Account Map is a HubSpot CRM integration operated by Redcoded Limited, a company registered in New Zealand. This policy describes what data Account Map accesses, how it is handled, and what is stored.
Data Accessed via HubSpot OAuth
When you install Account Map, it requests access to your HubSpot portal via OAuth. The following data is read through the HubSpot API:
Contact records
- Names, job titles, and email addresses
- Company associations
- Buying roles and custom org-chart properties
Company records
- Company name and domain
Engagement records
- Email timestamps and direction (inbound/outbound)
- Call timestamps and direction
- Meeting timestamps
- Associated owner for each engagement
Owner/sales rep records
- Name and email address
Contact property schemas
- Property definitions are read to check for and create custom properties used by Account Map (e.g., org-chart position, buying role)
Data Stored
OAuth tokens
Access tokens and refresh tokens are stored in Upstash Redis (encrypted at rest), keyed by HubSpot portal ID. Stored token data includes:
accessTokenandrefreshTokenexpiresAttimestampinstalledAttimestampportalIdapiBaseUrl
Tokens are retained until the app is uninstalled or the tokens are revoked by HubSpot.
No CRM data is stored
No contact data, engagement data, or company data is stored outside of HubSpot. All CRM data is fetched from the HubSpot API at request time, processed in memory, and returned to the CRM card. Nothing is persisted to disk or database.
Data written back to HubSpot
Org chart arrangements and buying role assignments are written back to HubSpot as contact properties on the relevant contact records. This data lives in your HubSpot portal, not on Account Map servers.
What We Do Not Collect
- No analytics or tracking scripts on the landing page or in the CRM card
- No cookies are set by Account Map (the CRM card runs inside a HubSpot iframe, which may use HubSpot's own cookies)
- No data is sold to or shared with third parties
- No data is transferred outside of the direct HubSpot API to Account Map server communication path
Data Processing
All CRM data is processed in memory during API requests and is not persisted. The data flow is:
- The HubSpot CRM card iframe makes requests to Account Map API endpoints
- Account Map API endpoints use stored OAuth tokens to fetch data from the HubSpot API
- Data is assembled into a response and returned to the CRM card
- No intermediate data is written to logs, databases, or files
CORS Policy
Account Map API endpoints accept requests from any origin. This is required for the HubSpot CRM card, which runs inside an iframe on HubSpot-controlled domains. No authentication-sensitive operations are exposed via these open CORS endpoints without valid OAuth tokens.
Data Security
- All communication between Account Map and HubSpot uses HTTPS
- OAuth tokens are encrypted at rest in Upstash Redis
- No CRM data is stored outside of HubSpot
- The application is deployed on Vercel with automatic TLS
Your Rights
You can revoke Account Map's access to your HubSpot portal at any time by uninstalling the app from your HubSpot account settings. This will invalidate all stored tokens. Since no CRM data is stored outside of HubSpot, there is no additional data to delete.
Contact
If you have questions about this privacy policy or Account Map's data handling practices, contact us at:
Redcoded Limited
New Zealand