Handling Work Email and Personal Data in Security-Conscious Industries for Customer Marketing Tools

·Mar 27, 2026 07:58 PM·

Hey folks, is anyone here in a security-conscious industry? Right now my company doesn't ingest end-user emails—we only use hashed IDs. That’s making it very hard to use any modern customer marketing tools, especially as we evaluate a CDP. I’m trying to make the case to our Chief Security Officer that ingesting work email + first name + last name, with clear opt-out controls, is a reasonable tradeoff. Is this generally considered standard practice in your world? I get that this is common for productivity SaaS, but I’m not sure how it plays in more security-sensitive environments. Would love to hear how your teams handle it.

8 comments

· Sorted by Oldest

Gabrielle Herrera
·
·
I used to work for a cybersecurity vendor and I would not consider what you described your current set up as common practice, even for DACH customers.
Sandhya Simhan
·
·
But then how do you send emails to your end users? For example: Hey there, you tried building an agent but didn't share it.
Sandhya Simhan
·
·
Right now we're only able to message our admins and it limits adoption of our productivity tool
Gabrielle Herrera
·
·
We don't obfuscate their email or names, so we are able to use our email marketing tools in HubSpot to send customer lifecycle marketing. (Same scenario for previous employer, they were HubSpot customers)
Gabrielle Herrera
·
·
From an end user perspective, I've received similar “abandoned cart” messages from other SaaS tools. I'd be curious to better understand the perceived compliance or security risk here.
Sandhya Simhan
·
·
ahh sorry I read your note wrong. Like to you ingesting user emails IS common practice. It's not "something weird and insecure" like our CISO thinks it is.
Gabrielle Herrera
·
·
Correct.
Gabrielle Herrera
·
·
I see how my response was confusing, edited to clarify