data transfers

Your data may be processed on servers located outside the EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

Data controller

Sighub acts as the data processor on behalf of your organisation (the data controller). Your organisation determines which HubSpot data Sighub accesses through the property mapping configuration.

Supervisory authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority in the EEA.

Service providers (sub-processors)

Sighub relies on a small number of trusted infrastructure providers to operate the website and the application. Each provider only processes the data described below and is contractually bound to appropriate data protection terms.

Lovable — frontend hosting and website builder. The marketing website (sighub.io) is built and hosted on Lovable. As part of its hosting platform, Lovable collects aggregated, server-side analytics about published projects, including pageviews, visitors, bounce rate, visit duration, traffic sources and device type. This data is aggregated and is used to operate and improve the hosting platform. Lovable does not require any tracking script in the page to provide this, and Sighub does not place any Lovable-specific cookies on visitors. For full details see Lovable's own privacy policy.

Railway — backend and application hosting. The Sighub backend (the service that talks to your HubSpot portal, runs scans and creates tasks) is hosted on Railway. Railway processes technical operational data on our behalf, including incoming API requests, server logs, error traces and the IP addresses of clients interacting with the backend. This data is used solely to run the service, debug failures and protect against abuse.

GoDaddy — domain registration and DNS. The sighub.io domain and DNS records are managed through GoDaddy. As part of resolving the domain, GoDaddy processes technical data such as IP addresses, DNS lookups and request logs. GoDaddy does not have access to application data inside Sighub.

Google Search Console — aggregated search performance. We use Google Search Console to see aggregated search statistics for sighub.io, such as clicks, impressions, average position and search queries. Search Console does not place tracking cookies on visitors through this website. The data we receive from Google is aggregated and not linked to individual visitors.

HubSpot — your CRM platform. HubSpot is your platform, not ours. Sighub interacts with your HubSpot portal via the official HubSpot API under the OAuth permissions you grant during installation, as described in "What data we access" above.

Cookies and tracking on sighub.io

The sighub.io marketing website uses a strict, opt-in approach to cookies and similar technologies. Nothing non-essential loads until you give consent through the cookie banner.

Strictly necessary (always on): a single browser localStorage entry that records your consent preferences so we do not have to ask again on every page. No personal data, no third party.

Hosting platform analytics (cookieless): our hosting provider Lovable collects aggregated, server-side metrics (pageviews, visitors, bounce rate, traffic sources, device type) at the platform level. To the best of our knowledge this is cookieless and does not write to your browser's localStorage; it is aggregated and not used to identify individual visitors.

Search Console (no cookies on visitors): Google Search Console does not place tracking cookies on visitors through this website. It only reports aggregated search performance data to us from Google's side.

Analytics (off by default): if you opt in, we may load Google Analytics 4 in privacy-friendly mode (anonymised, no cross-site tracking) to understand which pages help visitors. We do not currently load any analytics script unless and until you opt in.

Marketing (off by default): reserved for future advertising or attribution pixels. Not used at this time.

You can change or withdraw your consent at any moment via the Cookie settings link in the footer of every page. Withdrawing consent stops further data collection going forward.

This cookie policy applies to sighub.io only. Data processed inside your HubSpot portal by the Sighub application is governed by the rest of this Privacy Policy.

Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated date.

Contact

For privacy-related questions: support@sighub.io