One place for personal data
HubSpot CRM is the only store of personal data. Access uses a least-privilege token scoped to Contacts only — no shadow copies, no standing application database.
#ClientCentric
Trust & Data Handling
How Centric3 handles your data — in plain language. What we collect, where it lives, who processes it, and how to access or delete it.
Centric3 collects personal data only to reply to you, schedule a conversation, or — with your explicit opt-in — send you insights. Personal data lives in one system (HubSpot). Analytics is privacy-first and runs without storing personal identifiers. You can access or delete your data anytime.
- HubSpot is the only PII store
- Consent before any PII
- Global Privacy Control honored
- No accounts, no passwords
Last reviewed 2026-05-29
#ProcessCentric
How we handle your data
A small, deliberate footprint: one place for personal data, consent before anything non-essential, and analytics that don't need to know who you are.
Consent before PII
Analytics and marketing fire only after you opt in. Reject is as easy as accept, and Global Privacy Control (GPC) signals are honored automatically.
Privacy-first analytics
Usage analytics (GA4) run server-side with opaque identifiers — no heavy browser tracking pixel, and your IP address isn't stored.
Your rights, honored
Access, correction, deletion, and opt-out of sale or share under GDPR and CCPA/CPRA — handled by a real person, not a maze.
What we don't do
- We never sell your personal data.
- No cross-site advertising or social tracking pixels.
- No standing app database beyond HubSpot + an ephemeral key-value store.
- No dark-pattern consent — reject is one tap, same as accept.
#ImpactCentric
Sub-processor register
The vetted third parties that process data on our behalf under GDPR Art. 28. HubSpot is the only one that stores personal data; the rest handle limited or pseudonymous data.
| Sub-processor | Purpose | Region | Data terms |
|---|---|---|---|
| HubSpot | CRM & system of record — the only store of personal dataLeast-privilege Contacts scope | US / EU | DPASCCs |
| Cookiebot | Consent management — Consent Mode v2, GPC honoring | EU (Denmark) | DPASCCs |
| Cal.com | Meeting scheduling (lazy, optional) | EU / US | DPASCCs |
| Resend | Transactional email (confirmations, result links) | US | DPASCCs |
| Cloudflare Turnstile | Privacy-first bot protection (no user tracking) | Global edge | DPASCCs |
| Vercel | Hosting, edge & serverless runtime | US + global edge | DPASCCs |
| Upstash | Ephemeral KV — tokens (24h TTL), consent audit, rate-limit — non-PII | EU / US | DPASCCs |
| GA4 | PII-free analytics via server-side Measurement Protocol | Google global | DPAGoogle DPT |
Regions and DPAs are verified per vendor before launch (per-vendor launch-gate). This list changes only with notice.
#ResultsCentric
Access & deletion (DSAR)
Want a copy of your data, a correction, or full erasure? Here's exactly how it works — a real person handles every request.
-
Send your request
Email hello@centric3.com (subject "Data request") or use the form on our Privacy page. Tell us whether you want access, correction, or erasure.
-
We verify it's you
We confirm your identity before acting — protecting your data from someone else's request.
-
We locate your records
We look you up through a pseudonymous audit reference — the lookup index holds no personal data and no plaintext IP addresses.
-
We action & confirm
Erasure or export executes in HubSpot (the only PII store) and we confirm in writing. We respond within ~30 days.
We also maintain 72-hour breach-notification readiness (GDPR Art. 33).
#TechnologyCentric
Built secure by construction
Security isn't a bolt-on. The smallest possible attack surface, enforced by code and CI gates.
- Strict nonce-based CSP — no inline script execution; a single per-vendor allowlist plus Subresource Integrity.
- Engineered to OWASP ASVS Level 2 and the OWASP API Top 10.
- No user accounts, no passwords — there is no authentication surface to attack.
- PII stays server-side — personal data is never exposed to the browser; the only PII store is HubSpot.
- HSTS preload, no-referrer on sensitive routes, and pseudonymous, split & hashed lead identifiers.
- Supply-chain hardening — pinned dependencies, secret scanning, SBOM.
- GDPR Art. 6/7/17/25/28/32/33/44 · CCPA/CPRA · Global Privacy Control.
These describe the standards we engineer to and the regulations we honor. We don't claim third-party audit certifications we don't hold. Questions? Read the Privacy Policy or email hello@centric3.com.