Privacy Policy

The Data Controller for personal data processed through HubSlot is:

Tribehub — Viale Giovanni Suzzani 96, 20162 Milano (MI), Italy P.IVA: 02002830897 Email: privacy@hubslot.io

For any questions or requests regarding your personal data, please contact us at the address above.

We collect the following categories of personal data: - Account data: name, email address, hashed password, profile picture (optional) - Workspace data: content you create within the platform (campaigns, tasks, assets, etc.) - Billing data: payment method details and transaction history (processed directly by Stripe; we do not store card numbers) - Usage data: IP address, browser type, operating system, pages visited, timestamps, feature interactions - Communications: emails sent in connection with the Service (invitations, notifications, support)

We process your personal data for the following purposes: - To provide, maintain, and improve the Service - To manage your account and subscription - To process payments and issue invoices - To send transactional emails (account events, trial reminders, invoices) - To respond to support requests and communicate service updates - To detect and prevent fraud, abuse, and security incidents - To comply with legal and regulatory obligations

We process your personal data under the following legal bases pursuant to Article 6 GDPR: - Performance of contract (Art. 6(1)(b)): account management, service delivery, subscription billing - Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, service analytics and improvement - Legal obligation (Art. 6(1)(c)): tax records, compliance with Italian fiscal law - Consent (Art. 6(1)(a)): marketing communications, where you have opted in

We retain your personal data for the following periods: - Account data: for the duration of your account, plus 30 days after deletion to allow recovery - Workspace content: deleted immediately upon account deletion or on your request - Billing records: 10 years, as required by Italian fiscal law (D.P.R. 633/1972) - Server access logs: 12 months

You may request deletion of your account and personal data at any time by contacting privacy@hubslot.io.

We share your personal data only with the following trusted sub-processors, strictly for the purpose of providing the Service: - Supabase Ireland Ltd. — database hosting and authentication (EU region, Ireland) - Vercel Inc. — application hosting and content delivery (EU region) - Stripe Inc. — payment processing (US; see International Transfers below) - Resend Inc. — transactional email delivery - AI service providers — AI-assisted features such as campaign creation (details available on request)

All sub-processors are bound by data processing agreements ensuring GDPR compliance.

Stripe Inc. is headquartered in the United States. Data transferred to Stripe is protected by Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Article 46(2)(c), providing an adequate level of protection equivalent to that within the EU/EEA.

All other sub-processors listed process data within the European Union or European Economic Area.

Under GDPR, you have the following rights regarding your personal data: - Right of access (Art. 15): obtain a copy of the data we hold about you - Right to rectification (Art. 16): correct inaccurate or incomplete data - Right to erasure (Art. 17): request deletion of your data ('right to be forgotten') - Right to restriction (Art. 18): limit how we process your data in certain circumstances - Right to data portability (Art. 20): receive your data in a structured, machine-readable format - Right to object (Art. 21): object to processing based on legitimate interests

To exercise any of these rights, contact privacy@hubslot.io. We will respond within 30 days. You also have the right to lodge a complaint with the Italian Data Protection Authority: Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma — www.garanteprivacy.it.

HubSlot uses only technically necessary cookies required for session management and authentication. We do not use advertising, tracking, or analytics cookies that require consent.

Session cookies are automatically deleted when you close your browser. No third-party tracking scripts are loaded on HubSlot pages.

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: - Encryption of data in transit (TLS 1.2+) - Encrypted database storage - Role-based access controls - Regular security reviews

Our infrastructure operates entirely within the European Union. In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. For material changes, we will notify registered users by email at least 14 days before the new policy takes effect.

The current version of this Privacy Policy is always available at hubslot.io/privacy. The "Last updated" date at the top of this page indicates when the policy was last revised.

For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, please contact:

Tribehub — privacy@hubslot.io Viale Giovanni Suzzani 96, 20162 Milano (MI), Italy

If you are not satisfied with our response, you have the right to lodge a complaint with the Italian Data Protection Authority: Garante per la protezione dei dati personali Piazza Venezia 11, 00187 Roma www.garanteprivacy.it