sighub.io

Privacy Policy

Last updated: June 14, 2026

Sighub.io ("Sighub", "we", "our", "us") is a sole proprietorship based in Rotterdam, the Netherlands, registered with the Dutch Chamber of Commerce (KvK) under number 42083108. We operate the sighub.io website and the Sighub HubSpot marketplace application. This policy describes what data we access, store, and how we handle it.

What data we access

Sighub reads the following data from your HubSpot portal through the official HubSpot API:

  • Company properties (names, contract dates, custom properties you map during setup)
  • Associated deals (close dates, stages, amounts)
  • Meetings and notes (dates and counts only, not content)
  • Tasks (status and dates)
  • Tickets (open/closed status and counts)
  • Contact associations (relationship metadata)

Sighub does not read the content of your emails, meeting notes, or ticket conversations. We only access metadata such as dates, counts, and status fields.

A complete overview of shared data between Sighub and HubSpot is available on our HubSpot Marketplace listing page.

What data we store

Sighub stores the following outside of your HubSpot portal:

  • OAuth tokens: encrypted at rest using AES-256-GCM, used solely to authenticate API requests to your HubSpot portal
  • Property mapping configuration: which HubSpot fields you selected during setup
  • Action audit log: records of automatically created tasks, stored as HubSpot object IDs only, no customer names, email addresses, or personal data
  • Billing state: if you subscribe to a paid plan, we store your Stripe customer ID, subscription ID, plan and subscription status to manage your subscription. We do not store your card number or full payment details — those are handled by Stripe (see sub-processors below).

What data we do NOT store

  • Email content or email addresses of your contacts
  • Meeting notes or call recordings
  • Ticket conversation content
  • Any personally identifiable information about your customers

Data sharing

Sighub does not sell your data or share it for advertising. We share data only with the trusted infrastructure and payment providers listed under "Service providers (sub-processors)" below — for example Stripe for processing subscription payments — and only to the extent needed to operate the service. Your HubSpot data is used exclusively to provide the Sighub service to your portal.

Data security

  • All data in transit is encrypted via HTTPS/TLS
  • OAuth tokens are encrypted at rest using AES-256-GCM
  • Backend requests are validated using HubSpot's request signature protocol
  • Access to stored data is restricted to authenticated portal sessions

Data retention

  • OAuth tokens are retained as long as your Sighub installation is active
  • Audit logs are retained for 90 days and then automatically purged
  • Property mapping configuration is retained until you uninstall Sighub or reconfigure

Data deletion

When you uninstall Sighub from your HubSpot portal, your OAuth tokens and property mapping configuration are deleted. Tasks created in HubSpot by Sighub remain in your HubSpot account as standard HubSpot tasks.

To request manual deletion of your data, contact support@sighub.io.

Your rights under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: request a copy of the data we process about your portal
  • Right to rectification: request correction of inaccurate data
  • Right to erasure: request deletion of your data at any time
  • Right to restrict processing: request that we limit how we use your data
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to our processing of your data

To exercise any of these rights, contact support@sighub.io. We will respond within 30 days.

Legal basis for processing

We process your data based on the following legal grounds under GDPR Article 6:

  • Contractual necessity (Art. 6(1)(b)): processing is necessary to provide the Sighub service you installed
  • Legitimate interest (Art. 6(1)(f)): audit logging for security and service reliability
  • Consent (Art. 6(1)(a)): optional website analytics and future marketing cookies on sighub.io, only after you opt in via the cookie banner. You can withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before it

International data transfers

Your data may be processed on servers located outside the EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

Google (Google Analytics, Search Console) may process data on servers in the United States. Google LLC is certified under the EU–US Data Privacy Framework, and its processing is additionally covered by Standard Contractual Clauses.

Stripe, our payment processor, may process billing data in the United States. Stripe, Inc. is certified under the EU–US Data Privacy Framework, and its processing is additionally covered by Standard Contractual Clauses.

Controller and processor roles

For the data processed inside your HubSpot portal, Sighub acts as the data processor on behalf of your organisation (the data controller). Your organisation determines which HubSpot data Sighub accesses through the property mapping configuration.

For visitor data collected on the sighub.io website itself, your consent choice and, after opt-in, analytics data, Sighub is the data controller. You can reach us via the contact details under "Privacy contact" below.

Supervisory authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority in the EEA.

Service providers (sub-processors)

Sighub relies on a small number of trusted infrastructure providers to operate the website and the application. Each provider only processes the data described below and is contractually bound to appropriate data protection terms.

Lovable, frontend hosting and website builder. The marketing website (sighub.io) is built and hosted on Lovable. As part of its hosting platform, Lovable collects aggregated, server-side analytics about published projects, including pageviews, visitors, bounce rate, visit duration, traffic sources and device type. This data is aggregated and is used to operate and improve the hosting platform. Lovable does not require any tracking script in the page to provide this, and Sighub does not place any Lovable-specific cookies on visitors. For full details see Lovable's own privacy policy.

Railway, backend and application hosting. The Sighub backend (the service that talks to your HubSpot portal, runs scans and creates tasks) is hosted on Railway. Railway processes technical operational data on our behalf, including incoming API requests, server logs, error traces and the IP addresses of clients interacting with the backend. This data is used solely to run the service, debug failures and protect against abuse.

GoDaddy, domain registration and DNS. The sighub.io domain and DNS records are managed through GoDaddy. As part of resolving the domain, GoDaddy processes technical data such as IP addresses, DNS lookups and request logs. GoDaddy does not have access to application data inside Sighub.

Google Search Console, aggregated search performance. We use Google Search Console to see aggregated search statistics for sighub.io, such as clicks, impressions, average position and search queries. Search Console does not place tracking cookies on visitors through this website. The data we receive from Google is aggregated and not linked to individual visitors.

Google Analytics 4, consent-based website analytics. We use Google Analytics 4 on sighub.io to measure website usage. It is strictly opt-in: the Google Analytics script is not loaded and nothing is sent to Google until you accept the Analytics category in the cookie banner. After opt-in it places the measurement cookies described in the cookie section below. Analytics data is not used for advertising.

HubSpot, your CRM platform. HubSpot is your platform, not ours. Sighub interacts with your HubSpot portal via the official HubSpot API under the OAuth permissions you grant during installation, as described in "What data we access" above.

Stripe, payment processing. When you subscribe to a paid Sighub plan, payments are processed by Stripe. Stripe collects and processes your billing and payment data — such as your name, email address, payment method and card details, billing address and transaction history — to take payment and prevent fraud. Sighub never receives or stores your full card details; we store only your Stripe customer ID, subscription ID, plan and subscription status. Stripe acts as an independent controller for the payment data it processes. For details see Stripe's own Privacy Policy.

Cookies and tracking on sighub.io

The sighub.io marketing website uses a strict, opt-in approach to cookies and similar technologies. Nothing non-essential loads until you give consent through the cookie banner.

Strictly necessary (always on): a single browser localStorage entry that records your consent preferences so we do not have to ask again on every page. No personal data, no third party.

Hosting platform analytics (cookieless): our hosting provider Lovable collects aggregated, server-side metrics (pageviews, visitors, bounce rate, traffic sources, device type) at the platform level. To the best of our knowledge this is cookieless and does not write to your browser's localStorage; it is aggregated and not used to identify individual visitors.

Search Console (no cookies on visitors): Google Search Console does not place tracking cookies on visitors through this website. It only reports aggregated search performance data to us from Google's side.

Analytics (off by default): with your consent we use Google Analytics 4 to understand website usage and improve the product experience. The Google Analytics script is only loaded after you accept the Analytics category; until then nothing is loaded from or sent to Google. After opt-in the measurement cookies _ga and _ga_* are placed (first-party cookies that distinguish visitors, valid for up to 2 years). IP anonymization and privacy-friendly settings are enabled where possible. We do not use analytics for advertising or cross-site tracking.

Marketing (off by default): reserved for future advertising or attribution pixels. Not used at this time.

You can change or withdraw your consent at any moment via the Cookie settings link in the footer of every page. Withdrawing consent deletes the analytics cookies and stops Google Analytics from loading from that moment on.

This cookie policy applies to sighub.io only. Data processed inside your HubSpot portal by the Sighub application is governed by the rest of this Privacy Policy.

Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated date.

Privacy contact

The data controller for sighub.io is Sighub.io, a sole proprietorship based in Rotterdam, the Netherlands, registered with the Dutch Chamber of Commerce (KvK) under number 42083108. For privacy-related questions: support@sighub.io