hubspot-data-handling

Implement HubSpot GDPR compliance, data export, and contact privacy operations. Use when handling GDPR/CCPA data subject requests, implementing data export, contact deletion, or privacy-compliant HubSpot integrations. Trigger with phrases like "hubspot GDPR", "hubspot data export", "hubspot delete contact", "hubspot privacy", "hubspot CCPA", "hubspot PII".

1,868 stars

byjeremylongshore

View on GitHub Installation ↓

Best use case

hubspot-data-handling is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using hubspot-data-handling should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/hubspot-data-handling/SKILL.md --create-dirs "https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/main/plugins/saas-packs/hubspot-pack/skills/hubspot-data-handling/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/hubspot-data-handling/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How hubspot-data-handling Compares

Feature / Agent	hubspot-data-handling	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

Best AI Skills for Claude

Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.

ChatGPT vs Claude for Agent Skills

Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.

SKILL.md Source

# HubSpot Data Handling

## Overview

Handle GDPR/CCPA compliance with HubSpot's built-in privacy APIs: GDPR delete, data export, consent management, and PII handling for CRM data.

## Prerequisites

- HubSpot account with GDPR features enabled
- Scope: `crm.objects.contacts.write` (for GDPR delete)
- Understanding of GDPR/CCPA requirements

## Instructions

### Step 1: GDPR Contact Deletion

HubSpot provides a dedicated GDPR delete endpoint that permanently removes all contact data and communications:

```typescript
import * as hubspot from '@hubspot/api-client';

const client = new hubspot.Client({
  accessToken: process.env.HUBSPOT_ACCESS_TOKEN!,
});

// GDPR delete: permanently removes contact and all associated data
// POST /crm/v3/objects/contacts/gdpr-delete
async function gdprDeleteContact(email: string): Promise<void> {
  // First, find the contact
  const search = await client.crm.contacts.searchApi.doSearch({
    filterGroups: [{
      filters: [{ propertyName: 'email', operator: 'EQ', value: email }],
    }],
    properties: ['email'],
    limit: 1, after: 0, sorts: [],
  });

  if (search.results.length === 0) {
    console.log(`Contact not found: ${email}`);
    return;
  }

  const contactId = search.results[0].id;

  // GDPR delete via API
  await client.apiRequest({
    method: 'POST',
    path: '/crm/v3/objects/contacts/gdpr-delete',
    body: {
      objectId: contactId,
      idProperty: 'hs_object_id',
    },
  });

  // Also delete from your local systems
  await deleteLocalContactData(email);

  // Audit log (keep for compliance -- do NOT delete audit records)
  await auditLog({
    action: 'GDPR_DELETE',
    email: '[REDACTED]', // don't store the email in audit
    contactId,
    timestamp: new Date().toISOString(),
    reason: 'Data subject deletion request',
  });

  console.log(`GDPR deleted contact ${contactId}`);
}
```

### Step 2: Data Subject Access Request (DSAR)

Export all data HubSpot holds about a contact:

```typescript
async function exportContactData(email: string): Promise<ContactDataExport> {
  // Find contact
  const search = await client.crm.contacts.searchApi.doSearch({
    filterGroups: [{
      filters: [{ propertyName: 'email', operator: 'EQ', value: email }],
    }],
    properties: [], // get all default properties
    limit: 1, after: 0, sorts: [],
  });

  if (search.results.length === 0) {
    return { found: false, data: null };
  }

  const contact = search.results[0];

  // Get all properties for complete export
  const fullContact = await client.crm.contacts.basicApi.getById(
    contact.id,
    undefined, // all properties
    undefined,
    ['companies', 'deals', 'tickets'] // include associations
  );

  // Get associated deals
  const deals = await client.crm.deals.searchApi.doSearch({
    filterGroups: [{
      filters: [{
        propertyName: 'associations.contact',
        operator: 'EQ',
        value: contact.id,
      }],
    }],
    properties: ['dealname', 'amount', 'dealstage', 'createdate'],
    limit: 100, after: 0, sorts: [],
  });

  // Get engagement history (notes, emails, calls)
  const notes = await client.crm.objects.notes.basicApi.getPage(
    100, undefined, ['hs_note_body', 'hs_timestamp']
  );

  return {
    found: true,
    data: {
      exportedAt: new Date().toISOString(),
      source: 'HubSpot CRM',
      contact: fullContact.properties,
      associations: fullContact.associations,
      deals: deals.results.map(d => d.properties),
      notes: notes.results.map(n => n.properties),
    },
  };
}

interface ContactDataExport {
  found: boolean;
  data: {
    exportedAt: string;
    source: string;
    contact: Record<string, string>;
    associations?: any;
    deals: Record<string, string>[];
    notes: Record<string, string>[];
  } | null;
}
```

### Step 3: PII Redaction for Logging

```typescript
// Never log PII from HubSpot responses
const PII_FIELDS = new Set([
  'email', 'firstname', 'lastname', 'phone', 'mobilephone',
  'address', 'city', 'state', 'zip', 'country',
  'date_of_birth', 'ip_city', 'ip_state', 'ip_country',
]);

function redactContactForLogging(properties: Record<string, string>): Record<string, string> {
  const redacted: Record<string, string> = {};
  for (const [key, value] of Object.entries(properties)) {
    redacted[key] = PII_FIELDS.has(key) ? '[REDACTED]' : value;
  }
  return redacted;
}

// Usage
const contact = await client.crm.contacts.basicApi.getById(id, ['email', 'lifecyclestage']);
console.log('Contact data:', redactContactForLogging(contact.properties));
// Output: { email: "[REDACTED]", lifecyclestage: "customer" }
```

### Step 4: Consent Tracking

```typescript
// Track consent using HubSpot's communication preferences
// POST /crm/v3/objects/contacts (with consent properties)
async function createContactWithConsent(
  email: string,
  properties: Record<string, string>,
  consent: { marketing: boolean; sales: boolean }
): Promise<void> {
  await client.crm.contacts.basicApi.create({
    properties: {
      ...properties,
      email,
      hs_legal_basis: consent.marketing
        ? 'Legitimate interest - existing customer'
        : 'Not applicable',
    },
    associations: [],
  });

  // Set communication preferences via the subscriptions API
  if (consent.marketing) {
    await client.apiRequest({
      method: 'POST',
      path: `/communication-preferences/v3/subscribe`,
      body: {
        emailAddress: email,
        subscriptionId: process.env.HUBSPOT_MARKETING_SUBSCRIPTION_ID!,
        legalBasis: 'CONSENT_WITH_NOTICE',
        legalBasisExplanation: 'User opted in via signup form',
      },
    });
  }
}
```

### Step 5: Data Minimization

```typescript
// Only request the properties you actually need
// BAD: Fetches all default properties including PII
const bad = await client.crm.contacts.basicApi.getById(id);

// GOOD: Only fetch non-PII fields for analytics
const good = await client.crm.contacts.basicApi.getById(id, [
  'lifecyclestage',      // not PII
  'hs_lead_status',      // not PII
  'createdate',          // not PII
  'num_associated_deals', // not PII
]);
```

## Output

- GDPR delete endpoint permanently removing contact data
- Data export for Subject Access Requests
- PII redaction utility for safe logging
- Consent tracking with communication preferences
- Data minimization patterns for non-PII analytics

## Error Handling

| Issue | Cause | Solution |
|-------|-------|----------|
| GDPR delete returns 404 | Contact already deleted | Idempotent -- log and continue |
| Export missing associations | Scope not granted | Add `crm.objects.deals.read` scope |
| Consent API returns 400 | Invalid subscription ID | Check Settings > Marketing > Email > Subscriptions |
| PII in logs | Missing redaction | Wrap all logging with `redactContactForLogging` |

## Resources

- [HubSpot GDPR Compliance](https://developers.hubspot.com/docs/guides/api/crm/gdpr)
- [Communication Preferences API](https://developers.hubspot.com/docs/reference/api/marketing/subscriptions-preferences)
- [GDPR Developer Guide](https://gdpr.eu/developers/)

## Next Steps

For enterprise access control, see `hubspot-enterprise-rbac`.

Related Skills

generating-test-data

1868

from jeremylongshore/claude-code-plugins-plus-skills

Generate realistic test data including edge cases and boundary conditions. Use when creating realistic fixtures or edge case test data. Trigger with phrases like "generate test data", "create fixtures", or "setup test database".

managing-database-tests

1868

from jeremylongshore/claude-code-plugins-plus-skills

Test database testing including fixtures, transactions, and rollback management. Use when performing specialized testing. Trigger with phrases like "test the database", "run database tests", or "validate data integrity".

encrypting-and-decrypting-data

1868

from jeremylongshore/claude-code-plugins-plus-skills

Validate encryption implementations and cryptographic practices. Use when reviewing data security measures. Trigger with 'check encryption', 'validate crypto', or 'review security keys'.

scanning-for-data-privacy-issues

1868

from jeremylongshore/claude-code-plugins-plus-skills

Scan for data privacy issues and sensitive information exposure. Use when reviewing data handling practices. Trigger with 'scan privacy issues', 'check sensitive data', or 'validate data protection'.

windsurf-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Control what code and data Windsurf AI can access and process in your workspace. Use when handling sensitive data, implementing data exclusion patterns, or ensuring compliance with privacy regulations in Windsurf environments. Trigger with phrases like "windsurf data privacy", "windsurf PII", "windsurf GDPR", "windsurf compliance", "codeium data", "windsurf telemetry".

webflow-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement Webflow data handling — CMS content delivery patterns, PII redaction in form submissions, GDPR/CCPA compliance for ecommerce data, and data retention policies. Trigger with phrases like "webflow data", "webflow PII", "webflow GDPR", "webflow data retention", "webflow privacy", "webflow CCPA", "webflow forms data".

vercel-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement data handling, PII protection, and GDPR/CCPA compliance for Vercel deployments. Use when handling sensitive data in serverless functions, implementing data redaction, or ensuring privacy compliance on Vercel. Trigger with phrases like "vercel data", "vercel PII", "vercel GDPR", "vercel data retention", "vercel privacy", "vercel compliance".

veeva-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Veeva Vault data handling for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva data handling".

vastai-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Manage training data and model artifacts securely on Vast.ai GPU instances. Use when transferring data to instances, managing checkpoints, or implementing secure data lifecycle on rented hardware. Trigger with phrases like "vastai data", "vastai upload data", "vastai checkpoints", "vastai data security", "vastai artifacts".

twinmind-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Handle TwinMind meeting data with GDPR compliance: transcript storage, memory vault management, data export, and deletion policies. Use when implementing data handling, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind data handling", "twinmind data handling".

supabase-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement GDPR/CCPA compliance with Supabase: RLS for data isolation, user deletion via auth.admin.deleteUser(), data export via SQL, PII column management, backup/restore workflows, and retention policies. Use when handling sensitive data, implementing right-to-deletion, configuring data retention, or auditing PII in Supabase database columns. Trigger: "supabase GDPR", "supabase data handling", "supabase PII", "supabase compliance", "supabase data retention", "supabase delete user", "supabase data export".

speak-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Handle student audio data, assessment records, and learning progress with GDPR/COPPA compliance. Use when implementing data handling, or managing Speak language learning platform operations. Trigger with phrases like "speak data handling", "speak data handling".