DiffSpot - Privacy Policy

Effective Date: 2026-02-14

Company: Concretio Holistic Software Services Private Limited

Contact: diffspot@concret.io

1. Introduction

Concretio Holistic Software Services Private Limited ("Concretio", "we", "us", "our") operates HubSpot Sandbox Scanner, also branded as DiffSpot ("the Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Service.

By using the Service, you agree to the collection and use of information as described in this Policy.

2. Information We Collect

2.1 Information You Provide

  • Email address (transient) — If you submit your email to receive a scan report, it is used only to send that single email via SMTP. Your email address is not stored in any database after delivery.

  • HubSpot OAuth authorization — When you connect your HubSpot portal, we receive a time-limited OAuth access token. This token is stored only in an encrypted, httpOnly session cookie (15-minute expiry) and is never persisted to a database. We use it solely to perform read-only CRM configuration scans on your behalf.

2.2 HubSpot Configuration Metadata (Not Personal CRM Records)

When you authorize a scan, we access the following configuration metadata from your HubSpot portal via read-only APIs:

  • Custom properties and property groups

  • Custom object schemas

  • Deal and custom pipelines

  • Association labels

  • Forms (structure and settings)

  • Workflow definitions (enabled/disabled status, object bindings)

  • Portal/account identifiers (Portal ID, account name)

Important: We access CRM configuration metadata only — property names, pipeline names, schema definitions, workflow names, and form structure. We do not access, read, or store actual HubSpot CRM records (contact emails, company names, deal values, or any customer data).

OAuth scopes requested: The required scopes include crm.objects.contacts.read, crm.objects.companies.read, crm.objects.deals.read, crm.objects.projects.read, crm.lists.read, crm.schemas.*.read, forms, and oauth. We also request the following optional scopes (which HubSpot may or may not grant depending on your portal): automation, crm.objects.custom.read, and crm.schemas.custom.read. Some of these scopes (e.g., crm.objects.*.read, crm.lists.read) grant record-read capability, but our code only calls schema and configuration endpoints — never the record-retrieval endpoints. These broader scopes are required by HubSpot's permission model for schema access.

Temporary server-side storage: Configuration metadata retrieved during a scan is temporarily cached in Google Cloud Firestore (encrypted at rest) for up to 10 minutes to power comparison and export features. This cache is automatically deleted after 10 minutes or immediately when you disconnect or log out. See Section 5.3 for full retention details.

2.3 Automatically Collected Technical Data

  • IP address — Collected automatically via Google Cloud Run server logs (us-central1, Iowa, USA)

  • Request metadata — HTTP method, response codes, request timestamps

  • Session data — Encrypted httpOnly session cookie (JWT, 15-minute expiry) containing: HubSpot OAuth access tokens, portal identifiers (ID and name), session creation timestamp, current workflow type (scan or compare), Firestore cache document IDs, and optional GitHub OAuth token. For comparison workflows, the cookie also contains portal session data for both portals being compared. All session data is stored in your browser only, not in our database.

We do not use third-party analytics platforms (e.g., Google Analytics, Mixpanel) and do not set advertising or tracking cookies. Note: the Service loads Material Symbols icons from Google Fonts CDN (fonts.googleapis.com), which means your browser makes a direct request to Google's servers when using the Service, subject to Google's own privacy policy.

2.4 User-Initiated Data Exports

When you choose to export scan or comparison results, data leaves our system via the method you select:

  • Email export — Your scan/comparison report (JSON and/or Excel attachment) is sent to the email address you provide via SMTP (with TLS encryption enforced). Once delivered, we do not retain a copy. The report then resides on your email provider's servers, subject to their privacy practices.

  • GitHub export — Your scan/comparison report (JSON) is committed to a repository you specify on GitHub under hubspot-backups/. This is stored in your GitHub account, subject to GitHub's privacy practices. We do not retain a copy after the export completes.

  • Browser download — JSON or Excel files are generated server-side and delivered directly to your browser as a download. No copy is retained on our servers.

3. How We Use Your Information

We use collected information to:

  • Deliver the Service — Perform HubSpot portal scans, compute diffs, generate complexity scores and reports

  • Send reports — Email scan and diff reports to the address you provide (email is used once for delivery and not retained)

  • Cache scan results transiently — Store HubSpot configuration metadata in Firestore for up to 10 minutes to power comparison features; deleted on disconnect or logout

  • Security and fraud prevention — Detect and investigate unauthorized access or misuse

  • Legal compliance — Comply with applicable laws and legal obligations

  • Service improvement — Analyze aggregate, anonymized server log patterns to improve the Service

We do not use your data for advertising, sell it to third parties, or use it to train AI or machine learning models.

3.1 Legal Basis for Processing (GDPR — EU Users)

For users in the European Union, our legal bases for processing are:

Processing Activity | Legal Basis
HubSpot config scan (OAuth) | Performance of service (you initiated the scan)
Email report delivery (transient) | Consent (you provided the email to receive the report)
Server logs / security | Legitimate interest (security and service integrity)
Legal compliance | Legal obligation

4. How We Share Your Information

We do not sell your personal information to third parties.

4.1 Service Providers

We share data with the following sub-processors to operate the Service:

Provider | Purpose | Data Shared
HubSpot (via API) | CRM configuration access | OAuth token; portal config metadata received
GitHub (Octokit) | User-initiated config backup exports | HubSpot config JSON artifacts (user-triggered, to your own repo); requires repo scope (full repository access) — only used to write to hubspot-backups/ folder
SMTP / Nodemailer | Report email delivery | Your email address and report content
Google Cloud Run (GCP) | Application hosting and infrastructure | Server logs, IP addresses
Google Cloud Firestore (GCP) | Ephemeral scan cache (10-min TTL) | HubSpot configuration metadata; no user PII

All sub-processors are contractually required to protect your data and use it only for specified purposes.

4.2 Legal Requirements

We may disclose your information if required by law, court order, or government authority, or to:

  • Comply with a legal process or regulatory requirement

  • Enforce our Terms of Service

  • Protect the rights, property, or safety of Concretio, our users, or the public

  • Investigate potential fraud or security incidents

4.3 Business Transfers

If Concretio is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via a prominent service notice before your data is transferred and becomes subject to a different privacy policy.

5. Data Storage and Security

5.1 Storage Location

The Service runs on Google Cloud Run in us-central1 (Iowa, USA). HubSpot configuration metadata is temporarily cached in Google Cloud Firestore (same GCP project, encrypted at rest, 10-minute TTL). No personal data (email addresses or OAuth tokens) is stored in our database — all sensitive session data lives exclusively in your browser's encrypted httpOnly session cookie. User-initiated GitHub backup exports are stored in the GitHub repository you specify and are subject to GitHub's own storage and security practices. User-initiated email exports are delivered via SMTP and reside on the recipient's email provider.

5.2 Security Measures

We implement the following security measures:

  • TLS/SSL encryption for all data in transit

  • Encryption at rest for database storage

  • OAuth token handling with short-lived bearer tokens

  • Access controls limiting internal access to production data

  • Health checks and monitoring via Google Cloud Run

5.3 Data Retention

Data Type | Retention Period
Email addresses | Not retained — used transiently for SMTP delivery only
HubSpot OAuth tokens | Not retained — stored only in your browser session cookie (15-min expiry); deleted on disconnect or logout
GitHub OAuth token | Not retained — stored only in session cookie; cleared on logout
Scan cache (Firestore) | 10 minutes — explicit TTL; also deleted immediately on disconnect or logout
Server logs (Cloud Run) | Per GCP standard retention (typically 30–90 days)

Because no personal data is stored in our database, there is effectively no data to delete on our end beyond server logs. If you have concerns about server log retention, contact diffspot@concret.io.

6. Your Rights and Choices

6.1 Access and Correction

You may request access to the personal information we hold about you by contacting diffspot@concret.io.

6.2 Deletion

The Service does not persist personal data in our database. Session data (OAuth tokens, scan cache) is automatically deleted within 10 minutes or immediately on disconnect/logout. For server log deletion requests, contact diffspot@concret.io; we will respond within 30 days.

6.3 No Marketing Communications

The Service does not retain your email address for marketing purposes. If you receive any communication from us, it is limited to the specific report you requested. You may contact diffspot@concret.io to raise any communication concerns.

6.4 HubSpot OAuth Revocation

You may revoke our access to your HubSpot portal at any time through your HubSpot account settings under "Connected Apps". Since scan cache is deleted within 10 minutes by design (and immediately on disconnect), revoking access effectively ends all data processing.

6.5 Cookies

The Service sets exactly two cookies, both strictly necessary for operation:

Cookie | Purpose | Expiry
session | Encrypted JWT containing HubSpot/GitHub OAuth tokens and scan cache IDs | 15 minutes
github_oauth_csrf | CSRF nonce for GitHub OAuth flow | 10 minutes (deleted on completion)

We also use browser localStorage to store your theme preference:

Storage | Purpose | Expiry
localStorage: theme | Dark/light mode preference ("dark" or "light" string) | Persistent until browser data cleared

All cookies are httpOnly, Secure (in production), and SameSite=Lax. The localStorage item stores only a UI preference string (no personal data). We do not set advertising, tracking, analytics, or persistent identification cookies. Blocking cookies will prevent OAuth authentication from working.

7. Children's Privacy

The Service is intended for business users (HubSpot administrators, RevOps professionals, and agencies) and is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact us immediately at diffspot@concret.io.

8. International Data Transfers

Concretio is incorporated in India. Data you provide may be transferred to and processed in other countries, including the United States (Google Cloud Platform) and wherever our sub-processors operate.

As an India-incorporated company receiving data from EU/UK users, we act as a data processor or controller subject to GDPR's extraterritorial scope. The obligation to implement transfer safeguards under GDPR Chapter V (Articles 44–49) sits with the EU/UK-side data controller. Where we act as a data processor receiving EU personal data, we are prepared to enter into Standard Contractual Clauses (SCCs) or Data Processing Agreements (DPAs) as required by the EU-side controller. For questions about applicable transfer mechanisms, contact diffspot@concret.io.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting a prominent notice on the Service prior to the change taking effect. Because the Service does not maintain persistent user accounts or retain email addresses, in-app notification is our primary notice mechanism.

The "Effective Date" at the top of this Policy indicates when it was last updated. Continued use of the Service after changes constitutes acceptance.

10. Contact Information

For privacy-related questions, requests, or complaints:

Email: diffspot@concret.io

Address: A-697 Malviya Nagar, Jaipur, Rajasthan, 302017, India

Regional Privacy Rights

US Users — General

Your rights vary by state. California residents have additional rights under CCPA (see below). We do not sell your personal information to any third party.

California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). New CPPA regulations effective January 1, 2026 (covering cybersecurity audits, risk assessments, and automated decision-making) apply where relevant to our processing activities:

  • Right to Know — Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, or sell about you

  • Right to Delete — Request deletion of personal information we have collected, subject to legal exceptions

  • Right to Correct — Request correction of inaccurate personal information

  • Right to Opt Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising. No opt-out action is required.

  • Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights

To exercise your rights: Contact diffspot@concret.io. We will respond within 45 days.

Do Not Sell or Share: We do not sell or share personal information for cross-context behavioral advertising. You can verify this at our Do Not Sell or Share page.

European Union Users (GDPR)

If you are in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:

  • Right of Access (Art. 15) — Obtain a copy of your personal data we process

  • Right to Rectification (Art. 16) — Correct inaccurate personal data

  • Right to Erasure (Art. 17) — Request deletion of your data ("right to be forgotten")

  • Right to Restriction (Art. 18) — Restrict processing in certain circumstances

  • Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format

  • Right to Object (Art. 21) — Object to processing based on legitimate interests

  • Right to Lodge a Complaint — You have the right to lodge a complaint with your local supervisory authority

To exercise your rights: Contact diffspot@concret.io. We will respond within one month of receipt, extendable by a further two months for complex or numerous requests (three months maximum under GDPR Article 12(3)). We will notify you of any extension within the initial one-month period.

EU Representative: Under GDPR Article 27(2)(a), we are not required to appoint an EU-based representative. Our processing of EU personal data is occasional (short on-demand sessions with no persistent user accounts), does not include large-scale processing of special categories of data (Article 9) or data relating to criminal convictions (Article 10), and is unlikely to result in a risk to the rights and freedoms of natural persons — given that we store no personal data beyond a 10-minute ephemeral cache, do not retain email addresses, and access only CRM configuration metadata (not personal records). Should our processing activities change in nature or scale, we will appoint an EU representative and update this section accordingly. For all GDPR-related matters, contact: diffspot@concret.io.

Data Protection Officer (DPO): We are not required to appoint a DPO as we are not a public authority, do not carry out large-scale systematic monitoring, and do not process sensitive data at scale. Privacy inquiries should be directed to diffspot@concret.io.

United Kingdom Users (UK GDPR / DPA 2018 / DUAA 2025)

If you are in the United Kingdom, you have the same rights as EU users above under the UK GDPR and Data Protection Act 2018. Note: The Data (Use and Access) Act 2025 (DUAA) introduces targeted reforms layered on top of this framework, including changes to recognised legitimate interests and international transfer rules. To exercise your rights or lodge a complaint, you may contact the Information Commissioner's Office (ICO) at www.ico.org.uk.

UK Contact: diffspot@concret.io

Canadian Users (PIPEDA / Quebec Law 25)

If you are in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). Note: Bill C-27 (which would have replaced PIPEDA with the CPPA) did not pass and is not in force as of 2026; PIPEDA remains the governing federal law. If you are in Quebec, the stricter requirements of Quebec's Law 25 (Act 25, fully in force since September 2024) may also apply, including enhanced consent requirements and extended privacy rights.

You have the right to:

  • Access your personal information

  • Challenge the accuracy of your personal information

  • Withdraw consent (subject to legal restrictions)

  • Lodge a complaint with the Office of the Privacy Commissioner of Canada (or the Commission d'accès à l'information for Quebec residents)

Privacy Officer: diffspot@concret.io

Australian Users (Privacy Act 1988)

If you are in Australia, your personal information is protected under the Privacy Act 1988 and the Australian Privacy Principles (APPs). Note: The Privacy and Other Legislation Amendment Act 2024 (Royal Assent December 10, 2024) introduced a statutory tort for serious privacy invasions (effective June 2025) and enhanced enforcement powers for the OAIC. You have the right to access and correct your personal information. To exercise your rights or lodge a complaint, contact diffspot@concret.io. You may also contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Indian Users (DPDP Act 2023 / IT Act 2000)

If you are in India, your personal data is protected under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000. The DPDP Rules were notified on November 13–14, 2025. Full substantive compliance obligations (consent, data principal rights, grievance redressal with penalties) are being phased in, with enforcement expected by May 2027. We are committed to proactive early compliance with all provisions.

Your rights under the DPDP Act:

  • Right to Access — Know what personal data we process about you

  • Right to Correction and Erasure — Request correction or deletion of your personal data

  • Right to Grievance Redressal — File a complaint with our Grievance Officer; escalate to the Data Protection Board of India (DPBI) if unresolved

Grievance Officer:
Abhinav Gupta
diffspot@concret.io
A-697 Malviya Nagar, Jaipur, Rajasthan, 302017, India

Grievances will be acknowledged within 24–72 hours and resolved within 7 working days, per the DPDP Rules, 2025.

Brazilian Users (LGPD)

If you are in Brazil, your personal data is protected under the Lei Geral de Proteção de Dados Pessoais (LGPD — Law No. 13,709/2018). You have the right to:

  • Confirm existence of and access your personal data

  • Correct incomplete or inaccurate data

  • Anonymize, block, or delete unnecessary data

  • Data portability

  • Information about third-party sharing

  • Revoke consent

  • Lodge a complaint with the ANPD (Autoridade Nacional de Proteção de Dados)

LGPD Contact / DPO: diffspot@concret.io