Privacy Policy
ExtendStack ("we," "our," or "us") is operated by Impulse Creative Inc.. This privacy policy explains how we collect, use, and protect your information when you use our HubSpot integration tools and services ("Services") at extendstack.com.
1. Information We Collect
Information you provide through authorization: When you connect your HubSpot portal via OAuth, HubSpot provides us with an access token, refresh token, your email address, portal ID (Hub ID), company name, and portal domain. This is required for the Services to function.
Third-party API credentials: Some integrations require you to provide API keys or credentials for third-party services. These are provided voluntarily through our settings interfaces.
User preferences: Settings such as target keywords and custom instructions are stored locally in your browser (localStorage) and are only transmitted to our servers when you initiate a specific action that requires them.
Automatically collected information: When you authenticate, we create an encrypted session cookie containing your portal ID and app identifier. This cookie is HttpOnly, Secure, and expires after 7 days. Our website uses HubSpot's tracking code which may set cookies and collect standard analytics data such as page views and referral sources, governed by HubSpot's Privacy Policy.
2. How We Use Your Information
- OAuth tokens: Used exclusively to make authorized API calls to HubSpot on your behalf. Tokens are encrypted at rest and refreshed automatically.
- Portal ID and domain: Used to identify your HubSpot account and route API requests to the correct portal.
- Email address and company name: Submitted to our CRM via form submission when you first connect a portal, for the purpose of providing support, product updates, and service communications.
- Third-party API credentials: Used solely to interact with the respective third-party service on your behalf. Encrypted at rest.
- Page content: When you use AI-powered features, we may temporarily fetch published content from your pages to provide context to AI models. This content is processed in real-time and is not stored by ExtendStack.
3. KPI Dashboard — Specific Data Practices
The KPI Dashboard app has additional data practices specific to its functionality:
- What we read: Lifecycle stage property definitions, contact/company list membership counts, and closed-won deal amounts. We read these through HubSpot's API using the OAuth scopes you authorized.
- What we create in your portal: Dynamic HubSpot lists that track contacts or companies by lifecycle stage. These lists are native HubSpot objects that you own and can modify or delete at any time.
- What we store outside your portal: Aggregate numerical counts only — how many contacts/companies are in each list, and total deal revenue amounts. We do not store individual contact records, deal records, company records, emails, names, or any personally identifiable information from your portal.
- What we do NOT do: We do not modify, delete, or export your contacts, companies, or deals. We do not write to any contact or deal properties. We do not access email content, conversation history, or activity logs.
- Paid plan data: Subscription status is determined by looking up service records in our own HubSpot portal — not yours. No payment information passes through ExtendStack servers.
4. Data We Do NOT Store or Retain (General)
We want to be explicit about what we do not keep:
- Page content: We do not store copies of your website pages or CMS content. When used for AI features, content is fetched, processed, and discarded within the same request.
- AI prompts and responses: Prompts sent to AI services and the responses received are not logged or stored by ExtendStack. They exist only for the duration of the API request.
- HubSpot passwords: We never receive or store your HubSpot password. Authentication is handled entirely through HubSpot's OAuth flow.
- Change history: We do not maintain a history of edits or changes you make through our tools. All modifications are written directly to HubSpot via their API.
- Personal browsing activity: We do not track which specific records, pages, or data you view or edit within our tools beyond standard website analytics on our marketing pages.
5. Data Storage and Security
- Encryption: All sensitive data stored in our database (OAuth tokens, API keys, webhook secrets) is encrypted using AES-256-GCM encryption with a securely managed encryption key.
- Database: We use a managed Redis database for storing encrypted tokens and configuration only. No personal data, page content, or user activity is stored in this database.
- Session cookies: Encrypted with AES-256-GCM, set with HttpOnly and Secure flags, use SameSite=Lax, and expire after 7 days.
- Infrastructure: Our application runs on Vercel's serverless platform. API requests are processed in-memory and do not persist beyond the request lifecycle.
- Access control: Only authorized team members at Impulse Creative have access to production infrastructure and environment variables.
6. Third-Party Services
We use the following categories of third-party services to deliver our functionality:
| Category | Purpose | Data Shared |
|---|---|---|
| CRM Platform (HubSpot) | OAuth provider, data source/destination | OAuth tokens, CRM/CMS data per authorized scopes |
| Application Hosting (Vercel) | Serverless function hosting | Server logs (IP addresses, request paths) |
| Encrypted Storage (Redis) | Token and configuration storage | Encrypted tokens and API keys only |
| AI Services (Google Gemini) | Content analysis and recommendations | Page content (temporarily), current metadata |
| Third-Party Integrations | Data sync per integration | API credentials (encrypted), synced data |
We do not sell, rent, or share your data with any parties beyond what is necessary to deliver the Services as described above.
7. Data Retention
- OAuth tokens: Retained in our encrypted database until you disconnect your portal, revoke access through HubSpot, or request deletion.
- Third-party API credentials: Retained until you remove them through the settings interface or contact us for deletion.
- Session cookies: Automatically expire after 7 days.
- CRM form submissions: Contact records created in our CRM are retained according to standard CRM data retention policies.
- Browser localStorage: Stored in your browser only. Clearing your browser data removes these settings. We do not have access to your localStorage data.
- KPI Dashboard snapshots: The KPI Dashboard stores aggregate list size counts and revenue totals (not individual contact or deal records) in our encrypted database. Up to 90 historical snapshots are retained per portal for trend visualization. This data includes only numerical counts and dollar totals — no contact names, emails, deal names, or other personally identifiable information is stored. Snapshots are deleted when you disconnect your portal or request deletion.
- HubSpot lists created by KPI Dashboard: The KPI Dashboard creates dynamic lists in your HubSpot portal to track lifecycle stage metrics. These lists are native HubSpot objects owned by you and remain in your portal. We do not delete or modify these lists. You can edit or remove them at any time through HubSpot's list management interface.
- Embed tokens: Secure embed tokens generated for iframe embedding expire after 90 days. The HMAC secret used to generate tokens is stored encrypted in our database and can be rotated at any time from the dashboard settings, which immediately invalidates all previously issued tokens.
- Payment and subscription status: If you purchase a paid plan, your portal's paid status is stored in our database. We do not store payment card details, billing addresses, or financial information — all payment processing is handled by HubSpot Payments.
8. Your Rights
You have the right to:
- Disconnect: Revoke ExtendStack's access to your HubSpot portal at any time through HubSpot's Connected Apps settings.
- Request deletion: Contact us through impulsecreative.com to request deletion of all data associated with your portal ID.
- Access: Request a summary of what data we store for your portal.
- Correct: Update your information by reconnecting your portal or contacting us.
9. Children's Privacy
ExtendStack is a business tool designed for professional use. We do not knowingly collect information from children under 16. If you believe we have inadvertently collected such information, please contact us immediately.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify users of material changes by updating the "Last updated" date at the top of this page. Continued use of the Services after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this privacy policy or your data:
- Website: extendstack.com
- Company: Impulse Creative Inc. — impulsecreative.com