Mapbox Legal Portal

TermsPrivacySupportSuppliers

MAPBOX – Navigation SDK Core and UX Framework (with MapGPT) Evaluation Terms of Service

Last Revised: January 3, 2024

Copyright (c) 2024 Mapbox, Inc. All rights reserved.

The beta software above is licensed only on the following terms:

For sixty days from the date of first installation, which may be extended by Mapbox in writing (including email) at its sole discretion (the “Term”), Mapbox hereby grants the enterprise receiving the software above from Mapbox (“Customer”) a limited, non-exclusive, revocable, royalty-free, non-transferable, non-sublicensable license to access and use, by Customer’s employees and contractors, the software above and related services named above and any accompanying documentation and content (collectively, the “Service”) for the sole purpose of evaluating whether to enter into a commercial agreement with Mapbox to purchase the Service (the “Permitted Purpose”), subject to Customer’s continued compliance with the following terms and conditions in addition to (i) the Mapbox Terms of Service (available at https://www.mapbox.com/legal/tos); (ii) the Mapbox Privacy Policies available at https://www.mapbox.com/legal/privacy; and (iii) the Product Terms (available at https://www.mapbox.com/legal/product-terms) (collectively, these “Terms”).  

IF CUSTOMER DOES NOT AGREE TO THESE TERMS, CUSTOMER MAY NOT USE THE SERVICE!

  1. Beta Product. Customer acknowledges that the Service is an unreleased and experimental beta product unsuitable for use in a production environment.  The Service may include bugs, errors, and unexpected behaviors and may otherwise be “feature incomplete” and not available in all areas.  The Service is an “Beta Service Offering” as defined in the Mapbox Product Terms.
  2. Privacy Terms.  Customer shall only submit personal data of their employees or contracted professional drivers (“end users”) to the Service solely for the Permitted Purpose. Mapbox processes such personal data for the Permitted Purpose as an independent data controller in accordance with its product privacy policy, available here: https://www.mapbox.com/legal/privacy#product-privacy-policy.  Customer shall display Mapbox’s privacy notice (Mapbox product privacy policy) to end users and shall not interfere with or disable Mapbox’s collection of required end user consent prior to such user’s use of the Service. 
  3. MapGPT and AI Features.  The Service includes an experimental personal-assistant feature powered by artificial intelligence (AI) systems (“MapGPT”) that responds conversationally to voice and text inputs Customer submits through the Service (“Inputs”), such as questions and requests.  By using the Service and providing Inputs, Customer grants Mapbox, our affiliates, and our third-party partners, at no cost, a nonexclusive, transferable, sublicensable, worldwide, perpetual, irrevocable, royalty-free license to freely exploit (i) all Inputs (which may include voice recordings), (ii) associated information and data Mapbox collects along with Inputs, and (iii) responses Mapbox generates based on (i) and (ii) (“Outputs”).  Inputs and Customer’s use of mapGPT and Outputs must comply with these Terms.  Customer may use Outputs only in furtherance of the Permitted Purpose.  Customer represents and warrants that Customer owns or otherwise controls all the necessary rights to provide Mapbox with Inputs as described in these Terms including, without limitation, all the rights, consents, and lawful bases necessary to submit Inputs through the Service.
  4. IP Rights.  As between the parties, and except for the licenses Mapbox grants to Customer per these Terms, Mapbox owns all right, title and interest in and to the Service.  Customer acknowledges that the Service will send inputs (excluding Inputs) and identifiers, diagnostic, usage, location, and other data back to Mapbox (“Beta Data”). Customer will not prevent the Service from sending Beta Data to Mapbox and will ensure that it has all rights necessary to provide the Beta Data to Mapbox for the uses contemplated hereunder. Customer acknowledges and agrees that Mapbox may freely exploit all Beta Data.  Customer may voluntarily provide Mapbox with feedback with respect to Customer’s use of the Service (e.g., feedback related to usability, performance, interactivity, bug reports and test results) and other suggestions, information or materials relating to the Service (collectively, “Feedback”). Customer acknowledges and agrees that Mapbox may freely exploit all Feedback.
  5. Integrations with Third-Party Products.  The Service may enable Customer to integrate Customer’s Applications with third-party products and services, including music-streaming platforms.  Customer is solely responsible for entering into any agreements necessary to obtain rights to use and integrate Customer’s Applications with such third-party products and services.  Mapbox is not and will not be a party to such agreements.  If Customer does not have the necessary rights to use such third-party products and services, Customer may not use them with the Service.
  6. Confidentiality. The Service, its associated documentation, any information related to the Service that either party generates (such as problem reports, analysis and performance information), the fact that Customer has access to the Service, and all Beta Data are “Confidential Information” of Mapbox. Customer will keep Confidential Information in strict confidence, will only use the Confidential Information for the Permitted Purpose, will only provide Confidential Information to those of Customer’s and Customer’s affiliates’ employees (collectively, “Representatives”) who need such information for the Permitted Purpose and who agree to confidentiality terms at least as restrictive as those set forth herein.  Customer is responsible for any actions or omissions of anyone with whom Customer shares Confidential Information that would be a breach of these Terms if done by Customer. Except as permitted by the preceding sentence, Customer shall not, without the prior written consent of Mapbox, use, disclose or otherwise make available the Confidential Information to any third party. Customer acknowledges and agrees that due to the unique nature of the Confidential Information, there can be no adequate remedy at law for any breach of Customer’s obligations hereunder, that any such breach may allow Customer or third parties to unfairly compete with Mapbox resulting in irreparable harm to Mapbox, and that therefore, upon any such breach or threat thereof, Mapbox shall be entitled to seek injunctions and other appropriate equitable relief in addition to whatever remedies it may have at law. This clause survives termination or expiration of these Terms.
  7. Miscellaneous. With respect to the subject matter hereof, these Terms (i) are intended by the parties as a final, complete and exclusive expression of the terms of their agreement; and (ii) supersede all prior agreements and understandings (whether oral or written) between the parties as to the subject matter described in these Terms.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Privacy & Security FAQ

Last Updated:  Aug 22, 2023

1. What is Mapbox?

Mapbox provides a location data platform that powers maps and location services. Mapbox provides SDKs (software development kits) and APIs (application programming interfaces), which businesses and developers use to incorporate Mapbox mapping and navigation technologies into the licensed applications and websites they make. The SDKs contain libraries of software code which are incorporated into a customer’s licensed application or website. These libraries of software code facilitate API requests to Mapbox’s location data platform (which is a backend data server, hosted in the cloud (AWS-US)) which then responds with map and location content to the customer’s application or website.

In addition, Mapbox offers an on-premise version of its location data services, called Atlas.

2. Does Mapbox sell personal data?

No. Mapbox does not sell personal data.

3. Does Mapbox track end users or build end user profiles?

No. For customers on a monthly active user (“MAU”) billing model, Mapbox maintains counts of MAUs for billing purposes only. Mapbox does not (and cannot) track an end user’s activity across billing cycles and does not build targeted profiles with the data processed through its products/services.

4. What types of personal data does Mapbox collect from end users and why?
Data Category Examples
Identifiers Such as randomly generated billing ID, session ID & feedback ID (if given), and IP address (to provide the service, for billing/security purposes and deleted after 30 days).
Commercial Information Such as user agent, which may include an application ID (determined by the Mapbox customer to identify its application), Mapbox customer’s account ID (so that Mapbox knows which company to bill) and Mapbox product name(s) and version(s). Such as data that an individual may upload to Mapbox products/services or otherwise provide to Mapbox in connection with support, or feedback that end users voluntarily contribute to Mapbox along with their associated contact information.
Internet or other electronic network activity Such as timestamp accompanying received data elements, an end user’s abandonment of a given navigation route / use of an alternate navigation route;
Such as connectivity and device data including device model and browser information, operating system, and contents of an API or SDK request.
Geolocation Data Such as latitude and longitude, altitude, horizontal and vertical accuracy (the session ID association is broken within 24 hours.)Applies only to Navigation SDK: If Mapbox Copilot is enabled, Mapbox receives detailed full trip trace files and searchresults of navigation sessions. Mapbox Copilot is disabled by default and may only be enabled by Mapbox Navigationcustomers (not end users) in their licensed applications.At any time, end users may change their location permissions for a given licensed application through their mobiledevice and choose to disable access to location data. Such change may affect the designed functionality of the licensed application.
5. What measures does Mapbox take to minimize and protect personal data?

Mapbox applies the principle of data minimization to product development and operations in an effort to collect only limited  data  from  the  outset. Mapbox  operates  a  number  of  technical  and  organization measures regarding the limited personal dataset that we process, such as strict access controls and prompt deletion of raw log files that contain IP addresses and billing IDs. Mapbox deploys regular ID rotation and 1-way hashing for billing IDs, which must be retained for accounting and billing purposes, to minimize the ability  to  track  user  requests over time. Billing  IDs  are  not  transmitted with  unrelated  events,  further reducing  the  feasibility  of  correlating  a  user’s  activities  over  time.  In  addition, Mapbox operates  strict anonymization procedures, such as clipping traces, for telemetry events that send location data.

6. Why are IP addresses collected?

Communication through the Internet requires the presence of IP addresses, which specify each transmission’s origin and destination. When end users engage with applications that access Mapbox products/services through the Internet, the end user necessarily discloses their current IP address to one or more Mapbox servers. IP addresses are retained in cloudfront logs for 30 days for billing and customer usage reporting, unless involved in an ongoing security, anti-fraud, or misuse investigation.

7. Why (and when) is location data collected?

Mapbox receives location data when a Mapbox customer’s end users uses a licensed application that incorporates Mapbox mobile SDKs and the end user has authorized the licensed application’s use of the end user’s device location via their mobile phone or device operating system.

Location data includes fields such as latitude and longitude, altitude, horizontal and vertical accuracy, a session ID rotating every 24 hours, and origin IP address (as would any Internet communication). The IP address that accompanies location data is retained at the load balancer (where it is used for security and PUBLISHED: Aug 22, 2023https://www.mapbox.com/legal/legal-faq Mapbox Customer FAQ, Page 3billing purposes and discarded after 30 days). This IP address is not forwarded to the location telemetry processing pipeline. Location data is encrypted in transit and at rest, and is subject to the principle of least access, with the minimal number of personnel and processes having access to it in its pre-aggregated form.

In the location data anonymization pipeline, the location data is then anonymized by clipping off the origin and destination of the trip and further dividing the trip into segments, which cannot be reassembled. The anonymized location data is then used to improve Mapbox mapping products, including the Traffic and Movement data products.

8. Where (geographically) does Mapbox process personal data?

In AWS in the United States. However, for performance purposes, Mapbox regularly caches content on its AWS content delivery network (“CDN”) located in various regions. Mapbox employees who work for Mapbox wholly-owned subsidiaries may access personal data from the countries where they work in order to support, develop and provide Mapbox products/services.

9. Can Mapbox limit its geographic processing to Europe (or another specific region)?

No. Mapbox’s products/services store and serve source data from an AWS primary region in the US. As noted above, data is cached and served out of various regions outside the US for performance reasons, however Mapbox cannot serve its data from one limited geographic region. To comply with GDPR and safeguard transfers to the US and other countries, please see Mapbox's DPA, Schedule C, which includes the Standard Contractual Clauses released in 2021 by the European Commission.

10. Does Mapbox conduct data processing impact assessments (DPIA)?

Yes. Mapbox carefully scrutinizes the personal data it processes within its engineering lifecycle, which includes conducting a privacy review for new (or changed) processing activities. Mapbox follows privacy-by-design principles and works diligently to limit the personal data it processes from the outset. A DPIA is conducted in any situation in which processing of personal data may be considered high risk and not able to be accomplished in a lower risk manner.

11. How does Mapbox manage compliance with global privacy laws?

Mapbox runs a global data protection program designed to operate in compliance with applicable global privacy laws, including: VCDPA (Virginia, USA), UCPA (Utah, USA), UK-GDPR (UK), TIPA (Tennessee, USA), TDPSA (Texas, USA),PIPEDA (Canada), MTCDPA (Montana, USA), LGPD (Brazil),IDPL (Iowa, USA), ICDPA(Indianna, USA), GDPR (Europe), CTDPA (Connecticut, USA), CCPA and its implementing regulations including CPRA (California, USA), CPA (Colorado, USA), and APPI (Japan), among many other important jurisdictions.

Mapbox’s privacy program is based on privacy by design, which includes monitoring for upcoming privacy laws and regulations to assess whether its practices may need to be adjusted to maintain compliance; product/service privacy reviews; data breach response processes; and operationalized technical and organizational measures designed to ensure the security of the personal data it receives including: security audits and SOC2 certification; anonymization & pseudonymization of personal data (where applicable); strict access control with logging; limited data retention periods.

12. Does Mapbox have information security credentials?

Yes. Mapbox is SOC2 Type 2 certified with a summary SOC3 report available for customer review. In addition, Mapbox earned and maintains Trusted Information Security Assessment Exchange (“TISAX”) and ISO 9001 certifications. Upon request and execution of an NDA, Mapbox may share a copy of its latest SOC2 report.

13. More questions?

Mapbox welcomes any further questions you may have regarding its ongoing commitment to privacy and data security. Please contact Mapbox’s privacy office at privacy@mapbox.com.

Want to receive updates on our sub-processors?

Please subscribe below:

Stay tuned for updates!
Please enter an email address that includes @.