抖阴短视频 Legal Portal
*For all customers in Japan, please visit 抖阴短视频's Japan Privacy Policy.
Privacy Policy
This privacy policy describes the personal data 抖阴短视频 and/or its affiliates (hereinafter collectively referred to as “抖阴短视频”) may receive and why such personal data may be received in its capacity as a data controller, how such personal data may be used (including whom it may be shared with and for what purposes), and choices about such personal data.
This privacy policy applies to the extent 抖阴短视频 processes personal data in its capacity as a data controller under the GDPR (or “business” under the CCPA) when an individual: (a) visits and engages with any of 抖阴短视频’s websites, (b) attends a virtual or in-person 抖阴短视频 event, (c) provides contact information for the purposes of 抖阴短视频 contacting them about 抖阴短视频 products/services, (d) uses third-party websites or applications that cite this privacy policy, (e) provides billing information for 抖阴短视频 products/services account administration, or (f) applies to or is contacted about possible employment with 抖阴短视频. Personal data is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined in the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations (“CCPA”), or relating to an identified or identifiable natural person (hereinafter referred to as "personal data").
This Privacy Policy does not apply when 抖阴短视频 acts as a data processor. Most 抖阴短视频 customer personal data is not governed by this policy. 抖阴短视频 operates in the capacity of a data processor for certain personal data when operating 抖阴短视频’s products/services that are purchased by developers and businesses to develop their own licensed applications. As such, customers/prospective customers should read 抖阴短视频’s data processing addendum (“DPA”): /legal/dpa which governs certain customer personal data that may be processed through use of 抖阴短视频 products/services including creation of a 抖阴短视频 products/services account. For other data not Processed by 抖阴短视频 as a Processor, e.g. billing and usage statistics data, see 抖阴短视频's Product Privacy Policy.
Corporate Accounts: If any account created with 抖阴短视频 lists a corporate email address for a company with which an individual is currently (or was formerly) employed (a “Corporate Email”), then the corporate entity to whom the Corporate Email pertains is responsible for privacy practices relating to use of Corporate Email. If Corporate Email is used within the scope of this privacy policy (as described at the top of this privacy policy), then this privacy policy applies. For clarification, commonly known personal email account services (e.g., Gmail, Yahoo, Outlook) are not Corporate Email.
Personal Data 抖阴短视频 May Receive
- Identifiers: Such as, name, address, email, phone number, 抖阴短视频 account username.
- Commercial information: Such as, transaction data including billing contact’s name, work phone number, work email, work address, professional title, and company name.
- Financial data: Such as, credit card data is not processed by 抖阴短视频. Instead, credit card data is processed by Stripe, a third-party PCI-certified payment service provider, in accordance with its .
- Internet or other network or device activity: When visiting any 抖阴短视频 websites, 抖阴短视频 automatically receives certain information such as: (a) browser and device type, (b) operating system, and (c) referring web pages including the pages visited on such sites. And information such as, IP address, data collected via strictly necessary and accepted website cookies / similar technologies. For information about cookies on 抖阴短视频’s website, settings, and how to change browser cookie settings, please visit 抖阴短视频’s website here.
- Employment data: Such as, education and employment history and other relevant personal data provided in an employment application submitted to 抖阴短视频, information from a background check including information provided from reference checks.
- Location information: Such as, the location of an event where an individual signed up to receive communication or interact with 抖阴短视频.
- User-generated content: Such as, a public comment provided by an individual in a 抖阴短视频 hosted webinar, 抖阴短视频 blog, or like 抖阴短视频 forum. For avoidance of doubt, an individual’s 抖阴短视频 product/service feedback does not constitute user-generated content.
- Inference data about an individual: Such as, services 抖阴短视频 thinks an individual may be interested in based on prior purchases or website browsing, subject to the 抖阴短视频 cookie policy.
- Other information that identifies or can be reasonably associated with an individual: Such as, contents of correspondence with: 1) a 抖阴短视频 service provider in order to bill for items that may have been shipped upon an individual’s request as a result of the individual’s engagement with a 抖阴短视频 marketing campaign in person or virtually. 2) 抖阴短视频, whether received through a form submitted on its website, conversation (in person, virtual, or phone call) with its staff, or via an email sent to an [at]mapbox email account. 3) And such as, personal data from entities who provide personal data about individuals, their job functions, and the companies they work for. Such entities attest to 抖阴短视频 that they have obtained all necessary consents and have lawful grounds to share such personal data with 抖阴短视频.
How 抖阴短视频 Uses Personal Data
抖阴短视频 uses personal data to:
- Provide, test, maintain/support, secure and improve 抖阴短视频’s websites, to prevent fraud, misuse and cyberattacks, to calculate de-identified aggregate statistics, and for account administration/billing purposes.
- Send marketing information, product recommendations and other non-transactional communications (e.g., marketing newsletters, telemarketing calls, SMS or push notifications, information about 抖阴短视频 products, news or events) about 抖阴短视频, its affiliates and partners.
- Plan or host virtual or in person events, contests, or other programs.
- Create and manage the recruitment system, job applications and a database of interested individuals and leads (including verifying the information provided to 抖阴短视频) and assess and evaluate applicants’ skills and qualifications against the position(s) applied for.
- Cooperate with public and government authorities, courts or regulators in accordance with 抖阴短视频’s legal obligations.
- Comply with applicable law.
To Whom 抖阴短视频 May Disclose Personal Data
抖阴短视频 may disclose personal data to:
- 抖阴短视频 service providers who need to access such personal data in order to provide any of the services, or related services to those, outlined in Section 2 of this privacy policy. However, prior to sharing personal data with such parties, 抖阴短视频 will have a written agreement consistent with the obligations outlined in applicable data protection laws and regulations.
- Advertising and analytics partners. Any secondary use or sharing of personal data obtained through the use of third party cookies by these third parties is subject to their respective privacy policies. For information about cookies on 抖阴短视频’s website and how to change browser cookie settings, please visit 抖阴短视频’s website here.
- In response to a request so long as 抖阴短视频 believes disclosure is in accordance with, or required by, any applicable law, regulation or legal process.
- If 抖阴短视频 has a good-faith belief that access, use, preservation, or disclosure of the personal data is reasonably necessary to enforce its terms of service, detect, prevent, or otherwise address threats to its platform, or protect against harm to the rights, property or safety of 抖阴短视频, its users, or the public as required or permitted by law.
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of 抖阴短视频’s business by another company.
International Transfers
Personal data may be processed by one or more 抖阴短视频 affiliates, processors, or service providers in order to operate 抖阴短视频’s business – for example, in the United States for account administration and billing. Therefore, personal data may be processed outside of the location from which it was received. 抖阴短视频 ensures that the transfer of personal data offers an adequate level of protection and security, for instance by entering into the appropriate agreements that continuously ensure the same level of protective measures as set forth in applicable data protection laws and regulations and certification under the EU-US Data Privacy Framework, UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework (collectively, the “Data Privacy Framework” or “DPF”), and, if required, standard contractual clauses or alternative mechanism for the transfer of data as approved by the European Commission (Art. 46 GDPR) or other applicable regulators or legislators.
抖阴短视频’s Notice of Certification under the DPF is available here: /legal/notice-of-certification
ADDITIONAL INFORMATION FOR INDIVIDUALS OUTSIDE THE UNITED STATES
4.1 Legal bases for processing personal data:
Some countries require that companies only process personal data if they have a “legal basis” (or justifiable need) to process personal data. To the extent those laws apply, 抖阴短视频’s legal bases to process personal data are as follows:
- To comply with a legal obligation to which 抖阴短视频, as a controller, is subject.
- To protect the vital interests of an individual or of another natural person.
- For the purposes of the legitimate interests pursued by 抖阴短视频 as the controller or by an independent third party controller, except where the individual’s interests or fundamental rights and freedoms override such interests.
- Performance of the contract.
- Consent.
In all cases of data processing on the basis of legitimate interests, 抖阴短视频 considers the impact on the rights and freedoms of the individuals whose data may be part of the processing, and ensures that its processing activities do not contradict or place at unreasonable risk any such rights or freedoms. 抖阴短视频 has assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals. In all cases, 抖阴短视频 ensures that such processing is legal, fair, and reasonable.
Retention
抖阴短视频 stores personal data for so long as it is needed to fulfill the purposes for which it was collected, as described in Section 2 of this privacy policy.
Security
抖阴短视频 takes steps designed to secure personal data in accordance with this privacy policy. Unfortunately, no system is 100% secure, and 抖阴短视频 cannot ensure or warrant the security of any personal data it receives. To the fullest extent permitted by applicable law, 抖阴短视频 does not accept liability for unintentional or accidental destruction, loss, alteration, unauthorized disclosure or access.
Children
抖阴短视频 products/services, websites, events, and other communications are not intended or directed to children under the age of 18 (or other age of majority as required by local law), and 抖阴短视频 does not knowingly collect personal data from children. If the parent or legal guardian learns that their child has provided 抖阴短视频 with personal data without their consent, then they should contact 抖阴短视频 as set forth below in the Contact 抖阴短视频 section of this privacy policy. If 抖阴短视频 learns that it has collected personal data in violation of applicable law, it will promptly take steps to delete such personal data.
Choices About Personal Data
An individual may opt-out of processing of their personal data within the scope of this privacy policy at any time and prevent further 抖阴短视频 processing by contacting 抖阴短视频 as described below.
- Email and Telephone Communications:
Click the unsubscribe link found at the bottom of the email received from 抖阴短视频 to opt out of receiving future commercial emails. Note that for current customers, 抖阴短视频 will continue to send non-promotional communications which may not be opted out of (e.g., communications regarding products/services or updates to 抖阴短视频 Terms or this privacy policy). 抖阴短视频 processes requests to be placed on do-not-mail, do-not-phone, and do-not-contact lists as required by applicable law.
- Website logs and cookies:
Devices have settings to delete stored cookies and most browsers have the option to decline cookies. However, certain parts of 抖阴短视频’s website (including pages that require login) will not be accessible if 抖阴短视频 cookies (first party cookies) are not accepted. In contrast, third-party cookies set by third parties for marketing and analytics purposes on 抖阴短视频’s website can be disabled, in principle, without affecting access. For information about cookies on 抖阴短视频’s website and how to change browser cookie settings, please visit the 抖阴短视频 website here.
- In accordance with applicable law, the individual to whom the personal data pertains may have the following rights regarding their personal data:
- Access/view personal data
- Portability of personal data in a commonly machine readable format
- Correct personal data where it is inaccurate or incomplete
- Deletion of personal data
- Restrict or object to processing of personal data
- Opt-out of the sale of personal data, if applicable, where such requests are permitted by law and as defined in the CCPA.
To exercise your right to deletion of personal data, please complete the form here. For any other rights, please contact 抖阴短视频 at privacy@mapbox.com. In your email include name, and request or question. To protect privacy, 抖阴短视频 will take steps to verify the identity of the requestor before fulfilling the request. 抖阴短视频 will process such requests in accordance with applicable laws. Although we encourage you to contact us if you have questions or complaints, you also have the right to lodge a complaint in the EU and UK with the appropriate supervisory authority in your jurisdiction. In some cases, these rights may be subject to exceptions, as permitted by applicable law.
Additional Information For California Residents
9.1 California Notice At Collection:
Personal Data 抖阴短视频 May Receive
- Identifiers: Such as, name, address, email, phone number, 抖阴短视频 account username.
- Commercial information: Such as, transaction data including billing contact’s name, work phone number, work email, work address, professional title, and company name.
- Financial data: Such as, credit card data is not processed by 抖阴短视频. Instead, credit card data is processed by Stripe, a third-party PCI-certified payment service provider, in accordance with its .
- Internet or other network or device activity: When visiting any 抖阴短视频 websites, 抖阴短视频 automatically receives certain information such as: (a) browser and device type, (b) operating system, and (c) referring web pages including the pages visited on such sites. And information such as, IP address, data collected via strictly necessary and accepted website cookies / similar technologies. For information about cookies on 抖阴短视频’s website, settings, and how to change browser cookie settings, please visit 抖阴短视频’s website here.
- Employment data: Such as, education and employment history and other relevant personal data provided in an employment application submitted to 抖阴短视频, information from a background check including information provided from reference checks.
- Location information: Such as, the location of an event where an individual signed up to receive communication or interact with 抖阴短视频.
- User-generated content: Such as, a public comment provided by an individual in a 抖阴短视频 hosted webinar, 抖阴短视频 blog, or like 抖阴短视频 forum. For avoidance of doubt, an individual’s 抖阴短视频 product/service feedback does not constitute user-generated content.
- Inference data about an individual: Such as, services 抖阴短视频 thinks an individual may be interested in based on prior purchases or website browsing, subject to the 抖阴短视频 cookie policy.
- Other information that identifies or can be reasonably associated with an individual: Such as, contents of correspondence with: 1) a 抖阴短视频 service provider in order to bill for items that may have been shipped upon an individual’s request as a result of the individual’s engagement with a 抖阴短视频 marketing campaign in person or virtually. 2) 抖阴短视频, whether received through a form submitted on its website, conversation (in person, virtual, or phone call) with its staff, or via an email sent to an [at]mapbox email account. 3) And such as, personal data from entities who provide personal data about individuals, their job functions, and the companies they work for. Such entities attest to 抖阴短视频 that they have obtained all necessary consents and have lawful grounds to share such personal data with 抖阴短视频.
How 抖阴短视频 Uses Personal Data
- Provide, test, maintain/support, secure and improve 抖阴短视频’s websites, to prevent fraud, misuse and cyberattacks, to calculate de-identified aggregate statistics, and for account administration/billing purposes.
- Send marketing information, product recommendations and other non-transactional communications (e.g., marketing newsletters, telemarketing calls, SMS or push notifications, information about 抖阴短视频 products, news or events) about 抖阴短视频, its affiliates and partners.
- Plan or host virtual or in person events, contests, or other programs.
- Create and manage the recruitment system, job applications and a database of interested individuals and leads (including verifying the information provided to 抖阴短视频) and assess and evaluate applicants’ skills and qualifications against the position(s) applied for.
- Cooperate with public and government authorities, courts or regulators in accordance with 抖阴短视频’s legal obligations.
- Comply with applicable law.
To Whom 抖阴短视频 May Disclose Personal Data
- 抖阴短视频 service providers who need to access such personal data in order to provide any of the services, or related services to those, outlined in Section 2 of this privacy policy. However, prior to sharing personal data with such parties, 抖阴短视频 will have a written agreement consistent with the obligations outlined in applicable data protection laws and regulations.
- Advertising and analytics partners. Any secondary use or sharing of personal data obtained through the use of third party cookies by these third parties is subject to their respective privacy policies. For information about cookies on 抖阴短视频’s website and how to change browser cookie settings, please visit 抖阴短视频’s website here.
- In response to a request so long as 抖阴短视频 believes disclosure is in accordance with, or required by, any applicable law, regulation or legal process.
- If 抖阴短视频 has a good-faith belief that access, use, preservation, or disclosure of the personal data is reasonably necessary to enforce its terms of service, detect, prevent, or otherwise address threats to its platform, or protect against harm to the rights, property or safety of 抖阴短视频, its users, or the public as required or permitted by law.
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of 抖阴短视频’s business by another company.
Data Retention
- Only for so long as 抖阴短视频 has a business purpose to retain and process such personal data.
Changes To This Privacy Policy
抖阴短视频 will update this privacy policy at its own discretion from time to time to reflect changes in 抖阴短视频’s practices, technologies, legal requirements, and other factors.
Contact 抖阴短视频
抖阴短视频 would love to hear any questions, concerns, or feedback about this privacy policy or 抖阴短视频’s data protection practices. Please contact 抖阴短视频 at privacy@mapbox.com.
抖阴短视频 Product Privacy Policy
See Section 9 below for "California Notice At Collection"
抖阴短视频 provides a location data platform that powers map and location services in a wide variety of web, mobile, game and embedded device applications. 抖阴短视频 customers are developers/companies who embed 抖阴短视频 software development kits (SDKs) or integrate with 抖阴短视频 application program interfaces (APIs) (collectively, “抖阴短视频 materials”) in their licensed applications to enable maps and location features.
This product privacy policy applies when 抖阴短视频 is processing personal data (sometimes referred to as personal information), from an end user of a licensed application (provided by 抖阴短视频 or one of its customers) that contains 抖阴短视频 materials, in its capacity (where legally applicable) as an independent data controller. For example, when 抖阴短视频 determines the purpose and means of processing such as making decisions about how to process personal data that benefits 抖阴短视频 customers generally, not just a single customer, 抖阴短视频 is processing as an independent data controller. In all cases, 抖阴短视频’s processing of personal data continues to be controlled by its contracts with 抖阴短视频 customers, this product privacy policy and applicable data protection laws and regulations.
Personal data is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, or relating to an identified or identifiable natural person, or data defined as personal information or personal data under applicable data protection laws and regulations (in this policy, referred to as "personal data").
Additional Privacy Policy: 抖阴短视频 also processes as a data controller when individuals use any 抖阴短视频 website or engage with 抖阴短视频 marketing programs, including attending live or virtual events or applying for a job with 抖阴短视频. Please see the applicable 抖阴短视频 privacy policy, available here.
Personal Data 抖阴短视频 May Receive
抖阴短视频 applies the principle of data minimization to its product development and operations in an effort to collect the least amount of personal data from the outset. The limited personal dataset that 抖阴短视频 may receive, outlined below, describes personal data categories and associated example data elements. Please note, many data elements are only classified as personal data when combined with an associated IP address, other persistent identifier or data element capable of identifying or being reasonably linked to a natural person.
AI powered beta products and services: In addition to the above categories of personal data, 抖阴短视频 may also collect the following categories of personal data (specific to its MapGPT & Location Agent branded products and services).
How 抖阴短视频 Uses Personal Data
抖阴短视频 does not process personal data for the purposes of identifying an individual or creating or maintaining records about an individual. Instead, 抖阴短视频 processes personal data to:
- Provide, test, maintain, secure and improve 抖阴短视频 products and services,
- Provide customer requested support, including applying knowledge gained from individual customer support requests to benefit all 抖阴短视频 customers, to the extent such knowledge is de-identified,
- Prevent fraud, misuse and cyberattacks,
- Administer/bill customers (not end users),
- Calculate de-identified aggregate statistics,
- Train artificial intelligence models (to the extent personal data is first de-identified), which is a set of technologies and processes that allow computers to learn, reason, and assist in decision making; such models are used to improve 抖阴短视频 products and services,
- Anonymize such data so it is no longer considered personal data,
- Cooperate with public and government authorities, courts or regulators in accordance with 抖阴短视频’s legal obligations, and
- Comply with applicable law.
抖阴短视频 processes de-identified data only in a de-identified form and does not permit attempts to re-identify such data or associate with a natural person.
AI powered beta products and services: In addition to the above uses of personal data, 抖阴短视频 may also use personal data in the following ways (specific to its MapGPT and Location Agent branded products and services).
- 抖阴短视频 uses personal data for purposes that are compatible with those stated above such as providing and supporting the service. Machine learning to develop, improve, and fine tune 抖阴短视频’s models is one of those purposes.
- Third party independent controller suppliers will process the data you provide for their own purposes as outlined in their respective privacy policies (linked in Section 3). 抖阴短视频 has no control over third party independent controllers’ use of the data that you provide.
To Whom 抖阴短视频 May Disclose Personal Data
抖阴短视频 may disclose personal data to:
- 抖阴短视频 service providers who need to access such personal data in order to process in accordance with Section 2 above.
- In response to a request, so long as 抖阴短视频 believes disclosure is required by any applicable law, regulation or legal process.
- If 抖阴短视频 has a good-faith belief that access, use, preservation, or disclosure of the personal data is reasonably necessary to enforce its terms of service, detect, prevent, or otherwise address threats to its platform, or protect against harm to the rights, property or safety of 抖阴短视频, its customers or their end users, or the public as required or permitted by law.
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition or due diligence related thereto of all or a portion of 抖阴短视频’s business by another company.
AI powered beta products and services: In addition to the above parties that 抖阴短视频 may disclose personal data to, 抖阴短视频 may also disclose personal data to the following third party independent controllers (specific to its MapGPT & Location Agent branded products and services).
- Certain functionality to instruct MapGPT branded products and services to process a question such as when the end user says “hey MapGPT” or touches the MapGPT branded products and services icon or starts typing a command. PicoVoice’s processing is subject to its published privacy practices available here: https://picovoice.ai/docs/privacy-policy/ (or successor link). 抖阴短视频 has no control over third party independent controllers’ processing of the data that the end user provides to MapGPT branded products and services.
- On-device speech-to-text (“STT”) vendor (which 抖阴短视频 has no control over and is selected by the end user based on their device) will transpose audio speech spoken to MapGPT branded products and services to a string of text and send it to 抖阴短视频 servers to answer the end user’s question. The on-device STT processing is subject to its respective published privacy practices, which you should review. 抖阴短视频 has no control over third party independent controllers’ use of the data that the end user provides to MapGPT branded products and services.
- Large language model providers (“LLMs”), such as OpenAI, review the input text and formulate a response. OpenAI’s processing is subject to its published privacy practices available here: https://openai.com/policies/privacy-policy (or successor link). 抖阴短视频 has no control over third party independent controllers’ processing of the data that the end user provides to MapGPT or Location Agent branded products and services.
- Text-to-speech (“TTS”) vendors, such as ElevenLabs, transform the 抖阴短视频 appended LLM response to an audio MP3 file that is spoken (in audio form) to the requestor via MapGPT branded products and services. ElevenLabs’ processing is subject to its published privacy practices available here: https://elevenlabs.io/privacy (or successor link). 抖阴短视频 has no control over third party independent controllers’ use of the data that the end user provides to MapGPT branded products and services.
International Transfers
Personal data may be processed by one or more 抖阴短视频 affiliates, processors, or service providers in order to operate 抖阴短视频’s business – for example, in the United States for account administration and billing. Therefore, personal data may be processed outside of the location from which it was received. 抖阴短视频 ensures that the transfer of personal data offers an adequate level of protection and security, for instance by entering into the appropriate agreements that continuously ensure the same level of protective measures as set forth in applicable data protection laws and regulations and certification under the EU-US, UK-US, Swiss-US Data Privacy Framework ("DPF"), and, if required, standard contractual clauses or alternative mechanism for the transfer of data as approved by the European Commission (Art. 46 GDPR) or other applicable regulators or legislators.
抖阴短视频’s Notice of Certification under the DPF is available here: /legal/notice-of-certification
ADDITIONAL INFORMATION FOR INDIVIDUALS OUTSIDE THE UNITED STATES
4.1 Legal bases for processing personal data:
Some countries require that companies only process personal data if they have a “legal basis” (or justifiable need) to process personal data. To the extent those laws apply, 抖阴短视频’s legal bases to process personal data are as follows:
- To comply with a legal obligation to which 抖阴短视频, as a controller, is subject.
- To protect the vital interests of an individual or of another natural person.
- For the purposes of the legitimate interests pursued by 抖阴短视频 as the controller or by an independent third party controller, except where the individual’s interests or fundamental rights and freedoms override such interests.
- Performance of the contract.
- Consent.
In all cases of data processing on the basis of legitimate interests, 抖阴短视频 considers the impact on the rights and freedoms of the individuals whose data may be part of the processing, and ensures that its processing activities do not contradict or place at unreasonable risk any such rights or freedoms. 抖阴短视频 has assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals. In all cases, 抖阴短视频 ensures that such processing is legal, fair, and reasonable.
Retention?
¶¶Òõ¶ÌÊÓÆµ stores personal data for so long as ¶¶Òõ¶ÌÊÓÆµ determines it is needed to fulfill the purposes for which it was collected, as described in Section 2 above. In determining how long to retain personal data, ¶¶Òõ¶ÌÊÓÆµ considers the amount, nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which personal data is processed, applicable legal requirements, and ¶¶Òõ¶ÌÊÓÆµ¡¯s legitimate interests. The purposes for which ¶¶Òõ¶ÌÊÓÆµ processes data may dictate different retention periods for the same types of data. For example, ¶¶Òõ¶ÌÊÓÆµ retains IP addresses for 30 days and after such time, in select instances, may need to extend such retention period for an investigation based on its legitimate interests to secure its products and services, prevent fraud and for legal compliance purposes.
Security
¶¶Òõ¶ÌÊÓÆµ takes steps designed to secure personal data in accordance with this product privacy policy. Unfortunately, no system is 100% secure, and ¶¶Òõ¶ÌÊÓÆµ cannot ensure or warrant the security of any personal data it receives. To the fullest extent permitted by applicable law, ¶¶Òõ¶ÌÊÓÆµ does not accept liability for unintentional or accidental destruction, loss, alteration, unauthorized disclosure or access.
Children
¶¶Òõ¶ÌÊÓÆµ products and services are not intended or directed to children under the age of 18 (or other age of majority as required by local law), and ¶¶Òõ¶ÌÊÓÆµ does not knowingly collect personal data from children. If the parent or legal guardian learns that their child has provided ¶¶Òõ¶ÌÊÓÆµ with personal data without their consent, then they should contact ¶¶Òõ¶ÌÊÓÆµ as set forth below in the Contact ¶¶Òõ¶ÌÊÓÆµ section of this product privacy policy. If ¶¶Òõ¶ÌÊÓÆµ learns that it has collected personal data in violation of applicable data protection laws and regulations, it will promptly take steps to delete such personal data.
Choices About Personal Data
To the fullest extent possible, ¶¶Òõ¶ÌÊÓÆµ will fulfill data subject rights requests provided it can match a data subject (natural person to whom the personal data in question pertains) to personal data that ¶¶Òõ¶ÌÊÓÆµ processes. ¶¶Òõ¶ÌÊÓÆµ does not, and is not required to, collect additional personal data in order to positively identify a data subject.
As outlined in Section 1 above, ¶¶Òõ¶ÌÊÓÆµ receives only minimal personal data and operates controls designed to promptly de-identify and anonymize such personal data. For example, ¶¶Òõ¶ÌÊÓÆµ deletes IP addresses within 30 days of receipt (unless required for an investigation), so it is unlikely that ¶¶Òõ¶ÌÊÓÆµ would have personal data capable of identifying a data subject after 30 days of receiving such data. However, if verifiable and detailed information is available, ¶¶Òõ¶ÌÊÓÆµ will work with the data subject to determine if the request can reasonably be met. The data subject will need to provide a valid email address so that ¶¶Òõ¶ÌÊÓÆµ can communicate and support the request, as well as any information that ¶¶Òõ¶ÌÊÓÆµ determines may be needed to verify whether it holds any applicable personal data.
In accordance with applicable data protection laws and regulations and depending upon the data subject’s residency, the data subject to whom the personal data pertains may have the right to request the following regarding certain of their personal data:
- Access/view/know personal data
- Portability of personal data in a commonly machine readable format
- Correct personal data where it is inaccurate or incomplete
- Deletion of certain personal data
- Restrict or object to processing of personal data
- Opt-out of the “sale” or “share” or processing for “targeted advertising” (each as defined by applicable data protection laws and regulations) of personal data, if applicable, where such requests are permitted by law
To request deletion of certain personal data, please complete the form here. For any other request to exercise rights, please contact ¶¶Òõ¶ÌÊÓÆµ at privacy@mapbox.com. The requesting email must come from the data subject to whom the personal data pertains and include the data subject’s name, email address and specific request or question. To protect privacy, ¶¶Òõ¶ÌÊÓÆµ will take steps to verify the identity of the requestor before fulfilling the request. ¶¶Òõ¶ÌÊÓÆµ will process such requests in accordance with applicable data protection laws and regulations.
To the extent required in the state where the data subject resides and where ¶¶Òõ¶ÌÊÓÆµ has denied such data subject’s earlier request, the data subject may file an appeal with ¶¶Òõ¶ÌÊÓÆµ for reconsideration. To file an appeal, please contact ¶¶Òõ¶ÌÊÓÆµ at privacy@mapbox.com. The requesting email must come from the data subject to whom the personal data pertains and include the data subject’s name, email address and reference to the specific request and denial.
¶¶Òõ¶ÌÊÓÆµ encourages data subjects to contact it directly with any questions or complaints. However, ¶¶Òõ¶ÌÊÓÆµ acknowledges and informs the data subject that they have the right to lodge a complaint in the EU and UK with the appropriate supervisory authority in the applicable jurisdiction; and in select United States states, to contact the respective state’s Attorney General’s Office, whose contact information may be identified here https://www.usa.gov/state-attorney-general (or successor link). In some cases, these rights may be subject to exceptions, as permitted by applicable law.
Additional Information For California Residents
9.1 California Notice At Collection:
Personal Data ¶¶Òõ¶ÌÊÓÆµ May Receive
¶¶Òõ¶ÌÊÓÆµ applies the principle of data minimization to its product development and operations in an effort to collect the least amount of personal data from the outset. The limited personal dataset that ¶¶Òõ¶ÌÊÓÆµ may receive, outlined below, describes personal data categories and associated example data elements. Please note, many data elements are only classified as personal data when combined with an associated IP address, other persistent identifier or data element capable of identifying or being reasonably linked to a natural person.
AI powered beta products and services: In addition to the above categories of personal data, ¶¶Òõ¶ÌÊÓÆµ may also collect the following categories of personal data (specific to its MapGPT & Location Agent branded products and services).
How ¶¶Òõ¶ÌÊÓÆµ Uses Personal Data
¶¶Òõ¶ÌÊÓÆµ does not process personal data for the purposes of identifying an individual or creating or maintaining records about an individual. Instead, ¶¶Òõ¶ÌÊÓÆµ processes personal data to:
- Provide, test, maintain, secure and improve ¶¶Òõ¶ÌÊÓÆµ products and services,
- Provide customer requested support, including applying knowledge gained from individual customer support requests to benefit all ¶¶Òõ¶ÌÊÓÆµ customers, to the extent such knowledge is de-identified,
- Prevent fraud, misuse and cyberattacks,
- Administer/bill customers (not end users),
- Calculate de-identified aggregate statistics,
- Train artificial intelligence models (to the extent personal data is first de-identified), which is a set of technologies and processes that allow computers to learn, reason, and assist in decision making; such models are used to improve ¶¶Òõ¶ÌÊÓÆµ products and services,
- Anonymize such data so it is no longer considered personal data,
- Cooperate with public and government authorities, courts or regulators in accordance with ¶¶Òõ¶ÌÊÓÆµ’s legal obligations, and
- Comply with applicable law.
¶¶Òõ¶ÌÊÓÆµ processes de-identified data only in a de-identified form and does not permit attempts to re-identify such data or associate with a natural person.
AI powered beta products and services: In addition to the above uses of personal data, ¶¶Òõ¶ÌÊÓÆµ may also use personal data in the following ways (specific to its MapGPT and Location Agent branded products and services).
- ¶¶Òõ¶ÌÊÓÆµ uses personal data for purposes that are compatible with those stated above such as providing and supporting the service. Machine learning to develop, improve, and fine tune ¶¶Òõ¶ÌÊÓÆµ’s models is one of those purposes.
- Third party independent controller suppliers will process the data you provide for their own purposes as outlined in their respective privacy policies (linked in Section 3). ¶¶Òõ¶ÌÊÓÆµ has no control over third party independent controllers’ use of the data that you provide.
To Whom ¶¶Òõ¶ÌÊÓÆµ May Disclose Personal Data
¶¶Òõ¶ÌÊÓÆµ may disclose personal data to:
- ¶¶Òõ¶ÌÊÓÆµ service providers who need to access such personal data in order to process in accordance with Section 2 above.
- In response to a request, so long as ¶¶Òõ¶ÌÊÓÆµ believes disclosure is required by any applicable law, regulation or legal process.
- If ¶¶Òõ¶ÌÊÓÆµ has a good-faith belief that access, use, preservation, or disclosure of the personal data is reasonably necessary to enforce its terms of service, detect, prevent, or otherwise address threats to its platform, or protect against harm to the rights, property or safety of ¶¶Òõ¶ÌÊÓÆµ, its customers or their end users, or the public as required or permitted by law.
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition or due diligence related thereto of all or a portion of ¶¶Òõ¶ÌÊÓÆµ’s business by another company.
AI powered beta products and services: In addition to the above parties that ¶¶Òõ¶ÌÊÓÆµ may disclose personal data to, ¶¶Òõ¶ÌÊÓÆµ may also disclose personal data to the following third party independent controllers (specific to its MapGPT & Location Agent branded products and services).
- Certain functionality to instruct MapGPT branded products and services to process a question such as when the end user says “hey MapGPT” or touches the MapGPT branded products and services icon or starts typing a command. PicoVoice’s processing is subject to its published privacy practices available here: https://picovoice.ai/docs/privacy-policy/ (or successor link). ¶¶Òõ¶ÌÊÓÆµ has no control over third party independent controllers’ processing of the data that the end user provides to MapGPT branded products and services.
- On-device speech-to-text (“STT”) vendor (which ¶¶Òõ¶ÌÊÓÆµ has no control over and is selected by the end user based on their device) will transpose audio speech spoken to MapGPT branded products and services to a string of text and send it to ¶¶Òõ¶ÌÊÓÆµ servers to answer the end user’s question. The on-device STT processing is subject to its respective published privacy practices, which you should review. ¶¶Òõ¶ÌÊÓÆµ has no control over third party independent controllers’ use of the data that the end user provides to MapGPT branded products and services.
- Large language model providers (“LLMs”), such as OpenAI, review the input text and formulate a response. OpenAI’s processing is subject to its published privacy practices available here: https://openai.com/policies/privacy-policy (or successor link). ¶¶Òõ¶ÌÊÓÆµ has no control over third party independent controllers’ processing of the data that the end user provides to MapGPT or Location Agent branded products and services.
- Text-to-speech (“TTS”) vendors, such as ElevenLabs, transform the ¶¶Òõ¶ÌÊÓÆµ appended LLM response to an audio MP3 file that is spoken (in audio form) to the requestor via MapGPT branded products and services. ElevenLabs’ processing is subject to its published privacy practices available here: https://elevenlabs.io/privacy (or successor link). ¶¶Òõ¶ÌÊÓÆµ has no control over third party independent controllers’ use of the data that the end user provides to MapGPT branded products and services.
Data Retention
¶¶Òõ¶ÌÊÓÆµ stores personal data for so long as ¶¶Òõ¶ÌÊÓÆµ determines it is needed to fulfill the purposes for which it was collected, as described in Section 2 above. In determining how long to retain personal data, ¶¶Òõ¶ÌÊÓÆµ considers the amount, nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which personal data is processed, applicable legal requirements, and ¶¶Òõ¶ÌÊÓÆµ’s legitimate interests. The purposes for which ¶¶Òõ¶ÌÊÓÆµ processes data may dictate different retention periods for the same types of data. For example, ¶¶Òõ¶ÌÊÓÆµ retains IP addresses for 30 days and after such time, in select instances, may need to extend such retention period for an investigation based on its legitimate interests to secure its products and services, prevent fraud and for legal compliance purposes.
Changes to this Product Privacy Policy
¶¶Òõ¶ÌÊÓÆµ will update this product privacy policy at its own discretion from time to time to reflect changes in ¶¶Òõ¶ÌÊÓÆµ’s practices, technologies, legal requirements, and other factors.
Contact ¶¶Òõ¶ÌÊÓÆµ
¶¶Òõ¶ÌÊÓÆµ would love to hear any questions, concerns, or feedback about this product privacy policy or ¶¶Òõ¶ÌÊÓÆµ’s data protection practices. Please contact ¶¶Òõ¶ÌÊÓÆµ at privacy@mapbox.com.
Privacy & Security FAQ
Last Updated: Aug 22, 2023
¶¶Òõ¶ÌÊÓÆµ provides a location data platform that powers maps and location services. ¶¶Òõ¶ÌÊÓÆµ provides SDKs (software development kits) and APIs (application programming interfaces), which businesses and developers use to incorporate ¶¶Òõ¶ÌÊÓÆµ mapping and navigation technologies into the licensed applications and websites they make. The SDKs contain libraries of software code which are incorporated into a customer’s licensed application or website. These libraries of software code facilitate API requests to ¶¶Òõ¶ÌÊÓÆµ’s location data platform (which is a backend data server, hosted in the cloud (AWS-US)) which then responds with map and location content to the customer’s application or website.
In addition, ¶¶Òõ¶ÌÊÓÆµ offers an on-premise version of its location data services, called Atlas.
No. ¶¶Òõ¶ÌÊÓÆµ does not sell personal data.
No. For customers on a monthly active user (“MAU”) billing model, ¶¶Òõ¶ÌÊÓÆµ maintains counts of MAUs for billing purposes only. ¶¶Òõ¶ÌÊÓÆµ does not (and cannot) track an end user’s activity across billing cycles and does not build targeted profiles with the data processed through its products/services.
¶¶Òõ¶ÌÊÓÆµ applies the principle of data minimization to product development and operations in an effort to collect only limited data from the outset. ¶¶Òõ¶ÌÊÓÆµ operates a number of technical and organizational measures regarding the limited personal dataset that we process, such as strict access controls and prompt deletion of raw log files that contain IP addresses and billing IDs. ¶¶Òõ¶ÌÊÓÆµ deploys regular ID rotation and 1-way hashing for billing IDs, which must be retained for accounting and billing purposes, to minimize the ability to track user requests over time. Billing IDs are not transmitted with unrelated events, further reducing the feasibility of correlating a user’s activities over time. In addition, ¶¶Òõ¶ÌÊÓÆµ operates strict anonymization procedures, such as clipping traces, for telemetry events that send location data.
Communication through the Internet requires the presence of IP addresses, which specify each transmission’s origin and destination. When end users engage with applications that access ¶¶Òõ¶ÌÊÓÆµ products/services through the Internet, the end user necessarily discloses their current IP address to one or more ¶¶Òõ¶ÌÊÓÆµ servers. IP addresses are retained in CloudFront logs for 30 days for billing and customer usage reporting, unless involved in an ongoing security, anti-fraud, or misuse investigation.
¶¶Òõ¶ÌÊÓÆµ receives location data when a ¶¶Òõ¶ÌÊÓÆµ customer’s end users use a licensed application that incorporates ¶¶Òõ¶ÌÊÓÆµ mobile SDKs and the end user has authorized the licensed application’s use of the end user’s device location via their mobile phone or device operating system.
Location data includes fields such as latitude and longitude, altitude, horizontal and vertical accuracy, a session ID rotating every 24 hours, and origin IP address (as would any Internet communication). The IP address that accompanies location data is retained at the load balancer (where it is used for security and billing purposes and discarded after 30 days). This IP address is not forwarded to the location telemetry processing pipeline. Location data is encrypted in transit and at rest, and is subject to the principle of least access, with the minimal number of personnel and processes having access to it in its pre-aggregated form.
In the location data anonymization pipeline, the location data is then anonymized by clipping off the origin and destination of the trip and further dividing the trip into segments, which cannot be reassembled. The anonymized location data is then used to improve ¶¶Òõ¶ÌÊÓÆµ mapping products, including the Traffic and Movement data products.
In AWS in the United States. However, for performance purposes, ¶¶Òõ¶ÌÊÓÆµ regularly caches content on its AWS content delivery network (“CDN”) located in various regions. ¶¶Òõ¶ÌÊÓÆµ employees who work for ¶¶Òõ¶ÌÊÓÆµ wholly-owned subsidiaries may access personal data from the countries where they work in order to support, develop and provide ¶¶Òõ¶ÌÊÓÆµ products/services.
No. ¶¶Òõ¶ÌÊÓÆµ’s products/services store and serve source data from an AWS primary region in the US. As noted above, data is cached and served out of various regions outside the US for performance reasons; however, ¶¶Òõ¶ÌÊÓÆµ cannot serve its data from one limited geographic region. To comply with GDPR and safeguard transfers to the US and other countries, please see ¶¶Òõ¶ÌÊÓÆµ's DPA, Schedule C, which includes the Standard Contractual Clauses released in 2021 by the European Commission.
Yes. ¶¶Òõ¶ÌÊÓÆµ carefully scrutinizes the personal data it processes within its engineering lifecycle, which includes conducting a privacy review for new (or changed) processing activities. ¶¶Òõ¶ÌÊÓÆµ follows privacy-by-design principles and works diligently to limit the personal data it processes from the outset. A DPIA is conducted in any situation in which processing of personal data may be considered high risk and not able to be accomplished in a lower risk manner.
¶¶Òõ¶ÌÊÓÆµ runs a global data protection program designed to operate in compliance with applicable global privacy laws, including: VCDPA (Virginia, USA), UCPA (Utah, USA), UK-GDPR (UK), TIPA (Tennessee, USA), TDPSA (Texas, USA), PIPEDA (Canada), MTCDPA (Montana, USA), LGPD (Brazil), IDPL (Iowa, USA), ICDPA (Indiana, USA), GDPR (Europe), CTDPA (Connecticut, USA), CCPA and its implementing regulations including CPRA (California, USA), CPA (Colorado, USA), and APPI (Japan), among many other important jurisdictions.
¶¶Òõ¶ÌÊÓÆµ’s privacy program is based on privacy by design, which includes monitoring for upcoming privacy laws and regulations to assess whether its practices may need to be adjusted to maintain compliance; product/service privacy reviews; data breach response processes; and operationalized technical and organizational measures designed to ensure the security of the personal data it receives including: security audits and SOC2 certification; anonymization & pseudonymization of personal data (where applicable); strict access control with logging; limited data retention periods.
Yes. ¶¶Òõ¶ÌÊÓÆµ is SOC2 Type 2 certified with a summary SOC3 report available for customer review. In addition, ¶¶Òõ¶ÌÊÓÆµ earned and maintains Trusted Information Security Assessment Exchange (“TISAX”) and ISO 9001 certifications. Upon request and execution of an NDA, ¶¶Òõ¶ÌÊÓÆµ may share a copy of its latest SOC2 report.
¶¶Òõ¶ÌÊÓÆµ welcomes any further questions you may have regarding its ongoing commitment to privacy and data security. Please contact ¶¶Òõ¶ÌÊÓÆµ’s privacy office at privacy@mapbox.com.