This privacy policy describes the personal data Mapbox and/or its affiliates (hereinafter collectively referred to as “Mapbox”) may receive and why such personal data may be received in its capacity as a data controller, how such personal data may be used (including whom it may be shared with and for what purposes), and choices about such personal data.
See Section 9 for "California Notice At Collection".
This privacy policy applies to the extent Mapbox processes personal data in its capacity as a data controller under the GDPR (or “business” under the CCPA) when an individual: (a) visits and engages with any of Mapbox’s websites, (b) attends a virtual or in-person Mapbox event, (c) provides contact information for the purposes of Mapbox contacting them about Mapbox products/services, (d) uses third-party websites or applications that cite this privacy policy, (e) provides billing information for Mapbox products/services account administration, or (f) applies to or is contacted about possible employment with Mapbox. Personal data is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined in the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations (“CCPA”), or relating to an identified or identifiable natural person (hereinafter referred to as "personal data").
This Privacy Policy does not apply when Mapbox acts as a data processor. Most Mapbox customer personal data is not governed by this policy. Mapbox operates in the capacity of a data processor (and not a data controller) for customer personal data when operating Mapbox’s products/services that are purchased by developers and businesses to develop their own licensed applications. As such, customers/prospective customers should read Mapbox’s data processing addendum (“DPA”): https://www.mapbox.com/legal/dpa which governs personal data that may be processed through use of Mapbox products/services including creation of a Mapbox products/services account.
Corporate Accounts: If any account created with Mapbox lists a corporate email address for a company with which an individual is currently (or was formerly) employed (a “Corporate Email”), then the corporate entity to whom the Corporate Email pertains is responsible for privacy practices relating to use of Corporate Email. If Corporate Email is used within the scope of this privacy policy (as described at the top of this privacy policy), then this privacy policy applies. For clarification, commonly known personal email account services (e.g., Gmail, Yahoo, Outlook) are not Corporate Email.
Personal data may be processed by one or more of Mapbox’s affiliates, processors, or service providers in order to operate Mapbox’s business. Therefore, personal data may be processed outside of the location(s) where an individual engaged with Mapbox within the scope of this privacy policy. Personal data may also be processed at Mapbox’s select affiliates' locations and in the United States for account administration and billing.
Mapbox ensures that the transfer of personal data offers an adequate level of protection and security, for instance by entering into the appropriate agreements that continuously ensure the same level of protective measures as set forth in applicable data protection laws and regulations and, if required, standard contractual clauses or an alternative mechanism for the transfer of data as approved by the European Commission (Art. 46 GDPR) or other applicable regulators or legislators.
ADDITIONAL INFORMATION FOR INDIVIDUALS OUTSIDE THE UNITED STATES
Some countries require that companies only process personal data if they have a “legal basis” (or justifiable need) to process personal data. To the extent those laws apply, Mapbox’s legal bases for processing personal data are as follows:
Mapbox stores personal data for so long as it is needed to fulfill the purposes for which it was collected, as described in Section 2 of this privacy policy.
Mapbox takes steps designed to secure personal data in accordance with this privacy policy. Unfortunately, no system is 100% secure, and Mapbox cannot ensure or warrant the security of any personal data it receives. To the fullest extent permitted by applicable law, Mapbox does not accept liability for unintentional or accidental destruction, loss, alteration, unauthorized disclosure or access.
Mapbox products/services, websites, events, and other communications are not intended or directed to children under the age of 18 (or other age of majority as required by local law), and Mapbox does not knowingly collect personal data from children. If the parent or legal guardian learns that their child has provided Mapbox with personal data without their consent, then they should contact Mapbox as set forth below in the Contact Mapbox section of this privacy policy. If Mapbox learns that it has collected personal data in violation of applicable law, it will promptly take steps to delete such personal data.
An individual may opt-out of processing of their personal data within the scope of this privacy policy at any time and prevent further Mapbox processing by contacting Mapbox as described below.
Click the unsubscribe link found at the bottom of the email received from Mapbox to opt out of receiving future commercial emails. Note that for current customers, Mapbox will continue to send non-promotional communications which may not be opted out of (e.g., communications regarding products/services or updates to Mapbox Terms or this privacy policy). Mapbox processes requests to be placed on do-not-mail, do-not-phone, and do-not-contact lists as required by applicable law.
Devices have settings to delete stored cookies and most browsers have the option to decline cookies. However, certain parts of Mapbox’s website (including pages that require login) will not be accessible if Mapbox cookies (first party cookies) are not accepted. In contrast, third-party cookies set by third parties for marketing and analytics purposes on Mapbox’s website can be disabled, in principle, without affecting access. For information about cookies on Mapbox’s website and how to change browser cookie settings, please visit the Mapbox website here.
To exercise your right to deletion of personal data, please complete the form here. For any other rights, please contact Mapbox at privacy@mapbox.com. In your email, include your name and your request or question. To protect privacy, Mapbox will take steps to verify the identity of the requestor before fulfilling the request. Mapbox will process such requests in accordance with applicable laws. Although we encourage you to contact us if you have questions or complaints, you also have the right to lodge a complaint in the EU and UK with the appropriate supervisory authority in your jurisdiction. In some cases, these rights may be subject to exceptions, as permitted by applicable law.
Personal Data Mapbox May Receive
How Mapbox Uses Personal Data
To Whom Mapbox May Disclose Personal Data
Data Retention
Mapbox will update this privacy policy at its own discretion from time to time to reflect changes in Mapbox’s practices, technologies, legal requirements, and other factors.
Mapbox would love to hear any questions, concerns, or feedback about this privacy policy or Mapbox’s data protection practices. Please contact Mapbox at privacy@mapbox.com.
Last Updated: December 2022
No. Mapbox is an API and SDK platform company. Mapbox customer end user applications send structured requests to Mapbox and then receive (from Mapbox) the requested information (e.g., a specific map tile or route from A to B).
No. However, some customers do choose to upload map data to Mapbox for distribution to their end users. Customers may elect to use Mapbox Upload APIs (currently, Uploads, Tilesets and Datasets), although customers may also technically restrict their developers from using the Upload APIs through token scoping.
Data Processor. Mapbox’s Data Processing Addendum (“DPA”) is incorporated into any applicable agreement with its customers and scoped broadly enough to encompass many global privacy laws. Mapbox's goal is to provide transparency about the data entrusted to it, how such data is used, and the technical and organizational measures designed to protect such data.
Yes. Mapbox is SOC2 Type 2 certified and its summary SOC3 report is available for customer review. Upon request and execution of an NDA, Mapbox may share a copy of its latest SOC2 report.
Mapbox takes privacy and data security very seriously and implements processes designed to operate in compliance with: VCDPA (Virginia, USA), UK-GDPR (UK), GDPR (Europe), CTDPA (Connecticut, USA), CCPA and its implementing regulations including CPRA (California, USA), and APPI (Japan), among many other important jurisdictions.
Mapbox runs a global data protection program, based on privacy by design, which includes monitoring for upcoming privacy laws and regulations to assess whether its practices may need to be adjusted to maintain compliance; product/service privacy reviews; data breach response processes; and operationalized technical and organizational measures designed to ensure the security of the personal data it receives including: security audits and SOC2 certification; encryption of IP addresses in transit and at rest; pseudonymization of personal data (where applicable); strict access control with logging; limited data retention periods.
In some jurisdictions consent from the end user may be required to collect and process location based data (e.g., Virginia and Connecticut). To the extent customer’s end users are in such locations and customer’s application is implicated by these laws, customer shall obtain end users' affirmative express consent before making available to such end users Mapbox products/services within the customer’s licensed application that collects or processes location data. Additionally, customers shall at all times allow end users to opt out of location data sharing using one of the methods described in Mapbox’s developer documentation.
Please see Mapbox DPA, Schedule B to learn what personal data may be collected and how it is used. Mapbox applies the principle of data minimization to product development and operations in an effort to ensure the least amount of personal data is collected from the outset. Regarding the limited personal dataset that Mapbox processes, it has implemented a number of technical and organizational measures designed to ensure data protection, including prompt deletion of raw log files that contain IP addresses and billing IDs. For billing IDs, which need to be retained for accounting and billing purposes, Mapbox deploys regular ID rotation and 1-way hashing to minimize the ability to track user requests over time. In addition, Mapbox operates strict de-identification procedures, such as clipping traces, for telemetry events that send location data.
Transmission of information across the Internet requires the presence of IP addresses, which define where information will be sent and where such data is coming from. When end users engage with applications that access Mapbox products/services over the Internet, the end user necessarily discloses their current IP address to one or more Mapbox servers.
The United States. However, for performance purposes, Mapbox regularly caches content on its AWS CDN network located in various regions. When content is unavailable in the CDN cache or where the API service requires custom calculations, the requests are routed to the US for processing. Mapbox also utilizes the services of employees who work for Mapbox wholly-owned subsidiaries in order to support, develop and provide its products/services.
No. Mapbox’s products/services store and serve source data from an AWS primary region in the US. Data is sometimes cached and served out of various regions outside the US for performance reasons, as described in the questions/response above, but Mapbox cannot serve its data from one limited geographic region. To safeguard such transfers to the US and other regions, please see Mapbox's DPA, Schedule C, which includes the Standard Contractual Clauses released in 2021 by the European Commission.
No. Mapbox does not sell personal data or build targeted profiles with personal data processed through its products/services.
No. For customers on a monthly active user (“MAU”) billing model, Mapbox maintains counts of such MAUs for billing purposes only. Mapbox does not (and cannot) track an end user’s activity across such 30-day billing cycles.
Mapbox welcomes any further questions you may have regarding its ongoing commitment to privacy and data security. Please contact Mapbox’s privacy office at privacy@mapbox.com.