Privacy Policy
Last updated: 2026-05-03
Who we are
HubSpot Jobber Sync (the App) is operated by Crosstown Tech, based in Ontario, Canada (the Operator, we, us). Contact: support@crosstowntech.com.
What data we access
When you install the App, we access the following data via the HubSpot and Jobber APIs:
From HubSpot
- Contacts, companies, and deals (read + write — we mirror them into Jobber)
- Deal pipelines and stage definitions (schema)
- Form submissions (read — to create Jobber Requests on intake)
- Files associated with form submissions (read — for attachment sync)
- Owner metadata (names, emails — for attribution)
From Jobber
- Clients, Properties, Requests, Quotes, Jobs, Invoices (read + write within the scopes you grant)
- Custom field configurations (read + write to register app-configured fields)
- Webhook events for the lifecycle topics you've subscribed to
We do not read or store: HubSpot conversations, marketing email bodies, payments / financial details beyond invoice balances, Jobber payments / payouts, or any object the OAuth scopes you grant do not cover.
What data we store
- Pairing records (a HubSpot Contact ↔ Jobber Client link, etc.) for sync routing.
- An audit log of every sync action: create, update, skip, fail, conflict.
- OAuth refresh tokens for both HubSpot and Jobber, encrypted at rest with AES-256-GCM.
- Installation + connection metadata: portal id, Jobber account id, scopes, install timestamps.
- Per-portal settings: pipeline mapping, dedup rule, notification email.
- Conflict review queue: records that need human resolution before sync continues.
We do not maintain copies of every Contact, Client, or Deal. We store the ids needed to route sync events and pull authoritative data on demand.
Where data is stored
All data is stored on Convex Cloud (operated by Convex Inc.) in their managed infrastructure in the United States. Refresh tokens are encrypted with AES-256-GCM before storage; the encryption key is held in environment variables outside the database.
Sub-processors
- Convex Inc. — backend database, function execution, and webhook ingestion (US).
- Vercel Inc. — frontend hosting and TLS termination (US).
- HubSpot, Inc. — your source CRM.
- Jobber Software Inc. — your field-service operations platform.
Retention
Pairing records, audit logs, and conflict queues are retained for as long as the App is installed. On uninstall, you may request deletion of all stored data by emailing support@crosstowntech.com. We will complete the deletion within 30 days. Refresh tokens are revoked and removed from our database immediately on uninstall.
Your rights (GDPR / CCPA)
If your data is covered by GDPR, CCPA, or similar laws, you have the right to access, correct, delete, or export the data we store about your HubSpot and Jobber accounts. Email support@crosstowntech.com and we will respond within 30 days.
Security
OAuth refresh tokens are encrypted at rest. Webhook payloads are verified using HubSpot's v3 signature and Jobber's HMAC-SHA256 schemes. All traffic between the App and either platform uses TLS. Access to production infrastructure is restricted to authorized personnel.
Changes to this policy
We may update this policy. Material changes will be communicated via the App's listings on the HubSpot and Jobber marketplaces, and via email to the installation owner.