Welcome to CARTO, owned and operated by CartoDB Inc. (“CARTO”, “us,” or “we”), a Delaware corporation. This Privacy Notice explains the information collected and stored at CARTO and associated applications, web services, and other mechanisms associated with CARTO (collectively, the “Service”). The Privacy Notice also explains how we use the information collected on the Service.
By visiting the CARTO website (the “Site”) or using the Service, including by registering, or by otherwise providing us with personal information (“PI”) (such as an email address), you agree to the terms and conditions of this Privacy Notice.
We use cookies to make interactions with the Site easy and meaningful. When you visit the Site, our servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself by opening an account, or filling out a form, you remain anonymous to us.
We collect information that is not PI in connection with use of the Site or the Service, such as login and device-related information (e.g., browser type, your IP address, and the date and time of day of your use). Such information may be considered PI in your jurisdiction.
We may use collected information to enhance the visitor experience of the Site or the Service, to operate and maintain the Service, to investigate and understand how our Service is used, to monitor and protect the security and integrity of the Service, and to analyze our business.
We analyze traffic to the site in various ways, including using a service called Google Analytics. We use this information to generate statistics and to measure activity to improve the usefulness of the Site and the Service.
Google Analytics is subject to the privacy policy of Google. By visiting the Site or using the Service, you are agreeing to the terms of the Google Privacy Policy that apply to Google Analytics. These terms can be found at “How Google uses data when you use our partners’ sites or apps”, located at https://www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time.
We are not responsible for any changes made to the Google Privacy Policy or of advising you of such changes. We reserve the right to change analytical service providers at any time without notice.
We collect the following PI from those who choose to purchase our paid plan: name, address, email address, phone number, credit card information and organization information.
For customers who use the free version of CARTO we collect the following information: name, email, password and some social media information (e.g. Twitter handle) that you may choose provide to us.
We may also collect other PI if you contact us or otherwise give it to us (e.g., in an email).
We use personal data to provide you with the Service per the Terms and Conditions, to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how the Service is used, to communicate with you about using the Service, to monitor and protect the security and integrity of the Service, and to analyze our business.
If you consent to marketing communications the Company may also use information you provide to send you information regarding CARTO.
We may disclose PI as required by law or in response to service of legal process, such as a court order, summons, subpoena, or the like.
We may share PI with our corporate affiliates and with business partners who provide services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this PI for any purpose other than those related to the Service.
Information about our users, including PI, may be disclosed or transferred to entities now or in the future affiliated with CARTO or as part of any merger, acquisition, change of control, debt financing, insolvency, bankruptcy or sale of our assets. Such information may be used in the businesses of any entity so receiving it.
Except as provided above, we will not sell or transfer your PI to third parties.
Currently, various browsers offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to Web sites’ visited by the user about the user’s browser DNT preference setting. We do not currently commit to responding to browsers’ DNT signals with respect to the Site, in part, because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. However, we will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.
Once you have registered with us, you can access your profile, review the information that is stored, and revise that information.
Customer data is all the information including text, images, location data, other PI, or any other files that you provide, or are provided on their behalf, to us through your use of the Service. We inform you that you are responsible for the provision of any PI.
We will not collect customer data. CARTO only processes it for the provision of the Service, and it will not be processed for any other purposes.
We do not target, market to, or knowingly collect PI from children under the age of thirteen.
We retain your PI for 2 years, after which it is destroyed.
We use industry standard physical, managerial, and technical safeguards to preserve the integrity and security of your PI. We cannot, however, ensure the security of any information you transmit to the Service, and you do so at your own risk. Depending on where you live, you may have a legal right to receive notice of a security breach in writing or by emailing us at legal@carto.com.
Residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of PI the business shares with third parties for those third parties’ direct marketing purposes and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. To exercise your rights, you may make one request each year by emailing us at legal@carto.com. Your request should specify your full name and the email address you used when submitting PI to us.
A. What we collect that is personal data in the EEA
We collect the following “personal data,” as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), from those who choose to purchase our paid plan and from those who use the free version of CARTO: name, email address, CARTO username, CARTO account password, CARTO account type; CARTO account creation date; IP address; date and time of first visit; date and time of last session; number of pageviews; referral source; and social media information (e.g., Twitter or Disqus handle), job role, company name, phone number, website, location, description, billing address and/or credit card information that you may choose provide to us.
In addition to the personal data you provide when downloading a resource or signing up for a webinar or demo—name, email address, phone number, your job role, and company name—we collect the following personal data: IP address; date and time of first visit; date and time of last session; number of pageviews; and/or referral source.
We may also also collect other personal data if you contact us or otherwise give it to us (e.g., in an email).
B. How we use and disclose your personal data
We use personal data to provide you with the Service per the Terms and Conditions, to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how the Service is used, to communicate with you about using the Service, to monitor and protect the security and integrity of the Service, and to analyze our business. We may share personal data with our corporate affiliates and with business partners who provide services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this personal data for any purpose other than those related to the Service. We may engage in automated decision-making to enhance the visitor experience and analyze and grow our business. For example, we may tailor mailing lists to certain industry groups or display certain information based on a user’s geographic location.
C. Legal basis for processing your personal data
The legal bases for processing your personal data is contract, consent, and/or legitimate interests, in particular to conduct business within CARTO, to develop our business, to market and sell our products and Service, and to maintain the accuracy of our databases and documentation. Where you have given consent to the processing of your personal data for one or more specific purposes, you have the right to withdraw consent at any time.
D. Data subject rights
Data subjects protected by the GDPR have the right to make certain requests with respect to their personal data controlled by CARTO, and to lodge a complaint with a supervisory authority.
E. Period for which personal data will be stored
Please see “Data Retention,” above
F. Hosting
This Service and/or your personal data may be hosted in the United States, a country with an adequacy decision by the European Commission (Privacy Shield). By providing us with your personal data, you may be: (i) permitting the transfer of your personal data to the United States, which may not have the same data protection laws as the country in which you reside; and (ii) permitting the use of your personal data in accordance with this Privacy Notice. In some instances we may transfer personal pursuant to the Model Clauses, a copy of which you can download from the Commission’s website.
G. Privacy Shield
In conformity with the Notice Principle of the EU-U.S. Privacy Shield Framework, CARTO informs data subjects of the EU, Iceland, Liechtenstein, and Norway that:
In accordance with the Data Integrity and Purpose Limitation Principle of the EU-U.S. Privacy Shield, CARTO will take reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete, and current.
In conformity with the Choice Principle of the EU-U.S. Privacy Shield, CARTO offers data subjects of the EU, Iceland, Liechtenstein, and Norway the opportunity to opt out when their personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized.
In accordance with the Security Principle of the EU-U.S. Privacy Shield, CARTO shall take reasonable and appropriate security measures, taking into account the risks involved in the processing and the nature of the data.
In conformity with the Access Principle of the EU-U.S. Privacy Shield, CARTO acknowledges that data subjects of the EU, Iceland, Liechtenstein, and Norway have the right to obtain confirmation of whether CARTO is processing personal data related to them, have the data communicated within reasonable time, and may correct, amend or delete personal data where it is inaccurate or has been processed in violation of the Principles.
In accordance with the Recourse, Enforcement and Liability Principle of the EU-U.S. Privacy Shield, CARTO has robust mechanisms to ensure compliance with the Principles and provides recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. CARTO complies with the Recourse, Enforcement and Liability Principle through a self-assessment system which includes internal procedures ensuring that employees receive training on the implementation of the organization’s privacy policies. Compliance is periodically reviewed in an objective manner.
In conformity with the Accountability for Onward Transfer Principle of the EU-U.S. Privacy Shield, CARTO acknowledges that the onward transfer of the personal data of data subjects of the EU, Iceland, Liechtenstein, and Norway will only take place (i) for limited and specified purposes, (ii) on the basis of a contract or comparable arrangement within a corporate group and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles.
This Service may be hosted in the United States. If you are an international visitor, you should note that by providing your PI, you may be: (i) permitting the transfer of your PI to the United States, which may not have the same data protection laws as the country in which you reside; and (ii) permitting the use of your PI in accordance with this Privacy Notice.
Please contact us with any questions you may have at legal@carto.com or at: CARTO, 201 Moore Street, Brooklyn, NY 11206.
Please fill out the below form and we'll be in touch real soon.