OpenStreetMap with Leaflet and Data Protection – What Belongs in Your Privacy Policy
Compact guide to OpenStreetMap with Leaflet: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
If a website operator uses OpenStreetMap with Leaflet to embed interactive maps in their website, they regularly process web server log data, device data, browser information and coarse location data for the purpose of map display when the map is loaded. The legal basis – depending on the integration variant – is typically the user's third-party content consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG) or, in the case of local or proxy-based integration, a legitimate interest (Art. 6(1)(f) GDPR). This page concisely explains which data OpenStreetMap with Leaflet processes and what website operators must include in their privacy notices.
A. Purpose and Functionality of OpenStreetMap with Leaflet
OpenStreetMap (OSM) is a free geodata project maintained by a worldwide community. The associated OpenStreetMap Foundation (OSMF), based in Cambridge, United Kingdom, operates – among other things – the public map tile server tile.openstreetmap.org, which delivers pre-rendered map tiles.
Leaflet is a lightweight, open-source JavaScript library (MIT license) for displaying interactive maps in the browser. According to the project's information, Leaflet itself does not collect any personal data and does not communicate with any of its own servers; the library is usually delivered locally from the website operator's web server or obtained via a CDN.
From a data protection perspective, a strict distinction must therefore be made:
- Leaflet library (passive): If the JavaScript file is delivered locally, the map functions themselves do not trigger any third-party server requests.
- Tile server (active): As soon as Leaflet retrieves map tiles from the OSM tile server (or from an alternative tile provider such as MapTiler, Mapbox, Carto, Stadia Maps, Geoapify), the user's browser establishes a direct connection to this third-party server. Only this step is, from a data protection standpoint, the actual "third-party content".
This page focuses on the typical integration function: embedding an interactive map with Leaflet whose tiles are loaded from the OSM tile server. Other functions of the OSM ecosystem (e.g. contributing map data as an OSM mapper, routing services, Nominatim geocoding) are not covered here.
B. Mandatory Information in the Privacy Policy when Using OpenStreetMap with Leaflet
In addition to general information about the website operator, data subject rights and the supervisory authority, the GDPR prescribes specific mandatory information in connection with the use of tools such as OpenStreetMap with Leaflet: the purposes of processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR) and – where processing is based on a balancing of interests – the specific legitimate interests pursued (Art. 13(1)(d) GDPR).
This is supplemented by the recipients or categories of recipients (Art. 13(1)(e) GDPR), the question whether data is transferred to a third country outside the EU/EEA and on what basis (adequacy decision, SCCs or another safeguard) (Art. 13(1)(f) GDPR), the storage period or the criteria for determining it (Art. 13(2)(a) GDPR), and – where data is not collected directly from the data subject – the categories of personal data processed (Art. 14(1)(d) GDPR).
These mandatory items are spelled out specifically for OpenStreetMap with Leaflet in the following sections.
It is not necessary to list every individual tool – including OpenStreetMap with Leaflet – with its own dedicated text module in the privacy policy, even though precisely this practice has become widespread. The "text-module-per-tool" approach has established itself as bad practice: it leads to long, repetitive texts that make the privacy policy unwieldy, hard to maintain and barely readable for users – contrary to the transparency requirement of Art. 12(1) GDPR. A more appropriate approach is topic-oriented: processing activities are described across themes (server operation, newsletter, tracking, third-party content …), and the actually used service providers – including OSMF or an alternative tile provider – are listed in an Annex: Recipients. This is exactly the methodology pursued by the matterius generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of OpenStreetMap with Leaflet
In the standard integration discussed here, two actors must be distinguished:
1. Leaflet library
- Project: Leaflet (open-source project under MIT license, maintained by Volodymyr Agafonkin and contributors)
- Source: https://leafletjs.com
- If the library is delivered locally from the website operator's web server, no third-party server requests arise. If it is obtained via a public CDN (e.g. unpkg, jsDelivr, cdnjs), the respective CDN qualifies as an additional recipient and must be treated like third-party content.
2. Tile server (default: OpenStreetMap Foundation)
- Legal name: OpenStreetMap Foundation (OSMF)
- Address: St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom
- Country of seat: United Kingdom
- Privacy Policy: https://osmfoundation.org/wiki/Privacy_Policy
- Tile Usage Policy: https://operations.osmfoundation.org/policies/tiles/
The United Kingdom is recognised as a safe third country within the meaning of Art. 45 GDPR by virtue of the EU Commission's adequacy decision of 28 June 2021. An additional certification (e.g. under the EU-US Data Privacy Framework) is not relevant here.
If the website operator uses an alternative tile provider (e.g. MapTiler AG/Switzerland, Mapbox Inc./USA, Carto, Stadia Maps Inc./USA, Geoapify GmbH/Germany) instead of the OSM tile server, that provider's privacy notices apply, and any additional safeguards (e.g. SCCs, DPF) must be reviewed separately.
D. Data Processing in OpenStreetMap with Leaflet – Step by Step
E. Data Collected by OpenStreetMap with Leaflet
When a Leaflet-embedded map with tiles from the OSM tile server is loaded, the following data is, according to OSMF's privacy policy, in particular transmitted to the tile server: IP address of the user device, user-agent string (browser and operating system information), referrer (URL of the page from which the map was called), date and time of the request, requested tile URL (typically encoded via zoom level and x/y coordinates and thus a technical indicator of the displayed map section) as well as technical metadata of the request.
These data items can be classified in the following standardised data categories:
- Web server log data: data which the tile server receives from the user device with each tile request, in particular IP address, date and time of the request, URL of the requested tile, referrer (URL of the embedding website), information about the browser, operating system and device used, and supplementary technical metadata.
- Device data: information derivable from the user agent about the user's device, e.g. device type and operating system.
- Browser information: browser name and browser version derived from the user agent.
- Coarse location data: based on the IP address, the tile provider can determine the user's coarse location at city or municipality level; in addition, the requested tile coordinates provide a technical indication of the displayed map section – not necessarily of the user's actual whereabouts.
If Leaflet is integrated locally only and the tiles are self-hosted or delivered via a server-side proxy, data flows to the website operator's own web server; in this case, only the web server log data that arises anyway is processed.
F. Purposes of Use when Employing OpenStreetMap with Leaflet
Website operators typically embed OpenStreetMap with Leaflet to display locations interactively (e.g. branches, event venues, directions), to allow users to zoom and pan the map, or to visualise markers, routes and polygons.
The purposes typically pursued by using OpenStreetMap with Leaflet can be classified under the following standardised purpose categories:
- Function provision: providing the map function on the website, in particular the display of maps and interactive content, presentation of locations and markers, zoom and pan controls, error detection and prevention while loading tiles.
- Security and abuse prevention: protection of the tile server against excessive use, scraping and attacks (carried out by the tile provider); on the website operator's side, where applicable, detection of suspicious request patterns.
- General product improvement: optimisation of the website on the basis of frequently accessed map content and the devices used.
G. Legal Bases for OpenStreetMap with Leaflet
OpenStreetMap with Leaflet falls primarily into the tool category third-party content (maps) insofar as tiles are loaded from a third-party server. If, on the other hand, the Leaflet library is delivered locally and the tiles are also self-hosted or made available via a proxy, the operation is, in substance, attributable to server operation/hosting.
The following legal bases typically come into consideration:
- Standard integration with tiles from the OSM tile server (or another third-party provider): Since the user's browser establishes a direct connection to a third-party server and at least transmits the IP address, the user's third-party content consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG regularly applies. In practice, this means: the map is only loaded after active consent (e.g. via a consent banner or a click-to-load placeholder).
- Self-hosting the tiles or proxy solution: If the tiles are delivered from the website operator's web server, processing can be based on the legitimate interest under Art. 6(1)(f) GDPR – with the interests of function provision, efficiency and security.
- Local embedding of the Leaflet library: The library itself does not trigger any third-party server requests; its delivery takes place as part of regular server operation (legitimate interest).
The classification of the legal basis depends significantly on the specific integration variant (tile source, local vs. CDN-based delivery of the library) and on whether end-device access occurs, and must be assessed in each individual case by the website operator. The presentation here is based on publicly available information from the OpenStreetMap Foundation and the Leaflet project.
H. Particularities and Notes regarding OpenStreetMap with Leaflet
- Self-hosting of tiles: Anyone wishing to avoid the third-party server request can render tiles themselves (e.g. via tileserver-gl, Mapnik, openmaptiles) or use a server-side proxy. Processing then remains with the website operator and the third-party content consent is not required.
- Click-to-load solutions: A common practice is to display the map initially as a placeholder and only reload the tiles from the third-party server after a click or consent. This effectively avoids data outflow before consent.
- OSMF Tile Usage Policy: According to the Tile Usage Policy, the public OSM tile server is intended only for applications with moderate traffic. For higher-traffic websites, switching to a commercial tile provider or self-hosting is recommended – independently of data protection considerations.
- Third-country transfer: OSMF is based in Cambridge/UK. The United Kingdom is a safe third country under the EU adequacy decision of 28 June 2021; recourse to SCCs or the DPF is therefore not necessary in this respect. For alternative tile providers based in the USA (e.g. Mapbox, Stadia Maps), the DPF status or an SCC basis must be reviewed separately.
- Subprocessors / recipients: OSMF lists the main subprocessors and infrastructure partners in its privacy policy. With commercial tile providers, a separate subprocessor list must be consulted.
- DPA: For the use of the public OSM tile server, no classic data processing agreement under Art. 28 GDPR is typically concluded; OSMF, according to publicly available information, acts as an independent controller in this respect. With commercial tile providers (e.g. Mapbox, MapTiler), a DPA is generally offered – its conclusion and the role (processor or independent controller) must be assessed in each individual case.
- Leaflet plugins: Individual Leaflet plugins may trigger third-party server requests (e.g. geocoding plugins, routing plugins, heatmap layers). Such plugins must be assessed separately.
- CDN delivery: If Leaflet is obtained via a public CDN, the CDN is treated as an additional third-party provider; self-hosting the library is the more privacy-friendly option.
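The click-to-load solution from the list above (and the "map only after active consent" requirement in section G), as an added example that is not part of the original page and not code from the Leaflet project: the Leaflet map and its tile layer are created only after the visitor clicks the placeholder, so no request to tile.openstreetmap.org is made before consent, and the decision is remembered in Web Storage so that later page views do not ask again. The storage key, the placeholder wording and the sample coordinates are assumptions of this example. Leaflet (normally the global L), the storage object and the placeholder renderer are passed in as parameters so the gating logic can be exercised outside a browser.

```javascript
// Consent-gated Leaflet embed (added example). Third-party requests start only
// when the tile layer is created, so neither the map nor the tile layer exists
// until the visitor has consented.
const OSM_TILE_URL = 'https://tile.openstreetmap.org/{z}/{x}/{y}.png';
const OSM_ATTRIBUTION = '&copy; <a href="https://www.openstreetmap.org/copyright">OpenStreetMap</a> contributors';
const CONSENT_KEY = 'consent.osm-tiles';   // assumed storage key chosen for this example

// Default placeholder: plain DOM, loads no external resources.
function renderPlaceholderDom(container, onAccept) {
  container.textContent = '';
  const note = document.createElement('p');
  note.textContent = 'This map loads tiles from tile.openstreetmap.org (OpenStreetMap Foundation). ' +
    'Your IP address, browser details and the address of this page are sent to that server.';
  const button = document.createElement('button');
  button.type = 'button';
  button.textContent = 'Load map';
  button.addEventListener('click', onAccept);
  container.append(note, button);
}

// deps: { leaflet, storage, renderPlaceholder? }   opts: { tileUrl?, center?, zoom? }
function createConsentGatedMap(container, deps, opts = {}) {
  const { leaflet, storage } = deps;
  const renderPlaceholder = deps.renderPlaceholder || renderPlaceholderDom;
  const tileUrl = opts.tileUrl || OSM_TILE_URL;
  const center = opts.center || [48.137, 11.575];   // constructed sample coordinates
  const zoom = opts.zoom ?? 13;
  const state = { map: null, tileLayer: null, consented: false };

  function loadMap() {
    if (state.tileLayer) return;                      // idempotent: a second click does nothing
    container.textContent = '';                       // drop the placeholder before Leaflet takes the element
    state.map = leaflet.map(container).setView(center, zoom);
    // This is the first and only point at which tile requests leave the browser.
    state.tileLayer = leaflet
      .tileLayer(tileUrl, { attribution: OSM_ATTRIBUTION, maxZoom: 19 })
      .addTo(state.map);
    state.consented = true;
  }

  function accept() {
    storage.setItem(CONSENT_KEY, '1');
    loadMap();
  }

  function revoke() {
    storage.removeItem(CONSENT_KEY);
    if (state.map) state.map.remove();                // tears down the map and its layers
    state.map = null;
    state.tileLayer = null;
    state.consented = false;
    renderPlaceholder(container, accept);
  }

  if (storage.getItem(CONSENT_KEY) === '1') loadMap();
  else renderPlaceholder(container, accept);

  return { accept, revoke, state };
}
```

In a page, call createConsentGatedMap(document.getElementById('map'), { leaflet: L, storage: window.localStorage }) once Leaflet has loaded from the operator's own server (section C). A consent banner that stores its choices elsewhere can call the returned accept() and revoke() directly instead of relying on the placeholder button.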
I. FAQ on OpenStreetMap with Leaflet
J. Conclusion on OpenStreetMap with Leaflet and the Privacy Policy
OpenStreetMap with Leaflet is an established combination for embedding interactive maps: the Leaflet library itself does not collect personal data; the data protection impact only arises through the tile requests to the OSM tile server or an alternative tile provider. Website operators must therefore clearly distinguish between the locally delivered library and the third-party server request when loading tiles – only the latter typically triggers the obligations relating to third-party content consent.
For website operators, it usually makes little sense to include a separate text module for every individual tool – including OpenStreetMap with Leaflet – in the privacy policy. Such tool-specific modules repeat themselves in substance, make the privacy policy long, unclear and hard to maintain – and run counter to the transparency requirement of Art. 12(1) GDPR.
Instead, a structured, topic-oriented approach is recommended: processing activities are explained across topic blocks (server operation, third-party content, newsletter, tracking, sales …), and the Annex: Recipients lists the specific service providers used – such as the OpenStreetMap Foundation or an alternative tile provider. This is the methodology of the matterius generator.
The presentation is based on publicly available information from the OpenStreetMap Foundation, the Tile Usage Policy and the Leaflet project and does not replace legal advice in individual cases. Status: 7 May 2026.
K. Curator of this Page
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com