# GDPR/DSGVO HubSpot Audit **Last Updated:** 2026-03-02 **Owner:** Hady Elhady **Scope:** HubSpot integration – script loading, forms, data flows, legal basis **Related:** [GDPR_DSGVO_WEBSITE_AUDIT.md](GDPR_DSGVO_WEBSITE_AUDIT.md) – Website tracking and consent audit --- ## Executive Summary This audit assesses GDPR/DSGVO compliance of the HubSpot integration on the Ordio website. HubSpot is used for marketing, analytics, forms, and contact identification. **Compliance Status:** Remediated. **Compliant:** - HubSpot loads only after user accepts "HubSpot (Marketing & Chat)" – consent-based. - HubSpot uses EU region (js-eu1, Germany). - **Contact request forms** (demo, callback, pricing, webinar, event) always send to HubSpot under Art. 6(1)(b) pre-contractual. - **Lead gen forms** (template download, calculator export, gated content) respect `hubspotConsent`; when denied, core delivery works but HubSpot sync is skipped. All lead gen forms include an optional form-specific consent checkbox (`hubspot_form_consent`), providing a separate legal basis under Art. 6(1)(a) when the user declined the cookie banner. - Contact consent notices use minimal styling (above or below button, `.contact-consent-notice`), per ICO/EDPB "not unnecessarily disruptive" guidance. Lead gen checkboxes are placed above the submit button for better visibility. **Implemented (2026-03-02):** Privacy policy – HubSpot section added to `v2/pages/static_privacy.php` (Drittanbieter, after Google Tag Manager). --- ## Form Consent Flow ```mermaid flowchart TB Submit[User submits form] --> Type{What kind of form?} subgraph Contact [Requesting contact] CExamples[Demo, callback, pricing quote, webinar] CAlways[We always send your data] CExamples --> CAlways end subgraph Download [Requesting a download] DExamples[Template download, calculator export, whitepaper] DConsent{Did user give consent?} DYes[Yes - we send data] DNo[No - we do not send data] DAlways[Download always works either way] DExamples --> DConsent DConsent -->|Cookie banner accepted OR form checkbox checked| DYes DConsent -->|Both declined| DNo DYes --> DAlways DNo --> DAlways end Type -->|Wants to be contacted| CExamples Type -->|Wants a file or content| DExamples ``` **Requesting contact** (demo, callback, webinar): The user explicitly asked to be contacted. We always send their data to HubSpot; cookie consent is not required. **Requesting a download** (template, export, whitepaper): The user exchanged data for content. We only send their data to HubSpot if they gave consent. Consent can come from either: 1. **Cookie banner** – User accepted "HubSpot (Marketing & Chat)" when the banner appeared. 2. **Form checkbox** – User checked the optional box on the form: "Ich stimme zu, dass meine Kontaktdaten an Ordio übermittelt und für Marketingzwecke genutzt werden können." **Important:** The form checkbox is separate from the cookie banner. If a user declined cookies but later checks the form checkbox on a download form, we send their data. The checkbox is an explicit, form-specific consent. The download is always delivered regardless. **Reference:** [FORMS_CONSENT_IMPLEMENTATION.md](FORMS_CONSENT_IMPLEMENTATION.md) – Technical details, API contract, affected endpoints. --- ## Where HubSpot Scripts Are Loaded | Location | Consent-Gated? | |----------|----------------| | Website (base footer) | Yes | | footer_free_trial (kostenlos-testen) | Yes | | v2/html/blog/*.html | Yes | | shiftops.php, shiftops-report.php, static_hubspot.php | Yes | | include_form-hubspot-sdr.php, templates_template.php (hsforms.net) | Form embed only; main tracking gated | | **Web app / product** | Out of Scope | --- ## Purpose of Each hs-* Domain | Domain | Purpose | |--------|---------| | **js-eu1.hs-scripts.com** | Analytics, tracking, contact identification, forms, chat (if enabled) | | **js-eu1.hsforms.net** | Embedded form rendering | | **hs-analytics.net** | Analytics (loaded by HubSpot script when active) | | **hs-banner.com** | Chat/banner (loaded by HubSpot script when active) | | **hsadspixel.net** | Ads pixel (loaded by HubSpot script when active) | --- ## Data Collected - Page views, session tracking - Form submissions (demo, template download, tools export, etc.) - UTM parameters, hubspotutk cookie - Contact identification for marketing/CRM --- ## Legal Basis | Context | Basis | Implementation | |---------|-------|----------------| | **Marketing/analytics tracking** | Art. 6(1)(a) consent | HubSpot loads only when user accepts "HubSpot (Marketing & Chat)" | | **Contact request forms** (demo, callback, pricing, webinar, event) | Art. 6(1)(b) pre-contractual | Always send to HubSpot; cookie consent not required | | **Lead gen forms** (download, export, gated content) | Art. 6(1)(a) consent | Respect `hubspotConsent`; when denied, skip HubSpot, deliver content | --- ## Can It Be Scoped? | Option | Feasible? | Notes | |--------|-----------|-------| | **Website-only** | N/A | HubSpot is already website-only in this codebase | | **Limit to admins** | No | Website has no admin vs. visitor distinction for prospects | | **Disable for paying customers** | Out of Scope | App/product not in scope | | **Gate behind consent** | **Done** | HubSpot loads via `loadHubSpot()` only when user accepts "HubSpot (Marketing & Chat)" | --- ## Data Transfers - **Region:** EU (`js-eu1` = EU region) - **Storage:** Germany (AWS EU), per HubSpot EU data centre - **Safeguards:** DPA, Standard Contractual Clauses --- ## User Identification - **hubspotutk** cookie links browser session to HubSpot contact - **Appropriate for:** Website prospects, form submitters - **Not appropriate for:** Logged-in app users (Out of Scope – app not configurable here) --- ## Privacy Policy Update – HubSpot Section (Implemented 2026-03-02) **Placement:** Added as new `

` under "Drittanbieter", after "Google Tag Manager" and before "heyData". **Draft copy (German):** ```markdown #### HubSpot Wir setzen HubSpot zur Analyse, für Marketing und zur Bereitstellung von Formularen und Chat-Funktionen ein. Anbieter ist HubSpot Ireland Limited, 1 Sir John Rogerson's Quay, Dublin 2, Irland. Der Anbieter verarbeitet Nutzungsdaten (z. B. besuchte Webseiten, Interesse an Inhalten, Zugriffszeiten), Kontaktdaten (z. B. E-Mail-Adressen, Telefonnummern, Namen, Unternehmensdaten aus Formulareingaben) und Meta-/Kommunikationsdaten (z. B. Geräte-Informationen, IP-Adressen, Cookies wie hubspotutk) in der EU. Die Verarbeitung erfolgt ausschließlich über die EU-Region (js-eu1.hs-scripts.com); Daten werden in Deutschland (AWS EU) gehostet. Die Rechtsgrundlage der Verarbeitung ist Art. 6 Abs. 1 S. 1 lit. a DSGVO. Die Verarbeitung erfolgt auf der Basis von Einwilligungen. HubSpot wird erst nach Ihrer Bestätigung im Cookie-Banner („HubSpot (Marketing & Chat)“) geladen. Betroffene können ihre Einwilligung jederzeit widerrufen, z. B. über den Link „Cookie-Einstellungen“ im Footer unserer Website. Weitere Informationen sind in der Datenschutzerklärung des Anbieters unter [https://legal.hubspot.com/privacy-policy](https://legal.hubspot.com/privacy-policy) abrufbar. ``` **Key elements covered:** Anbieter, Datenkategorien, Verarbeitungsort (EU/Deutschland), Rechtsgrundlage (Einwilligung), Einwilligungsmechanismus, Widerruf, Link zur Anbieter-Datenschutzerklärung. --- ## Key Files Reference - `v2/config/hubspot-config.php` – HubSpot Portal ID 145133546, form GUIDs - `html/form-hs.php` – Form POST handler; uses `shouldSendToHubSpotFromPost()` with form category - `v2/helpers/consent-helpers.php` – `shouldSendToHubSpot()`, `shouldSendToHubSpotFromPost()`, `FORM_CATEGORY_*` - `docs/systems/forms/FORM_TO_PAGE_MAPPING.md` – Form category per endpoint - `docs/systems/gdpr/FORMS_CONSENT_IMPLEMENTATION.md` – Form categories, consent architecture, lead gen inventory - `docs/systems/gdpr/LEAD_GEN_FORMS_CHECKLIST.md` – Manual QA checklist for lead gen forms --- ## Recommendations ### Completed (2026-03-02) **Privacy policy** – HubSpot section added to `static_privacy.php` per draft above. ### Low Priority - **HubSpot API verification** – Use existing config to verify portal data hosting location in HubSpot settings.