Last updated: 17 April 2026
Effective date: 17 April 2026
Published at: https://arisegtm.com/events-os/privacy
ARISE Events OS is a HubSpot Marketplace application developed and operated by ARISE GTM Ltd ("we", "us", "our").
Registered address: Available at arisegtm.com/about-us Privacy contact: support@arisegtm.com Data Controller: ARISE GTM Ltd (for data processed as part of providing the Application) Data Processor: ARISE GTM Ltd acts as a data processor for personal data held in your HubSpot portal
This policy explains how ARISE Events OS ("the Application") collects, stores, uses, and protects data when installed on a HubSpot portal.
This policy applies to:
When installed, the Application accesses data from your HubSpot portal to provide its services:
| Data type | Properties accessed | Purpose |
|---|---|---|
| Contact records | Name, email, job title, company, lifecycle stage, deal associations, events_os_* rollup properties | Match event registrants to contacts; calculate pipeline attribution; generate post-event intelligence |
| Company records | Name, industry, employee count | Audience analysis; attribution reports |
| Deal records | Name, amount, stage, close date, associated contacts | Pipeline attribution; Deal Room intelligence |
| Event records (custom/app object) | All event properties | Core application data |
| Registration records (custom/app object) | All registration properties | Attendee lifecycle management |
| Owner/user records | Name, HubSpot Meetings link | Meeting URL resolution for virtual events |
| HubSpot account settings | Portal ID, timezone, currency | Application configuration |
When contacts register for events managed by the Application:
This data is stored as Registration records in your HubSpot portal, associated to the registrant's Contact record.
The Application generates intelligence outputs using Anthropic's Claude API:
| Output | Where stored | Retention |
|---|---|---|
| Post-event narratives | Supabase (intelligence layer) | Duration of active subscription + 30 days |
| Pipeline attribution calculations | Supabase | Duration of active subscription + 30 days |
| No-show risk scores | Computed fresh on each request; not persisted | Not retained |
| Waitlist fit scores | Written to Registration record in HubSpot | Subject to HubSpot retention settings |
| Invite recommendations | Returned in real-time; not stored | Not retained |
Performance metrics from completed events (attendance rates, pipeline per attendee, event type) are contributed to a shared benchmark dataset. This data is fully anonymised — it contains no portal IDs, contact names, email addresses, company names, or any other personally identifiable information. It is aggregated statistical data only.
When the Application generates post-event alerts and notifications:
The arisegtm.com/events-os website may collect:
| Purpose | Data used | Lawful basis |
|---|---|---|
| Operating the Application (event builds, registration, check-in, workflows) | HubSpot CRM data, OAuth tokens | Contract performance |
| Pipeline attribution calculations | Deals, contacts, registrations | Contract performance |
| AI-generated intelligence (narratives, risk scores, recommendations) | Event and registration data | Contract performance |
| Anonymous cross-portal benchmarks | Aggregated, anonymised event metrics | Legitimate interest |
| Security monitoring and abuse prevention | Access logs, error logs | Legitimate interest |
| Billing and subscription management | Portal ID, plan data | Contract performance |
| Support and troubleshooting | Audit trail, command log | Legitimate interest |
| Product improvement | Anonymised usage patterns | Legitimate interest |
| Chrome extension functionality | Portal ID from HubSpot URL, notification preferences | Contract performance |
We do not sell your data. We do not allow advertisers to target users based on data processed by the Application.
We share data with the following sub-processors:
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| HubSpot, Inc. | CRM platform host | All CRM data lives in your HubSpot portal — we read/write via OAuth | USA (EU SCCs in place) |
| Anthropic, PBC | Claude AI API | Event context, attendee summaries for intelligence generation | USA |
| Railway Corp. | Backend hosting (Node.js/SQLite) | Encrypted OAuth tokens, operational data | USA |
| Supabase, Inc. | Intelligence data storage | Post-event narratives, attribution data, anonymised benchmarks | EU (by configuration) |
| Resend, Inc. | Transactional email | Email addresses for operational notifications only | USA |
All sub-processors are bound by data processing agreements. For transfers to the USA, we rely on Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms.
We may disclose data to competent authorities where required by law, or to protect against fraud, security threats, or abuse.
| Data | Location | Encryption |
|---|---|---|
| OAuth access/refresh tokens | Railway, SQLite | AES-256-GCM at rest |
| Post-event narratives, attribution | Supabase (EU) | At rest + TLS in transit |
| Anonymised benchmarks | Supabase (EU) | At rest + TLS in transit |
| Notification log | Railway, SQLite | At rest |
| HubSpot CRM data | Your HubSpot portal | HubSpot's own security controls |
The Application implements the following security controls:
In the event of a personal data breach, we will notify affected customers and relevant supervisory authorities in accordance with GDPR Article 33 (within 72 hours of becoming aware) and Article 34 where applicable.
| Data | Retention period |
|---|---|
| HubSpot CRM data (events, registrations, contacts) | Held in your HubSpot portal — subject to your own retention settings and GDPR obligations |
| Post-event narratives + attribution (Supabase) | Duration of active subscription + 30 days after cancellation |
| OAuth access and refresh tokens | Duration of active subscription; deleted on uninstall |
| Server access logs | 30 days |
| Notification log | 90 days |
| Command audit trail | Last 50 entries per portal (rolling) |
| Agent run logs | 90 days |
| Anonymised benchmark data | Indefinitely (no personal data) |
| Billing records | 7 years (UK/EU legal requirement) |
On cancellation: Post-event intelligence data stored in Supabase (narratives, attribution calculations) is deleted within 30 days of subscription cancellation. HubSpot CRM data (Event records, Registration records, contact rollup properties) remains in your portal under your control and is not deleted by us.
On uninstall: OAuth tokens are deleted immediately on uninstall. Supabase data is scheduled for deletion within 30 days.
If you are located in the United Kingdom or European Economic Area, you have the following rights regarding personal data we process:
To exercise any of these rights, contact support@arisegtm.com. We will respond within 30 days. We may need to verify your identity before processing your request.
Right to complain: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk (UK), or your local EU supervisory authority.
If you are a contact who registered for an event managed by this Application, your personal data is held in the HubSpot portal of the organisation that ran the event. To request access, correction, or deletion of your personal data, contact that organisation directly — their contact details will be in the confirmation email you received when registering.
ARISE GTM Ltd acts as a data processor for this data on behalf of the event organiser (the data controller). If you cannot reach the event organiser or believe your rights are not being respected, contact us at support@arisegtm.com and we will direct you to the appropriate contact.
ARISE Events OS is distributed via the HubSpot App Marketplace. Your use of the Application is subject to:
HubSpot manages billing and subscription for Marketplace applications. Payment data is processed by HubSpot, not by ARISE GTM Ltd.
The Application sends event context data to Anthropic's Claude API to generate intelligence outputs. This includes:
Data sent to Anthropic is processed in accordance with Anthropic's API Data Usage Policy. We do not send personally identifiable information (names, email addresses) to the Anthropic API.
The ARISE Events OS Chrome Extension:
chrome.storage.local)The extension does not collect browsing history, read page content outside HubSpot, or transmit any data except portal ID and explicit user-triggered report requests.
The arisegtm.com/events-os website may use essential cookies for session management. We do not use tracking, advertising, or analytics cookies without consent.
The Application itself (HubSpot card, RSVP pages, check-in pages) does not set cookies.
The Application is not designed for use by children under 13 and we do not knowingly collect data from children. If you believe we have collected data from a child, contact support@arisegtm.com immediately.
We will update this policy when material changes are made. We will notify HubSpot portal administrators of significant changes via email at least 14 days before they take effect. The date at the top of this page indicates when it was last updated.
For non-material changes (formatting, clarifications that do not affect data practices), we will update the policy without separate notification.
Privacy enquiries and data subject requests: Email: support@arisegtm.com
Security vulnerability reports: Email: support@arisegtm.com
General support: Email: support@arisegtm.com Website: arisegtm.com/events-os
ARISE GTM Ltd United Kingdom arisegtm.com
