HubSpot now collects your email engagement data

Stani Mihov
Founder & CEO
·

TL;DR
Vendor: HubSpot
Document: Privacy Policy
Date detected: July 2, 2026
Key change: A new section states HubSpot collects email open, delivery, bounce, and click data from emails sent through its platform, and that data is now listed among the sources that power its commercial dataset
HubSpot added a dedicated section on email engagement data and connected it to the commercial dataset it provides to enrichment customers. The update also broadens how customers may use that dataset and adds email engagement data to the categories disclosed under California privacy law.
The change
On July 1, 2026, HubSpot updated its Privacy Policy. The revision date moved from April 14 to July 1, a new subsection on email engagement data appeared, and the language describing HubSpot's commercial dataset changed. Venpo detected the update automatically and classified each change the same day.
What changed
The core of this update is a new category of data called Email Engagement Data and the connection of that data to HubSpot's commercial dataset. Four changes are worth understanding in detail.
HubSpot now collects email engagement data directly
A new section, titled Information We Collect and Process from Emails Sent through the Subscription Services, states that when customers send emails through HubSpot, HubSpot collects Email Engagement Data such as email open, delivery, bounce, and click statuses via tracking technologies embedded in emails.
Before this update, the policy described email tracking mainly in the context of the customer's own notifications and reporting. The new section frames these signals as information HubSpot collects and processes in its own right, not only on the customer's behalf.
Email engagement data now feeds HubSpot's commercial dataset
HubSpot's commercial dataset is the pool of business contact and professional data it provides to customers who use its enrichment features. The updated policy adds Email Engagement Data to the list of sources that power that dataset, alongside publicly available sources, third party providers, and customers who use enrichment features. The policy also changed its wording from enrichment products to enrichment features.
The practical effect is that engagement signals generated by emails sent through the platform are now named as an input to the dataset HubSpot makes available to other customers.
Commercial dataset use expanded beyond sales and marketing
Previously the policy described customers using commercial-dataset information for their sales and marketing activities. The updated language now says customers may use that information for sales, marketing, and other business activities. This broadens the range of downstream purposes for which shared professional data may be used.
The California notice now lists email engagement data
In the California privacy section, the category covering internet and network information was expanded to include Email Engagement Data, and the stated source was updated to include emails sent through the platform, not only the individual's device. Email engagement data is now formally disclosed as a category of personal information collected under the California framework.
Why this matters
For any company that sends email through HubSpot, the engagement produced by its campaigns is no longer confined to its own reporting. It is data HubSpot collects for itself and connects to a dataset it provides to other customers. Companies that maintain their own privacy notices, cookie disclosures, or records of processing may need to reflect this, because the behavior of their contacts is now processed in a way the previous policy did not spell out.
HubSpot revised several of its legal documents on the same date, so teams reviewing this change will want to read it alongside the current Customer Terms of Service and Data Processing Agreement. This is the kind of shift covered in our analysis of the hidden risk of vendor legal changes.
Potential impact for companies
Companies that run marketing or sales email through HubSpot may need to:
review their own privacy notices and consent language to reflect that engagement data from their emails is processed by HubSpot as described
check how enrichment features are used internally and whether that aligns with their own data commitments
update records of processing or a vendor register to capture the new data category
brief legal or compliance teams before the next audit cycle
For teams that treat their vendors' terms as a baseline, continuous vendor risk monitoring turns this kind of change into a tracked event rather than a surprise.
How Venpo detected it
Venpo continuously monitors vendor legal documents and detects changes as they are published. When HubSpot updated its Privacy Policy, Venpo automatically:
detected the new email engagement data section and the changes to the commercial dataset language
classified the individual changes by impact across data collection, data sharing, and California privacy disclosures
translated the legal wording into plain business impact
The full breakdown is available on the Venpo change page. Teams following this vendor could see exactly what changed and who is affected on the day it was detected, rather than discovering it during a later review. A comparison of this approach with periodic manual checks is in our analysis of manual vs automated vendor monitoring.
Key takeaway
Some of the most consequential vendor changes are additions to a privacy policy rather than headline product news. A single new subsection can turn the engagement data from your own campaigns into an input for a dataset your vendor provides to others. HubSpot's July 1 Privacy Policy update is exactly that kind of change, and catching it early is what lets a team update its own disclosures before an audit or a customer question forces the issue.
The change
On July 1, 2026, HubSpot updated its Privacy Policy. The revision date moved from April 14 to July 1, a new subsection on email engagement data appeared, and the language describing HubSpot's commercial dataset changed. Venpo detected the update automatically and classified each change the same day.
What changed
The core of this update is a new category of data called Email Engagement Data and the connection of that data to HubSpot's commercial dataset. Four changes are worth understanding in detail.
HubSpot now collects email engagement data directly
A new section, titled Information We Collect and Process from Emails Sent through the Subscription Services, states that when customers send emails through HubSpot, HubSpot collects Email Engagement Data such as email open, delivery, bounce, and click statuses via tracking technologies embedded in emails.
Before this update, the policy described email tracking mainly in the context of the customer's own notifications and reporting. The new section frames these signals as information HubSpot collects and processes in its own right, not only on the customer's behalf.
Email engagement data now feeds HubSpot's commercial dataset
HubSpot's commercial dataset is the pool of business contact and professional data it provides to customers who use its enrichment features. The updated policy adds Email Engagement Data to the list of sources that power that dataset, alongside publicly available sources, third party providers, and customers who use enrichment features. The policy also changed its wording from enrichment products to enrichment features.
The practical effect is that engagement signals generated by emails sent through the platform are now named as an input to the dataset HubSpot makes available to other customers.
Commercial dataset use expanded beyond sales and marketing
Previously the policy described customers using commercial-dataset information for their sales and marketing activities. The updated language now says customers may use that information for sales, marketing, and other business activities. This broadens the range of downstream purposes for which shared professional data may be used.
The California notice now lists email engagement data
In the California privacy section, the category covering internet and network information was expanded to include Email Engagement Data, and the stated source was updated to include emails sent through the platform, not only the individual's device. Email engagement data is now formally disclosed as a category of personal information collected under the California framework.
Why this matters
For any company that sends email through HubSpot, the engagement produced by its campaigns is no longer confined to its own reporting. It is data HubSpot collects for itself and connects to a dataset it provides to other customers. Companies that maintain their own privacy notices, cookie disclosures, or records of processing may need to reflect this, because the behavior of their contacts is now processed in a way the previous policy did not spell out.
HubSpot revised several of its legal documents on the same date, so teams reviewing this change will want to read it alongside the current Customer Terms of Service and Data Processing Agreement. This is the kind of shift covered in our analysis of the hidden risk of vendor legal changes.
Potential impact for companies
Companies that run marketing or sales email through HubSpot may need to:
review their own privacy notices and consent language to reflect that engagement data from their emails is processed by HubSpot as described
check how enrichment features are used internally and whether that aligns with their own data commitments
update records of processing or a vendor register to capture the new data category
brief legal or compliance teams before the next audit cycle
For teams that treat their vendors' terms as a baseline, continuous vendor risk monitoring turns this kind of change into a tracked event rather than a surprise.
How Venpo detected it
Venpo continuously monitors vendor legal documents and detects changes as they are published. When HubSpot updated its Privacy Policy, Venpo automatically:
detected the new email engagement data section and the changes to the commercial dataset language
classified the individual changes by impact across data collection, data sharing, and California privacy disclosures
translated the legal wording into plain business impact
The full breakdown is available on the Venpo change page. Teams following this vendor could see exactly what changed and who is affected on the day it was detected, rather than discovering it during a later review. A comparison of this approach with periodic manual checks is in our analysis of manual vs automated vendor monitoring.
Key takeaway
Some of the most consequential vendor changes are additions to a privacy policy rather than headline product news. A single new subsection can turn the engagement data from your own campaigns into an input for a dataset your vendor provides to others. HubSpot's July 1 Privacy Policy update is exactly that kind of change, and catching it early is what lets a team update its own disclosures before an audit or a customer question forces the issue.
Real-time change notifications
Stay ahead of every legal change
Get updates, product news and expert tips on navigating legal changes
Dispute resolution clause now requires mandatory arbitration in all regions
Data retention period extended from 2 years to 5 years for all services
New restrictions on AI-generated content in product descriptions
Third-party data sharing expanded to include analytics partners
Real-time change notifications
Stay ahead of every legal change
Get updates, product news and expert tips on navigating legal changes
Dispute resolution clause now requires mandatory arbitration in all regions
Data retention period extended from 2 years to 5 years for all services
New restrictions on AI-generated content in product descriptions
Third-party data sharing expanded to include analytics partners
