
Privacy Policy

How Hubpitch collects, uses, stores, and protects personal data across hubpitch.ai, app.hubpitch.ai, and the outbound workflows our customers run on the platform.

Last updated: July 3, 2026

Who we are

Hubpitch UG (haftungsbeschränkt) in formation (“Hubpitch”, “we”, “us”) is the provider of the Hubpitch marketing website and SaaS platform.

Service provider address: Forsmannstraße 22A, 22303 Hamburg, Germany.

Privacy contact: contact@hubpitch.ai

For provider and contact details required under German law, see our Legal Notice.

Scope and audience

This policy applies to visitors of hubpitch.ai, users of app.hubpitch.ai, recipients of demo and product communications, and individuals whose data is processed when our customers use Hubpitch for outbound sales.

Hubpitch is a business-to-business (B2B) platform. We do not offer our services to consumers.

Controller and processor roles

Depending on the context, Hubpitch acts as a data controller or as a data processor on behalf of our customers.

When Hubpitch is the controller

  • Website visits, demo requests, and marketing interactions on hubpitch.ai
  • Account registration, billing, support, and product administration for workspace owners and members
  • Security monitoring, fraud prevention, and service reliability
  • Product analytics needed to operate and improve Hubpitch as a service

When Hubpitch is the processor

Our customers use Hubpitch to manage leads, send outbound email, publish personalized landing pages, and handle replies. In those workflows, the customer is typically the data controller and Hubpitch processes personal data on the customer’s documented instructions.

Customers remain responsible for having a lawful basis to collect and contact leads, honouring opt-out requests, and responding to data-subject rights for the data they upload or generate in their workspace.

A Data Processing Agreement (DPA) under Article 28 GDPR is available for business customers on request. Enterprise plans may include a custom DPA.

Personal data we process

Website and marketing (hubpitch.ai)

  • Contact details you submit in demo or inquiry forms (name, email, company, message content)
  • Technical data such as IP address, browser type, device information, referrer, and page views
  • Cookie and similar-technology data described in the Cookies section below

Account and workspace data (app.hubpitch.ai)

  • Account profile data (name, email address, avatar where available)
  • Workspace membership, role, invitations, and authentication/session data
  • Billing contact details, subscription status, invoices, and payment references processed via Stripe
  • Workspace settings, brand profile, sending identities, domains, and configuration metadata
  • Product usage data such as feature activity, AI token consumption, send quotas, and audit events

Outbound workflow data processed for customers

  • Lead and prospect records (names, email addresses, company details, tags, notes, import metadata)
  • Campaign structure, sequence flows, message drafts, send status, and deliverability signals
  • Personalized landing page content generated for individual leads
  • Outbound and inbound email content, thread metadata, reply handling, and suppression status
  • Recipient engagement on published pages (page visits, CTA clicks, block views, booking clicks, and related event metadata)
  • AI prompts, completions, embeddings, and token accounting tied to workspace actions

Support, security, and operations

  • Messages you send to support and records of those interactions
  • Diagnostic, error, and performance telemetry where needed to keep the service secure and reliable
  • Immutable audit and erasure logs required for accountability and legal retention

Where data comes from

  • Directly from you when you create an account, book a demo, configure a workspace, or contact us
  • From workspace members and administrators acting on behalf of your organization
  • From customers who upload or import lead data, connect integrations, or generate content in Hubpitch
  • From email recipients when they open messages, visit published pages, click links, or submit unsubscribe requests
  • From infrastructure and service providers that help us deliver the platform, as described below

Why we use personal data

Service delivery

  • Provide, operate, and maintain the Hubpitch website and application
  • Authenticate users, manage workspaces, and enforce role-based access
  • Send and receive email, render personalized landing pages, and run campaign workflows
  • Generate AI-assisted drafts, personalization, embeddings, and in-product assistance
  • Track page engagement and campaign performance for workspace operators

Billing, compliance, and trust

  • Process subscriptions, invoices, and plan limits
  • Provide workspace-level and lead-level GDPR export and erasure tooling
  • Maintain audit trails, suppression lists, and legally required send records
  • Detect abuse, protect deliverability, and keep the platform secure
  • Respond to support requests and communicate product or security updates

Legal bases (GDPR)

Where GDPR applies, we rely on one or more of the following legal bases: performance of a contract (Art. 6(1)(b)), legitimate interests in operating and securing a B2B SaaS platform (Art. 6(1)(f)), compliance with legal obligations (Art. 6(1)(c)), and consent where required (Art. 6(1)(a)).

Customers are responsible for determining and documenting the lawful basis for processing the lead and prospect data they upload into Hubpitch.

AI features

Hubpitch uses large-language-model providers to power drafting, personalization, embeddings, and in-product assistants. Depending on workspace configuration, prompts may include lead context, brand profile data, campaign content, and operator instructions.

AI outputs are generated automatically and should be reviewed by your team before sending or publishing. We meter AI usage by workspace and retain token accounting needed for billing, limits, and abuse prevention.

Do not submit special categories of personal data or information you are not authorized to share with AI subprocessors unless your organization has assessed the risk and put appropriate safeguards in place.

Cookies and similar technologies

Marketing website

  • Essential cookies and local storage needed for theme preference and basic site functionality
  • Vercel Web Analytics on hubpitch.ai to understand aggregate traffic and page performance without third-party advertising cookies

Application

  • Authentication and session cookies required to keep you signed in to app.hubpitch.ai
  • Functional storage used for product preferences and in-app state

Published landing pages

Pages published by Hubpitch customers may record page visits and in-page engagement events so operators can measure performance. These events are scoped to the relevant workspace and published page context.

Public unsubscribe pages are designed to work without marketing trackers and without requiring recipients to create a Hubpitch account.

Sharing and subprocessors

We share personal data with trusted service providers that help us host, secure, bill, deliver, and improve Hubpitch. These providers process data on our instructions and under appropriate contractual safeguards.

Current categories of subprocessors include:

  • Supabase — database, authentication, and file storage
  • Vercel — application and marketing site hosting
  • Resend — outbound and inbound email delivery infrastructure
  • OpenAI and Anthropic — AI completions and embeddings where enabled
  • Stripe — subscription billing and payment processing
  • Sentry — error monitoring and performance diagnostics
  • Gravatar — optional email-derived avatar lookup in the product UI

International transfers

Some subprocessors may process data outside the European Economic Area. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses and vendor contractual commitments.

Choosing an email sending region in Hubpitch can improve delivery paths for recipients but does not by itself guarantee that all data stays in the EU. Customers with strict data-residency requirements should contact us before rollout so we can align hosting, subprocessors, and contractual terms.

Retention

We keep personal data only for as long as necessary for the purposes described in this policy, unless a longer retention period is required by law.

  • Account and workspace records: for the life of the workspace and a reasonable period thereafter
  • Billing and tax-relevant records: as required under commercial and tax law
  • Audit and erasure logs: retained to demonstrate accountability; erasure-log rows are designed to survive deletion events they document
  • Outbound and inbound message records after lead erasure: metadata and send history may be retained in redacted form where commercial or legal retention duties require proof of transmission
  • Suppression entries: retained to honour opt-out and do-not-contact obligations
  • Activity log retention: plan-dependent (for example 30 days, 12 months, or unlimited on higher tiers)

Security

We use technical and organizational measures appropriate to a B2B SaaS platform, including access controls, workspace isolation, encrypted transport, secrets hygiene, audit logging, and operational monitoring.

No method of transmission or storage is completely secure. If you believe your account or workspace has been compromised, contact us immediately at contact@hubpitch.ai.

Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, object to, or port personal data, and to withdraw consent where processing is consent-based.

You may also lodge a complaint with your local supervisory authority. In Germany, this is typically the authority for your place of residence or work.

Exercising your rights

  • Hubpitch account holders: contact contact@hubpitch.ai or use in-product privacy controls where available
  • Workspace owners and admins: export workspace data from Settings → Privacy & data
  • Lead-level access or erasure requests for data controlled by a customer: contact the organization that contacted you; Hubpitch assists our customers in fulfilling those requests through workspace tooling and support
  • Marketing contacts: email contact@hubpitch.ai to update or delete demo or newsletter details

Customer responsibilities

  • Obtain a valid legal basis before uploading or contacting leads
  • Provide required notices and honour opt-out, unsubscribe, and do-not-contact requests promptly
  • Configure sending domains, identities, and content in line with applicable anti-spam and data-protection law
  • Use Hubpitch export and erasure tools, or contact us, when data-subject requests require action in your workspace
  • Avoid uploading unnecessary sensitive data and review AI-generated content before sending

Children

Hubpitch is not directed at children and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact contact@hubpitch.ai.

Changes to this policy

We may update this policy to reflect product, legal, or operational changes. We will post the revised version on hubpitch.ai/privacy and update the “Last updated” date. Material changes may also be communicated through the product or by email where appropriate.

Contact

Questions about this Privacy Policy or our data-protection practices: contact@hubpitch.ai

Postal address: Hubpitch UG (haftungsbeschränkt) in formation, Forsmannstraße 22A, 22303 Hamburg, Germany.