Mapbox Legal Portal
Mapbox Privacy Policies
California Notices At Collection
- Privacy Policy "California Notice At Collection"
- Product Privacy Policy "California Notice At Collection"
Privacy Policy
This privacy policy describes the personal data Mapbox and/or its affiliates (hereinafter collectively referred to as “Mapbox”) may receive and why such personal data may be received in its capacity as a data controller, how such personal data may be used (including whom it may be shared with and for what purposes), and choices about such personal data.
This privacy policy applies to the extent Mapbox processes personal data in its capacity as a data controller under the GDPR (or “business” under the CCPA) when an individual: (a) visits and engages with any of Mapbox’s websites, (b) attends a virtual or in-person Mapbox event, (c) provides contact information for the purposes of Mapbox contacting about Mapbox products/services, (d) uses third-party websites or applications that cite this privacy policy, (e) provide billing information for Mapbox products/services account administration, or (f) apply to or are contacted about possible employment with Mapbox. Personal data is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined in the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations (“CCPA”), or relating to an identified or identifiable natural person (hereinafter referred to as "personal data").
This Privacy Policy does not apply when Mapbox acts as a data processor. Most Mapbox customer personal data is not governed by this policy. Mapbox operates in the capacity of a data processor for certain personal data when operating Mapbox’s products/services that are purchased by developers and businesses to develop their own licensed applications. As such, customers/prospective customers should read Mapbox’s data processing addendum (“DPA”): https://www.mapbox.com/legal/dpa which governs certain customer personal data that may be processed through use of Mapbox products/services including creation of a Mapbox products/services account. For other data not Processed by Mapbox as a Processor, e.g. billing and usage statistics data, see Mapbox's Product Privacy Policy.
Corporate Accounts: If any account created with Mapbox lists a corporate email address for a company with which an individual is currently (or was formerly) employed (a “Corporate Email”), then the corporate entity to whom the Corporate Email pertains is responsible for privacy practices relating to use of Corporate Email. If Corporate Email is used within the scope of this privacy policy (as described at the top of this privacy policy), then this privacy policy applies. For clarification, commonly known personal email account services (e.g., Gmail, Yahoo, Outlook) are not Corporate Email.
Personal Data Mapbox May Receive
- Identifiers: Such as, name, address, email, phone number, Mapbox account username.
- Commercial information: Such as, transaction data including billing contact’s name, work phone number, work email, work address, professional title, and company name.
- Financial data: Such as, credit card data is not processed by Mapbox. Instead, credit card data is processed by Stripe, a third-party PCI-certified payment service provider, in accordance with its Privacy Policy.
- Internet or other network or device activity: When visiting any Mapbox websites, Mapbox automatically receives certain information such as: (a) browser and device type, (b) operating system, and (c) referring web pages including the pages visited on such sites. And information such as, IP address, data collected via strictly necessary and accepted website cookies / similar technologies. For information about cookies on Mapbox’s website, settings, and how to change browser cookie settings, please visit Mapbox’s website here.
- Employment data: Such as, education and employment history and other relevant personal data provided in an employment application submitted to Mapbox, information from a background check including information provided from reference checks.
- Location information: Such as, the location of an event where an individual signed up to receive communication or interact with Mapbox.
- User-generated content: Such as, a public comment provided by an individual in a Mapbox hosted webinar, Mapbox blog, or like Mapbox forum. For avoidance of doubt, an individual’s Mapbox product/service feedback does not constitute user-generated content.
- Inference data about an individual: Such as, services Mapbox thinks an individual may be interested in based on prior purchases or website browsing, subject to the Mapbox cookie policy.
- Other information that identifies or can be reasonably associated with an individual: Such as, contents of correspondence with: 1) a Mapbox service provider in order to bill for items that may have been shipped upon an individual’s request as a result of the individual’s engagement with a Mapbox marketing campaign in person or virtually. 2) Mapbox, whether received through a form submitted on its website, conversation (in person, virtual, or phone call) with its staff, or via an email sent to an [at]mapbox email account. 3) And such as, personal data from entities who provide personal data about individuals, their job functions, and the companies they work for. Such entities attests to Mapbox that they have obtained all necessary consents and have lawful grounds to share such personal data with Mapbox.
How Mapbox Uses Personal Data
Mapbox uses personal data to:
- Provide, test, maintain/support, secure and improve Mapbox’s websites, to prevent fraud, misuse and cyberattacks, to calculate de-identified aggregate statistics, and for account administration/ billing purposes.
- Send marketing information, product recommendations and other non-transactional communications (e.g., marketing newsletters, telemarketing calls, SMS or push notifications, information about Mapbox products, news or events) about Mapbox, its affiliates and partners.
- Plan or host virtual or in person events, contests, or other programs.
- Create and manage the recruitment system, job applications and a database of interested individuals and leads (including verifying the information provided to Mapbox) and assess and evaluate applicants skills and qualifications against the position(s) applied for.
- Cooperate with public and government authorities, courts or regulators in accordance with Mapbox’s legal obligations.
- Comply with applicable law.
To Whom Mapbox May Disclose Personal Data
Mapbox may disclose personal data to:
- Mapbox service providers who need to access such personal data in order to provide any of the services, or related services to those, outlined in Section 2 of this privacy policy. However, prior to sharing personal data with such parties, Mapbox will have a written agreement consistent with the obligations outlined in applicable data protection laws and regulations.
- Advertising and analytics partners. Any secondary use or sharing of personal data obtained through the use of third party cookies by these third parties is subject to their respective privacy policies. For information about cookies on Mapbox’s website and how to change browser cookie settings, please visit Mapbox’s website here.
- In response to a request so long as Mapbox believes disclosure is in accordance with, or required by, any applicable law, regulation or legal process.
- If Mapbox has a good-faith belief that access, use, preservation, or disclosure of the personal data is reasonably necessary to enforce its terms of service, detect, prevent, or otherwise address threats to its platform, or protect against harm to the rights, property or safety of Mapbox, its users, or the public as required or permitted by law.
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of Mapbox’s business by another company.
International Transfers
Personal data may be processed by one or more Mapbox affiliates, processors, or service providers in order to operate Mapbox’s business – for example, in the United States for account administration and billing. Therefore, personal data may be processed outside of the location from which it was received. Mapbox ensures that the transfer of personal data offers an adequate level of protection and security, for instance by entering into the appropriate agreements that continuously ensure the same level of protective measures as set forth in applicable data protection laws and regulations and certification certification under the EU-US Data Privacy Framework, UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework (collectively, the “Data Privacy Framework” or “DPF”), and, if required, standard contractual clauses or alternative mechanism for the transfer of data as approved by the European Commission (Art. 46 GDPR) or other applicable regulators or legislators.
Mapbox’s Notice of Certification under the DPF, is available here: https://www.mapbox.com/legal/notice-of-certification
ADDITIONAL INFORMATION FOR INDIVIDUALS OUTSIDE THE UNITED STATES
4.1 Legal bases for processing personal data:
Some countries require that companies only process personal data if they have a “legal basis” (or justifiable need) to process personal data. To the extent those laws apply, Mapbox’s legal bases to process personal data are as follows:
- To comply with a legal obligation to which Mapbox, as a controller, is subject.
- To protect the vital interests of an individual or of another natural person.
- For the purposes of the legitimate interests pursued by Mapbox as the controller or by an independent third party controller, except where the individual’s interests or fundamental rights and freedoms override such interests.
- Performance of the contract.
- Consent.
In all cases of data processing on the basis of legitimate interests, Mapbox considers the impact on the rights and freedoms of the individuals whose data may be part of the processing, and ensures that its processing activities do not contradict or place at unreasonable risk any such rights or freedoms. Mapbox has assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals. In all cases, Mapbox ensures that such processing is legal, fair, and reasonable.
Retention
Mapbox stores personal data for so long as it is needed to fulfill the purposes for which it was collected, as described in Section 2 of this privacy policy.
Security
Mapbox takes steps designed to secure personal data in accordance with this privacy policy. Unfortunately, no system is 100% secure, and Mapbox cannot ensure or warrant the security of any personal data it receives. To the fullest extent permitted by applicable law, Mapbox does not accept liability for unintentional or accidental destruction, loss, alteration, unauthorized disclosure or access.
Children
Mapbox products/services, websites, events, and other communications are not intended or directed to children under the age of 18 (or other age of majority as required by local law), and Mapbox does not knowingly collect personal data from children. If the parent or legal guardian learns that their child has provided Mapbox with personal data without their consent, then they should contact Mapbox as set forth below in the Contact Mapbox section of this privacy policy. If Mapbox learns that it has collected personal data in violation of applicable law, it will promptly take steps to delete such personal data.
Choices About Personal Data
An individual may opt-out of processing of their personal data within the scope of this privacy policy at any time and prevent further Mapbox processing by contacting Mapbox as described below.
- Email and Telephone Communications:
Click the unsubscribe link found at the bottom of the email received from Mapbox to opt out of receiving future commercial emails. Note that for current customers, Mapbox will continue to send non-promotional communications which may not be opted out of (e.g., communications regarding products/services or updates to Mapbox Terms or this privacy policy). Mapbox processes requests to be placed on do-not-mail, do-not-phone, and do-not-contact lists as required by applicable law.
- Website logs and cookies:
Devices have settings to delete stored cookies and most browsers have the option to decline cookies. However, certain parts of Mapbox’s website (including pages that require login) will not be accessible if Mapbox cookies (first party cookies) are not accepted. In contrast, third-party cookies set by third parties for marketing and analytics purposes on Mapbox’s website can be disabled, in principle, without affecting access. For information about cookies on Mapbox’s website and how to change browser cookie settings, please visit the Mapbox website here.
- In accordance with applicable law, the individual to whom the personal data pertains may have the following rights regarding their personal data:
- Access/view personal data
- Portability of personal data in a commonly machine readable format
- Correct personal data where it is inaccurate or incomplete
- Deletion of personal data
- Restrict or object to processing of personal data
- Opt-out of the sale of personal data, if applicable, where such requests are permitted by law and as defined in the CCPA.
To exercise your right to deletion of personal data, please complete the form here. For any other rights, please contact Mapbox at [email protected]. In your email include name, and request or question. To protect privacy, Mapbox will take steps to verify the identity of the requestor before fulfilling the request. Mapbox will process such requests in accordance with applicable laws. Although we encourage you to contact us if you have questions or complaints, you also have the right to lodge a complaint in the EU and UK with the appropriate supervisory authority in your jurisdiction. In some cases, these rights may be subject to exceptions, as permitted by applicable law.
Additional Information For California Residents
9.1 California Notice At Collection:
Personal Data Mapbox May Receive
- Identifiers: Such as, name, address, email, phone number, Mapbox account username.
- Commercial information: Such as, transaction data including billing contact’s name, work phone number, work email, work address, professional title, and company name.
- Financial data: Such as, credit card data is not processed by Mapbox. Instead, credit card data is processed by Stripe, a third-party PCI-certified payment service provider, in accordance with its Privacy Policy.
- Internet or other network or device activity: When visiting any Mapbox websites, Mapbox automatically receives certain information such as: (a) browser and device type, (b) operating system, and (c) referring web pages including the pages visited on such sites. And information such as, IP address, data collected via strictly necessary and accepted website cookies / similar technologies. For information about cookies on Mapbox’s website, settings, and how to change browser cookie settings, please visit Mapbox’s website here.
- Employment data: Such as, education and employment history and other relevant personal data provided in an employment application submitted to Mapbox, information from a background check including information provided from reference checks.
- Location information: Such as, the location of an event where an individual signed up to receive communication or interact with Mapbox.
- User-generated content: Such as, a public comment provided by an individual in a Mapbox hosted webinar, Mapbox blog, or like Mapbox forum. For avoidance of doubt, an individual’s Mapbox product/service feedback does not constitute user-generated content.
- Inference data about an individual: Such as, services Mapbox thinks an individual may be interested in based on prior purchases or website browsing, subject to the Mapbox cookie policy.
- Other information that identifies or can be reasonably associated with an individual: Such as, contents of correspondence with: 1) a Mapbox service provider in order to bill for items that may have been shipped upon an individual’s request as a result of the individual’s engagement with a Mapbox marketing campaign in person or virtually. 2) Mapbox, whether received through a form submitted on its website, conversation (in person, virtual, or phone call) with its staff, or via an email sent to an [at]mapbox email account. 3) And such as, personal data from entities who provide personal data about individuals, their job functions, and the companies they work for. Such entities attests to Mapbox that they have obtained all necessary consents and have lawful grounds to share such personal data with Mapbox.
How Mapbox Uses Personal Data
- Provide, test, maintain/support, secure and improve Mapbox’s websites, to prevent fraud, misuse and cyberattacks, to calculate de-identified aggregate statistics, and for account administration/ billing purposes.
- Send marketing information, product recommendations and other non-transactional communications (e.g., marketing newsletters, telemarketing calls, SMS or push notifications, information about Mapbox products, news or events) about Mapbox, its affiliates and partners.
- Plan or host virtual or in person events, contests, or other programs.
- Create and manage the recruitment system, job applications and a database of interested individuals and leads (including verifying the information provided to Mapbox) and assess and evaluate applicants skills and qualifications against the position(s) applied for.
- Cooperate with public and government authorities, courts or regulators in accordance with Mapbox’s legal obligations.
- Comply with applicable law.
To Whom Mapbox May Disclose Personal Data
- Mapbox service providers who need to access such personal data in order to provide any of the services, or related services to those, outlined in Section 2 of this privacy policy. However, prior to sharing personal data with such parties, Mapbox will have a written agreement consistent with the obligations outlined in applicable data protection laws and regulations.
- Advertising and analytics partners. Any secondary use or sharing of personal data obtained through the use of third party cookies by these third parties is subject to their respective privacy policies. For information about cookies on Mapbox’s website and how to change browser cookie settings, please visit Mapbox’s website here.
- In response to a request so long as Mapbox believes disclosure is in accordance with, or required by, any applicable law, regulation or legal process.
- If Mapbox has a good-faith belief that access, use, preservation, or disclosure of the personal data is reasonably necessary to enforce its terms of service, detect, prevent, or otherwise address threats to its platform, or protect against harm to the rights, property or safety of Mapbox, its users, or the public as required or permitted by law.
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of Mapbox’s business by another company.
Data Retention
- Only for so long as Mapbox has a business purpose to retain and process such personal data.
Changes To This Privacy Policy
Mapbox will update this privacy policy at its own discretion from time to time to reflect changes in Mapbox’s practices, technologies, legal requirements, and other factors.
Contact Mapbox
Mapbox would love to hear any questions, concerns, or feedback about this privacy policy or Mapbox’s data protection practices. Please contact Mapbox at [email protected].
Mapbox Product Privacy Policy
See Section 9 below for "California Notice At Collection"
Mapbox provides a location data platform that powers map and location services in a wide variety of web, mobile, game and embedded device applications. Mapbox customers are developers/companies who embed Mapbox software development kits (SDKs) or integrate with Mapbox application program interfaces (APIs) (collectively, “Mapbox materials”) in their licensed applications to enable maps and location features.
This product privacy policy applies when Mapbox is processing personal data (sometimes referred to as personal information), from an end user of a licensed application (provided by Mapbox or one of its customers) that contains Mapbox materials, in its capacity (where legally applicable) as an independent data controller. For example, when Mapbox determines the purpose and means of processing such as making decisions about how to process personal data that benefits Mapbox customers generally, not just a single customer, Mapbox is processing as an independent data controller. In all cases, Mapbox’s processing of personal data continues to be controlled by its contracts with Mapbox customers, this product privacy policy and applicable data protection laws and regulations.
Personal data is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, or relating to an identified or identifiable natural person, or data defined as personal information or personal data under applicable data protection laws and regulations (in this policy, referred to as "personal data”).
Additional Privacy Policy: Mapbox also processes as a data controller when individuals use any Mapbox website or engage with Mapbox marketing programs, including attending live or virtual events or applying for a job with Mapbox. Please see the applicable Mapbox privacy policy, available here.
Personal Data Mapbox May Receive
Mapbox applies the principle of data minimization to its product development and operations in an effort to collect the least amount of personal data from the outset. The limited personal dataset that Mapbox may receive, outlined below, describes personal data categories and associated example data elements. Please note, many data elements are only classified as personal data when combined with an associated IP address, other persistent identifier or data element capable of identifying or being reasonably linked to a natural person.
Dash branded products and services: In addition to the above categories of personal data, Mapbox may also collect the following categories of personal data (specific to its Dash branded products and services).
How Mapbox Uses Personal Data
Mapbox does not process personal data for the purposes of identifying an individual or creating or maintaining records about an individual. Instead, Mapbox processes personal data to:
- Provide, test, maintain, secure and improve Mapbox products and services,
- Provide customer requested support, including applying knowledge gained from individual customer support requests to benefit all Mapbox customers, to the extent such knowledge is de-identified,
- Prevent fraud, misuse and cyberattacks,
- Administer/bill customers (not end users),
- Calculate de-identified aggregate statistics,
- Train artificial intelligence models (to the extent personal data is first de-identified), which is a set of technologies and processes that allow computers to learn, reason, and assist in decision making; such models are used to improve Mapbox products and services,
- Anonymize such data so it is no longer considered personal data,
- Cooperate with public and government authorities, courts or regulators in accordance with Mapbox’s legal obligations, and
- Comply with applicable law.
Mapbox processes de-identified data only in a de-identified form and does not permit attempts to re-identify such data or associate with a natural person.
Dash branded products and services: In addition to the above uses of personal data, Mapbox may also use personal data in the following ways (specific to its Dash branded products and services).
- Mapbox uses personal data for purposes that are compatible with those stated above such as providing and supporting the service. For Dash branded products and services, machine learning to develop and improve and fine tune Mapbox’s models is one of those purposes.
- Third party independent controller vendors will process the data you provide to Dash branded products and services for their own purposes. For more information visit their respective privacy policies (linked in Section 3). Mapbox has no control over third party independent controllers’ use of the data that the end user provides to Dash branded products and services.
To Whom Mapbox May Disclose Personal Data
Mapbox may disclose personal data to:
- Mapbox service providers who need to access such personal data in order to process in accordance with Section 2 above.
- In response to a request, so long as Mapbox believes disclosure is required by any applicable law, regulation or legal process.
- If Mapbox has a good-faith belief that access, use, preservation, or disclosure of the personal data is reasonably necessary to enforce its terms of service, detect, prevent, or otherwise address threats to its platform, or protect against harm to the rights, property or safety of Mapbox, its customers or their end users, or the public as required or permitted by law.
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition or due diligence related thereto of all or a portion of Mapbox’s business by another company.
Dash branded products and services: In addition to the above parties that Mapbox may disclose personal data to, Mapbox may also disclose personal data to the following third party independent controllers (specific to its Dash branded products and services).
- Certain functionality to instruct Dash branded products and services to process a question such as when the end user says “hey Dash” or touches the Dash branded products and services icon or starts typing a command. PicoVoice’s processing is subject to its published privacy practices available here: https://picovoice.ai/docs/privacy-policy/ (or successor link). Mapbox has no control over third party independent controllers’ processing of the data that the end user provides to Dash branded products and services.
- On-device speech-to-text (“STT”) vendor (which Mapbox has no control over and is selected by the end user based on their device) will transpose audio speech spoken to Dash branded products and services to a string of text and send it to Mapbox servers to answer the end users question. The on-device STT processing is subject to its respective published privacy practices, which you should review. Mapbox has no control over third party independent controllers’ use of the data that the end user provides to Dash branded products and services.
- Large language model providers (“LLMs”), such as OpenAI review the end users voice input text and formulate a response to the end user. OpenAI’s processing is subject to its published privacy practices available here: https://openai.com/policies/privacy-policy (or successor link). Mapbox has no control over third party independent controllers’ processing of the data that the end user provides to Mapbox has no control over third party independent controllers’ processing of the data that the end user provides to Dash branded products and services.
- Text-to-speech (“TTS”) vendors, such as Eleven labs transform the Mapbox appended LLM response to an audio MP3 file that is spoken (in audio form) to the requestor via Dash branded products and services. ElevenLabs processing is subject to its published privacy practices available here: https://elevenlabs.io/privacy (or successor link). Mapbox has no control over third party independent controllers’ use of the data that the end user provides to Dash branded products and services.
International Transfers
Personal data may be processed by one or more Mapbox affiliates, processors, or service providers in order to operate Mapbox’s business – for example, in the United States for account administration and billing. Therefore, personal data may be processed outside of the location from which it was received. Mapbox ensures that the transfer of personal data offers an adequate level of protection and security, for instance by entering into the appropriate agreements that continuously ensure the same level of protective measures as set forth in applicable data protection laws and regulations and certification certification under the EU-US, UK-US, Swiss-US Data Privacy Framework ("DPF"), and, if required, standard contractual clauses or alternative mechanism for the transfer of data as approved by the European Commission (Art. 46 GDPR) or other applicable regulators or legislators.
Mapbox’s Notice of Certification under the DPF, is available here: https://www.mapbox.com/legal/notice-of-certification
ADDITIONAL INFORMATION FOR INDIVIDUALS OUTSIDE THE UNITED STATES
4.1 Legal bases for processing personal data:
Some countries require that companies only process personal data if they have a “legal basis” (or justifiable need) to process personal data. To the extent those laws apply, Mapbox’s legal bases to process personal data are as follows:
- To comply with a legal obligation to which Mapbox, as a controller, is subject.
- To protect the vital interests of an individual or of another natural person.
- For the purposes of the legitimate interests pursued by Mapbox as the controller or by an independent third party controller, except where the individual’s interests or fundamental rights and freedoms override such interests.
- Performance of the contract.
- Consent.
In all cases of data processing on the basis of legitimate interests, Mapbox considers the impact on the rights and freedoms of the individuals whose data may be part of the processing, and ensures that its processing activities do not contradict or place at unreasonable risk any such rights or freedoms. Mapbox has assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals. In all cases, Mapbox ensures that such processing is legal, fair, and reasonable.
Retention
Mapbox stores personal data for so long as Mapbox determines it is needed to fulfill the purposes for which it was collected, as described in Section 2 above. In determining how long to retain personal data, Mapbox considers the amount, nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which personal data is processed, applicable legal requirements, and Mapbox’s legitimate interests. The purposes for which Mapbox processes data may dictate different retention periods for the same types of data. For example, Mapbox retains IP addresses for 30 days and after such time, in select instances, may need to extend such retention period for an investigation based on its legitimate interests to secure its products and services, prevent fraud and for legal compliance purposes.
Security
Mapbox takes steps designed to secure personal data in accordance with this product privacy policy. Unfortunately, no system is 100% secure, and Mapbox cannot ensure or warrant the security of any personal data it receives. To the fullest extent permitted by applicable law, Mapbox does not accept liability for unintentional or accidental destruction, loss, alteration, unauthorized disclosure or access.
Children
Mapbox products and services are not intended or directed to children under the age of 18 (or other age of majority as required by local law), and Mapbox does not knowingly collect personal data from children. If the parent or legal guardian learns that their child has provided Mapbox with personal data without their consent, then they should contact Mapbox as set forth below in the Contact Mapbox section of this product privacy policy. If Mapbox learns that it has collected personal data in violation of applicable data protection laws and regulations, it will promptly take steps to delete such personal data.
Choices About Personal Data
To the fullest extent possible, Mapbox will fulfill data subject rights requests provided it can match a data subject (natural person to whom the personal data in question pertains) to personal data that Mapbox processes. Mapbox does not, and is not required to, collect additional personal data in order to positively identify a data subject.
As outlined in Section 1 above, Mapbox receives only minimal personal data and operates controls designed to promptly de-identify and anonymize such personal data. For example, Mapbox deletes IP addresses within 30 days of receipt (unless required for an investigation), so it is unlikely that Mapbox would have personal data capable of identifying a data subject after 30 days of receiving such data. However, if verifiable and detailed information is available, Mapbox will work with the data subject to determine if the request can reasonably be met. The data subject will need to provide a valid email address so that Mapbox can communicate and support the request, as well as any information that Mapbox determines may be needed to verify whether it holds any applicable personal data.
In accordance with applicable data protection laws and regulations and depending upon the data subject’s residency, the data subject to whom the personal data pertains may have the right to request the following regarding certain of their personal data:
- Access/view/know personal data
- Portability of personal data in a commonly machine readable format
- Correct personal data where it is inaccurate or incomplete
- Deletion of certain personal data
- Restrict or object to processing of personal data
- Opt-out of the “sale” or “share” or processing for “targeted advertising” (each as defined by applicable data protection laws and regulations) of personal data , if applicable, where such requests are permitted by law
To request deletion of certain personal data, please complete the form here. For any other request to exercise rights, please contact Mapbox at [email protected]. The requesting email must come from the data subject to whom the personal data pertains and include the data subject’s name, email address and specific request or question. To protect privacy, Mapbox will take steps to verify the identity of the requestor before fulfilling the request. Mapbox will process such requests in accordance with applicable data protection laws and regulations.
To the extent required in the state where the data subject resides and where Mapbox has denied such data subject’s earlier request, the data subject may file an appeal with Mapbox for reconsideration. To file an appeal, please contact Mapbox at [email protected]. The requesting email must come from the data subject to whom the personal data pertains and include the data subject’s name, email address and reference to the specific request and denial.
Mapbox encourages data subjects to contact it directly with any questions or complaints. However, Mapbox acknowledges and informs the data subject that they have the right to lodge a complaint in the EU and UK with the appropriate supervisory authority in the applicable jurisdiction; .; and in select United States states, to contact the respective state’s Attorney General’s Office, whose contact information may be identified here https://www.usa.gov/state-attorney-general (or successor link). In some cases, these rights may be subject to exceptions, as permitted by applicable law.
Additional Information For California Residents
9.1 California Notice At Collection:
Personal Data Mapbox May Receive
Mapbox applies the principle of data minimization to its product development and operations in an effort to collect the least amount of personal data from the outset. The limited personal dataset that Mapbox may receive, outlined below, describes personal data categories and associated example data elements. Please note, many data elements are only classified as personal data when combined with an associated IP address, other persistent identifier or data element capable of identifying or being reasonably linked to a natural person.
Dash branded products and services: In addition to the above categories of personal data, Mapbox may also collect the following categories of personal data (specific to its Dash branded products and services).
How Mapbox Uses Personal Data
Mapbox does not process personal data for the purposes of identifying an individual or creating or maintaining records about an individual. Instead, Mapbox processes personal data to:
- Provide, test, maintain, secure and improve Mapbox products and services,
- Provide customer requested support, including applying knowledge gained from individual customer support requests to benefit all Mapbox customers, to the extent such knowledge is de-identified,
- Prevent fraud, misuse and cyberattacks,
- Administer/bill customers (not end users),
- Calculate de-identified aggregate statistics,
- Train artificial intelligence models (to the extent personal data is first de-identified), which is a set of technologies and processes that allow computers to learn, reason, and assist in decision making; such models are used to improve Mapbox products and services,
- Anonymize such data so it is no longer considered personal data,
- Cooperate with public and government authorities, courts or regulators in accordance with Mapbox’s legal obligations, and
- Comply with applicable law.
Mapbox processes de-identified data only in a de-identified form and does not permit attempts to re-identify such data or associate with a natural person.
Dash branded products and services: In addition to the above uses of personal data, Mapbox may also use personal data in the following ways (specific to its Dash branded products and services).
- Mapbox uses personal data for purposes that are compatible with those stated above such as providing and supporting the service. For Dash branded products and services, machine learning to develop and improve and fine tune Mapbox’s models is one of those purposes.
- Third party independent controller vendors will process the data you provide to Dash branded products and services for their own purposes. For more information visit their respective privacy policies (linked in Section 3). Mapbox has no control over third party independent controllers’ use of the data that the end user provides to Dash branded products and services.
To Whom Mapbox May Disclose Personal Data
Mapbox may disclose personal data to:
- Mapbox service providers who need to access such personal data in order to process in accordance with Section 2 above.
- In response to a request, so long as Mapbox believes disclosure is required by any applicable law, regulation or legal process.
- If Mapbox has a good-faith belief that access, use, preservation, or disclosure of the personal data is reasonably necessary to enforce its terms of service, detect, prevent, or otherwise address threats to its platform, or protect against harm to the rights, property or safety of Mapbox, its customers or their end users, or the public as required or permitted by law.
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition or due diligence related thereto of all or a portion of Mapbox’s business by another company.
Dash branded products and services: In addition to the above parties that Mapbox may disclose personal data to, Mapbox may also disclose personal data to the following third party independent controllers (specific to its Dash branded products and services).
- Certain functionality to instruct Dash branded products and services to process a question such as when the end user says “hey Dash” or touches the Dash branded products and services icon or starts typing a command. PicoVoice’s processing is subject to its published privacy practices available here: https://picovoice.ai/docs/privacy-policy/ (or successor link). Mapbox has no control over third party independent controllers’ processing of the data that the end user provides to Dash branded products and services.
- On-device speech-to-text (“STT”) vendor (which Mapbox has no control over and is selected by the end user based on their device) will transpose audio speech spoken to Dash branded products and services to a string of text and send it to Mapbox servers to answer the end users question. The on-device STT processing is subject to its respective published privacy practices, which you should review. Mapbox has no control over third party independent controllers’ use of the data that the end user provides to Dash branded products and services.
- Large language model providers (“LLMs”), such as OpenAI review the end users voice input text and formulate a response to the end user. OpenAI’s processing is subject to its published privacy practices available here: https://openai.com/policies/privacy-policy (or successor link). Mapbox has no control over third party independent controllers’ processing of the data that the end user provides to Mapbox has no control over third party independent controllers’ processing of the data that the end user provides to Dash branded products and services.
- Text-to-speech (“TTS”) vendors, such as Eleven labs transform the Mapbox appended LLM response to an audio MP3 file that is spoken (in audio form) to the requestor via Dash branded products and services. ElevenLabs processing is subject to its published privacy practices available here: https://elevenlabs.io/privacy (or successor link). Mapbox has no control over third party independent controllers’ use of the data that the end user provides to Dash branded products and services.
Data Retention
Mapbox stores personal data for so long as Mapbox determines it is needed to fulfill the purposes for which it was collected, as described in Section 2 above. In determining how long to retain personal data, Mapbox considers the amount, nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which personal data is processed, applicable legal requirements, and Mapbox’s legitimate interests. The purposes for which Mapbox processes data may dictate different retention periods for the same types of data. For example, Mapbox retains IP addresses for 30 days and after such time, in select instances, may need to extend such retention period for an investigation based on its legitimate interests to secure its products and services, prevent fraud and for legal compliance purposes.
Changes to this Product Privacy Policy
Mapbox will update this product privacy policy at its own discretion from time to time to reflect changes in Mapbox’s practices, technologies, legal requirements, and other factors.
Contact Mapbox
Mapbox would love to hear any questions, concerns, or feedback about this product privacy policy or Mapbox’s data protection practices. Please contact Mapbox at [email protected].
Privacy & Security FAQ
Last Updated: Aug 22, 2023
Mapbox provides a location data platform that powers maps and location services. Mapbox provides SDKs (software development kits) and APIs (application programming interfaces), which businesses and developers use to incorporate Mapbox mapping and navigation technologies into the licensed applications and websites they make. The SDKs contain libraries of software code which are incorporated into a customer’s licensed application or website. These libraries of software code facilitate API requests to Mapbox’s location data platform (which is a backend data server, hosted in the cloud (AWS-US)) which then responds with map and location content to the customer’s application or website.
In addition, Mapbox offers an on-premise version of its location data services, called Atlas.
No. Mapbox does not sell personal data.
No. For customers on a monthly active user (“MAU”) billing model, Mapbox maintains counts of MAUs for billing purposes only. Mapbox does not (and cannot) track an end user’s activity across billing cycles and does not build targeted profiles with the data processed through its products/services.
Mapbox applies the principle of data minimization to product development and operations in an effort to collect only limited data from the outset. Mapbox operates a number of technical and organization measures regarding the limited personal dataset that we process, such as strict access controls and prompt deletion of raw log files that contain IP addresses and billing IDs. Mapbox deploys regular ID rotation and 1-way hashing for billing IDs, which must be retained for accounting and billing purposes, to minimize the ability to track user requests over time. Billing IDs are not transmitted with unrelated events, further reducing the feasibility of correlating a user’s activities over time. In addition, Mapbox operates strict anonymization procedures, such as clipping traces, for telemetry events that send location data.
Communication through the Internet requires the presence of IP addresses, which specify each transmission’s origin and destination. When end users engage with applications that access Mapbox products/services through the Internet, the end user necessarily discloses their current IP address to one or more Mapbox servers. IP addresses are retained in cloudfront logs for 30 days for billing and customer usage reporting, unless involved in an ongoing security, anti-fraud, or misuse investigation.
Mapbox receives location data when a Mapbox customer’s end users uses a licensed application that incorporates Mapbox mobile SDKs and the end user has authorized the licensed application’s use of the end user’s device location via their mobile phone or device operating system.
Location data includes fields such as latitude and longitude, altitude, horizontal and vertical accuracy, a session ID rotating every 24 hours, and origin IP address (as would any Internet communication). The IP address that accompanies location data is retained at the load balancer (where it is used for security and PUBLISHED: Aug 22, 2023https://www.mapbox.com/legal/legal-faq Mapbox Customer FAQ, Page 3billing purposes and discarded after 30 days). This IP address is not forwarded to the location telemetry processing pipeline. Location data is encrypted in transit and at rest, and is subject to the principle of least access, with the minimal number of personnel and processes having access to it in its pre-aggregated form.
In the location data anonymization pipeline, the location data is then anonymized by clipping off the origin and destination of the trip and further dividing the trip into segments, which cannot be reassembled. The anonymized location data is then used to improve Mapbox mapping products, including the Traffic and Movement data products.
In AWS in the United States. However, for performance purposes, Mapbox regularly caches content on its AWS content delivery network (“CDN”) located in various regions. Mapbox employees who work for Mapbox wholly-owned subsidiaries may access personal data from the countries where they work in order to support, develop and provide Mapbox products/services.
No. Mapbox’s products/services store and serve source data from an AWS primary region in the US. As noted above, data is cached and served out of various regions outside the US for performance reasons, however Mapbox cannot serve its data from one limited geographic region. To comply with GDPR and safeguard transfers to the US and other countries, please see Mapbox's DPA, Schedule C, which includes the Standard Contractual Clauses released in 2021 by the European Commission.
Yes. Mapbox carefully scrutinizes the personal data it processes within its engineering lifecycle, which includes conducting a privacy review for new (or changed) processing activities. Mapbox follows privacy-by-design principles and works diligently to limit the personal data it processes from the outset. A DPIA is conducted in any situation in which processing of personal data may be considered high risk and not able to be accomplished in a lower risk manner.
Mapbox runs a global data protection program designed to operate in compliance with applicable global privacy laws, including: VCDPA (Virginia, USA), UCPA (Utah, USA), UK-GDPR (UK), TIPA (Tennessee, USA), TDPSA (Texas, USA),PIPEDA (Canada), MTCDPA (Montana, USA), LGPD (Brazil),IDPL (Iowa, USA), ICDPA(Indianna, USA), GDPR (Europe), CTDPA (Connecticut, USA), CCPA and its implementing regulations including CPRA (California, USA), CPA (Colorado, USA), and APPI (Japan), among many other important jurisdictions.
Mapbox’s privacy program is based on privacy by design, which includes monitoring for upcoming privacy laws and regulations to assess whether its practices may need to be adjusted to maintain compliance; product/service privacy reviews; data breach response processes; and operationalized technical and organizational measures designed to ensure the security of the personal data it receives including: security audits and SOC2 certification; anonymization & pseudonymization of personal data (where applicable); strict access control with logging; limited data retention periods.
Yes. Mapbox is SOC2 Type 2 certified with a summary SOC3 report available for customer review. In addition, Mapbox earned and maintains Trusted Information Security Assessment Exchange (“TISAX”) and ISO 9001 certifications. Upon request and execution of an NDA, Mapbox may share a copy of its latest SOC2 report.
Mapbox welcomes any further questions you may have regarding its ongoing commitment to privacy and data security. Please contact Mapbox’s privacy office at [email protected].
Want to receive updates on our sub-processors?
Please subscribe below: