Legal
This Privacy Policy explains how Mapwright handles information across three distinct contexts, which differ significantly:
For the website and the managed cloud, the controller is Mapwright. For managed-cloud customer content we generally act as a processor on your behalf; for account, billing and security data we act as a controller.
We collect the categories below. We aim to minimize what we collect and to keep it only as long as needed (§14).
| Category | Examples | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Identity & contact | Name, email, organization | Accounts, support, communications | Contract; Legitimate interests | Account life + 90 days |
| Authentication | Password hash, sessions, API keys | Secure access to the Service | Contract | Account life |
| Billing | Plan, transaction status, last-4 | Billing, fraud prevention | Contract; Legal obligation | 7 years (tax/accounting) |
| Usage data | Request counts, quotas, operational logs | Metering, security, reliability | Contract; Legitimate interests | Raw 30–90 days; aggregates longer |
| Map/API request content | Coordinates, search terms | Return results you requested | Contract | Minimized; transient logs only |
| Website & device | IP, browser, pages viewed | Security and aggregate analytics | Legitimate interests; Consent | 12 months |
We may also receive limited data from third parties, such as our payment processor (transaction status) and infrastructure providers (abuse and security signals).
The website and console use a small number of cookies. Where consent is required, we ask before setting non-essential cookies; you can withdraw consent or block cookies via your browser at any time.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| mapwright_session | Essential | Console authentication | Session / up to 7 days |
| Preferences | Functional | Remember settings (e.g. theme) | 12 months |
| Analytics | Analytics (if enabled) | Aggregate, privacy-respecting usage | 12 months |
We do not sell personal data, and we do not use it for advertising.
Where the GDPR/UK GDPR applies, we rely on contract, legitimate interests (operating, securing and improving the Service, balanced against your rights), consent (where required, e.g. some cookies and marketing), and legal obligation. You may withdraw consent at any time without affecting prior processing.
We send service and transactional messages necessary to operate your account. We send marketing only where permitted, and you can opt out at any time via the unsubscribe link or by contacting us.
We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human involvement. Automated abuse and rate-limit controls protect the Service and do not profile you.
When you run Mapwright yourself, your data — customer content, keys, and the map/geocoding/routing requests your users make — stays on your infrastructure. We receive no telemetry from self-hosted installs by default and have no access to that data. You are the controller for it; this Policy does not govern your own processing.
If you use the managed cloud to process other people’s personal data, you are the controller for that data and are responsible for having a lawful basis, providing notices, and honoring data-subject requests. We will assist as your processor and, where applicable, under a data-processing addendum.
We disclose data only:
We engage vetted providers and bind them by contract to appropriate protections. Our current sub-processors include:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Hosting & compute | us-east-1 |
| Amazon CloudFront | Content delivery / edge cache | Global edge |
We will update this list for material changes and, where required, offer a way to object.
We may process data in countries other than yours. Where required, we use appropriate safeguards (such as Standard Contractual Clauses and, for the UK, the IDTA/UK Addendum) for cross-border transfers, and we make transfer details available on request.
We keep personal data only as long as needed for the purposes above, to meet legal duties, or to resolve disputes — then delete or anonymize it. Indicative periods:
| Data | Retention |
|---|---|
| Account data | Account life, then deleted within 90 days |
| Billing records | 7 years to meet legal/accounting duties |
| Operational logs | 30–90 days, then purged |
| Request-content logs | Minimized; retained only transiently |
| Backups | Rolling 35 days, then overwritten |
We use reasonable technical and organizational measures — encryption in transit, access controls, least-privilege credentials, network controls, and logging — to protect data. No method is perfectly secure; we cannot guarantee absolute security. We periodically review our controls.
We maintain procedures to detect and respond to security incidents. Where a breach is likely to affect you, we will notify affected users and, where required, regulators within the timeframes set by applicable law.
Depending on where you live, you may have rights to access, correct, delete, restrict or port your personal data, to object to certain processing, and to withdraw consent. To exercise them, contact us (§23); we may need to verify your identity and will respond within the period required by law (generally within 30–45 days). We do not charge for most requests, will not discriminate against you for exercising rights, and offer an appeal path if we decline. You may also complain to your supervisory authority.
Because there is no common standard, we do not respond to browser “Do Not Track” signals. Where required by law, we honor recognized opt-out preference signals such as Global Privacy Control (GPC).
See §6 (legal bases), §13 (transfers) and §17 (rights). Our EU/UK representative and data-protection contact are listed in §23.
We do not “sell” or “share” personal information as defined under California law. California residents may exercise rights to know, delete, correct and limit, and may use an authorized agent.
Residents of states with comprehensive privacy laws (e.g. Virginia, Colorado, Connecticut, Utah) may have similar rights to access, delete, correct and opt out; contact us to exercise them.
The Service is intended for businesses and developers and is not directed to children under 16. We do not knowingly collect their personal data; contact us if you believe a child has provided data and we will delete it.
Our site and docs may link to third-party sites and services whose privacy practices are their own. Review their policies; we are not responsible for them.
We may update this Policy. We will post the new version and effective date here and, for material changes, provide additional notice where required. Your continued use after changes take effect constitutes acceptance where permitted by law.
Privacy questions or requests: privacy@mapwright.io. You may also lodge a complaint with your local supervisory authority.