Information We Collect
- Account Information: If you sign up for or authenticate into an account with us, we may collect information that you provide to us in connection with setting up the account, such as your username, name, email address and, for an account you authenticate into, role. Further, in the course of using your account, you may provide us with additional information through your communications with us.
- Information from Third Parties: We may receive information related to your use of our Vendor websites and services, including your username, name, email address, shipping address and your interaction with our Vendor. Common examples include signing up for an event or requesting shipment of a product from us. From time to time, we may also receive contact enrichment information from third parties.
- APIs and SDKs: We automatically collect certain technical information whenever requests are made to our APIs or applications use our SDKs, including (a) IP address, (b) device and browser information, (c) operating system, (d) the content of the request, (e) the date and time of the request, (f) limited usage data, and (g) for our mobile SDKs, limited location data. We delete IP addresses after 30 days. In addition, when a mobile application uses our SDKs, it may send us certain limited location and usage data along with an ephemeral ID. This ephemeral ID changes hourly and we do not associate it or the unprocessed mobile location data with any personally identifying information, including names, permanent IDs, email addresses, IP addresses, or phone numbers. We also collect randomly-generated IDs for the limited purpose of analyzing the use of our APIs and SDKs, including the number of active users. We will delete the randomly generated IDs and the content of requests made to our APIs after 36 months.
- Vision SDK: We automatically collect certain information whenever the Vision SDK is in use, including (a) IP address, (b) device and browser information, (c) operating system, (d) the content of the API requests, (e) the date and time of the request, (f) limited location and usage data, (g) limited front-facing camera imagery and video, (h) a randomly generated ID, (i) accelerometer data and (j) detected road feature data.
- Hosted Data: In using your account, you may upload data to us via Mapbox Studio, Mapbox Studio Classic, our Dataset API or our Upload API ("Hosted Data") so that Mapbox can host it for you as part of providing our Services. We delete Hosted Data upon your request, however, due to our highly available, distributed implementation of our hosting solution, artifacts of Hosted Data may remain on Mapbox systems after you delete the file in your account. We will delete those artifacts in accordance with our standard platform maintenance practices after we either receive a specific request from you to delete the Hosted Data artifacts (along with sufficient information to identify which data you want to ensure are deleted) or we receive a request from you to delete your account.
- Feedback: You and/or your end users may provide us with feedback regarding our Services (e.g., in the form of email, suggestions for how to improve our maps, etc). We do not delete this information.
How We Use the Information We Collect
- Account Information: We use the account information we collect to provide our Services to you, to maintain your accounts, and to process your transactions. This information is necessary for us to provide the Services to you. We may combine account information with data we receive from other sources. We also may use certain information, such as your email address, to help you by telling you about new Mapbox products or features that may be of interest to you and by providing you with examples of how Mapbox products and services can be used. We have a legitimate interest in improving and marketing our Services. If you receive promotional emails from Mapbox, you can opt out by following the instructions in those emails.
- Payment Information: We use payment information solely for billing purposes, which is necessary to provide the Services.
- Information from Third Parties: We may use the information you provide to our Vendors in connection with the event or transaction (including shipments and deliveries), to improve our Services, and to provide you with information about our Services and/or the event or transaction. In addition, from time to time we obtain data from contact enrichment providers for sales and marketing purposes. We have a legitimate interest in improving and marketing our Services and certain data collection is necessary in order to provide the Services. You may opt out of receiving promotional communications from us at any time.
- APIs and SDKs: We use the data collected through our APIs and SDKs (1) for internal diagnostic and analytic purposes (2) to improve our mapping products and services (3) to provide our Services to end users of our customers and (4) to generate aggregated and anonymized usage statistics. We have a legitimate interest in improving our Services and certain data collection is necessary in order to provide the Services. You can find more information specifically about how we secure and use location data on our telemetry page.
- Vision SDK: We use the data collected from Vision SDK (a) for internal diagnostic and analytic purposes, (b) to improve our mapping products and services, (c) to provide our Services to end users of our customers and (d) to generate aggregated and anonymized usage statistics. We have a legitimate interest in improving our Services and certain data collection is necessary in order to provide the Services.
- Hosted Data: We use Hosted Data to provide our Services to you.
- Feedback: We may use the feedback that you provide for any purpose, including improving our Services. We have a legitimate interest in improving our Services for the benefit of all of our users.
When We Share the Information We Collect With Third Parties
- In General: We are a global company and may transfer your information outside of the country where you live. However, we will not transfer personal information outside of the European Union unless the recipient is subject to suitable contractual safeguards to ensure that the personal information is processed in accordance with EU law. For more information, please email us at email@example.com.
- Account Information and Information from Third Parties: We may share your account information and information we receive from third parties with our service providers (e.g., hosted infrastructure providers) who need access to such information to carry out work on our behalf.
- Payment Information: We may disclose Payment Information to (a) our payment provider, Stripe, as described above in the “Information We Collect” section, (b) billing and accounting service providers acting on our behalf and (c) in connection with “Rare and Limited Disclosures” described below.
- Website Logs and Cookies: We share information about your device and interaction with our website with our service providers that host our website and provide marketing and analytics services to us. Certain marketing and analytics services that integrate directly into our website may collect information about your device, browser, and interaction with our websites (including by placing third-party cookies on your browser or other similar technologies). We do not control how these third parties use or share this information, which is subject to their privacy policies. You can find out more information about the cookies on our website and managing your browser’s cookie preferences for our website here.
- APIs and SDKs: If provided, we only share raw location data with our hosted infrastructure service providers. We share other data collected through your use of our APIs and SDKs with our hosted infrastructure and internal analytics service providers. In limited situations, we may also share API log data associated with a specific customer's account with that customer for the purpose of resolving billing questions. We also may share aggregated and anonymized usage statistics with other third parties.
- Vision SDK: We share data collected through your use of Vision SDK with our hosted infrastructure and internal analytics service providers. In addition, we may share Vision SDK data with the person or entity that controls the account associated with the data. We also may share aggregated and anonymized usage statistics with other third parties.
- Feedback: We may share your feedback with third parties, including our third-party suppliers and partners who help us provide the Services.
- Rare and Limited Disclosures: We may share information in our possession in response to a request if we believe disclosure is in accordance with, or required by, any applicable law, regulation or legal process. For more information, see “Law Enforcement and Transparency,” below.
Furthermore, we may share information in our possession if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to enforce our terms of service, detect, prevent, or otherwise address threats to our platform, or protect against harm to the rights, property or safety of Mapbox, our users, or the public as required or permitted by law.
Finally, we may also share the information we collect in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company. We may also share information among our current and future parents, affiliates, subsidiaries and other companies under common control and ownership.
Your Choices About What We Do with the Information We Collect
- Account and Payment Information: Certain account information is optional, and you may choose not to provide it to Mapbox. Note that some of this account and payment information is necessary for related Services to function properly – for example, if you do not provide payment information, you cannot take advantage of features that require payment.
- Website Logs and Cookies: You may delete cookies from your computer, and most browsers provide the option to block cookies. Note that if you block cookies placed by us (first party cookies), portions of our Services, including our website, may not work as intended. However, your access to our websites should not be affected if you disable third-party cookies placed by third parties that manage marketing and analytics aspects of our website. You can find out more information about the cookies on our website and managing your browser’s cookie preferences for our website here.
- APIs and SDKs: If you are an end user of a product or service that integrates our Services, your privacy options will be largely determined by the developer of the product or service. In addition to any privacy options that the developer may have provided you with, you may also be able to control the applications that can collect information about your precise location by using the settings available on your device, including opting out of collection of telemetry data.
- Questions. If you have any questions about how to limit the disclosure and/or use of your personal information to us, please email us at firstname.lastname@example.org.
Your Access to and Control of the Information We Collect
- Account Information, Hosted Data, and Payment Information: You may correct or change certain account information in the account pages we’ve made available to you, and you may update, correct or delete other Account Information, Hosted Data or Payment Information that you have provided to us at any time by emailing us at email@example.com. If you wish to delete or deactivate your account, please email us at firstname.lastname@example.org, but note that we may retain certain information as required by law or to protect our rights and property.
- Website Logs, Cookies, APIs and SDKs: We temporarily retain IP addresses for security and accounting purposes. Given the temporary nature of this storage, it is generally not feasible for us to provide access to IP addresses or the logs associated with them.
- Feedback: You may request that we update, correct or delete any feedback that you have provided to us by emailing us at email@example.com, however we may have deleted or anonymized the feedback you had previously provided to us in a way that makes it infeasible for us to associate a particular piece of feedback with a particular user.
Your rights under the California Consumer Protection Act (CCPA)
California consumers have the following rights:
- to not receive discriminatory treatment by Mapbox for the exercise of privacy rights conferred by the CCPA;
- to request to know the personal information Mapbox has about you. You may access personal information associated with your Mapbox account, such as username, email address, and associated account activity by logging into your Mapbox account. If you do not have a Mapbox account, it will not be possible for Mapbox to verify your identity to a reasonably high degree of certainty to permit disclosure of specific pieces of information, as Mapbox only has limited personal information about non-accountholders; and
- to request deletion of their personal information collected or maintained by Mapbox.
In order to submit a verifiable consumer request to delete your information, you must do the following:
- If you have a Mapbox account, login to your Mapbox account, go to Settings, and click “Delete account” and follow the instructions. Mapbox uses your request while you are logged in to verify that you are the account holder. If you do not login to your Mapbox account to make this request, information associated with your Mapbox account will not be deleted.
- You may, without logging into your Mapbox account, request deletion of your email address and associated personal information (if any) through this form. Mapbox will email you a confirmation link at the email you provide in order to verify the request. You must click on this confirmation link in the verification email Mapbox sends you to verify the email belongs to you before Mapbox can process your request. A request through this form will only request to delete personal information from non-account-related sources (such as the list of emails we send newsletters to). To delete account-related information, you must login to your Mapbox account to verify your identity.
- If you believe Mapbox has any personal information about you that is not account-related and not an email address and associated information, please email Mapbox at firstname.lastname@example.org describing in detail the information you believe Mapbox has and how you believe Mapbox obtained it. Please note that without an email address, it may not be possible for Mapbox to verify your identity to a reasonable degree of certainty to locate or delete any information.
- Alternatively, you may call 1 (833) 732-4082 and leave a voicemail requesting deletion of personal information. In your voicemail, leave your email address, if you have one. You must still complete the verification steps described above in order for Mapbox to verify your identity.
It is our firm belief that we do not and will not “sell” your personal information. Nonetheless, if you don’t agree with our opinion, you are welcome to complete this form and you will be opted out of disclosure to third parties that are not our service providers. (If you also want to opt out of third-party cookies on our website, you can do so using your browser’s cookie preferences. More information is available here.)
Law Enforcement and Transparency
- In General: Although we acknowledge that government sometimes must act to protect citizens' safety and security, we strongly believe that current laws regulating surveillance of individuals and access to user information need to be reformed. We have signed the Stop Watching Us petition and supports the principles of the Reform Government Surveillance open letter to Congress.
We post anonymized information about all law enforcement requests in our transparency report. Mapbox has never received a national security letter, FISA court order, or any other classified request for user information. If we ever receive such a request, we will review it carefully and make sure it follows the law (including the Fourth Amendment). If we believe a request is overly broad, we will seek to narrow it.
If we have a good faith belief that there is an emergency involving the danger of death or severe physical injury, we may disclose limited information necessary to prevent that harm.
- Account Information, Hosted Data, Store Data and Payment Information: We require a subpoena or court order to provide information about your account, such as the name associated with the account, means of payment, and length of service. If we are ever forced to share identifiable information about you, we'll notify you with the full details of the request before we disclose it unless we are legally prohibited from doing so by law or court order.
- Website Logs, Cookies, APIs and Mobile SDKs: We will only disclose information collected through our Services, including maps and associated data and location information, in response to a subpoena or court order.
U.S.-EU Privacy Shield and Swiss-U.S. Privacy Shield
- In compliance with the Privacy Shield Principles, we are committed to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us using the information in the "Contact Us" section below. We have further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
- Under certain conditions, you may be able to invoke binding arbitration to resolve your complaint. Mapbox is subject to the investigatory and enforcement powers of the Federal Trade Commission.
- If we shared personal data transferred to the U.S. under the Privacy Shield with a third-party service provider that processes such data on our behalf, then we will be liable for that third party’s processing in violation of the U.S. Privacy Shield Principles, unless we can prove that we are not responsible for the event giving rise to the damage.
If you wish to transfer data to us under the Standard Contractual Clauses, please see our DPA.
- December 15, 2020: Added clarifications re data collection and usage for mobile vs web SDKs.
- September 29, 2020: Clarified that Mapbox's Privacy Shield commitments remain in effect for historic transfers.
- August 3, 2020: Updated information that we collect to cover use of our SDKs without our APIs.
- July 27, 2020: Removed a reference to Privacy Shield.
- June 29, 2020: Added clarifications regarding "Your Choices About What We Do with the Information We Collect", including how to opt out of telemetry collection and where to email with questions.
- December 31, 2019: Added California Consumer Protection Act (CCPA)-specific disclosures; updated cookie disclosure and information on other domains.
- October 21, 2019: Updated list of marketing and analytics services.
- September 12, 2019: Added single sign-on terms.
- June 19, 2019: Minor changes to the privacy shield section.
- March 4, 2019: Updates to SDK collection provisions.
- February 21, 2019: Added language providing more clarity on our right to use information in the event of a dispute under the "Rare and Limited Disclosure" section.
- November 16, 2018: Added language describing information practices specific to Vision SDK.
- October 30, 2018: Added language clarifying limited use of randomly-generated IDs and sharing API logs for the purpose of resolving billing questions.
- June 22, 2018: Added additional marketing and analytics services that integrate directly into our website.
- May 17, 2018: Added additional clarification as to how deletion of Hosted Data works.
- May 14, 2018: Added language to distinguish between website logs and API logs; added more information about cookies and similar technologies; updates to comply with GDPR disclosure requirements.
- November 16, 2017: Added clarifying language regarding corporate emails, removed online merchandise store, and updated policy to cover information submitted to Our Vendors.
- May 12, 2017: Added language regarding data collected through our soon to be launched online merchandise store.
- May 2, 2017: Updated the Privacy Shield certification language.
- April 14, 2017: Re-wrote the policy for the purposes of Privacy Shield certification.
- January 20, 2016: Updated to reflect EU Safe Harbor invalidation.
- July 24, 2015: We now participate in the EU Safe Harbor program.
- July 6, 2015: Added clarification regarding third party services, mobile data collection and user age requirements.
- March 27, 2015: Added guarantee that we will require a warrant for access to location information. Added exception to legal process requirements for life-threatening or similarly dire emergencies.