Mapbox Legal Portal

Mapbox provides a location data platform that powers maps and location services. Mapbox provides SDKs (software   development   kits)   and   APIs   (application   programming   interfaces),   which   businesses   and developers use to incorporate Mapbox mapping and navigation technologies into the licensed applications and  websites  they  make.  The  SDKs  contain  libraries  of  software  code  which  are  incorporated  into  a customer’s  licensed  application  or  website.  These  libraries  of  software  code  facilitate  API  requests  to Mapbox’s location data platform (which is a backend data server, hosted in the cloud (AWS-US)) which then responds with map and location content to the customer’s application or website.
In addition, Mapbox offers an on-premise version of its location data services, called Atlas.

No. Mapbox does not sell personal data.

No. For customers on a monthly active user (“MAU”) billing model, Mapbox maintains counts of MAUs for billing purposes only. Mapbox does not (and cannot) track an end user’s activity across billing cycles and does not build targeted profiles with the data processed through its products/services.

Mapbox applies the principle of data minimization to product development and operations in an effort to collect  only  limited  data  from  the  outset.  Mapbox  operates  a  number  of  technical  and  organization measures regarding the limited personal dataset that we process, such as strict access controls and prompt deletion of raw log files that contain IP addresses and billing IDs. Mapbox deploys regular ID rotation and 1-way hashing for billing IDs, which must be retained for accounting and billing purposes, to minimize the ability  to  track  user  requests  over  time.  Billing  IDs  are  not  transmitted  with  unrelated  events,  further reducing  the  feasibility  of  correlating  a  user’s  activities  over  time.  In  addition,  Mapbox  operates  strict anonymization procedures, such as clipping traces, for telemetry events that send location data.

Communication   through   the   Internet   requires   the   presence   of   IP   addresses,   which   specify   each transmission’s  origin  and  destination.  When  end  users  engage  with  applications  that  access  Mapbox products/services through the Internet, the end user necessarily discloses their current IP address to one or more Mapbox servers. IP addresses are retained in cloudfront logs for 30 days for billing and customer usage reporting, unless involved in an ongoing security, anti-fraud, or misuse investigation.

Mapbox  receives  location  data  when  a  Mapbox  customer’s  end  users  uses  a  licensed  application  that incorporates Mapbox mobile SDKs and the end user has authorized the licensed application’s use of the end user’s device location via their mobile phone or device operating system.

‍

Location  data  includes  fields  such  as  latitude  and  longitude,  altitude,  horizontal  and  vertical  accuracy,  a session  ID  rotating  every  24  hours,  and  origin  IP  address  (as  would  any  Internet  communication).   The  IP address that accompanies location data is retained at the load balancer (where it is used for security and PUBLISHED: Aug 22, 2023https://www.mapbox.com/legal/legal-faq Mapbox Customer FAQ, Page 3billing  purposes  and  discarded  after  30  days).  This  IP  address  is  not  forwarded  to  the  location  telemetry processing pipeline. Location data is encrypted in transit and at rest, and is subject to the principle of least access, with the minimal number of personnel and processes having access to it in its pre-aggregated form.

In the location data anonymization pipeline, the location data is then anonymized by clipping off the origin and destination of the trip and further dividing the trip into segments, which cannot be reassembled. The anonymized  location   data  is  then  used  to  improve  Mapbox  mapping  products,   including  the  Traffic  and Movement data products.

In AWS in the United States. However, for performance purposes, Mapbox regularly caches content on its AWS  content  delivery  network  (“CDN”)  located  in  various  regions.  Mapbox  employees  who  work  for Mapbox wholly-owned subsidiaries may access personal data from the countries where they work in order to support, develop and provide Mapbox products/services.

No. Mapbox’s  products/services  store  and  serve  source  data  from  an  AWS  primary  region  in  the  US.  As noted  above,  data  is  cached  and  served  out  of  various  regions  outside  the  US  for  performance  reasons, however  Mapbox  cannot  serve  its  data  from  one  limited  geographic  region.  To  comply  with  GDPR  and safeguard transfers to the US and other countries, please see Mapbox's DPA, Schedule C, which includes the Standard Contractual Clauses released in 2021 by the European Commission.

Yes.  Mapbox  carefully  scrutinizes  the  personal  data  it  processes  within  its  engineering  lifecycle,  which includes conducting a privacy review for new (or changed) processing activities. Mapbox follows privacy-by-design principles and works diligently to limit the personal data it processes from the outset. A DPIA is conducted in any situation in which processing of personal data may be considered high risk and not able to be accomplished in a lower risk manner.

Mapbox runs a global data protection program designed to operate in compliance with applicable global privacy laws, including: VCDPA (Virginia, USA), UCPA (Utah, USA), UK-GDPR (UK), TIPA (Tennessee, USA), TDPSA (Texas, USA),PIPEDA (Canada), MTCDPA (Montana, USA), LGPD (Brazil),IDPL (Iowa, USA), ICDPA(Indianna,  USA),  GDPR  (Europe),  CTDPA  (Connecticut,  USA),  CCPA  and  its  implementing  regulations including  CPRA  (California,  USA),  CPA  (Colorado,  USA),  and  APPI  (Japan),  among  many  other  important jurisdictions.

Mapbox’s privacy program is based on privacy by design, which includes monitoring for upcoming privacy laws  and  regulations  to  assess  whether  its  practices  may  need  to  be  adjusted  to  maintain  compliance; product/service  privacy  reviews;  data  breach  response  processes; and  operationalized  technical  and organizational measures designed to ensure the security of the personal data it receives including: security audits  and  SOC2  certification;  anonymization  &  pseudonymization  of  personal  data  (where  applicable); strict access control with logging; limited data retention periods.

Yes.  Mapbox  is  SOC2  Type  2  certified  with  a summary  SOC3  report  available  for  customer  review.   In addition, Mapbox earned and maintains Trusted Information Security Assessment Exchange (“TISAX”) and ISO 9001 certifications. Upon request and execution of an NDA, Mapbox may share a copy of its latest SOC2 report.

Mapbox welcomes any further questions you may have regarding its ongoing commitment to privacy and data security. Please contact Mapbox’s privacy office at privacy@mapbox.com.