Legal & Policies

Introduction

Welcome to Hubsflow — your modular CRM platform for modern agencies and teams. We built Hubsflow to be transparent, secure, and user-friendly. That philosophy extends to how we handle legal stuff, too.

This page outlines our terms of service, privacy practices, data handling, security measures, and other important policies. We've done our best to make it readable (no 47-page PDFs in 6pt font), but comprehensive enough to cover what matters.

TL;DR: We respect your data, we don't sell it, and we work hard to keep your information secure. Use Hubsflow responsibly, and we'll do our part to provide a reliable, transparent service.

Terms of Service v2.0

Acceptance of Terms

By accessing or using Hubsflow (the "Platform"), you agree to be bound by these Terms of Service ("Terms"). If you're using Hubsflow on behalf of an organization, you represent that you have authority to bind that organization to these Terms.

Account Registration

• You must provide accurate, complete, and current registration information.
• You are responsible for maintaining the confidentiality of your account credentials.
• You must be at least 18 years old (or the age of majority in your jurisdiction) to create an account.
• One person or legal entity per account. No account sharing across multiple organizations.
• You agree to notify us immediately of any unauthorized use of your account.

Permitted Use

Hubsflow is designed for legitimate business purposes. You may use the Platform to:

• Manage client relationships, projects, and workflows.
• Store and organize business data related to your operations.
• Collaborate with team members and clients.
• Integrate with authorized third-party services via our API.

Prohibited Conduct

You agree not to:

• Use the Platform for any illegal, harmful, or fraudulent purpose.
• Upload or transmit viruses, malware, or malicious code.
• Attempt to gain unauthorized access to our systems, other accounts, or networks.
• Scrape, data mine, or reverse-engineer the Platform without permission.
• Send spam, phishing attempts, or unsolicited bulk communications through Hubsflow.
• Violate any applicable laws, including GDPR, CCPA, CAN-SPAM, or other data protection regulations.
• Impersonate another person or entity, or falsely state your affiliation.
• Interfere with or disrupt the integrity or performance of the Platform.

Subscription & Billing

• Free Tier: Hubsflow offers a free tier with limited features. We may modify or discontinue the free tier at any time with reasonable notice.
• Paid Plans: Subscription fees are billed in advance on a monthly or annual basis, depending on the plan you select.
• Payment Terms: All fees are non-refundable unless otherwise stated or required by law. If payment fails, we may suspend or terminate your account.
• Price Changes: We reserve the right to modify pricing with at least 30 days' notice to existing subscribers.
• Taxes: Fees exclude applicable taxes. You're responsible for all taxes associated with your subscription.

Termination

Either party may terminate this agreement at any time. You can cancel your subscription through your account settings. Upon termination:

• Your access to the Platform will be revoked.
• We will retain your data for 30 days to allow for export or recovery, after which it may be permanently deleted.
• No refunds will be provided for unused subscription time unless required by law.
• We may terminate or suspend accounts that violate these Terms immediately without notice.

Intellectual Property

Hubsflow owns all rights, title, and interest in the Platform, including source code, design, features, branding, and documentation. You retain ownership of any data you upload to the Platform.

You grant Hubsflow a limited, non-exclusive license to host, store, and process your data solely to provide the service. We will not use your data for any other purpose without your consent.

Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW: Hubsflow is provided "as-is" without warranties of any kind. We are not liable for any indirect, incidental, consequential, or punitive damages arising from your use of the Platform. Our total liability for any claim related to Hubsflow will not exceed the amount you paid us in the 12 months preceding the claim.

Indemnification

You agree to indemnify and hold Hubsflow harmless from any claims, damages, or expenses (including legal fees) arising from your use of the Platform, your violation of these Terms, or your violation of any third-party rights.

Changes to Terms

We may update these Terms from time to time. We'll notify you of material changes via email or in-app notification. Continued use of the Platform after changes constitutes acceptance of the updated Terms.

Privacy Policy

Information We Collect

We collect information in three ways:

• Information you provide: Name, email, company name, payment details, profile data, and any content you upload to the Platform.
• Automatically collected data: IP address, browser type, device information, usage patterns, session data, and cookies.
• Third-party data: If you integrate external services (e.g., Google Workspace, Slack), we may receive data from those services in accordance with your settings.

How We Use Your Information

• To provide, maintain, and improve the Platform.
• To communicate with you about your account, updates, and support.
• To process payments and prevent fraud.
• To analyze usage and optimize performance.
• To send marketing communications (you can opt out at any time).
• To comply with legal obligations and enforce our Terms.

Data Sharing & Third Parties

We do not sell your data. Period.

We may share data with:

• Service providers: Hosting (AWS, Google Cloud), payment processing (Stripe), analytics (PostHog), email delivery (Resend), and customer support tools (Intercom).
• Legal requirements: If required by law, court order, or to protect rights and safety.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.

Data Retention

• Active accounts: Data is retained for as long as your account is active.
• Deleted accounts: Data is retained for 30 days post-deletion to allow for recovery, then permanently deleted.
• Backups: Data may persist in backups for up to 90 days.
• Legal holds: We may retain data longer if required by law or ongoing investigations.

Your Privacy Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data.
• Correction: Update inaccurate or incomplete data.
• Deletion: Request deletion of your data (subject to legal exceptions).
• Portability: Request your data in a machine-readable format.
• Objection: Object to certain data processing activities.
• Opt-out: Unsubscribe from marketing emails or revoke consent.

To exercise your rights, email us at privacy@hubsflow.com.

International Data Transfers

Hubsflow is based in the United States. If you're accessing the Platform from outside the U.S., your data may be transferred to and processed in the U.S. or other countries. We use Standard Contractual Clauses (SCCs) and other safeguards to protect international data transfers.

Children's Privacy

Hubsflow is not intended for use by anyone under 18. We do not knowingly collect data from children. If we discover we've collected data from a child, we will delete it promptly.

Security & Infrastructure

Our Security Commitment

Security isn't a feature—it's a foundation. We take a defense-in-depth approach to protect your data at every layer.

Infrastructure & Hosting

• Cloud providers: AWS and Google Cloud (SOC 2 certified, ISO 27001 compliant)
• Encryption in transit: TLS 1.3 for all data transmission
• Encryption at rest: AES-256 encryption for all stored data
• Database security: Encrypted databases with restricted access controls
• Network isolation: Private VPCs, firewalls, and intrusion detection systems

Application Security

• Authentication: Industry-standard OAuth 2.0 and JWT tokens
• Password storage: Bcrypt hashing with salt (never stored in plaintext)
• Multi-factor authentication (MFA): Available for all accounts
• Session management: Automatic timeout after 30 days of inactivity
• API security: Rate limiting, API key rotation, and access logging
• Input validation: Protection against SQL injection, XSS, and CSRF attacks

Monitoring & Incident Response

• 24/7 automated monitoring and alerting
• Regular security audits and penetration testing
• Vulnerability scanning and patch management
• Incident response plan with defined escalation procedures
• Data breach notification within 72 hours (as required by GDPR)

Employee Access

• Strict role-based access controls (RBAC)
• Background checks for all team members
• Security training and awareness programs
• Audit logs for all administrative actions
• Zero standing access to production databases

Your Responsibilities

Security is a shared responsibility. Please:

• Use strong, unique passwords (consider a password manager)
• Enable MFA on your account
• Keep your devices and software up to date
• Report suspicious activity immediately
• Never share your credentials with unauthorized parties

Data Processing Agreement (DPA)

Our Role as a Processor

When you use Hubsflow to manage client data, you are the data controller and we are the data processor. This means:

• You determine what data is collected and why.
• We process data solely on your instructions.
• We implement appropriate security measures to protect data.
• We assist you in meeting your compliance obligations (GDPR, CCPA, etc.).

Data Processing Safeguards

• Purpose limitation: We only process data for the purposes you specify.
• Confidentiality: All employees sign NDAs and confidentiality agreements.
• Data minimization: We only collect and retain what's necessary.
• Subprocessors: We maintain a list of all subprocessors (see below).
• Cross-border transfers: Protected by Standard Contractual Clauses (SCCs).

Subprocessors

We use the following subprocessors to deliver our service:

We will notify you of any changes to our subprocessor list with at least 30 days' notice.

Data Subject Requests

If your end users (data subjects) exercise their rights (access, deletion, portability), we will assist you in responding to these requests within the required timeframes. You can manage most requests directly through the Hubsflow admin panel.

Cookie Policy

What Are Cookies?

Cookies are small text files stored on your device when you visit websites. They help us remember your preferences, keep you logged in, and understand how you use Hubsflow.

Types of Cookies We Use

Cookies We Set

• hubsflow-session — Authentication token (session)
• hubsflow-dark-mode — Theme preference (365 days)
• hubsflow-cookie-consent — Cookie preferences (365 days)
• hubsflow-onboarding-complete — Onboarding status (365 days)

Managing Cookies

You can manage cookie preferences through our consent banner (appears on first visit) or by adjusting your browser settings. Note that disabling certain cookies may affect platform functionality.

API Usage Terms

API Access

The Hubsflow API allows you to programmatically interact with your data and build custom integrations. API access is available on paid plans.

Rate Limits

API Guidelines

• Use API keys securely—never expose them in client-side code.
• Implement proper error handling and retry logic with exponential backoff.
• Cache responses when appropriate to reduce API calls.
• Monitor your usage to avoid hitting rate limits.
• Report bugs or issues to our developer support team.

API Key Management

• Rotate API keys regularly (at least every 90 days).
• Revoke compromised keys immediately.
• Use separate keys for development, staging, and production environments.
• Restrict key permissions to the minimum necessary scope.

Developer Resources

Full API documentation, code examples, and SDKs are available at docs.hubsflow.com.