Privacy Policy
Last Updated: March 28, 2026 · Effective: March 28, 2026
Third Space, LLC ("Thirdspace," "we," "us," or "our") operates Safe Merge ("the Service"), a HubSpot integration that provides snapshot protection, 3-stage duplicate detection, snapshot-based unmerge, and Emergency Unmerge for CRM records. This Privacy Policy describes how we collect, use, store, share, and protect information when you use Safe Merge.
If you have questions about this Privacy Policy, contact us at joshua@thirdspaced.com.
1. Identity and Contact Details
Data Controller (for account & billing data):
Third Space, LLC
Email: joshua@thirdspaced.com
Website: https://safemerge.app
Data Processor (for CRM data processed on your behalf): When we process HubSpot CRM data on behalf of your organization, your organization is the Data Controller and we act as a Data Processor. See our Data Processing Agreement for details.
2. Categories of Data We Collect and Process
2.1 HubSpot CRM Data (Processed on Your Behalf)
When you install Safe Merge and authorize access via HubSpot OAuth, we access the following CRM data through HubSpot's API:
- Contact properties (names, email addresses, phone numbers, job titles, custom fields)
- Company properties (names, domains, industry, revenue, custom fields)
- Deal properties (deal names, amounts, stages, pipelines, custom fields)
- Associations between records (contact-company, contact-deal, company-deal, etc.)
- Engagement metadata (notes, tasks, calls, emails, meetings - accessed during Emergency Unmerge operations)
- Merge audit history (HubSpot's internal
hs_merged_object_ids property)
2.2 CRM Snapshot Data
Safe Merge creates automated snapshots of CRM records to enable merge protection and unmerge capabilities. Snapshot data includes:
- Compressed JSON representations of contact, company, and deal record states at point-in-time
- Association mappings between records at time of snapshot
- Snapshot metadata (timestamps, record IDs, operation type)
Storage: Snapshot data is stored in two locations:
- PostgreSQL database (Render): Full CRM record snapshots, including all property values and association mappings, are stored in our encrypted hosted database. This is the authoritative copy used for all unmerge operations, and supports records of any size.
- HubSpot custom properties (supplementary): Where technically feasible (within HubSpot's 65 KB per-property limit), an encoded copy of the snapshot is also written to a custom property on the record in your HubSpot portal. Records exceeding this limit are stored in our database only.
Retention: Snapshot data is retained according to your subscription plan tier:
| Plan | Snapshot Retention |
|---|
| Free | 7 days |
| Starter | 30 days |
| Growth | 90 days |
| Pro | 180 days |
| Enterprise | 365 days |
Snapshots exceeding the retention period are automatically purged. Upon account termination, snapshot data is retained for 30 days to allow data export, then permanently deleted.
2.3 Account and Authentication Data
- HubSpot Portal ID
- OAuth access and refresh tokens (encrypted at rest)
- Portal administrator email address
- Account creation and authentication timestamps
2.4 Billing and Payment Data
- Stripe Customer ID and subscription status
- Plan tier, billing frequency, and payment history
- Credit balance and usage history (for Emergency Unmerge credits)
We never see or store credit card numbers, bank account details, or other direct payment instruments. All payment processing is handled by Stripe. All subscription payments and credit purchases are final and non-refundable - see our Terms of Service, Section 3.6 for complete refund policy details.
2.5 Usage and Activity Data
- Snapshot operation counts and timestamps
- Unmerge operation logs (record IDs, operation type, timestamps)
- Duplicate detection operation logs (record pairs analyzed, confidence scores)
- Bulk Merge Audit activity (records reviewed, actions taken)
- API request metadata (endpoints accessed, response codes)
- IP addresses (for security and rate limiting)
- Error logs (with PII sending disabled via Sentry configuration)
3. Purposes of Processing
We process personal data for the following specific purposes:
- Service delivery: Creating pre-dedup CRM snapshots before each merge, detecting merges, executing snapshot-based unmerge operations, and restoring record associations.
- Duplicate detection: Analyzing CRM record fields using a 3-stage detection pipeline (exact matching, fuzzy matching, and advanced pattern matching via Anthropic's API) to identify potential duplicate records. CRM field data (names, emails, phone numbers, company names, domains) is transmitted to Anthropic for comparison analysis. See Section 5a for details.
- Web search verification: Using web search tools to retrieve publicly available information for validating duplicate match confidence. See Section 5b for details.
- Reconstruction: When you use Emergency Unmerge, transmitting relevant CRM data to Anthropic's API for reconstruction analysis to reconstruct pre-merge record states. See Section 5 for full details.
- Snapshot storage: Maintaining full point-in-time CRM record snapshots (property values and association mappings) in our encrypted database, with supplementary copies in HubSpot custom properties where size permits, to enable merge recovery.
- Billing and payment processing: Managing subscriptions, processing credit purchases, enforcing plan limits, and maintaining billing records.
- Customer support: Responding to support requests and troubleshooting service issues.
- Security and fraud prevention: Detecting unauthorized access, enforcing rate limits, and protecting the integrity of the Service.
- Legal compliance: Retaining records required by applicable tax, financial, and data protection regulations.
- Service improvement: Analyzing aggregated, anonymized usage patterns to improve service reliability and performance.
4. Lawful Basis for Processing (GDPR)
As a Data Processor for CRM data (including snapshots and data transmitted for duplicate detection or reconstruction), the lawful basis determination falls on you (the Data Controller). We process CRM data solely on your documented instructions per our Data Processing Agreement.
As a Data Controller for our own account and operational data, we rely on the following bases:
- Contract performance (Article 6(1)(b)): Processing necessary to deliver the Safe Merge service you have subscribed to.
- Legitimate interest (Article 6(1)(f)): Security monitoring, fraud prevention, and service reliability - balanced against your privacy rights.
- Legal obligation (Article 6(1)(c)): Retaining billing records and tax documentation as required by law.
5. Reconstruction Processing Disclosure
Important: This section describes how your data is processed when you use the Emergency Unmerge feature. Standard snapshot-based unmerge does not involve reconstruction processing.
When you use the Emergency Unmerge feature, relevant CRM data (names, email addresses, phone numbers, deal amounts, company information, and engagement metadata) is transmitted to Anthropic's API via encrypted API calls for reconstruction analysis. Anthropic processes this data solely to generate analysis outputs for the Safe Merge service. The reconstruction analysis is the primary deliverable you purchase with Emergency Unmerge credits. The resulting analysis, including per-property attributions, confidence scores, merge forensics, and association mappings, is provided to you as a downloadable JSON report. The optional execution step (applying changes to HubSpot) is a supplementary service provided on top of the reconstruction analysis at no additional credit cost.
Under our agreement with Anthropic:
- Your data is not used to train models. Anthropic's Commercial Terms of Service prohibit the use of API customer content for model training.
- Prompts and outputs are deleted within 30 days of submission to Anthropic's API.
- Anthropic is bound by our Data Processing Agreement including Standard Contractual Clauses for international data transfers.
Reconstructions are probabilistic analyses, not guaranteed reproductions of original data. You must independently review, verify, and approve all reconstructions before they are executed. The Emergency Unmerge feature includes a mandatory human review step - no changes are made to your CRM until you explicitly approve them.
We use Anthropic's advanced pattern matching service for reconstruction analysis. We may update the specific version used without notice, but will always use services covered by Anthropic's Commercial Terms.
Important: By using Emergency Unmerge, you assume all risk associated with data reconstructions applied to your production CRM data. See our Terms of Service, Sections 7 (Assumption of Risk) and 8 (Reconstruction Disclaimer) for complete details on liability, risk allocation, and your review obligations.
5a. Duplicate Detection Processing
Safe Merge uses a 3-stage duplicate detection pipeline, with Stage 3 leveraging Anthropic's advanced pattern matching API. When duplicate detection is performed:
- Data transmitted: CRM record fields relevant to identity matching (names, email addresses, phone numbers, company names, domains, job titles, and other identifying properties) are transmitted to Anthropic's API for comparison analysis.
- Processing purpose: The advanced matching engine analyzes field values across record pairs to determine the likelihood that two records represent the same entity. Results include confidence scores and match reasoning.
- Data retention at Anthropic: Per Anthropic's Commercial Terms, prompts and outputs are deleted within 30 days. Your CRM data is not used for model training.
- No persistent external storage: Duplicate detection results are stored in our database for your review. The raw CRM data sent to Anthropic is not stored by us beyond the analysis session.
- Scope: Duplicate detection may process records across contacts, companies, and deals as configured by you or your portal administrator.
5b. Web Search Verification
As part of the duplicate detection process, Safe Merge may use web search tools to retrieve publicly available information from the internet to validate and enhance duplicate match confidence.
- What is searched: Company names, domains, professional profiles, and other publicly available business information that can help confirm or deny whether two CRM records represent the same entity.
- Data sources: Publicly accessible websites, business directories, LinkedIn profiles, company websites, and similar public sources.
- No persistent storage: Web search results are used solely within the context of the duplicate detection analysis session. We do not persistently store web search results.
- Purpose limitation: Web search is used exclusively to improve duplicate match accuracy. It is not used for data enrichment, marketing, profiling, or any purpose beyond duplicate detection.
- Anthropic's role: Web search requests are processed through Anthropic's infrastructure. Anthropic's data processing terms apply to these requests.
6. Data Sharing and Sub-Processors
We share personal data only with the following sub-processors, each bound by data processing agreements:
| Sub-Processor |
Purpose |
Location |
Transfer Mechanism |
| Render |
Application hosting, PostgreSQL database (including snapshot metadata) |
United States (Oregon) |
EU-US DPF, SCCs |
| Anthropic |
Reconstruction analysis (Emergency Unmerge), advanced pattern matching (duplicate detection), web search verification |
United States |
SCCs, DPA |
| Stripe |
Payment processing, subscription management |
United States |
EU-US DPF, SCCs |
| Sentry |
Error monitoring (PII sending disabled) |
United States |
SCCs |
We do not sell, rent, or share your data with any other third parties for marketing, advertising, or unrelated purposes. See our full Sub-Processor List for change notification details.
7. International Data Transfers
Our infrastructure is hosted in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, personal data is transferred to the United States.
We rely on the following transfer mechanisms:
- EU-US Data Privacy Framework (DPF): Adopted by the European Commission in July 2023 (Adequacy Decision C(2023) 4745) and upheld by the EU General Court in September 2025. Where our sub-processors are certified under the DPF, transfers rely on this framework.
- Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914. We maintain SCCs with all sub-processors as a supplementary safeguard.
- UK International Data Transfer Agreement / UK Addendum: For transfers from the United Kingdom, we use the UK Addendum to the EU SCCs as approved by the UK Information Commissioner.
8. Data Retention Periods
| Data Category |
Storage Location |
Retention Period |
| Full CRM record snapshots (properties + associations) |
PostgreSQL (Render) - primary; HubSpot custom properties - supplementary (where size permits) |
Per plan tier (7-365 days) + 30 days post-termination |
| Emergency Unmerge reconstruction data |
PostgreSQL (Render) |
Auto-deleted 30 days after operation |
| Duplicate detection results |
PostgreSQL (Render) |
Duration of account + 30 days post-termination |
| OAuth tokens (encrypted) |
PostgreSQL (Render) |
Duration of active integration; deleted on uninstall |
| Billing and payment records |
Stripe |
7 years (tax/legal compliance) |
| Account data |
PostgreSQL (Render) |
Duration of account + 30 days post-termination |
| Advanced matching processing data (Anthropic) |
Anthropic servers |
30 days maximum per Anthropic Commercial Terms |
| Usage and application logs |
Application infrastructure |
90 days |
8.1 GDPR Implications of Snapshot Storage
CRM snapshots may contain personal data of your contacts, including names, email addresses, phone numbers, and other identifying information. As the Data Controller, you are responsible for:
- Ensuring you have a lawful basis for the storage of snapshot data containing personal information
- Responding to data subject access requests that may encompass snapshot data
- Ensuring snapshot retention periods align with your organization's data retention policies
- Requesting deletion of snapshot data if required to comply with erasure requests
We will assist you in fulfilling data subject requests related to snapshot data as described in our Data Processing Agreement.
9. Your Data Protection Rights
Depending on your jurisdiction, you may have the following rights:
- Right of Access: Request a copy of the personal data we hold about you or your portal.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
- Right to Restriction of Processing: Request that we limit how we process your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format (JSON).
- Right to Object: Object to processing based on legitimate interests.
- Right Related to Automated Decision-Making: The Emergency Unmerge feature and duplicate detection include mandatory human review before execution. No fully automated decisions with legal or similarly significant effects are made about data subjects.
For data stored in our PostgreSQL database (OAuth tokens, account data, snapshot metadata, usage logs): Submit requests directly to us and we will fulfill them within 30 days.
For CRM snapshot data stored in HubSpot custom properties: This data resides in your HubSpot portal. You can access and delete it directly through HubSpot's interface (Settings → Properties).
How to submit a request:
We respond to all data subject requests within 30 days. If a request is complex, we will inform you of an extension (up to an additional 60 days under GDPR).
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides additional rights.
Categories of Personal Information Collected
- Identifiers: Names, email addresses, phone numbers, HubSpot Portal IDs, IP addresses.
- Commercial information: Subscription plans, billing history, credit purchase records.
- Internet or electronic network activity: API usage logs, snapshot and unmerge operation records, duplicate detection logs.
- Professional or employment-related information: Job titles and company affiliations from CRM data.
Sources of Personal Information
Directly from you (account registration), from HubSpot's API (CRM data you authorize), from Stripe (billing events), and from publicly available sources (web search verification during duplicate detection).
Business Purposes for Collection
Providing the Safe Merge service (including merge protection, duplicate detection, and unmerge), billing, security, customer support, and legal compliance, as detailed in Section 3 above.
Third-Party Sharing
We share data only with the sub-processors listed in Section 6 for the specific purposes described. We do not sell or share personal information with third parties for cross-context behavioral advertising.
Your CCPA Rights
- Right to Know: Request the categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of your personal information.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: We do not sell or share personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
CCPA Service Provider Designation: For CRM data processed on behalf of our customers, Third Space, LLC is a "Service Provider" as defined by the CCPA. We process personal information solely for the business purpose of providing the Safe Merge service and are contractually prohibited from retaining, using, or disclosing personal information for any other purpose.
11. Cookies and Tracking Technologies
Safe Merge uses session cookies for authenticated session management, and may use analytics cookies (GA4) with your consent. For payment processing, Stripe may set cookies on its domain during checkout. For complete details, see our Cookie Policy.
12. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- All API communications encrypted with TLS 1.2 or higher
- OAuth tokens encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256)
- Database access restricted to application service only (no public access)
- HTTPS enforced across all endpoints with HSTS headers
- Error monitoring via Sentry with PII sending disabled (
send_default_pii=False)
- Infrastructure hosted on Render.com (SOC 2 Type II certified data centers)
- Regular security updates and dependency patching
For comprehensive details, see our Security page.
13. Children's Privacy
Safe Merge is a business-to-business product and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at joshua@thirdspaced.com and we will promptly delete it.
14. Our Role: Data Processor and Data Controller
Safe Merge operates in a dual capacity:
- Data Processor: For HubSpot CRM data (contact, company, deal, and engagement data), CRM snapshots, and data transmitted for duplicate detection or reconstruction that we access and process on your behalf. Your organization is the Data Controller. We process this data only on your documented instructions as set forth in our Data Processing Agreement.
- Data Controller: For account registration data, billing information, usage analytics, and operational data that we collect and manage independently to operate the Service.
Under CCPA, the equivalent designations are "Service Provider" (for CRM data) and "Business" (for our own account data).
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will:
- Notify installed portal administrators via email at least 30 days before the changes take effect
- Update the "Last Updated" date at the top of this page
- Post a prominent notice on our website
Your continued use of Safe Merge after changes take effect constitutes acceptance of the revised Privacy Policy.
16. Complaint Rights and Contact Information
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority:
- EU: Your local Data Protection Authority. A full list is available at edpb.europa.eu.
- UK: The Information Commissioner's Office (ICO) at ico.org.uk.
- California: The California Privacy Protection Agency at cppa.ca.gov.
We encourage you to contact us first so we can address your concerns directly:
Third Space, LLC
Email: joshua@thirdspaced.com
Website: https://safemerge.app