Data handling

Private-beta privacy information

This page explains how the Restor private beta handles operator and HubSpot data. The legal entity, controller/processor roles, contacts, and binding commitments must also appear in the signed beta agreement and DPA before access is provisioned.

Last updated 18 July 2026 · private beta

Roles and scope

The HubSpot customer is normally the controller of CRM data and Restor acts as its processor for the documented backup service. Restor is a controller for limited account, security, support, and business-contact information. If the signed DPA says otherwise, that agreement controls.

Data we handle

  • Approved operator email, authentication/session information, and MFA factor metadata.
  • HubSpot portal identifiers, granted scopes, and encrypted OAuth credentials.
  • The supported CRM, activity, workflow, and behavioral-event data described in the customer's coverage schedule.
  • Restore audit records, sync outcomes, safe operational identifiers, and support correspondence.
  • Route-level aggregate analytics with HubSpot and database identifiers replaced by placeholders.

Restor does not intentionally put HubSpot property values into logs, analytics, or notification email.

Why and where

We use this data to authenticate the designated operator, create and monitor backups, show history and diffs, execute confirmed supported restores, detect failures or unusual deletion volume, provide exports/support, and meet security or legal obligations.

CRM backup contents are stored and processed in the configured EU application, database, worker, and encrypted-backup regions. Control-plane and email metadata have separately disclosed transfer boundaries. See the current subprocessor list.

Retention and deletion

Backup history remains available while the service is connected. Disconnecting starts the documented 90-day live-service retention window. An organization-deletion request has a seven-day grace period; live-service data is then removed. Access-restricted, encrypted disaster-recovery copies expire under a separate approximately 60-day lifecycle, so residual ciphertext can remain for up to roughly 150 days after disconnect. The signed agreement states the applicable customer-specific schedule.

Requests and contact

CRM data-subject requests should normally go to the HubSpot customer as controller. Operators can request access, correction, export, deletion, or security help through the monitored address in their agreement or at hello@restor.eu. We may need to verify identity and customer authorization before acting.