California Notices At Collection
This privacy policy describes the personal data Mapbox and/or its affiliates (hereinafter collectively referred to as “Mapbox”) may receive and why such personal data may be received in its capacity as a data controller, how such personal data may be used (including whom it may be shared with and for what purposes), and choices about such personal data.
This privacy policy applies to the extent Mapbox processes personal data in its capacity as a data controller under the GDPR (or “business” under the CCPA) when an individual: (a) visits and engages with any of Mapbox’s websites, (b) attends a virtual or in-person Mapbox event, (c) provides contact information for the purposes of Mapbox contacting them about Mapbox products/services, (d) uses third-party websites or applications that cite this privacy policy, (e) provides billing information for Mapbox products/services account administration, or (f) applies to or is contacted about possible employment with Mapbox. Personal data is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined in the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations (“CCPA”), or relating to an identified or identifiable natural person (hereinafter referred to as "personal data").
This Privacy Policy does not apply when Mapbox acts as a data processor. Most Mapbox customer personal data is not governed by this policy. Mapbox operates in the capacity of a data processor for certain personal data when operating Mapbox’s products/services that are purchased by developers and businesses to develop their own licensed applications. As such, customers/prospective customers should read Mapbox’s data processing addendum (“DPA”): https://www.mapbox.com/legal/dpa which governs certain customer personal data that may be processed through use of Mapbox products/services including creation of a Mapbox products/services account. For other data not Processed by Mapbox as a Processor, e.g. billing and usage statistics data, see Mapbox's Product Privacy Policy.
Corporate Accounts: If any account created with Mapbox lists a corporate email address for a company with which an individual is currently (or was formerly) employed (a “Corporate Email”), then the corporate entity to whom the Corporate Email pertains is responsible for privacy practices relating to use of Corporate Email. If Corporate Email is used within the scope of this privacy policy (as described at the top of this privacy policy), then this privacy policy applies. For clarification, commonly known personal email account services (e.g., Gmail, Yahoo, Outlook) are not Corporate Email.
Personal data may be processed by one or more of Mapbox’s affiliates, processors, or service providers in order to operate Mapbox’s business. Therefore, personal data may be processed outside of the location(s) where an individual engaged with Mapbox within the scope of this privacy policy. Personal data may also be processed at Mapbox’s select affiliates' locations and in the United States for account administration and billing.
Mapbox ensures that the transfer of personal data offers an adequate level of protection and security, for instance by entering into the appropriate agreements that continuously ensure the same level of protective measures as set forth in applicable data protection laws and regulations and, if required, standard contractual clauses or an alternative mechanism for the transfer of data as approved by the European Commission (Art. 46 GDPR) or other applicable regulators or legislators.
ADDITIONAL INFORMATION FOR INDIVIDUALS OUTSIDE THE UNITED STATES
Some countries require that companies only process personal data if they have a “legal basis” (or justifiable need) to process personal data. To the extent those laws apply, Mapbox’s legal bases for processing personal data are as follows:
Mapbox stores personal data for so long as it is needed to fulfill the purposes for which it was collected, as described in Section 2 of this privacy policy.
Mapbox takes steps designed to secure personal data in accordance with this privacy policy. Unfortunately, no system is 100% secure, and Mapbox cannot ensure or warrant the security of any personal data it receives. To the fullest extent permitted by applicable law, Mapbox does not accept liability for unintentional or accidental destruction, loss, alteration, unauthorized disclosure or access.
Mapbox products/services, websites, events, and other communications are not intended or directed to children under the age of 18 (or other age of majority as required by local law), and Mapbox does not knowingly collect personal data from children. If the parent or legal guardian learns that their child has provided Mapbox with personal data without their consent, then they should contact Mapbox as set forth below in the Contact Mapbox section of this privacy policy. If Mapbox learns that it has collected personal data in violation of applicable law, it will promptly take steps to delete such personal data.
An individual may opt-out of processing of their personal data within the scope of this privacy policy at any time and prevent further Mapbox processing by contacting Mapbox as described below.
Click the unsubscribe link found at the bottom of the email received from Mapbox to opt out of receiving future commercial emails. Note that for current customers, Mapbox will continue to send non-promotional communications which may not be opted out of (e.g., communications regarding products/services or updates to Mapbox Terms or this privacy policy). Mapbox processes requests to be placed on do-not-mail, do-not-phone, and do-not-contact lists as required by applicable law.
Devices have settings to delete stored cookies and most browsers have the option to decline cookies. However, certain parts of Mapbox’s website (including pages that require login) will not be accessible if Mapbox cookies (first party cookies) are not accepted. In contrast, third-party cookies set by third parties for marketing and analytics purposes on Mapbox’s website can be disabled, in principle, without affecting access. For information about cookies on Mapbox’s website and how to change browser cookie settings, please visit the Mapbox website here.
To exercise your right to deletion of personal data, please complete the form here. For any other rights, please contact Mapbox at privacy@mapbox.com. In your email, include your name and your request or question. To protect privacy, Mapbox will take steps to verify the identity of the requestor before fulfilling the request. Mapbox will process such requests in accordance with applicable laws. Although we encourage you to contact us if you have questions or complaints, you also have the right to lodge a complaint in the EU and UK with the appropriate supervisory authority in your jurisdiction. In some cases, these rights may be subject to exceptions, as permitted by applicable law.
Personal Data Mapbox May Receive
How Mapbox Uses Personal Data
To Whom Mapbox May Disclose Personal Data
Data Retention
Mapbox will update this privacy policy at its own discretion from time to time to reflect changes in Mapbox’s practices, technologies, legal requirements, and other factors.
Mapbox would love to hear any questions, concerns, or feedback about this privacy policy or Mapbox’s data protection practices. Please contact Mapbox at privacy@mapbox.com.
See Section 9 below for "California Notice At Collection"
Mapbox provides a location data platform that powers map and location services in a wide variety of web, mobile, game and embedded device applications. Mapbox customers are developers/companies who embed Mapbox software development kits (SDKs) or integrate with Mapbox application program interfaces (APIs) (collectively, “Mapbox materials”) in their licensed applications to enable maps and location features.
This product privacy policy applies when Mapbox is processing personal data (sometimes referred to as personal information), from an end user of a licensed application (provided by Mapbox or one of its customers) that contains Mapbox materials, in its capacity (where legally applicable) as an independent data controller. For example, when Mapbox determines the purpose and means of processing such as making decisions about how to process personal data that benefits Mapbox customers generally, not just a single customer, Mapbox is processing as an independent data controller. In all cases, Mapbox’s processing of personal data continues to be controlled by its contracts with Mapbox customers, this product privacy policy and applicable data protection laws and regulations.
Personal data is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, or relating to an identified or identifiable natural person, or data defined as personal information or personal data under applicable data protection laws and regulations (in this policy, referred to as "personal data”).
Additional Privacy Policy: Mapbox also processes as a data controller when individuals use any Mapbox website or engage with Mapbox marketing programs, including attending live or virtual events or applying for a job with Mapbox. Please see the applicable Mapbox privacy policy, available here.
Mapbox applies the principle of data minimization to its product development and operations in an effort to collect the least amount of personal data from the outset. The limited personal dataset that Mapbox may receive, outlined below, describes personal data categories and associated example data elements. Please note, many data elements are only classified as personal data when combined with an associated IP address, other persistent identifier or data element capable of identifying or being reasonably linked to a natural person.
Dash branded products and services: In addition to the above categories of personal data, Mapbox may also collect the following categories of personal data (specific to its Dash branded products and services).
Mapbox does not process personal data for the purposes of identifying an individual or creating or maintaining records about an individual. Instead, Mapbox processes personal data to:
Mapbox processes de-identified data only in a de-identified form and does not permit attempts to re-identify such data or associate with a natural person.
Dash branded products and services: In addition to the above uses of personal data, Mapbox may also use personal data in the following ways (specific to its Dash branded products and services).
Mapbox may disclose personal data to:
Dash branded products and services: In addition to the above parties that Mapbox may disclose personal data to, Mapbox may also disclose personal data to the following third party independent controllers (specific to its Dash branded products and services).
Personal data may be processed by one or more Mapbox affiliates, processors, or service providers in order to operate Mapbox’s business – for example, in the United States for account administration and billing. Therefore, personal data may be processed outside of the location from which it was received. Mapbox ensures that the transfer of personal data offers an adequate level of protection and security, for instance by entering into the appropriate agreements that continuously ensure the same level of protective measures as set forth in applicable data protection laws and regulations and, if required, standard contractual clauses or an alternative mechanism for the transfer of data as approved by the European Commission (Art. 46 GDPR) or other applicable regulators or legislators.
Some countries require that companies only process personal data if they have a “legal basis” (or justifiable need) to process personal data. To the extent those laws apply, Mapbox’s legal bases to process personal data are as follows:
In all cases of data processing on the basis of legitimate interests, Mapbox considers the impact on the rights and freedoms of the individuals whose data may be part of the processing, and ensures that its processing activities do not contradict or place at unreasonable risk any such rights or freedoms. Mapbox has assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals. In all cases, Mapbox ensures that such processing is legal, fair, and reasonable.
Mapbox stores personal data for so long as Mapbox determines it is needed to fulfill the purposes for which it was collected, as described in Section 2 above. In determining how long to retain personal data, Mapbox considers the amount, nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which personal data is processed, applicable legal requirements, and Mapbox’s legitimate interests. The purposes for which Mapbox processes data may dictate different retention periods for the same types of data. For example, Mapbox retains IP addresses for 30 days and after such time, in select instances, may need to extend such retention period for an investigation based on its legitimate interests to secure its products and services, prevent fraud and for legal compliance purposes.
Mapbox takes steps designed to secure personal data in accordance with this product privacy policy. Unfortunately, no system is 100% secure, and Mapbox cannot ensure or warrant the security of any personal data it receives. To the fullest extent permitted by applicable law, Mapbox does not accept liability for unintentional or accidental destruction, loss, alteration, unauthorized disclosure or access.
Mapbox products and services are not intended or directed to children under the age of 18 (or other age of majority as required by local law), and Mapbox does not knowingly collect personal data from children. If the parent or legal guardian learns that their child has provided Mapbox with personal data without their consent, then they should contact Mapbox as set forth below in the Contact Mapbox section of this product privacy policy. If Mapbox learns that it has collected personal data in violation of applicable data protection laws and regulations, it will promptly take steps to delete such personal data.
To the fullest extent possible, Mapbox will fulfill data subject rights requests provided it can match a data subject (natural person to whom the personal data in question pertains) to personal data that Mapbox processes. Mapbox does not, and is not required to, collect additional personal data in order to positively identify a data subject.
As outlined in Section 1 above, Mapbox receives only minimal personal data and operates controls designed to promptly de-identify and anonymize such personal data. For example, Mapbox deletes IP addresses within 30 days of receipt (unless required for an investigation), so it is unlikely that Mapbox would have personal data capable of identifying a data subject after 30 days of receiving such data. However, if verifiable and detailed information is available, Mapbox will work with the data subject to determine if the request can reasonably be met. The data subject will need to provide a valid email address so that Mapbox can communicate and support the request, as well as any information that Mapbox determines may be needed to verify whether it holds any applicable personal data.
In accordance with applicable data protection laws and regulations and depending upon the data subject’s residency, the data subject to whom the personal data pertains may have the right to request the following regarding certain of their personal data:
To request deletion of certain personal data, please complete the form here. For any other request to exercise rights, please contact Mapbox at privacy@mapbox.com. The requesting email must come from the data subject to whom the personal data pertains and include the data subject’s name, email address and specific request or question. To protect privacy, Mapbox will take steps to verify the identity of the requestor before fulfilling the request. Mapbox will process such requests in accordance with applicable data protection laws and regulations.
To the extent required in the state where the data subject resides and where Mapbox has denied such data subject’s earlier request, the data subject may file an appeal with Mapbox for reconsideration. To file an appeal, please contact Mapbox at privacy@mapbox.com. The requesting email must come from the data subject to whom the personal data pertains and include the data subject’s name, email address and reference to the specific request and denial.
Mapbox encourages data subjects to contact it directly with any questions or complaints. However, Mapbox acknowledges and informs the data subject that they have the right to lodge a complaint in the EU and UK with the appropriate supervisory authority in the applicable jurisdiction; and in select United States states, to contact the respective state’s Attorney General’s Office, whose contact information may be identified here https://www.usa.gov/state-attorney-general (or successor link). In some cases, these rights may be subject to exceptions, as permitted by applicable law.
Personal Data Mapbox May Receive
Mapbox applies the principle of data minimization to its product development and operations in an effort to collect the least amount of personal data from the outset. The limited personal dataset that Mapbox may receive, outlined below, describes personal data categories and associated example data elements. Please note, many data elements are only classified as personal data when combined with an associated IP address, other persistent identifier or data element capable of identifying or being reasonably linked to a natural person.
Dash branded products and services: In addition to the above categories of personal data, Mapbox may also collect the following categories of personal data (specific to its Dash branded products and services).
Mapbox does not process personal data for the purposes of identifying an individual or creating or maintaining records about an individual. Instead, Mapbox processes personal data to:
Mapbox processes de-identified data only in a de-identified form and does not permit attempts to re-identify such data or associate with a natural person.
Dash branded products and services: In addition to the above uses of personal data, Mapbox may also use personal data in the following ways (specific to its Dash branded products and services).
Mapbox may disclose personal data to:
Dash branded products and services: In addition to the above parties that Mapbox may disclose personal data to, Mapbox may also disclose personal data to the following third party independent controllers (specific to its Dash branded products and services).
Data Retention
Mapbox stores personal data for so long as Mapbox determines it is needed to fulfill the purposes for which it was collected, as described in Section 2 above. In determining how long to retain personal data, Mapbox considers the amount, nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which personal data is processed, applicable legal requirements, and Mapbox’s legitimate interests. The purposes for which Mapbox processes data may dictate different retention periods for the same types of data. For example, Mapbox retains IP addresses for 30 days and after such time, in select instances, may need to extend such retention period for an investigation based on its legitimate interests to secure its products and services, prevent fraud and for legal compliance purposes.
Mapbox will update this product privacy policy at its own discretion from time to time to reflect changes in Mapbox’s practices, technologies, legal requirements, and other factors.
Mapbox would love to hear any questions, concerns, or feedback about this product privacy policy or Mapbox’s data protection practices. Please contact Mapbox at privacy@mapbox.com.
Last Updated: Aug 22, 2023
Mapbox provides a location data platform that powers maps and location services. Mapbox provides SDKs (software development kits) and APIs (application programming interfaces), which businesses and developers use to incorporate Mapbox mapping and navigation technologies into the licensed applications and websites they make. The SDKs contain libraries of software code which are incorporated into a customer’s licensed application or website. These libraries of software code facilitate API requests to Mapbox’s location data platform (which is a backend data server, hosted in the cloud (AWS-US)) which then responds with map and location content to the customer’s application or website.
In addition, Mapbox offers an on-premise version of its location data services, called Atlas.
No. Mapbox does not sell personal data.
No. For customers on a monthly active user (“MAU”) billing model, Mapbox maintains counts of MAUs for billing purposes only. Mapbox does not (and cannot) track an end user’s activity across billing cycles and does not build targeted profiles with the data processed through its products/services.
Mapbox applies the principle of data minimization to product development and operations in an effort to collect only limited data from the outset. Mapbox operates a number of technical and organizational measures regarding the limited personal dataset that we process, such as strict access controls and prompt deletion of raw log files that contain IP addresses and billing IDs. Mapbox deploys regular ID rotation and 1-way hashing for billing IDs, which must be retained for accounting and billing purposes, to minimize the ability to track user requests over time. Billing IDs are not transmitted with unrelated events, further reducing the feasibility of correlating a user’s activities over time. In addition, Mapbox operates strict anonymization procedures, such as clipping traces, for telemetry events that send location data.
Communication through the Internet requires the presence of IP addresses, which specify each transmission’s origin and destination. When end users engage with applications that access Mapbox products/services through the Internet, the end user necessarily discloses their current IP address to one or more Mapbox servers. IP addresses are retained in CloudFront logs for 30 days for billing and customer usage reporting, unless involved in an ongoing security, anti-fraud, or misuse investigation.
Mapbox receives location data when a Mapbox customer’s end users use a licensed application that incorporates Mapbox mobile SDKs and the end user has authorized the licensed application’s use of the end user’s device location via their mobile phone or device operating system.
Location data includes fields such as latitude and longitude, altitude, horizontal and vertical accuracy, a session ID rotating every 24 hours, and origin IP address (as would any Internet communication). The IP address that accompanies location data is retained at the load balancer (where it is used for security and billing purposes and discarded after 30 days). This IP address is not forwarded to the location telemetry processing pipeline. Location data is encrypted in transit and at rest, and is subject to the principle of least access, with the minimal number of personnel and processes having access to it in its pre-aggregated form.
In the location data anonymization pipeline, the location data is then anonymized by clipping off the origin and destination of the trip and further dividing the trip into segments, which cannot be reassembled. The anonymized location data is then used to improve Mapbox mapping products, including the Traffic and Movement data products.
In AWS in the United States. However, for performance purposes, Mapbox regularly caches content on its AWS content delivery network (“CDN”) located in various regions. Mapbox employees who work for Mapbox wholly-owned subsidiaries may access personal data from the countries where they work in order to support, develop and provide Mapbox products/services.
No. Mapbox’s products/services store and serve source data from an AWS primary region in the US. As noted above, data is cached and served out of various regions outside the US for performance reasons; however, Mapbox cannot serve its data from one limited geographic region. To comply with GDPR and safeguard transfers to the US and other countries, please see Mapbox's DPA, Schedule C, which includes the Standard Contractual Clauses released in 2021 by the European Commission.
Yes. Mapbox carefully scrutinizes the personal data it processes within its engineering lifecycle, which includes conducting a privacy review for new (or changed) processing activities. Mapbox follows privacy-by-design principles and works diligently to limit the personal data it processes from the outset. A DPIA is conducted in any situation in which processing of personal data may be considered high risk and not able to be accomplished in a lower risk manner.
Mapbox runs a global data protection program designed to operate in compliance with applicable global privacy laws, including: VCDPA (Virginia, USA), UCPA (Utah, USA), UK-GDPR (UK), TIPA (Tennessee, USA), TDPSA (Texas, USA), PIPEDA (Canada), MTCDPA (Montana, USA), LGPD (Brazil), IDPL (Iowa, USA), ICDPA (Indiana, USA), GDPR (Europe), CTDPA (Connecticut, USA), CCPA and its implementing regulations including CPRA (California, USA), CPA (Colorado, USA), and APPI (Japan), among many other important jurisdictions.
Mapbox’s privacy program is based on privacy by design, which includes monitoring for upcoming privacy laws and regulations to assess whether its practices may need to be adjusted to maintain compliance; product/service privacy reviews; data breach response processes; and operationalized technical and organizational measures designed to ensure the security of the personal data it receives including: security audits and SOC2 certification; anonymization & pseudonymization of personal data (where applicable); strict access control with logging; limited data retention periods.
Yes. Mapbox is SOC2 Type 2 certified with a summary SOC3 report available for customer review. In addition, Mapbox earned and maintains Trusted Information Security Assessment Exchange (“TISAX”) and ISO 9001 certifications. Upon request and execution of an NDA, Mapbox may share a copy of its latest SOC2 report.
Mapbox welcomes any further questions you may have regarding its ongoing commitment to privacy and data security. Please contact Mapbox’s privacy office at privacy@mapbox.com.