Mapbox and Data Protection – What Belongs in Your Privacy Policy

Concise guide to Mapbox: data processed, purposes, GDPR legal bases, third-country transfer, and what website operators must include in their privacy policy.

If a website operator uses Mapbox, they typically process web server log data, location, device and interaction data for the purpose of displaying interactive maps – usually on the basis of third-party content consent. This page on Mapbox data protection explains the data flow, Mapbox's role, the third-country issue and the mandatory information for the privacy policy.

A. Purpose and Functionality of Mapbox

Mapbox is a US-based provider of maps and geo services that delivers interactive maps, location search (geocoding), routing and navigation through web and mobile SDKs. Website operators typically embed Mapbox via the JavaScript SDK (e.g. mapbox-gl.js) or via embed snippets to display an interactive map at a particular spot, with markers, routes or store locators.

This article focuses on this integration function (map embedding via the Mapbox SDK on a website). Mapbox also offers mobile SDKs for native apps, routing APIs for logistics and platform services – these features lie outside the typical web embedding scenario and are not addressed in detail here.

When loading a page, the visitor's browser connects directly to Mapbox servers and fetches map tiles, styles, vector data and fonts. Mapbox states that it captures telemetry data unless this is disabled by the website operator or the user.

B. Mandatory Information in the Privacy Policy When Using Mapbox

The GDPR requires website operators to inform visitors transparently about data processing. In addition to general information on the controller, data subject rights and the supervisory authority, the following items are mandatory when using a tool such as Mapbox:

  • the purposes of processing (Art. 13(1)(c) GDPR),
  • the legal bases of processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients (Art. 13(1)(e) GDPR),
  • whether data is transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
  • the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
  • and – where data is not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR).

These items are broken down for Mapbox in the following sections.

In practice, it is not necessary to list every individual tool – including Mapbox – with its own text block. While this practice has become widespread, it leads to long, formulaic texts that repeat themselves and make the privacy policy hard to maintain. A topic-oriented approach that describes processing such as third-party content across the board and names specific providers in a recipient list in the appendix is more appropriate. The matterius generator implements this method.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Mapbox

According to publicly available information from Mapbox, the contracting party for website operators is

Mapbox, Inc., 1633 Westlake Avenue North, Suite 200, Seattle, WA 98109, USA

Mapbox maintains subsidiaries and offices in Europe and elsewhere; the contracting party and data flows depend on the contract structure. Mapbox Inc. is a US company located outside the EU/EEA; the website operator should verify the current status under the EU-US Data Privacy Framework (DPF) at https://www.dataprivacyframework.gov/s/participant-search. Where DPF protection does not apply, data transfers can typically be based on Standard Contractual Clauses (SCC).

Mapbox's privacy notices are available at https://www.mapbox.com/legal/privacy; supplementary information on Mapbox telemetry and geo data is available at https://www.mapbox.com/telemetry.

D. Mapbox Data Processing – Step by Step

  1. Collection: when a page with a Mapbox map embedded is loaded, the visitor's browser establishes a direct connection to Mapbox servers. Mapbox receives the IP address, user agent, referrer, technical request metadata and – depending on configuration – the map view, zoom level and interaction events.
  2. Storage: Mapbox stores requests in web server logs and – where enabled – in telemetry databases for product improvement. Processing takes place on Mapbox infrastructure; server locations may be in the USA.
  3. Use: Mapbox uses the data to deliver map tiles, styles and vector data, ensure operations, protect against abuse and – by its own account – improve the maps and navigation services (telemetry).
  4. Disclosure: Mapbox may involve group-internal recipients and technical sub-processors (e.g. cloud infrastructure). The current sub-processor list is available via Mapbox's trust documentation.
  5. Deletion: retention periods are set out in Mapbox's privacy notices. Website operators can disable telemetry via the SDK; end users have an additional opt-out via the telemetry toggle in the Mapbox map layer.

E. Data Collected When Using Mapbox

When a website with a Mapbox map embedded is loaded, the following data, in particular, is transmitted to Mapbox servers: IP address, date and time of the request, URL of the requested map tile, referrer URL, user agent, map view and zoom level, and additional technical metadata. With Mapbox telemetry enabled, additional anonymised device and movement data is collected.

This data falls into the following standardised data categories:

  • Web server log data: data the third party's web server receives with each request, including IP address, date, time, URL of the requested content, referrer, browser/OS/device information, and additional technical metadata.
  • Device data: information about the user's device, e.g. device type, operating system, screen resolution, touch support.
  • Browser information: information about the browser used, e.g. browser name and version.
  • Coarse location data: location derivable from the IP address or, where the user grants permission, precise geo coordinates.
  • Interaction data: information about how the user interacts with the map, e.g. mouse movements, clicks, scroll and zoom actions, touch movements with date and time.
  • Click paths: clicked markers or buttons within the map, where configured.
  • Technical telemetry data: technical request data, e.g. load times, data volumes and status codes.

F. Purposes When Using Mapbox

The website operator primarily uses Mapbox to embed interactive maps, e.g. to visualise the location of stores, event venues or for route display. Additional functions include geocoding (address search) and routing.

The purposes fall into the following standardised categories:

  • Functionality provision: providing the maps and navigation functionality, in particular displaying maps, markers and interactive content, including error detection and avoidance.
  • Security and abuse protection: ensuring data security in map embedding, detecting and stopping attacks as well as bot and abuse defence by Mapbox.
  • General product improvement: non-user-individual adjustments to maps and delivery infrastructure, e.g. optimisation based on frequently requested regions.

Mapbox falls into the third-party content category (map embedding via third-party servers).

Possible legal bases include:

  • Consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG: with online embedding, web server log data – in particular the IP address – is transmitted to third-party servers in the USA on every page request. Third-party content consent obtained via the consent banner is generally regarded as the appropriate basis.
  • Legitimate interest under Art. 6(1)(f) GDPR: in setups without cookies and telemetry, processing can in narrow limits rely on legitimate interests in functionality provision, efficiency and security. The viability of this basis must be assessed in each case, in particular against the backdrop of the third-country issue and Mapbox telemetry.

The legal basis is case-specific and must be assessed by the website operator on the merits.

H. Special Considerations and Notes on Mapbox

  • Provider role: according to publicly available information, Mapbox generally acts as an independent controller for the server logs and telemetry data generated by map embedding, where this serves the improvement of its own services. For data passed to Mapbox by the website operator (e.g. self-uploaded datasets), Mapbox offers a data processing agreement. The classification must be assessed in each case.
  • Third-country transfers / DPF: Mapbox Inc. is based in the USA. Website operators should verify the DPF status at https://www.dataprivacyframework.gov/s/participant-search. Where DPF protection does not apply, Standard Contractual Clauses (SCC) come into consideration.
  • DPA: Mapbox provides a Data Processing Addendum for platform customers; this is particularly relevant where the website operator passes its own datasets or geocoding queries with personal data to Mapbox.
  • Telemetry and opt-out: according to Mapbox, telemetry data is collected for product improvement. Website visitors can disable telemetry via the built-in Mapbox telemetry toggle in the map layer. Website operators can disable telemetry via the SDK.
  • Cookies: according to the provider, the Mapbox map embed generally does not set tracking cookies in the default configuration; this should be verified case by case.
  • Sub-processors: Mapbox uses cloud infrastructure and group-internal entities; a sub-processor list is provided in Mapbox's trust documentation.
  • Settings for the website operator: load Mapbox only after consent has been given (consent gating); disable telemetry as required; avoid geocoding requests with personal addresses where not strictly necessary.
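
The consent gating named in the last item, as an added example (not code from Mapbox or matterius): nothing that points at the map provider is inserted into the page until consent is given, so the browser sends no IP address or other log data beforehand. `createMapConsentGate` and the asset URLs are hypothetical placeholders; in production `grant()` would be called from the consent banner's callback.

```javascript
// Added example: consent gate for an embedded third-party map.
// The URLs are placeholders; substitute the SDK script and stylesheet you embed.
const MAP_ASSETS = {
  script: "https://maps.example.invalid/sdk.js",
  style: "https://maps.example.invalid/sdk.css",
};

// createMapConsentGate is a hypothetical helper, not a Mapbox API.
// doc: the page's document; container: element that will hold the map;
// onReady: callback that initialises the map once the SDK has loaded.
function createMapConsentGate(doc, container, assets, onReady) {
  let granted = false;

  // Before consent the page shows only a first-party notice, so the
  // browser opens no connection to the map provider.
  const notice = doc.createElement("button");
  notice.textContent = "Show map (connects to the map provider's servers)";
  container.appendChild(notice);

  function grant() {
    if (granted) return false; // idempotent: inject the assets only once
    granted = true;

    const link = doc.createElement("link");
    link.rel = "stylesheet";
    link.href = assets.style;
    doc.head.appendChild(link);

    const script = doc.createElement("script");
    script.src = assets.script;
    script.onload = () => {
      container.removeChild(notice);
      onReady(container);
    };
    doc.head.appendChild(script);
    return true;
  }

  notice.onclick = grant; // or call grant() from the consent banner's callback
  return { grant, isGranted: () => granted };
}
```

A static `<script>` or `<link>` tag for the SDK anywhere in the page markup defeats the gate, because the browser fetches it on load regardless of consent.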

This presentation is based on publicly available information from Mapbox and other publicly available sources; it does not replace a case-by-case assessment.

I. FAQ on Mapbox Data Protection

J. Conclusion on Mapbox Data Protection and Next Step

Mapbox provides powerful map and geo services that integrate flexibly into websites. From a data protection perspective, what matters is that every page load establishes a direct connection to Mapbox servers, transmitting the IP address and other web server log data to a US provider, and – depending on configuration – Mapbox telemetry on top. Website operators should embed Mapbox on a consent basis via the consent banner, verify DPF status, configure telemetry and cookies, and present purposes, data categories, recipients, third-country transfer and legal basis transparently in the privacy policy.

For the privacy policy: it is generally not useful to maintain a separate text block for Mapbox. Doing so makes the privacy policy long, unwieldy and hard to maintain and conflicts with the transparency principle in Art. 12(1) GDPR. A topic-oriented approach that describes third-party content across the board and only lists specific providers such as Mapbox in a "Recipients" appendix is more appropriate. This is exactly what the matterius generator delivers.

This article provides general information about Mapbox and does not replace legal advice on individual cases. As of: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been recognised by Handelsblatt every year from 2020 to the present (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
