Information We Collect
- Account Information: If you sign up for an account or join an existing corporate account, we may collect information that you provide to us in connection with setting up the account, such as your username, name, email address and, for corporate accounts, your role. Further, in the course of using your account, you may provide us with additional information through your communications with us.
- Information from Third Parties: We may receive information related to your use of our Vendor websites and services, including your username, name, email address, shipping address and your interaction with our Vendor. Common examples include signing up for an event or requesting shipment of a product from us. From time to time, we may also receive contact enrichment information from third parties.
- APIs and SDKs: We automatically collect certain technical information through our APIs and SDKs, including (a) IP address, (b) device and browser information, (c) operating system, (d) the content of the request, (e) the date and time of the request, (f) limited usage data, and (g) for our mobile SDKs, limited location data. We delete IP addresses after 30 days. In addition, when a mobile application uses our SDKs, it may send us certain limited location and usage data along with an ephemeral ID. This ephemeral ID changes hourly and we do not associate it or the unprocessed mobile location data with any personally identifying information, including names, permanent IDs, email addresses, IP addresses, or phone numbers. We also collect randomly-generated IDs for the limited purpose of analyzing the use of our APIs and SDKs, including the number of active users. We will delete the randomly generated IDs and the content of requests made to our APIs after 5 years.
- Vision SDK: We automatically collect certain information whenever the Vision SDK is in use, including (a) IP address, (b) device and browser information, (c) operating system, (d) the content of the API requests, (e) the date and time of the request, (f) limited location and usage data, (g) limited front-facing camera imagery and video, (h) a randomly generated ID, (i) accelerometer data and (j) detected road feature data.
- Hosted Data: In using your account, you may upload data to us via Mapbox Studio, Mapbox Studio Classic, our Dataset API or our Upload API ("Hosted Data") so that Mapbox can host it for you as part of providing our Services. We delete Hosted Data upon your request; however, due to our highly available, distributed implementation of our hosting solution, artifacts of Hosted Data may remain on Mapbox systems after you delete the file in your account. We will delete those artifacts in accordance with our standard platform maintenance practices after we either receive a specific request from you to delete the Hosted Data artifacts (along with sufficient information to identify which data you want to ensure are deleted) or we receive a request from you to delete your account.
- Feedback: You and/or your end users may provide us with feedback regarding our Services (e.g., in the form of email, suggestions for how to improve our maps, etc.).
How We Use the Information We Collect
- Account Information: We use the account information we collect to provide our Services to you, to maintain your accounts, and to process your transactions. This information is necessary for us to provide the Services to you. We may combine account information with data we receive from other sources. We also may use certain information, such as your email address, to help you by telling you about new Mapbox products or features that may be of interest to you and by providing you with examples of how Mapbox products and services can be used. We have a legitimate interest in improving and marketing our Services. If you receive promotional emails from Mapbox, you can opt out by following the instructions in those emails.
- Payment Information: We use payment information solely for billing purposes, which is necessary to provide the Services.
- Information from Third Parties: We may use the information you provide to our Vendors in connection with the event or transaction (including shipments and deliveries), to improve our Services, and to provide you with information about our Services and/or the event or transaction. In addition, from time to time we obtain data from contact enrichment providers for sales and marketing purposes. We have a legitimate interest in improving and marketing our Services and certain data collection is necessary in order to provide the Services. You may opt out of receiving promotional communications from us at any time.
- APIs and SDKs: We use the data collected through our APIs and SDKs (1) for internal diagnostic and analytic purposes, (2) to improve our mapping products and services, (3) to provide our Services to end users of our customers and (4) to generate aggregated and anonymized usage statistics. We have a legitimate interest in improving our Services and certain data collection is necessary in order to provide the Services. You can find more information specifically about how we secure and use location data on our telemetry page.
- Vision SDK: We use the data collected from Vision SDK (a) for internal diagnostic and analytic purposes, (b) to improve our mapping products and services, (c) to provide our Services to end users of our customers and (d) to generate aggregated and anonymized usage statistics. We have a legitimate interest in improving our Services and certain data collection is necessary in order to provide the Services.
- Hosted Data: We use Hosted Data to provide our Services to you.
- Feedback: We may use the feedback that you provide for any purpose, including improving our Services. We have a legitimate interest in improving our Services for the benefit of all of our users.
When We Share the Information We Collect With Third Parties
- In General: We are a global company and may transfer your information outside of the country where you live. However, we will not transfer personal information outside of the European Union unless the recipient is subject to suitable contractual safeguards to ensure that the personal information is processed in accordance with EU law. For more information, please email us at email@example.com.
- Account Information and Information from Third Parties: We may share your account information and information we receive from third parties with our service providers (e.g., hosted infrastructure providers) who need access to such information to carry out work on our behalf.
- Payment Information: We may disclose Payment Information to (a) our payment provider, Stripe, as described above in the “Information We Collect” section, (b) billing and accounting service providers acting on our behalf and (c) in connection with “Rare and Limited Disclosures” described below.
- Website Logs and Cookies: We share information about your device and interaction with our website with our service providers that host our website and provide marketing and analytics services to us. Certain marketing and analytics services that integrate directly into our website may collect information about your device, browser, and interaction with our websites (including by placing third-party cookies on your browser or other similar technologies). We do not control how these third parties use or share this information, which is subject to their privacy policies. You can find out more information about the cookies on our website and managing your browser’s cookie preferences for our website here.
- APIs and SDKs: If provided, we only share raw location data with our hosted infrastructure service providers. We share other data collected through your use of our APIs and SDKs with our hosted infrastructure and internal analytics service providers. In limited situations, we may also share API log data associated with a specific customer's account with that customer for the purpose of resolving billing questions. We also may share aggregated and anonymized usage statistics with other third parties.
- Vision SDK: We share data collected through your use of Vision SDK with our hosted infrastructure and internal analytics service providers. In addition, we may share Vision SDK data with the person or entity that controls the account associated with the data. We also may share aggregated and anonymized usage statistics with other third parties.
- Feedback: We may share your feedback with third parties, including our third-party suppliers and partners who help us provide the Services.
- Rare and Limited Disclosures: We may share information in our possession in response to a request if we believe disclosure is in accordance with, or required by, any applicable law, regulation or legal process. For more information, see “Law Enforcement and Transparency,” below.
Furthermore, we may share information in our possession if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to enforce our terms of service, detect, prevent, or otherwise address threats to our platform, or protect against harm to the rights, property or safety of Mapbox, our users, or the public as required or permitted by law.
Finally, we may also share the information we collect in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company. We may also share information among our current and future parents, affiliates, subsidiaries and other companies under common control and ownership.
Your Choices About What We Do with the Information We Collect
- Account and Payment Information: Certain account information is optional, and you may choose not to provide it to Mapbox. Note that some of this account and payment information is necessary for related Services to function properly – for example, if you do not provide payment information, you cannot take advantage of features that require payment.
- Website Logs and Cookies: You may delete cookies from your computer, and most browsers provide the option to block cookies. Note that if you block cookies placed by us (first party cookies), portions of our Services, including our website, may not work as intended. However, your access to our websites should not be affected if you disable third-party cookies placed by third parties that manage marketing and analytics aspects of our website. You can find out more information about the cookies on our website and managing your browser’s cookie preferences for our website here.
- APIs and SDKs: If you are an end user of a product or service that integrates our Services, your privacy options will be largely determined by the developer of the product or service. In addition to any privacy options that the developer may have provided you with, you may also be able to control the applications that can collect information about your precise location by using the settings available on your device, including opting out of collection of telemetry data.
- Questions: If you have any questions about how to limit the disclosure and/or use of your personal information to us, please email us at firstname.lastname@example.org.
Your Access to and Control of the Information We Collect
- Account Information, Hosted Data, and Payment Information: You may exercise your privacy rights with respect to certain account information in the account pages we’ve made available to you, and you may exercise your privacy rights over other Account Information, Hosted Data or Payment Information that you have provided to us at any time by emailing us at email@example.com. If you wish to delete or deactivate your account, please email us at firstname.lastname@example.org, but note that we may retain certain information as required by law or to protect our rights and property.
- Non-account Information: If we have non-account information about you, such as your email address on our newsletter list, you may exercise your privacy rights with respect to this information. However, we may not be able to verify your identity for purposes of processing your request, as we do not have sufficient information to adequately verify your request if you do not have an account. To unsubscribe from our newsletter, please follow the instructions in the emails that you receive from us.
- Website Logs, Cookies, APIs and SDKs: We temporarily retain IP addresses for security and accounting purposes. Given the temporary nature of this storage, it is generally not feasible for us to provide access to IP addresses or the logs associated with them.
- Feedback: You may request that we update, correct or delete any feedback that you have provided to us by emailing us at email@example.com; however, we may have deleted or anonymized the feedback you had previously provided to us in a way that makes it infeasible for us to associate a particular piece of feedback with a particular user.
Your privacy rights under the California Consumer Protection Act (CCPA)
California consumers have the following privacy rights:
- to not receive discriminatory treatment by Mapbox for the exercise of privacy rights conferred by the CCPA;
- to request to know the personal information Mapbox has about you. You may access personal information associated with your Mapbox account, such as username, email address, and associated account activity by logging into your Mapbox account;
- to request deletion of your personal information collected or maintained by Mapbox; and
- to designate an authorized agent to make a verifiable consumer request related to your personal information on your behalf.
In order to submit a request to exercise your privacy rights, you may do one or more of the following:
- If you have a Mapbox account, log in to your Mapbox account, go to Settings, and click “Delete account” and follow the instructions. By logging into your account, Mapbox can verify that you are the account holder. If you do not log in to your Mapbox account to make this request, information associated with your Mapbox account will not be deleted, as we are not able to sufficiently verify your identity.
- You may, without logging into your Mapbox account, request deletion of your email address and associated personal information (if any) through this form. Mapbox will email you a confirmation link at the email you provide in order to verify the request. You must click on the confirmation link in the verification email Mapbox sends you to verify the email belongs to you before Mapbox can process your request. A request through this form will only request to delete personal information from non-account-related sources (such as our newsletter email list). To delete account-related information, you must log in to your Mapbox account to verify your identity.
- If you believe Mapbox has any personal information about you that is not account-related and not an email address and associated information, please email Mapbox at firstname.lastname@example.org describing in detail the information you believe Mapbox has and how you believe Mapbox obtained it. Please note that without an email address, it may not be possible for Mapbox to verify your identity to a reasonable degree of certainty to locate or delete any information.
- Alternatively, you may call 1 (833) 732-4082 and leave a voicemail requesting deletion of personal information. In your voicemail, leave your email address, if you have one. You must still complete the verification steps described above in order for Mapbox to verify your identity.
The CCPA provides California residents with the right to know what categories of personal information Mapbox has collected about them and whether Mapbox disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding 12 months.
The categories of sources from which we collect personal information and our business and commercial purposes for using personal information are set forth above in the sections Information We Collect, How We Use the Information We Collect, and When We Share the Information We Collect With Third Parties.
For purposes of the CCPA, Mapbox does not "sell" personal information, nor do we have actual knowledge of any "sale" of personal information of minors under 16 years of age. You may complete this form to opt out of the disclosure of your personal information to third parties that are not our service providers. (If you also want to opt out of third-party cookies on our website, you can do so using your browser’s cookie preferences. More information is available here.)
If you wish to print this policy, please do so from your web browser or by saving the page as a PDF.
Law Enforcement and Transparency
- In General: Although we acknowledge that government sometimes must act to protect citizens' safety and security, we strongly believe that current laws regulating surveillance of individuals and access to user information need to be reformed. We have signed the Stop Watching Us petition and support the principles of the Reform Government Surveillance open letter to Congress.
We post anonymized information about all law enforcement requests in our transparency report. Mapbox has never received a national security letter, FISA court order, or any other classified request for user information. If we ever receive such a request, we will review it carefully and make sure it follows the law (including the Fourth Amendment). If we believe a request is overly broad, we will seek to narrow it.
If we have a good faith belief that there is an emergency involving the danger of death or severe physical injury, we may disclose limited information necessary to prevent that harm.
- Account Information, Hosted Data, Store Data and Payment Information: We require a subpoena or court order to provide information about your account, such as the name associated with the account, means of payment, and length of service. If we are ever forced to share identifiable information about you, we'll notify you with the full details of the request before we disclose it unless we are legally prohibited from doing so by law or court order.
- Website Logs, Cookies, APIs and Mobile SDKs: We will only disclose information collected through our Services, including maps and associated data and location information, in response to a subpoena or court order.
International Data Transfers
- We (Mapbox, Inc. and Mapbox International, Inc.) have withdrawn from the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks; however, we continue to comply with ongoing Privacy Shield obligations with respect to personal information transferred to us from the European Economic Area prior to July 16, 2020. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/welcome.
After July 16, 2020, all transfers of personal information to us from the European Economic Area are undertaken pursuant to the Standard Contractual Clauses. If you wish to transfer data to us under the Standard Contractual Clauses, please see our DPA.
By using our Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail or by sending an email to you.
The Services are not directed to children under 13 (or other age as required by local law), and we do not knowingly collect personal information from children.
If you are a parent or guardian and wish to review information collected from your child, or have that information modified or deleted, you may contact us as described below. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it, and terminate the child’s account.
- June 10, 2021: Update to reflect withdrawal from Privacy Shield, add Security and Children’s Information section, stylistic clarifications throughout.
- December 15, 2020: Added clarifications re data collection and usage for mobile vs web SDKs.
- September 29, 2020: Clarified that Mapbox's Privacy Shield commitments remain in effect for historic transfers.
- August 3, 2020: Updated information that we collect to cover use of our SDKs without our APIs.
- July 27, 2020: Removed a reference to Privacy Shield.
- June 29, 2020: Added clarifications regarding "Your Choices About What We Do with the Information We Collect", including how to opt out of telemetry collection and where to email with questions.
- December 31, 2019: Added California Consumer Protection Act (CCPA)-specific disclosures; updated cookie disclosure and information on other domains.
- October 21, 2019: Updated list of marketing and analytics services.
- September 12, 2019: Added single sign-on terms.
- June 19, 2019: Minor changes to the privacy shield section.
- March 4, 2019: Updates to SDK collection provisions.
- February 21, 2019: Added language providing more clarity on our right to use information in the event of a dispute under the "Rare and Limited Disclosure" section.
- November 16, 2018: Added language describing information practices specific to Vision SDK.
- October 30, 2018: Added language clarifying limited use of randomly-generated IDs and sharing API logs for the purpose of resolving billing questions.
- June 22, 2018: Added additional marketing and analytics services that integrate directly into our website.
- May 17, 2018: Added additional clarification as to how deletion of Hosted Data works.
- May 14, 2018: Added language to distinguish between website logs and API logs; added more information about cookies and similar technologies; updates to comply with GDPR disclosure requirements.
- November 16, 2017: Added clarifying language regarding corporate emails, removed online merchandise store, and updated policy to cover information submitted to Our Vendors.
- May 12, 2017: Added language regarding data collected through our soon to be launched online merchandise store.
- May 2, 2017: Updated the Privacy Shield certification language.
- April 14, 2017: Re-wrote the policy for the purposes of Privacy Shield certification.
- January 20, 2016: Updated to reflect EU Safe Harbor invalidation.
- July 24, 2015: We now participate in the EU Safe Harbor program.
- July 6, 2015: Added clarification regarding third party services, mobile data collection and user age requirements.
- March 27, 2015: Added guarantee that we will require a warrant for access to location information. Added exception to legal process requirements for life-threatening or similarly dire emergencies.