Does MapBox require disclosure in our privacy policy?

Yes. MapBox collects user data including location information and map interaction telemetry, making privacy policy disclosure mandatory under GDPR, CCPA, and similar regulations. You must inform users that MapBox processes their data and explain what information is collected when they interact with maps on your site.

What specific data does MapBox collect?

MapBox collects location data (GPS coordinates and derived location information), map interaction data (pan, zoom, and click events), and telemetry data (performance metrics and usage analytics). This data is gathered whenever users interact with embedded MapBox maps on your website or application.

Does MapBox require a cookie consent banner?

MapBox does not rely on cookies for its core functionality. However, depending on your jurisdiction and how MapBox is configured on your site, you may still need consent mechanisms under GDPR or CCPA if you're tracking user interactions or location data. Review your specific implementation and local regulations to determine consent requirements.

Who processes MapBox data and where is it stored?

MapBox Inc., headquartered in the United States, acts as the data processor for MapBox services. User data collected through MapBox may be transferred to and processed in the United States. If you operate under GDPR, ensure you have appropriate data transfer mechanisms (Standard Contractual Clauses) in place with MapBox.

Maps

Privacy policy clauses for MapBox

MapBox is a mapping and location services platform that enables custom interactive maps and location-based features in web and mobile applications. Websites use MapBox to display maps, enable location searches, and provide geographic navigation functionality to users.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data MapBox collects

Your privacy policy must disclose each of the following data types when you use MapBox.

Location data

Map interaction data

Telemetry

When does MapBox trigger privacy obligations?

Installation triggers immediate data flows

The moment you embed MapBox into your app or website, location data and map interaction telemetry begin flowing to Mapbox Inc, a US-based processor. This is not lazy-loaded or opt-in by default—the SDK transmits data on map render, user pan/zoom, and geocoding queries.

Which regulations activate

GDPR (EU/EEA users): If your app has any EU traffic, MapBox's collection of location data and interaction telemetry constitutes processing of personal data (GDPR Article 4). Location data is often special category data under Article 9 if it reveals user movement patterns. You must establish a lawful basis (Article 6)—consent or legitimate interest—*before* the SDK fires. You also need a Data Processing Agreement (DPA) with Mapbox Inc under Article 28.

CCPA (California users): Location data and interaction logs qualify as "personal information" under CCPA Section 1798.100. You must disclose MapBox's collection in your privacy notice and honor user opt-out rights (CCPA Section 1798.120).

Privacy policy clauses for MapBox

What data MapBox collects

When does MapBox trigger privacy obligations?

Installation triggers immediate data flows

Which regulations activate

First concrete step

Where data goes

Common compliance pitfalls

Pitfall 1: Forgetting the DPA, then claiming GDPR compliance

Pitfall 2: Miscategorizing MapBox as "non-tracking" and omitting from consent flows

Pitfall 3: Not updating privacy policy after adding MapBox, or using boilerplate that hides specifics

Sample privacy policy clause

What regulators look for

Enforcement priorities

Frequently asked questions

Does MapBox require disclosure in our privacy policy?

What specific data does MapBox collect?

Does MapBox require a cookie consent banner?

Who processes MapBox data and where is it stored?

Don't ship without Bandit.