Under the General Data Protection Regulation (GDPR), contacts in your account have the right to request that you delete all of their personal data. When this happens, the GDPR requires that you permanently remove the contact record from your database, including email tracking history, call records, form submissions, and other engagement data and activity. Typically, these requests should be attended to within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.
Please note: while these features live in HubSpot, your legal team is the best resource to give you compliance advice for your specific situation.
In HubSpot, GDPR deletion includes a blocklist functionality, which means that once a contact is GDPR-deleted, you will not be able to add their email (primary or additional) back to your account in the future. This functionality is supported by anonymized data. If a GDPR-deleted contact chooses to fill out a form on your website or if they send an email to a connected inbox, they will be added back to your account.
Please note: while the contact's personal data will be deleted, anonymized analytics data will remain. For example, the contact's sessions will continue to be reflected in your sources report, but you won’t be able to identify the individual contact. Similarly, if you’ve sent emails to the contact or the contact filled out a form, the analytics will still be reflected in the email performance (opens, clicks, etc.) and number of form submissions, but the contact's information will no longer appear.
To perform a GDPR deletion in HubSpot, you must be a super admin. You do not need to have GDPR tools enabled to perform a GDPR delete.
Perform a GDPR delete on a contact GDPR deletions can only be performed on individual contact records. You cannot perform GDPR deletions in bulk using lists of contacts or workflows. To delete a contact in compliance with GDPR:
- In your HubSpot account, navigate to Contacts > Contacts.
- Click the name of the contact.
- In the left panel, click Actions, then select Delete.
- In the dialog box, select the Permanently delete this contact and all its associated content to follow privacy laws and regulations radio button.
- To send confirmation that the contact was deleted, select the Email proof of deletion checkbox and enter the recipient's email.
- Click Delete contact to confirm.
Data that will be purged upon a GDPR delete
Up to 30 days after the GDPR deletion is initiated, a GDPR purge will be performed. The record will be removed from your HubSpot account along with the following information:
- Salesforce connector
- Contacts data
- Analytics data
- Calling data
- Form submissions
- Files uploaded through form submissions
- Feedback data
- Integrations data
In addition, GDPR deleting a contact will remove associations between the contact record and its previous engagements. Learn more about how GDPR deletion affects non-contact associated data.
If you have a Marketing Hub Starter, Professional or Enterprise account and you've created a contact list audience, when you perform a GDPR delete of a contact, they will also be deleted from your syncing audience, ensuring that you no longer send advertisements to this contact. HubSpot will not automatically delete any blog comments the contact left on your blog posts, so you will need to manually delete the blog comments.
Perform a GDPR delete on a previously deleted record
If a record is already deleted and sent to the recycle bin (i.e., a normal delete and not a GDPR delete), you can still perform a GDPR delete by first restoring the contact:
- In your HubSpot account, navigate to your contacts, companies, deals, or tickets.
- In the upper right, click the Actions dropdown menu and select Restore [objects].
- Select the checkbox next to the record you want to restore.
- In the upper right, click Restore.
- In the dialog box, confirm the number of contacts to restore, then click Restore.
After you've restored the contact, follow the instructions above to perform a GDPR delete of the contact.