1. Scope and roles
This notice applies to territorylogic.com, the hosted console, HubSpot application surfaces, and the current early-access integration. For CRM data selected by a customer, the customer determines why that data is processed and TerritoryLogic acts as a service provider processing it to provide the app. For website visits, installation records, support communication, security logs, and service administration, the TerritoryLogic operator determines the operational purpose.
2. Information processed
HubSpot installation and identity
- HubSpot portal, app, installer/user, and owner identifiers; display information needed to show eligible owners and members.
- Approved OAuth scopes and encrypted access/refresh token envelopes.
- Portal-scoped roles, sessions, launch-code evidence, and authorization events.
Company routing data
- Opaque HubSpot company record ID, current owner ID, recognized country, normalized ZIP5, and bounded validity/source evidence.
- Territory programs, exact ZIP membership, fixed-owner configuration, drafts, simulations, decisions, exceptions, jobs, and write/rollback evidence.
- Only bounded, allowlisted filter facts when required by a configured current capability.
Operational and support data
- Request/correlation identifiers, timestamps, bounded provider response metadata, service logs, and security events.
- Email address and the information you choose to include when contacting support.
- Basic browser/network metadata received by hosting and map-tile providers, such as IP address, user agent, requested URL, and map viewport requests.
3. Information deliberately outside the current routing path
TerritoryLogic does not geocode addresses in the current release and does not retain raw company street addresses or malformed ZIP input for routing. Contacts, deals, tickets, leads, activities, and custom objects are not supported public programs. Sensitive and highly sensitive HubSpot scopes are not requested. Paid checkout and production transactional email are disabled, so the app does not currently create Stripe purchases or send automated lifecycle messages.
4. Purposes
- Authenticate the selected HubSpot portal and enforce portal-scoped roles.
- Sync supported company/owner evidence, evaluate exact ZIP territories, and display explainable results.
- Operate authorized publication, safe-skip, recovery, rollback, audit, privacy, and uninstall paths.
- Secure, diagnose, meter, and improve the service; enforce plan and abuse limits.
- Respond to support, privacy, security, and uninstall requests.
5. Cookies and browser storage
The service uses necessary cookies for OAuth state, selected-portal installation intent, CSRF protection, and secure hosted-console sessions. It does not currently describe advertising cookies or behavioral advertising as part of the product. Do not remove necessary session cookies while operating a job; sign in again if they expire.
6. Sharing and service providers
Data is disclosed only as needed to operate the connected HubSpot workflow, infrastructure, support, security, and future services you explicitly activate. Current and inactive providers are listed on Subprocessors. TerritoryLogic does not sell CRM data or use it for third-party advertising.
7. Retention
Active-workspace data is retained while needed to provide the service, protect the write/rollback boundary, and satisfy security/operational needs. The current early-access service does not yet apply catalog-specific automatic audit deletion periods. The seven-day, 90-day, one-year, and two-year figures on the Pricing page are planned launch entitlements, not current purge schedules or contractual minimum/maximum guarantees. Short-lived launch codes and hosted sessions expire earlier. Uninstall triggers deletion of the active installation's customer-derived workspace data and may leave a data-free generation/purge receipt.
Support correspondence is retained in the operational mailbox while needed to resolve the request, maintain a reasonable security and service history, and address abuse or legal obligations. A fixed contractual maximum for support-email retention has not yet been adopted. You may request deletion of a support thread, subject to identity verification and any record that must be retained for security or legal reasons. A defined commercial retention schedule will be posted before paid launch.
Provider backups may expire after active deletion rather than immediately. A contractual maximum backup-retention window has not yet been published. It will be posted before paid commercial launch; customers needing that commitment now should not use early access.
8. Security
Implemented controls include encrypted token envelopes, portal-bound sessions, forced PostgreSQL row-level security, separate maintenance access, request signing/CSRF checks, data minimization, immutable evidence, and fail-closed write gates. See Security for both controls and unfinished assurance work.
9. Deletion and rights requests
Uninstall the app in HubSpot to initiate the portal lifecycle purge. For access, correction, deletion, objection, restriction, or portability questions that apply under your law, contact support@territorylogic.com with the portal ID and request type—never tokens or CRM exports. TerritoryLogic may need to verify portal authority and coordinate with the customer organization that controls the HubSpot data.
10. International processing and children
The current infrastructure and primary customer-data region are United States based, while Cloudflare and connected providers may process network traffic globally. Regional data residency is not offered. TerritoryLogic is a business operations tool and is not directed to children.
11. Changes and contact
The reviewed date above identifies the current notice. Automated policy-change email is not enabled, so review this page during early access. Contact support@territorylogic.com; the best-effort early-access response target is one business day and is not a contractual SLA.