Privacy Notice

Welcome to CARTO, owned and operated by CartoDB Inc. (“CARTO”, “us,” or “we”), a Delaware corporation. This Privacy Notice explains the information collected and stored at CARTO and associated applications, web services, and other mechanisms associated with CARTO (collectively, the “Service”). The Privacy Notice also explains how we use the information collected on the Service.

How you accept this Notice

By visiting the CARTO website (the “Site”) or using the Service, including by registering, or by otherwise providing us with personal information (“PI”) (such as an email address), you agree to the terms and conditions of this Privacy Notice.

Cookies

We use cookies to make interactions with the Site easy and meaningful. When you visit the Site, our servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself by opening an account, or filling out a form, you remain anonymous to us.

Information we collect that is not PI

We collect information that is not PI in connection with use of the Site or the Service, such as login and device-related information (e.g., browser type, your IP address, and the date and time of day of your use). Such information may be considered PI in your jurisdiction.

How we use information that is not PI

We may use collected information to enhance the visitor experience of the Site or the Service, to operate and maintain the Service, to investigate and understand how our Service is used, to monitor and protect the security and integrity of the Service, and to analyze our business.

We analyze traffic to the Site in various ways, including using a service called Google Analytics. We use this information to generate statistics and to measure activity to improve the usefulness of the Site and the Service.

Google Analytics is subject to the privacy policy of Google. By visiting the Site or using the Service, you are agreeing to the terms of the Google Privacy Policy that apply to Google Analytics. These terms can be found at “How Google uses data when you use our partners’ sites or apps”, located at https://www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time.

We are not responsible for any changes made to the Google Privacy Policy or for advising you of such changes. We reserve the right to change analytical service providers at any time without notice.

What we collect that is PI

We collect the following PI from those who choose to purchase our paid plan: name, address, email address, phone number, credit card information and organization information.

For customers who use the free version of CARTO, we collect the following information: name, email, password and some social media information (e.g., Twitter handle) that you may choose to provide to us.

We may also collect other PI if you contact us or otherwise give it to us (e.g., in an email).

How we use and disclose PI

We use personal data to provide you with the Service per the Terms and Conditions, to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how the Service is used, to communicate with you about using the Service, to monitor and protect the security and integrity of the Service, and to analyze our business.

If you consent to marketing communications, the Company may also use information you provide to send you information regarding CARTO.

We may disclose PI as required by law or in response to service of legal process, such as a court order, summons, subpoena, or the like.

We may share PI with our corporate affiliates and with business partners who provide services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this PI for any purpose other than those related to the Service.

Information about our users, including PI, may be disclosed or transferred to entities now or in the future affiliated with CARTO or as part of any merger, acquisition, change of control, debt financing, insolvency, bankruptcy or sale of our assets. Such information may be used in the businesses of any entity so receiving it.

Except as provided above, we will not sell or transfer your PI to third parties.

Do not track

Currently, various browsers offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to Web sites visited by the user about the user’s browser DNT preference setting. We do not currently commit to responding to browsers’ DNT signals with respect to the Site, in part because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. However, we will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.

How you can access or change the PI that you have provided

Once you have registered with us, you can access your profile, review the information that is stored, and revise that information.

Customer data

Customer data is all the information, including text, images, location data, other PI, or any other files, that you provide, or that are provided on your behalf, to us through your use of the Service. We inform you that you are responsible for the provision of any PI.

We will not collect customer data. CARTO only processes it for the provision of the Service, and it will not be processed for any other purposes.

Children

We do not target, market to, or knowingly collect PI from children under the age of thirteen.

Data retention

We retain your PI for 2 years, after which it is destroyed.

Data security

We use industry standard physical, managerial, and technical safeguards to preserve the integrity and security of your PI. We cannot, however, ensure the security of any information you transmit to the Service, and you do so at your own risk. Depending on where you live, you may have a legal right to receive notice of a security breach in writing or by emailing us at legal@carto.com.

Your California privacy rights

Residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of PI the business shares with third parties for those third parties’ direct marketing purposes and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. To exercise your rights, you may make one request each year by emailing us at legal@carto.com. Your request should specify your full name and the email address you used when submitting PI to us.

Your European Economic Area (EEA) data protection rights

A. What we collect that is personal data in the EEA
We collect the following “personal data,” as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), from those who choose to purchase our paid plan and from those who use the free version of CARTO: name, email address, CARTO username, CARTO account password, CARTO account type; CARTO account creation date; IP address; date and time of first visit; date and time of last session; number of pageviews; referral source; and social media information (e.g., Twitter or Disqus handle), job role, company name, phone number, website, location, description, billing address and/or credit card information that you may choose to provide to us.
In addition to the personal data you provide when downloading a resource or signing up for a webinar or demo—name, email address, phone number, your job role, and company name—we collect the following personal data: IP address; date and time of first visit; date and time of last session; number of pageviews; and/or referral source.
We may also collect other personal data if you contact us or otherwise give it to us (e.g., in an email).

B. How we use and disclose your personal data
We use personal data to provide you with the Service per the Terms and Conditions, to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how the Service is used, to communicate with you about using the Service, to monitor and protect the security and integrity of the Service, and to analyze our business. We may share personal data with our corporate affiliates and with business partners who provide services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this personal data for any purpose other than those related to the Service. We may engage in automated decision-making to enhance the visitor experience and analyze and grow our business. For example, we may tailor mailing lists to certain industry groups or display certain information based on a user’s geographic location.

C. Legal basis for processing your personal data
The legal bases for processing your personal data are contract, consent, and/or legitimate interests, in particular to conduct business within CARTO, to develop our business, to market and sell our products and Service, and to maintain the accuracy of our databases and documentation. Where you have given consent to the processing of your personal data for one or more specific purposes, you have the right to withdraw consent at any time.

D. Data subject rights
Data subjects protected by the GDPR have the right to make certain requests with respect to their personal data controlled by CARTO, and to lodge a complaint with a supervisory authority.

  1. Right of Access
    Each data subject protected by the GDPR has the right to obtain confirmation from CARTO as to whether personal data concerning her or him is being processed, as well as the information outlined in the GDPR’s Article 15 in the event this is the case. If you wish to exercise this right please contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.
  2. Right to Rectification
    Each data subject protected by the GDPR has the right to obtain from CARTO without undue delay the rectification of inaccurate personal data concerning her or him, as well as the right to have incomplete personal data completed. If you wish to exercise this right please contact us at legal@carto.com.
  3. Right to Erasure (Right to be Forgotten)
    Each data subject protected by the GDPR has the right to obtain from CARTO the erasure of personal data concerning her or him without undue delay when one of the grounds listed in the GDPR’s Article 17 applies. If one of these conditions has been met and you wish to exercise this right, please contact us at legal@carto.com, using the email address you used when submitting personal data to us, specifying your full name as well as the condition you believe has been met.
  4. Right to Restriction of Processing
    Each data subject protected by the GDPR has the right to restrict the processing of her or his personal data where one of the grounds listed in GDPR Article 18 applies. If one of these conditions has been met and you wish to exercise this right, you may contact us at legal@carto.com, using the email address you used when submitting personal data to us, specifying your full name as well as the condition you believe has been met.
  5. Right to Data Portability
    Each data subject protected by the GDPR has the right to receive the personal data concerning her or him, and which was provided to CARTO, in a structured, commonly used and machine-readable format, where both of the conditions listed in GDPR Article 20 (1) apply. In addition, such data subject has the right to have her or his personal data transmitted directly from CARTO to another controller, where such transfer is technically feasible and when doing so does not adversely affect the rights and freedoms of others. If you wish to exercise your right to data portability, you may contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.
  6. Right to Object
    Each data subject protected by the GDPR has the right to object, on grounds relating to her or his particular situation, at any time, to processing of personal data concerning her or him which is based on the GDPR’s Article 6(1) point (e) or (f). If you wish to exercise your right to object, please contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.
  7. Automated, Individual Decision-Making
    Each data subject protected by the GDPR has the right not to be subject to a decision based solely on automated processing which produces legal effects concerning her or him or similarly significantly affects her or him, and when one of the grounds listed in the GDPR’s Article 22 (2) does not apply. If you believe that none of these conditions has been met and wish to exercise this right, please contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.

E. Period for which personal data will be stored
Please see “Data retention,” above.

F. Hosting
This Service and/or your personal data may be hosted in the United States, a country with an adequacy decision by the European Commission (Privacy Shield). By providing us with your personal data, you may be: (i) permitting the transfer of your personal data to the United States, which may not have the same data protection laws as the country in which you reside; and (ii) permitting the use of your personal data in accordance with this Privacy Notice. In some instances we may transfer personal data pursuant to the Model Clauses, a copy of which you can download from the Commission’s website.

G. Privacy Shield
In conformity with the Notice Principle of the EU-U.S. Privacy Shield Framework, CARTO informs data subjects of the EU, Iceland, Liechtenstein, and Norway that:

  1. CARTO is a company that participates in the Privacy Shield Framework and declares its commitment to comply with the Privacy Shield Principles. The Privacy Shield list is located at the following web address: https://www.privacyshield.gov/list
  2. CARTO collects the personal data outlined in section A, “What we collect that is personal data in the EEA,” above.
  3. CARTO is fully committed to subject to the Privacy Principles all personal data received from the EU in reliance on the Privacy Shield.
  4. The purposes for which CARTO collects and uses personal data are to enhance the visitor experience of the Service; to operate and maintain the Service; to investigate and understand how the Service is used; to monitor and protect the security and integrity of the Service; and to analyze our business. CARTO may also collect, store, and use personal data about your computer and/or your visits to and use of its Site, including your IP address, geographical location, browser type, referral source, length of visit, and number of page views.
  5. CARTO may be contacted with any inquiries or complaints regarding non-compliance with the EU-U.S. Privacy Shield by writing to:
    CARTO
    Attention: Legal
    201 Moore Street
    Brooklyn, NY 11206
    United States of America
    privacyshield@carto.com
  6. The type of third parties to which CARTO discloses personal data are corporate affiliates and business partners, for the limited and specified purpose of providing services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this personal data for any purpose other than those related to the Service, and onward transfers only occur on the basis of a contract. We may disclose personal data about our users to entities now or in the future affiliated with CARTO for the purpose of enhancing the visitor experience of the Service; operating and maintaining the Service; investigating and understanding how the Service is used; monitoring and protecting the security and integrity of the Service; and analyzing our business. We may also disclose personal data about our users as part of any merger, acquisition, change of control, debt financing, insolvency, bankruptcy or sale of our assets for the purpose of completing our contractual obligations. Except as provided above, we will not sell or transfer your personal data to third parties.
  7. Anyone in the EU whose personal data has been transferred to the United States has a right to access their personal data.
  8. The choices and means CARTO offers individuals for limiting the use and disclosure of their personal data are the following: writing to us at any of the physical or email addresses indicated above and requesting the limitation or disclosure of their personal data.
  9. The independent dispute resolution bodies CARTO designates to address individuals’ complaints regarding our non-compliance with the EU-U.S. Privacy Shield are the EU data protection authorities (DPAs); CARTO voluntarily commits to cooperate with EU DPAs.
  10. CARTO is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
  11. In cases where their complaints have not been resolved by any of these recourse or enforcement mechanisms, individuals in the EU also have a right to invoke binding arbitration under the Privacy Shield Panel.
  12. CARTO is required to disclose personal data in response to lawful requests by public authorities, including to meet national security, law enforcement, or other public interest requirements.
  13. CARTO is liable in cases of onward transfers to third parties. This privacy policy does not cover any applications, software, or web-based applications supported or created by CARTO or its partners.

In accordance with the Data Integrity and Purpose Limitation Principle of the EU-U.S. Privacy Shield, CARTO will take reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete, and current.

In conformity with the Choice Principle of the EU-U.S. Privacy Shield, CARTO offers data subjects of the EU, Iceland, Liechtenstein, and Norway the opportunity to opt out when their personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized.

In accordance with the Security Principle of the EU-U.S. Privacy Shield, CARTO shall take reasonable and appropriate security measures, taking into account the risks involved in the processing and the nature of the data.

In conformity with the Access Principle of the EU-U.S. Privacy Shield, CARTO acknowledges that data subjects of the EU, Iceland, Liechtenstein, and Norway have the right to obtain confirmation of whether CARTO is processing personal data related to them, have the data communicated within reasonable time, and may correct, amend or delete personal data where it is inaccurate or has been processed in violation of the Principles.

In accordance with the Recourse, Enforcement and Liability Principle of the EU-U.S. Privacy Shield, CARTO has robust mechanisms to ensure compliance with the Principles and provides recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. CARTO complies with the Recourse, Enforcement and Liability Principle through a self-assessment system which includes internal procedures ensuring that employees receive training on the implementation of the organization’s privacy policies. Compliance is periodically reviewed in an objective manner.

In conformity with the Accountability for Onward Transfer Principle of the EU-U.S. Privacy Shield, CARTO acknowledges that the onward transfer of the personal data of data subjects of the EU, Iceland, Liechtenstein, and Norway will only take place (i) for limited and specified purposes, (ii) on the basis of a contract or comparable arrangement within a corporate group and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles.

Other international visitors

This Service may be hosted in the United States. If you are an international visitor, you should note that by providing your PI, you may be: (i) permitting the transfer of your PI to the United States, which may not have the same data protection laws as the country in which you reside; and (ii) permitting the use of your PI in accordance with this Privacy Notice.

Contact

Please contact us with any questions you may have at legal@carto.com or at: CARTO, 201 Moore Street, Brooklyn, NY 11206.
