Welcome to CARTO, owned and operated by CartoDB Inc. (“CARTO”, “us,” or “we”), a Delaware corporation. This Privacy Notice explains the information collected and stored at CARTO—including its wholly-owned New York subsidiary, Vizzuality, Inc.—and associated applications, web services, and other mechanisms associated with CARTO (collectively, the “Service”). The Privacy Notice also explains how we use the information collected on the Service.
By visiting the CARTO website (the “Site”) or using the Service, including by registering, or by otherwise providing us with personal information (“PI”) (such as an email address), you agree to the terms and conditions of this Privacy Notice.
Cookies are small pieces of text that websites you visit can place on the device you’re using to make the visit—generally a computer or mobile device. Standing alone, cookies do not personally identify you—they merely recognize your Web browser.
First-party cookies are cookies set by us on our Site or the Services. Third-party cookies are set by the external providers whose services are used by our Site; these external providers also set their own cookies. Third-party cookies’ terms of use are governed by the external provider’s specific terms and conditions, which we have no control over.
We use cookies to make interactions with the Site and Services easy and meaningful. When you use the Site and choose to accept analytics cookies, we use these to optimize the Site by collecting and reporting information on how you use it. When you use the Services and agree to our Terms, we employ analytics cookies for the same reason.
We use Albacross, Google, HotJar, and Hubspot on the Site for the purpose of gathering analytics and/or lead identification, and additionally use TrackJS on the Services for analytics. Albacross, HotJar, and Hubspot each set Third-Party cookies when you use the Site and choose to accept analytics cookies, or when you use the Services and agree to our Terms; the remaining providers set only First-Party Cookies.
We use the following external providers’ services on the Site: Twitter, Vimeo, and YouTube. These external providers may change their terms of service, as well as purpose and use of cookies at any time. No third-party cookies will be installed on your device by these providers if you do not view the content they service.
We may update the external providers we use periodically.
We collect information that is not PI in connection with use of the Site or the Service, such as login and device-related information (e.g., browser type, your IP address, and the date and time of day of your use). Such information may be considered PI in your jurisdiction.
We may use collected information to enhance the visitor experience of the Site or the Service, to operate and maintain the Service, to investigate and understand how our Service is used, to monitor and protect the security and integrity of the Service, and to analyze our business.
We analyze traffic to the site in various ways, including using a service called Google Analytics. We use this information to generate statistics and to measure activity to improve the usefulness of the Site and the Service.
Google Analytics is subject to the privacy policy of Google. By visiting the Site or using the Service, you are agreeing to the terms of the Google Privacy Policy that apply to Google Analytics. These terms can be found at “How Google uses data when you use our partners’ sites or apps”, located at https://www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time.
We are not responsible for any changes made to the Google Privacy Policy or for advising you of such changes. We reserve the right to change analytical service providers at any time without notice.
We collect the following PI from those who choose to purchase our paid plan: name, address, email address, phone number, credit card information and organization information.
For customers who use the free version of CARTO, we collect the following information: name, email, password and some social media information (e.g., Twitter handle) that you may choose to provide to us.
We may also collect other PI if you contact us or otherwise give it to us (e.g., in an email).
We use personal data to provide you with the Service per the Terms and Conditions, to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how the Service is used, to communicate with you about using the Service, to monitor and protect the security and integrity of the Service, and to analyze our business.
If you consent to marketing communications, the Company may also use information you provide to send you information regarding CARTO.
We may disclose PI as required by law or in response to service of legal process, such as a court order, summons, subpoena, or the like.
We may share PI with our corporate affiliates and with business partners who provide services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this PI for any purpose other than those related to the Service.
Information about our users, including PI, may be disclosed or transferred to entities now or in the future affiliated with CARTO or as part of any merger, acquisition, change of control, debt financing, insolvency, bankruptcy or sale of our assets. Such information may be used in the businesses of any entity so receiving it.
Except as provided above, we will not sell or transfer your PI to third parties.
Currently, various browsers offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to websites visited by the user about the user’s browser DNT preference setting. We do not currently commit to responding to browsers’ DNT signals with respect to the Site, in part because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. However, we will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.
Once you have registered with us, you can access your profile, review the information that is stored, and revise that information.
Customer data is all the information, including text, images, location data, other PI, or any other files, that you provide, or that are provided on your behalf, to us through your use of the Service. We inform you that you are responsible for the provision of any PI.
We will not collect customer data. CARTO only processes it for the provision of the Service, and it will not be processed for any other purposes.
We do not target, market to, or knowingly collect PI from children under the age of thirteen.
We retain your PI for up to 2 years, after which it is destroyed.
We use industry standard physical, managerial, and technical safeguards to preserve the integrity and security of your PI. We cannot, however, ensure the security of any information you transmit to the Service, and you do so at your own risk. Depending on where you live, you may have a legal right to receive notice of a security breach in writing or by emailing us at legal@carto.com.
CARTO collects the following categories of PI directly from those who choose to purchase our paid plan and from those who use the free version of CARTO: identifiers such as a real name, alias (CARTO username), online identifier, Internet Protocol address, email address, CARTO account password; CARTO account type; CARTO account creation date; date and time of first visit; date and time of last session; number of pageviews; referral source; and social media information (e.g., Twitter or Disqus handle), job role, company name, phone number, website, location, description, billing address and/or credit card information that you may choose to provide to us. The business purpose for collecting this PI is to provide you with the Service. The categories of third parties with whom CARTO may share your PI are entities we use for cloud hosting and storage, and those who provide us with technical support.
Residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of PI the business shares with third parties for those third parties’ direct marketing purposes and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. To exercise your rights, you may make one request each year by emailing us at legal@carto.com. Your request should specify your full name and the email address you used when submitting PI to us.
Residents of California also have the right to direct a business that sells PI about the California resident to third parties not to do so, or to request access to or the deletion of their data. CARTO does not share your PI in a manner that would be considered a sale under California law. Although CARTO does not currently share PI in a manner that would be considered a sale under California law, you may still submit a request each year to opt out, or to request access to or the deletion of your data. You may do so through either of the following methods: (1) by calling +1.917.463.3232 Monday to Friday from 9 a.m. to 6 p.m. Eastern Time, or (2) by writing to us at legal@carto.com.
A. What we collect that is personal data in the EEA
We collect the following “personal data,” as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), from those who choose to purchase our paid plan and from those who have a free account: first and last names; business email address; CARTO account username; CARTO account password; phone number; job title; company name; CARTO account type; CARTO account creation date; IP address; date and time of first visit; date and time of last session; number of pageviews; and referral source; as well as social media information (e.g., Twitter or Disqus handle); avatar; number of employees at your company; industry; case studies you’re interested in; website; location; description; billing address; and/or credit card information that you may choose to provide to us.
In addition to the personal data you provide when downloading a resource or signing up for a webinar or demo—first and last names, business email address, job title, company name, country, industry, number of employees at your company, phone number, and the use cases you’re interested in—we collect the following personal data: IP address; date and time of first visit; date and time of last session; number of pageviews; and/or referral source.
We may also collect other personal data if you contact us or otherwise give it to us (e.g., in an email).
B. How we use and disclose your personal data
We use personal data to provide you with the Service per the Terms and Conditions, to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how the Service is used, to communicate with you about using the Service, to monitor and protect the security and integrity of the Service, and to analyze our business.
We may share personal data with our corporate affiliates and with business partners who provide services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this personal data for any purpose other than those related to the Service. If a visitor to our website or an individual who signs up for a free account belongs to a region where CARTO has business partner resellers of the Services, we may share your personal data with these partners for the purpose of allowing them to help us develop our business through sales of the Services.
We may engage in automated decision-making to enhance the visitor experience and analyze and grow our business. For example, we may tailor mailing lists to certain industry groups or display certain information based on a user’s geographic location.
C. Legal basis for processing your personal data
The legal bases for processing your personal data are contract, consent, and/or legitimate interests, in particular to conduct business within CARTO, to develop our business, to market and sell our products and Service, and to maintain the accuracy of our databases and documentation. Where you have given consent to the processing of your personal data for one or more specific purposes, you have the right to withdraw consent at any time.
D. Data subject rights
Data subjects protected by the GDPR have the right to make certain requests with respect to their personal data controlled by CARTO, and to lodge a complaint with a supervisory authority.
Right of Access
Each data subject protected by the GDPR has the right to obtain confirmation from CARTO as to whether personal data concerning her or him is being processed, as well as the information outlined in the GDPR’s Article 15 in the event this is the case. If you wish to exercise this right please contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.
Right to Rectification
Each data subject protected by the GDPR has the right to obtain from CARTO without undue delay the rectification of inaccurate personal data concerning her or him, as well as the right to have incomplete personal data completed. If you wish to exercise this right please contact us at legal@carto.com.
Right to Erasure (Right to be Forgotten)
Each data subject protected by the GDPR has the right to obtain from CARTO the erasure of personal data concerning her or him without undue delay when one of the grounds listed in the GDPR’s Article 17 applies. If one of these conditions has been met and you wish to exercise this right, please contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name as well as the condition you believe has been met.
Right to Data Portability
Each data subject protected by the GDPR has the right to receive the personal data concerning her or him, and which was provided to CARTO, in a structured, commonly used and machine-readable format, where both of the conditions listed in GDPR Article 20 (1) apply. In addition, such data subject has the right to have her or his personal data transmitted directly from CARTO to another controller, where such transfer is technically feasible and when doing so does not adversely affect the rights and freedoms of others. If you wish to exercise your right to data portability, you may contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.
E. Period for which personal data will be stored
Please see “Data Retention,” above.
F. Hosting
This Service and/or your personal data may be hosted in the United States. By providing us with your personal data, you may be: (i) permitting the transfer of your personal data to the United States, which may not have the same data protection laws as the country in which you reside; and (ii) permitting the use of your personal data in accordance with this Privacy Notice. When CARTO engages in transfers of personal data from the EEA or the UK to the United States, it relies on i) adequacy decisions as adopted by European Commission on the basis of Regulation (EU) 2016/679 (GDPR)’s Article 45, or ii) Standard Contractual Clauses issued by the European Commission.
G. Privacy Shield
Following the Court of Justice of the European Union’s invalidation of the EU-U.S. Privacy Shield Framework on July 16, 2020, and until further notice, CARTO no longer relies on the EU-U.S. Privacy Shield as a mechanism of international data transfer. CARTO does, however, remain committed to maintaining its self-certification under the EU-U.S. Privacy Shield Principles and to respecting these principles, as an additional measure of protection of your privacy. Please visit https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update for more information on the U.S. Department of Commerce’s continued administration of the Privacy Shield program.
In conformity with the Notice Principle of the EU-U.S. Privacy Shield Framework, CARTO informs data subjects of the EU, Iceland, Liechtenstein, and Norway that:
In accordance with the Data Integrity and Purpose Limitation Principle of the EU-U.S. Privacy Shield, CARTO will take reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete, and current.
In conformity with the Choice Principle of the EU-U.S. Privacy Shield, CARTO offers data subjects of the EU, Iceland, Liechtenstein, and Norway the opportunity to opt out when their personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized.
In accordance with the Security Principle of the EU-U.S. Privacy Shield, CARTO shall take reasonable and appropriate security measures, taking into account the risks involved in the processing and the nature of the data.
In conformity with the Access Principle of the EU-U.S. Privacy Shield, CARTO acknowledges that data subjects of the EU, Iceland, Liechtenstein, and Norway have the right to obtain confirmation of whether CARTO is processing personal data related to them, have the data communicated within reasonable time, and may correct, amend or delete personal data where it is inaccurate or has been processed in violation of the Principles.
In accordance with the Recourse, Enforcement and Liability Principle of the EU-U.S. Privacy Shield, CARTO has robust mechanisms to ensure compliance with the Principles and provides recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. CARTO complies with the Recourse, Enforcement and Liability Principle through a self-assessment system which includes internal procedures ensuring that employees receive training on the implementation of the organization’s privacy policies. Compliance is periodically reviewed in an objective manner.
In conformity with the Accountability for Onward Transfer Principle of the EU-U.S. Privacy Shield, CARTO acknowledges that the onward transfer of the personal data of data subjects of the EU, Iceland, Liechtenstein, and Norway will only take place (i) for limited and specified purposes, (ii) on the basis of a contract or comparable arrangement within a corporate group and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles.
This Service may be hosted in the United States. If you are an international visitor, you should note that by providing your PI, you may be: (i) permitting the transfer of your PI to the United States, which may not have the same data protection laws as the country in which you reside; and (ii) permitting the use of your PI in accordance with this Privacy Notice.
Please contact us with any questions you may have at legal@carto.com or at: CARTO, 307 Fifth Avenue, Floor 9, New York, NY 10016.