#ClientCentric

Trust & Data Handling

How Centric3 handles your data — in plain language. What we collect, where it lives, who processes it, and how to access or delete it. No dark patterns, no fine-print surprises.

Centric3 collects personal data only to reply to you, schedule a conversation, or — with your explicit opt-in — send you insights. Personal data lives in one system (HubSpot). Analytics is privacy-first and runs without storing personal identifiers. You can access or delete your data anytime.

  • HubSpot is the only PII store
  • Consent before any PII
  • Global Privacy Control honored
  • No accounts, no passwords

Last reviewed 2026-05-29

#ProcessCentric

How we handle your data

A small, deliberate footprint: one place for personal data, consent before anything non-essential, and analytics that don't need to know who you are.

One place for personal data

HubSpot CRM is the only store of personal data. Access uses a least-privilege token scoped to Contacts only — nothing more. No shadow copies, no standing application database.

Consent before PII

Analytics and marketing fire only after you opt in. Reject is as easy as accept, you can change your mind anytime, and Global Privacy Control (GPC) signals are honored automatically.

Privacy-first analytics

Usage analytics (GA4) run server-side with opaque identifiers — no heavy browser tracking pixel on the critical path, and your IP address isn't stored.

Your rights, honored

Access, correction, deletion, and opt-out of sale or share under GDPR and CCPA/CPRA — handled by a real person, not a maze. See the path below.

What we don't do

  • We never sell your personal data.
  • No cross-site advertising or social tracking pixels.
  • No standing app database beyond HubSpot + an ephemeral key-value store.
  • No dark-pattern consent — reject is one tap, same as accept.

#ImpactCentric

Sub-processor register

The vetted third parties that process data on our behalf under GDPR Art. 28. HubSpot is the only one that stores personal data; the rest handle limited or pseudonymous data.

Each sub-processor operates under a Data Processing Agreement, with Standard Contractual Clauses for cross-border transfers.

| Sub-processor | Purpose | Processing region | Data terms |
|---|---|---|---|
| HubSpot | CRM & system of record — the only store of personal data (contact leads, newsletter). Least-privilege Contacts-scoped access | US / EU (account region) | DPA in place; SCCs for transfers |
| Cookiebot (Usercentrics) | Consent management — Consent Mode v2, GPC honoring | EU (Denmark) | DPA in place; SCCs |
| Cal.com | Meeting scheduling (lazy-loaded, optional) | EU / US | DPA in place; SCCs |
| Resend | Transactional email (confirmations, result links) | US | DPA in place; SCCs |
| Cloudflare Turnstile | Privacy-first bot protection on forms (no user tracking) | Global edge | DPA in place; SCCs |
| Vercel | Hosting, edge & serverless runtime | US (primary) + global edge | DPA in place; SCCs |
| Upstash (Redis/KV) | Ephemeral data plane — result tokens (24h TTL), consent audit, rate-limit — non-PII / pseudonymous | EU / US (configurable) | DPA in place; SCCs |
| GA4 (Google Analytics 4) | PII-free product analytics via server-side Measurement Protocol | Google global | DPA in place; SCCs (Google DPT) |

Processing regions and Data Processing Agreements are verified per vendor before launch (per-vendor launch-gate). This list changes only with notice.

#ResultsCentric

Access & deletion (DSAR)

Want a copy of your data, a correction, or full erasure? Here's exactly how it works — a real person handles every request.

  1. Send your request

    Email hello@centric3.com (subject "Data request") or use the form on our Privacy page. Tell us whether you want access, correction, or erasure.

  2. We verify it's you

    We confirm your identity before acting — protecting your data from someone else's request.

  3. We locate your records

    We look you up through a pseudonymous audit reference — the lookup index holds no personal data and no plaintext IP addresses.

  4. We action & confirm

    Erasure or export executes in HubSpot (the only PII store) and we confirm in writing. We respond within ~30 days.

We also maintain 72-hour breach-notification readiness (GDPR Art. 33).

Manage your cookie preferences

Reject is as easy as accept, and you can reopen this anytime. Necessary cookies keep the site working; Analytics and Marketing stay off until you turn them on.

#TechnologyCentric

Built secure by construction

Security isn't a bolt-on. The smallest possible attack surface, enforced by code and CI gates.

  • Strict nonce-based CSP — no inline script execution; a single per-vendor allowlist plus Subresource Integrity.
  • Engineered to OWASP ASVS Level 2 and the OWASP API Top 10.
  • No user accounts, no passwords — there is no authentication surface to attack.
  • PII stays server-side — personal data is never exposed to the browser; the only PII store is HubSpot.
  • HSTS preload, no-referrer on sensitive routes, and pseudonymous, split & hashed lead identifiers.
  • Supply-chain hardening — pinned dependencies, secret scanning, SBOM.
  • GDPR Art. 6/7/17/25/28/32/33/44 · CCPA/CPRA · Global Privacy Control.

These describe the standards we engineer to and the regulations we honor. We don't claim third-party audit certifications we don't hold. Questions? Read the Privacy Policy or email hello@centric3.com.