HubSpot data access and security

We request only the permissions needed to do the job — and nothing more. This article explains exactly what data we access, what we store, and what we never touch.

Written by Kevin Lawrie

Last updated about 6 hours ago

Our approach to data access

Minimal data access, by design. We interact with only what's needed to do the job and nothing more. No bulk sync, no mirroring of your contact database, no retention of data we don't need.

  • We store only the internal HubSpot contact ID and LinkedIn username (public data) for records we create or monitor. No contact properties are retained.

  • Duplicate checks read your LinkedIn username and email fields — we don't retain that data. It's a read-only exercise.

  • We never replicate your contact database.

  • Integration audit logs are automatically rotated every 30 days.

  • Read access for configuration is limited to list names, internal IDs, and field schema — never contact content.


OAuth scopes we request

When you connect HubSpot, you'll see a list of permissions on HubSpot's authorisation screen. Here's exactly what each scope is used for:

Required scopes

Scope                        What we use it for
crm.objects.contacts.write   Create new contacts and update existing ones when Signal Sync runs
crm.objects.contacts.read    Read contact data to detect duplicates before creating new records
crm.schemas.contacts.read    Fetch your contact property list so you can configure field mapping
crm.schemas.contacts.write   Create custom properties (prefixed gs_*) used for engagement count syncing
crm.objects.owners.read      Read your HubSpot owners list so you can assign contacts to a specific owner
crm.lists.read               Read your lists so you can select which list to sync from or add contacts to
crm.lists.write              Add new contacts to a selected HubSpot list when Signal Sync creates them
timeline                     Create timeline notes on contact records for social engagement activity
oauth                        Powers the OAuth connection flow

Optional scopes (Sales Hub Pro+ only)

Scope                                    What we use it for
automation.sequences.read                Read your sequences so you can select one for contact enrollment
automation.sequences.enrollments.write   Enroll new contacts in a selected sequence automatically

These optional scopes are only used if you configure sequence enrollment in Signal Sync. If your HubSpot account doesn't have Sales Hub Pro+, these scopes won't be available and sequence enrollment won't appear as an option.
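For administrators who want to check the consent request against the tables above before approving it, here is an added example (not code from this article or from the product). It assumes you have copied the HubSpot authorisation URL your browser opens when you click connect, and that the URL carries HubSpot's `scope` and `optional_scope` query parameters; the sample URL, its `client_id` and its `redirect_uri` are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Scope lists copied from the two tables in this article.
REQUIRED = {
    "crm.objects.contacts.write", "crm.objects.contacts.read",
    "crm.schemas.contacts.read", "crm.schemas.contacts.write",
    "crm.objects.owners.read", "crm.lists.read", "crm.lists.write",
    "timeline", "oauth",
}
OPTIONAL = {
    "automation.sequences.read",
    "automation.sequences.enrollments.write",
}

def _scopes(query, key):
    # Scopes are space-separated inside one parameter (sent as %20 or +).
    return {s for value in query.get(key, []) for s in value.split()}

def audit_authorize_url(url):
    """Compare the scopes in an authorisation URL with the documented lists."""
    query = parse_qs(urlsplit(url).query)
    required = _scopes(query, "scope")
    optional = _scopes(query, "optional_scope")
    return {
        # Requested, but not listed anywhere in the article.
        "undocumented": sorted((required | optional) - REQUIRED - OPTIONAL),
        # Documented as optional, but requested as mandatory.
        "optional_made_required": sorted(required & OPTIONAL),
        # Documented as required, but absent from the request.
        "missing_required": sorted(REQUIRED - required),
    }

def is_clean(report):
    # True only when every finding list is empty.
    return not any(report.values())

# Constructed sample URL: client_id and redirect_uri are placeholders.
SAMPLE_URL = (
    "https://app.hubspot.com/oauth/authorize?client_id=PLACEHOLDER"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=" + "%20".join(sorted(REQUIRED))
    + "&optional_scope=" + "%20".join(sorted(OPTIONAL))
)

if __name__ == "__main__":
    print(audit_authorize_url(SAMPLE_URL))
```

Any entry under `undocumented` or `optional_made_required` is a reason to pause the install and ask why the request differs from the documented list.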


What we store — by mode

Mode 1 — Creating contacts from engagement (Signal Sync)

When we turn a reaction or comment into a HubSpot contact, our READ access is used only to detect duplicates. We check the LinkedIn username property and the email property — only if you have Email Finder enabled and we have an email to compare. In both cases we don't retain that data. It's a read-only exercise.

The only data points we store are:

  • The internal HubSpot contact ID created when we generate a record

  • The Note ID for any timeline notes we create representing social engagement

These are internal CRM identifiers and contain no personal data.

Mode 2 — Syncing existing contacts or monitoring job changes (Engagement Sync)

When you create a HubSpot list and sync it, we READ the LinkedIn username property and the contact's internal HubSpot ID, saving both to our system. This relationship is what allows us to sync notes back to the correct contact every time that LinkedIn username publishes a post, likes a post, or comments.

We also retain the internal ID of each note we create — primarily for audit purposes, so you can always see every action we've taken inside your CRM.

Read access for configuration

We fetch your available HubSpot lists (name and internal ID only) so you can select which list to sync from or add new contacts to. We also read your contact property schema to configure field mapping — specifying which enriched data fields get pushed to HubSpot and where they land.


Audit logs

All HubSpot integration activity is logged and visible in your account dashboard. Logs are automatically rotated every 30 days.


What we never do

  • Never bulk-sync or mirror your contact database

  • Never retain contact property values from your CRM

  • Never store email addresses, phone numbers, or personal data from your existing contacts

  • Never access deals, companies, tickets, or any HubSpot object outside of contacts, lists, owners, and sequences

  • Never read contact content beyond what's needed for duplicate detection and matching