Privacy Policy

Pipeline Reports for HubSpot (the App) is operated by Crosstown Tech, based in Ontario, Canada (the Operator, we, us). Contact: support@crosstowntech.com.

When a HubSpot account installs the App, we read the following data via HubSpot's APIs:

• Deal records (read-only)
• Deal pipelines and stage definitions (schema)
• Deal stage change events (via webhooks and the property-history API)
• HubSpot owner / user metadata (names, emails — for owner attribution on the dashboard)

We do not request write access to your CRM. We do not read contacts, companies, tickets, marketing email content, files, conversations, payments, or any object the OAuth scopes you grant do not cover.

• Deal records: deal id, name, pipeline, current stage, current stage entry timestamp, owner id, amount.
• Deal stage change history: deal id, before/after stage, timestamp, source, and HubSpot user id of the editor.
• HubSpot owner metadata (name, email) snapshotted at change time so attribution survives user deletion.
• Per-stage stuck thresholds you configure in the App.
• OAuth refresh tokens, encrypted at rest with AES-256-GCM.
• Installation metadata: portal id, app id, installed-at timestamp, OAuth scopes.

All data is stored on Convex Cloud (operated by Convex Inc.) in their managed infrastructure in the United States. Refresh tokens are encrypted with AES-256-GCM before storage; the encryption key is held in environment variables outside the database.

• Convex Inc. — backend database, function execution, and webhook ingestion (US).
• Vercel Inc. — frontend hosting and TLS termination (US).
• HubSpot, Inc. — source CRM (we read your data from HubSpot when you install).

Deal records and stage change history are retained for as long as the App is installed. On uninstall, you may request deletion of all stored data by emailing support@crosstowntech.com. We will complete the deletion within 30 days. Refresh tokens are revoked at HubSpot and removed from our database immediately on uninstall.

If your data is covered by GDPR, CCPA, or similar laws, you have the right to access, correct, delete, or export the data we store about your HubSpot account. Email support@crosstowntech.com and we will respond within 30 days.

OAuth refresh tokens are encrypted at rest. Webhook payloads are verified using HubSpot's v3 signature scheme. All traffic between the App and HubSpot uses TLS. Access to production infrastructure is restricted to authorized personnel.

We may update this policy. Material changes will be communicated via the App's listing on the HubSpot Marketplace and via email to the installation owner.