Mapbox Non-U.S. Privacy Notice
Last updated: July 2018
This notice describes how Mapbox, Inc., along with its affiliates, (collectively, “Mapbox”, “we” or “us”) collect, use, store, transfer and protect personal data we gather concerning prospective, current and former employees for management, human resources and benefits purposes. If you are an applicant, independent contractor or an employee who resides in the EEA, Canada, India, Hong Kong or the People’s Republic of China, this policy applies to you.
Mapbox, Inc. and, if different, the Mapbox entity listed in Schedule 1 with whom you enter into an employment contract or for which you otherwise agree to or seek to provide services, are data controllers of your personal data. If you have any questions or concerns regarding the processing of your personal data by us, you may refer to the details provided below under “Contact us”.
What personal data do we process?
“Personal data” is information that relates to you and which identifies you or is capable of identifying you as an individual and may be provided to us by you or generated as a result of being recruited by, applying to, or working at Mapbox.
We process a variety of different types of personal data, including:
identification information (e.g. your name, gender, address, birth date, information required to determine work authorization, such as birthplace or citizenship, passport information, tax and/or social security/insurance numbers, system IDs);
contact information (e.g. your home address, email address, phone number, emergency contact details, internal extension number, building/office location);
employment information (e.g. your employment contract details, employee ID, hire date, contract expiration date, vacation, leave, job position, information related to marital status or family members who are beneficiaries under employee benefit plans, resumes, date of resignation or termination, reason for resignation or termination);
organizational information (e.g. information on your manager, assistant, reporting chain, title, department, cost center, information relating to expat status);
financial and economic information (e.g. your salary, bonus payments and additional payments for meals, commuting, car allowance, insurance contributions, other expenses);
performance and quality control data (e.g. your performance reviews, personal objectives, languages, feedback results);
information about your business travel;
information in relation to internal and external business-related event participations (e.g. your meal preferences, information relating to event planning);
information regarding usage of certain IT systems (e.g. your internet access, IP address, log in information, emails, including communication partner and data and time of communication, instant messages, access information from access key, such as access door, date and time of access, information regarding usage of telephony systems).
scans of original documents (e.g. documentation used for work permit or visa purposes); and
information captured on security systems, which may include CCTV (where legally permissible) and key card entry systems.
There may be instances in which the personal data that you voluntarily provide to us is considered “sensitive personal data” under applicable data protection laws. “Sensitive personal data” includes personal data from which we can determine or infer an individual's racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition, genetic or biometric information, sexual life or sexual orientation, or information relating to the commission of a criminal offence. Mapbox complies with privacy and data protection legislation in the jurisdictions where employees are located in connection with its processing of sensitive personal information.
When collecting personal data is mandatory (either under applicable law or in accordance with a contractual requirement), this will be stated at the time of collection. The consequences of your failure to provide the required personal data may include rejection of your application, termination of your employment or your inability to avail of certain Mapbox benefits.
How do we use personal data?
We use personal data for the purposes described below, except where restricted by law. In doing so, we rely on a number of separate and overlapping legal bases to lawfully process such data.
Mapbox uses personal data for the following purposes to comply with its contractual obligations to you, such as to:
manage all aspects of an employee’s employment relationship, including, but not limited to, payroll administration and management, benefits administration and management, leave of absence administration, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, disciplinary and grievance processes and other general administrative and human resource related processes.
Mapbox uses personal data for the following purposes to comply with its legal obligations, such as to:
maintain sickness records and occupational health programs, or assess/implement accommodations in compliance with human rights legislation;
perform compliance and risk management; and
comply with applicable laws (e.g. health, safety and tax).
Mapbox also uses personal data for the following purposes to protect the vital interests of its employees, such as to:
maintain emergency contact and beneficiary details; and
facilitate communications with relevant third parties, such as medical providers, in an emergency.
Mapbox also uses personal data in pursuit of its legitimate interests and those of its employees in line with all the purposes described above, including using data as necessary to:
develop and retain talent, evaluate and determine the qualifications of applicants for employment, and administer the employee separation process;
protect the safety and security of staff and Mapbox assets (including controlling and facilitating access to, and monitoring activity in, secured premises and monitoring activity using our computers, communications and other resources);
improve efficiencies through the use of employee opinion surveys and administer employee recognition programs;
manage resources by developing HR strategies, manpower, succession plans and corporate planning;
provide employee access to and support employees in their use of Mapbox IT-resources, and monitor these resources to ensure compliance with our policies, investigate and defend against allegations, investigate reasonable suspicions of misconduct, protect and ensure the security of our confidential information, intellectual property, systems, devices and networks, manage IT resources, and audit for compliance;
provide for internal Mapbox communications or external communications, including with third parties, such as customers and vendors; and
investigate, administer, manage and respond to claims against us, our employees, customers and business partners.
Note that Mapbox may monitor its IT systems in a reasonable manner and for reasonable purposes related to managing our business and the workplace. Therefore, you should have no expectation of privacy when using our IT systems. The types of personal data that may be collected during such monitoring include your internet access, your personal access to Mapbox or its customer’s confidential data, IP address, log in information, emails, including communication partner and data and time of communication, instant messages, access information from access key, such as access door, date and time of access). Review of such personal data is conducted or facilitated by our IT security personnel using certain computer programs or software. Such monitoring may take place in circumstances where the need arises to fulfill any of the following business purposes: ensuring compliance with our policies, investigating claims and allegations or reasonable suspicions of misconduct, ensuring the security of our confidential information, intellectual property, systems, devices and networks, managing IT resources and auditing for compliance. Additionally, at times, meetings conducted via Google Meet are recorded for knowledge sharing purposes with the advance consent of all meeting participants.
Will we share your personal data?
In order to carry out the processing outlined above, your personal data may be disclosed to managers, senior executives, and members of our People, Payroll, IT, Finance, Operations, Sales Operations, Security, and Legal teams on a need to know basis. This may involve the disclosure of your personal data to other entities in the Mapbox family of companies.
In addition, we may disclose your personal data to the following third parties:
Professional advisors: accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors in all of the countries in which Mapbox operates.
Service providers: companies that provide products and services to Mapbox such as payroll, pension or provident fund scheme, benefits providers; human resources services, performance management, training, expense management; IT systems suppliers, storage, security and support, internal communications and workflow management; third parties assisting with equity compensation programs, credit card companies, medical or health practitioners, trade bodies and associations, and other service providers.
Public and governmental authorities: entities that regulate or have jurisdiction over Mapbox such as regulatory authorities, law enforcement, public bodies, and judicial bodies.
Corporate transaction: a third party in connection with any proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
We also reserve the right to disclose your personal data if we are compelled to do so by a court of law or requested to do so by a governmental entity or if we determine it is necessary or desirable to comply with applicable law or to protect or defend our employees’ rights or our rights or property in the course of an investigation or proceeding or to detect or prevent fraud or to prevent death or injury.
(a) Employee located in the European Economic Area (“EEA”)
Mapbox is a global business and we may disclose and transfer your personal data to persons or companies located outside the EEA for any of the purposes set out in this Notice. Some of these countries may not have the same levels of data protection or similar rules regulating government agency access to personal data as are present in the EEA. In these cases, we take steps to protect your personal data.
We rely on the EU-US Privacy Shield to lawfully transfer your personal data to the United States. Mapbox, Inc. complies with the Privacy Shield Framework Principles, including the Supplemental Principles, (together, the “Principles”) regarding the collection, use, sharing, further transfer and retention of personal information from the EEA as described in our Privacy Shield certification.
Should you have a Privacy Shield-related (or general privacy-related) complaint, we encourage you to contact us using the contact details listed below. However, if you have an unresolved complaint with us about our adherence to the Principles, Mapbox commits to cooperate with EU data protection authorities (DPAs). You may contact your local DPA in your EEA Member State for further assistance.
As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available via the Privacy Shield framework to those working in the EEA in order to address residual complaints under the Privacy Shield that are not resolved by any other means. Privacy Shield participants are subject to the investigatory and enforcement powers of the US Federal Trade Commission and other authorized statutory bodies. Learn more about Privacy Shield at https://www.privacyshield.gov/.
(b) Non-US Employees located outside the EEA
Mapbox is a global business and we may disclose and transfer your personal data under applicable law to persons or companies located outside the country in which you work. More particularly, your information will be kept on our and our vendors' third party-hosted infrastructure (i.e., in the cloud) and may be accessed at any Mapbox office location by Mapbox managers, members of the Mapbox People Team, Payroll, IT, Finance, Operations, Sales Operations, Security, and Legal on a need to know basis. In the case of international transfers, we take reasonable precautions to protect your personal information. However, you should be aware that information that is transferred or stored outside your home country may be accessible to law enforcement or national authorities in the jurisdictions where it is stored.
How long will we retain your personal data?
Your personal data shall be retained for as long as it is necessary to meet the purposes for which it has been collected or lawfully further processed. This includes information necessary to pay you, to pay federal and state/provincial income tax withholdings on your behalf, to contribute to your retirement account, to book travel, and overall help support you in your work at Mapbox. If you stop working at Mapbox, we will delete or anonymize your personal data within ten years, and if you apply to Mapbox and are not hired, we will delete any personal data you have submitted to us or which we generated as part of your recruitment process within one year. Notwithstanding the foregoing, we may retain your personal data for longer periods of time if required by law or if it is necessary to retain documents for purposes of litigation.
How can you update your personal data and exercise your statutory rights?
Please make sure that your personal data is accurate and up to date, and please inform us of changes in a timely manner.
If you live in the EEA, with some limited exceptions, you may inquire about the personal data we maintain about you and exercise your rights to access, correct, export, and delete your personal data, including information contained in your employee file. In addition, when we process your personal data based on our legitimate interests (as set out above), you have a right to object to our processing of your personal data.
If you live in British Columbia, Quebec or the People’s Republic of China (PRC), or work for Mapbox Asia Limited, with some exceptions, you may also access, correct, and update your personal data, including information contained in your employee file. If you live in PRC, you may also have your personal data deleted upon request if Mapbox’s use of such personal data violates your labor agreement or PRC law, or if such personal information as collected and used is incorrect.
If you would like to exercise any of the statutory rights set forth above, please contact the Mapbox People team at email@example.com.
You may also have a right to lodge a complaint with your local data protection authority, or privacy commissioner, as applicable.
Changes to the Notice
We may update this notice from time-to-time. We will take reasonable steps to notify you of any changes.
If you have questions, complaints or suggestions about our personal data processing practices or if you would like to exercise your statutory rights, you can contact the Mapbox People team at firstname.lastname@example.org.