PRIVACY NOTICE
Welcome to CARTO, owned and operated by CartoDB Inc. (“CARTO”, “us,” or “we”), a Delaware corporation. This Privacy Notice explains the information collected and stored at CARTO—including its wholly-owned New York subsidiary, Vizzuality, Inc.—and associated applications, web services, and other mechanisms associated with CARTO (collectively, the “Service”). The Privacy Notice also explains how we use the information collected on the Service.
HOW YOU ACCEPT THIS NOTICE
By visiting the CARTO website (the “Site”) or using the Service, including by registering, or by otherwise providing us with personal information (“PI”) (such as an email address), you agree to the terms and conditions of this Privacy Notice.
COOKIES
Cookies are small pieces of text that websites you visit can place on the device you’re using to make the visit—generally a computer or mobile device. Standing alone, cookies do not personally identify you—they merely recognize your web browser. When you visit CARTO's website for the first time, a cookie consent banner will pop up and ask you to customize your cookie preferences.
CARTO sets first-party cookies on our Site or the Services. Third-party cookies are set by the external providers whose services are used by our Site; these external providers also set their own cookies. Third-party cookies’ terms of use are governed by the external provider’s specific terms and conditions, which CARTO has no control over.
CARTO uses cookies to make interactions with the Site and Services easy and meaningful. When you use the Site and choose to accept analytics cookies, we use these to optimize the Site by collecting and reporting information on how you use it. When you use the Services and agree to our Terms, we employ analytics cookies for the same reason.
You can learn about the cookies CARTO would like to set, and manage your cookie preferences, by visiting our OneTrust cookie consent preference management center, which you can open by clicking on the little cookie icon at the corner of your browser. Please note that you cannot opt out of necessary cookies, and that your ability to use the Site may be impaired if you opt out of functional cookies.
Dnt/ gpc
You can also manage your cookie preferences by using a browser that offers a “do not track” (DNT) setting. DNT requests that a web application disable its tracking of an individual user. If you turn on your browser's DNT setting, it will send a special signal to websites like this one, and stop tracking your activity. For clarity, if your browser sends CARTO a DNT signal, we will automatically turn off all non-required cookies on the Site by default. To set up DNT, you can visit https://allaboutdnt.com/. Please note that this may impact the functionality of the Site.
Another way to manage your cookie preferences is through Global Privacy Control (GPC). GPC is a technical specification that lets websites know about your privacy preferences with respect to ad trackers. Should you choose to set up GPC, CARTO will automatically turn off all non-required cookies on the Site. To set up GPC, you can visit Global Privacy Control. Please note that this may impact the functionality of the Site.
INFORMATION WE COLLECT THAT IS NOT PI
We collect information that is not PI in connection with use of the Site or the Service, such as login and device-related information (e.g., browser type, your IP address, and the date and time of day of your use). Such information may be considered PI in your jurisdiction.
HOW WE USE INFORMATION THAT IS NOT PI
We may use collected information to enhance the visitor experience of the Site or the Service, to operate and maintain the Service, to investigate and understand how our Service is used, to monitor and protect the security and integrity of the Service, and to analyze our business.
We analyze traffic to the site in various ways, including using a service called Google Analytics. We use this information to generate statistics and to measure activity to improve the usefulness of the Site and the Service.
Google Analytics is subject to the privacy policy of Google. By visiting the Site or using the Service, you are agreeing to the terms of the Google Privacy Policy that apply to Google Analytics. These terms can be found at “How Google uses data when you use our partners’ sites or apps”, located at https://www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time.
We are not responsible for any changes made to the Google Privacy Policy or of advising you of such changes. We reserve the right to change analytical service providers at any time without notice.
WHAT WE COLLECT THAT IS PI
We collect the following PI from those who choose to purchase our paid plan: name, address, email address, phone number, credit card information and organization information.
For customers who use the free version of CARTO we collect the following information: name, email, password and some social media information (e.g. Twitter handle) that you may choose provide to us.
We may also collect other PI if you contact us or otherwise give it to us (e.g., in an email).
HOW WE USE AND DISCLOSE PI
We use personal data to provide you with the Service per the Terms and Conditions, to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how the Service is used, to communicate with you about using the Service, to monitor and protect the security and integrity of the Service, and to analyze our business.
If you consent to marketing communications the Company may also use information you provide to send you information regarding CARTO.
We may disclose PI as required by law or in response to service of legal process, such as a court order, summons, subpoena, or the like.
We may share PI with our corporate affiliates and with business partners who provide services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this PI for any purpose other than those related to the Service.
Information about our users, including PI, may be disclosed or transferred to entities now or in the future affiliated with CARTO or as part of any merger, acquisition, change of control, debt financing, insolvency, bankruptcy or sale of our assets. Such information may be used in the businesses of any entity so receiving it.
Except as provided above, we will not sell or transfer your PI to third parties.
HOW YOU CAN ACCESS OR CHANGE THE PI THAT YOU HAVE PROVIDED
Once you have registered with us, you can access your profile, review the information that is stored, and revise that information.
CUSTOMER DATA
Customer data is all the information including text, images, location data, other PI, or any other files that you provide, or are provided on their behalf, to us through your use of the Service. We inform you that you are responsible for the provision of any PI.
We will not collect customer data. CARTO only processes it for the provision of the Service, and it will not be processed for any other purposes.
CHILDREN
We do not target, market to, or knowingly collect PI from children under the age of thirteen.
DATA RETENTION
We retain your PI for up to 2 years, after which it is destroyed.
DATA SECURITY
We use industry standard physical, managerial, and technical safeguards to preserve the integrity and security of your PI. We cannot, however, ensure the security of any information you transmit to the Service, and you do so at your own risk. Depending on where you live, you may have a legal right to receive notice of a security breach in writing or by emailing us at legal@carto.com.
YOUR CALIFORNIA PRIVACY RIGHTS
CARTO collects the following categories of PI directly from those who choose to purchase our paid plan and from those who use the free version of CARTO: identifiers such as a real name, alias (CARTO username), online identifier Internet Protocol address, email address, CARTO account password; CARTO account type; CARTO account creation date; date and time of first visit; date and time of last session; number of pageviews; referral source; and social media information (e.g., Twitter or Disqus handle), job role, company name, phone number, website, location, description, billing address and/or credit card information that you may choose provide to us. The business purpose for collecting this PI is to provide you with the Service. The categories of third parties with whom CARTO may share your PI are entities we use for cloud hosting and storage, and those who provide us with technical support.
Residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of PI the business shares with third parties for those third parties’ direct marketing purposes and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. To exercise your rights, you may make one request each year by emailing us at legal@carto.com. Your request should specify your full name and the email address you used when submitting PI to us.
Residents of California also have the right to direct a business that sells PI about the California resident to third parties not to do so, or to request access to or the deletion of their data. CARTO does not share your PI in a manner that would be considered a sale under California law. Although CARTO does not currently share PI in a manner that would be considered a sale under California law, you may still submit a request each year to opt out, or to request access to or the deletion of your data. You may do so through either of the following methods: (1) by calling +1.917.463.3232 Monday to Friday from 9 a.m. to 6 p.m. Eastern Time, or by writing to us at legal@carto.com.
Your European Economic Area (EEA) data protection rights
A. What we collect that is personal data in the EEA
We collect the following “personal data,” as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), from those who choose to purchase our paid plan and from those who have a free account: first and last names; business email address; CARTO account username; CARTO account password; phone number; job title; company name; CARTO account type; CARTO account creation date; IP address; date and time of first visit; date and time of last session; number of pageviews; and referral source; as well as social media information (e.g., Twitter or Disqus handle); avatar; number of employees at your company; industry; case studies you’re interested in; website; location; description; billing address; and/or credit card information that you may choose to provide to us.
In addition to the personal data you provide when downloading a resource or signing up for a webinar or demo—first and last names, business email address, job title, company name, country, industry, number of employees at your company, phone number, and the use cases you’re interested in—we collect the following personal data: IP address; date and time of first visit; date and time of last session; number of pageviews; and/or referral source.
We may also also collect other personal data if you contact us or otherwise give it to us (e.g., in an email).
B. How we use and disclose your personal data
We use personal data to provide you with the Service per the Terms and Conditions, to enhance the visitor experience of the Service, to operate and maintain the Service, to investigate and understand how the Service is used, to communicate with you about using the Service, to monitor and protect the security and integrity of the Service, and to analyze our business.We may share personal data with our corporate affiliates and with business partners who provide services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this personal data for any purpose other than those related to the Service. If a visitor to our website or an individual who signs up for a free account belongs to a region where CARTO has business partner resellers of the Services, we may share your personal data with these partners for the purpose of allowing them to help us develop our business through sales of the Services.
We may engage in automated decision-making to enhance the visitor experience and analyze and grow our business. For example, we may tailor mailing lists to certain industry groups or display certain information based on a user’s geographic location.
C. Legal basis for processing your personal data
The legal bases for processing your personal data is contract, consent, and/or legitimate interests, in particular to conduct business within CARTO, to develop our business, to market and sell our products and Service, and to maintain the accuracy of our databases and documentation. Where you have given consent to the processing of your personal data for one or more specific purposes, you have the right to withdraw consent at any time.
D. Data subject rights
Data subjects protected by the GDPR have the right to make certain requests with respect to their personal data controlled by CARTO, and to lodge a complaint with a supervisory authority.
Right of Access
Each data subject protected by the GDPR has the right to obtain confirmation from CARTO as to whether personal data concerning her or him is being processed, as well as the information outlined in the GDPR’s Article 15 in the event this is the case. If you wish to exercise this right please contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.Right to Rectification
Each data subject protected by the GDPR has the right to obtain from CARTO without undue delay the rectification of inaccurate personal data concerning her or him, as well as the right to have incomplete personal data completed. If you wish to exercise this right please contact us at legal@carto.com.Right to Erasure (Right to be Forgotten)
Each data subject protected by the GDPR has the right to obtain from CARTO the erasure of personal data concerning her or him without undue delay when one of the grounds listed in the GDPR’s Article 17 applies. If one of these conditions has been met and you wish to exercise this right, please contact us at legal@carto.com, using the email address you used when submitting personal data to us specifying your full name as well as the condition you believe has been met.Right to Restriction of Processing
Each data subject protected by the GDPR has the right to restrict the processing of her or his personal data where one of the grounds listed in GDPR Article 18 applies. If one of these conditions has been met and you wish to exercise this right, you may contact us at legal@carto.com, using the email address you used when submitting personal data to us, specifying your full name as well as the condition you believe has been met.Right to Data Portability
Each data subject protected by the GDPR has the right to to receive the personal data concerning her or him, and which was provided to CARTO, in a structured, commonly used and machine-readable format, where both of the conditions listed in GDPR Article 20 (1) apply. In addition, such data subject has the right to have her or his personal data transmitted directly from CARTO to another controller, where such transfer is technically feasible and when doing so does not adversely affect the rights and freedoms of others. If you wish to exercise your right to data portability, you may contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.Right to Object
Each data subject protected by the GDPR has the right to object, on grounds relating to her or his particular situation, at any time, to processing of personal data concerning her or him which is based on the GDPR’s Article 6(1) point (e) or (f). If you wish to exercise your right to object, please contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.Automated, Individual Decision-Making
Each data subject protected by the GDPR has the right not to be subject to a decision based solely on automated processing which produces legal effects concerning her or him or similarly significantly affects her or him, and when one of the grounds listed in the GDPR’s Article 22 (2) does not apply. If you believe that none of these conditions has been met and wish to exercise this right, please contact us at legal@carto.com, using the email address you used when submitting personal data to us and specifying your full name.
E. Period for which personal data will be stored
Please see “Data Retention,” above
F. Hosting
This Service and/or your personal data may be hosted in the United States. By providing us with your personal data, you may be: (i) permitting the transfer of your personal data to the United States, which may not have the same data protection laws as the country in which you reside; and (ii) permitting the use of your personal data in accordance with this Privacy Notice. When CARTO engages in transfers of personal data from the EEA or the UK to the United States, it relies on i) adequacy decisions as adopted by European Commission on the basis of Regulation (EU) 2016/679 (GDPR)’s Article 45, or ii) Standard Contractual Clauses issued by the European Commission.
International Transfers
CARTO is a U.S. company that processes personal information in the United States. Because CARTO is also a global organization, and uses service providers located all around the world, CARTO may process, store, and transfer your personal information outside of the jurisdiction where you reside. CARTO’s Personal Data Processing Addendum which CARTO provides to all its customers—includes more detailed information about CARTO’s cross-border data transfers, ensuring CARTO upholds a uniform data protection standard regardless of the information’s origin or the location of its processing.
eu-us. data privacy framework
CARTO is officially certified under the EU-U.S. Data Privacy Framework, and relies on this certification as its primary transfer mechanism for transfers of personal data from the European Union to the United States. To the extent that transfers of personal information are not covered by the EU-U.S. Data Privacy Framework, or as otherwise set forth in an agreement with you, CARTO relies on the Standard Contractual Clauses, of which you may request a copy by contacting us.
CARTO (1.) has certified its adherence to the EU-U.S. Data Privacy Framework Principles of (a.) notice; (b.) choice; (c.) accountability for onward transfer; (d.) security; (e.) data integrity and purpose limitation; (f.) access; and (g.) recourse, enforcement, and liability for personal information (as this term is defined under the EU-U.S. Data Privacy Framework Principles) that is transferred from the European Union to the United States, and (2.) is committed to complying with these principles. If you would like to learn about the EU-U.S. Data Privacy Framework or view CARTO’s certification to it, please visit https://www.dataprivacyframework.gov/.
The third parties to which CARTO transfers personal information received pursuant to the EU-U.S. Data Privacy Framework enter into written agreements with CARTO. In these, the third parties agree to furnish a level of protection equal to that mandated by the EU-U.S. Data Privacy Framework. Under specific circumstances, CARTO may still retain legal responsibility for the personal information it transfers.
In conformity with the Notice Principle of the Data Privacy Framework (DPF), CARTO informs data subjects of the EU, Iceland, Liechtenstein, and Norway that:
CARTO collects the personal data outlined in section A, “What we collect that is personal data in the EEA,” above.
CARTO is fully committed to subject to the Data Privacy Framework (DPF) Principles all personal data received from the EU in reliance on the Data Privacy Framework (DPF).
The purposes for which CARTO collects and uses personal data are to enhance the visitor experience of the Service; to operate and maintain the Service; to investigate and understand how the Service is used; to monitor and protect the security and integrity of the Service; and to analyze our business. CARTO may also collect, store, and use personal data about your computer and/or your visits to and use of its Site, including your IP address, geographical location, browser type, referral source, length of visit, and number of page views.
CARTO may be contacted with any inquiries or complaints regarding non-compliance with the Data Privacy Framework (DPF) by writing to:
CARTO
Attention: Legal
307 Fifth Avenue, Floor 9 New York, NY 10016
United States of America
dpf@carto.comThe type of third parties to which CARTO discloses personal data are corporate affiliates and business partners, for the limited and specified purpose of providing services related to the Service (such as website hosting or technical support). These business partners do not have the right to use this personal data for any purpose other than those related to the Service, and onward transfers only occur on the basis of a contract. We may disclose personal data about our users to entities now or in the future affiliated with CARTO for the purpose of enhancing the visitor experience of the Service; operating and maintaining the Service; investigating and understanding how the Service is used; monitoring and protecting the security and integrity of the Service; and analyzing our business. We may also disclose personal data about our users as part of any merger, acquisition, change of control, debt financing, insolvency, bankruptcy or sale of our assets for the purpose of completing our contractual obligations. Except as provided above, we will not sell or transfer your personal data to third parties.
Anyone in the EU whose personal data has been transferred to the United States has a right to access their personal data.
The choices and means CARTO offers individuals for limiting the use and disclosure of their personal data are the following: writing to us at any of the physical or email addresses indicated above and requesting the limitation or disclosure of their personal data.
The independent dispute resolution bodies CARTO designates to address individuals’ complaints regarding our non-compliance with the Data Privacy Framework (DPF) are the EU data protection authorities (DPAs); CARTO voluntarily commits to cooperate with EU DPAs.
CARTO is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
In cases where their complaints have not been resolved by any of these recourse or enforcement mechanisms, individuals in the EU also have a right to invoke binding arbitration under the Arbitration Panel.
CARTO is required to disclose personal data in response to lawful requests by public authorities, including to meet national security, law enforcement, or other public interest requirements.
CARTO is liable in cases of onward transfers to third parties. This privacy policy does not cover any applications, software, or web-based applications supported or created by CARTO or its partners.
In accordance with the Data Integrity and Purpose Limitation Principle of the Data Privacy Framework (DPF), CARTO will take reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete, and current.
In conformity with the Choice Principle of the Data Privacy Framework (DPF), CARTO offers data subjects of the EU, Iceland, Liechtenstein, and Norway the opportunity to opt out when their personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized.
In accordance with the Security Principle of the Data Privacy Framework (DPF), CARTO shall take reasonable and appropriate security measures, taking into account the risks involved in the processing and the nature of the data.
In conformity with the Access Principle of the Data Privacy Framework (DPF), CARTO acknowledges that data subjects of the EU, Iceland, Liechtenstein, and Norway have the right to obtain confirmation of whether CARTO is processing personal data related to them, have the data communicated within reasonable time, and may correct, amend or delete personal data where it is inaccurate or has been processed in violation of the Principles.
In accordance with the Recourse, Enforcement and Liability Principle of the Data Privacy Framework (DPF), CARTO has robust mechanisms to ensure compliance with the Principles and provides recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. CARTO complies with the Recourse, Enforcement and Liability Principle through a self-assessment system which includes internal procedures ensuring that employees receive training on the implementation of the organization’s privacy policies. Compliance is periodically reviewed in an objective manner.
In conformity with the Accountability for Onward Transfer Principle of the Data Privacy Framework (DPF), CARTO acknowledges that the onward transfer of the personal data of data subjects of the EU, Iceland, Liechtenstein, and Norway will only take place (i) for limited and specified purposes, (ii) on the basis of a contract or comparable arrangement within a corporate group and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles.
OTHER INTERNATIONAL VISITORS
This Service may be hosted in the United States. If you are an international visitor, you should note that by providing your PI, you may be: (i) permitting the transfer of your PI to the United States, which may not have the same data protection laws as the country in which you reside; and (ii) permitting the use of your PI in accordance with this Privacy Notice.
CONTACT
Please contact us with any questions you may have at legal@carto.com or at: CARTO, 307 Fifth Avenue, Floor 9, New York, NY 10016.
Google API Services Usage Disclosure
CARTO Adheres to the Google API Services User Data Policy.
Some Authorized Users may choose to authenticate their access to the CARTO Platform via Google. When this happens, CARTO’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including to that policy’s Limited Use requirements.
Categories of Data CARTO Processes, and Why We Process It
Obligatory Authorized User Data
For folks who have access to their employers’ CARTO accounts, CARTO needs to process certain identity-, contact information-, and account use-related data for the purposes of (1.) providing Customers with their contracted subscription services and (2.) maintaining account security and integrity. We’ll call this data “Obligatory Authorized User Data”. Obligatory Authorized User Data consists of:
first name;
last name;
corporate / organization email address;
job title;
company/org. name (e.g., Your Employer, Inc.)
country;
user ID (generated by Auth0 or the applicable IdP)
CARTO account organization name (e.g., Customer Legal Name Data Science Department);
subscription type/plan (e.g., “trial”);
deployment region (e.g., gcp-us-east1) selected by Authorized User;
URL of any Authorized User-generated map that causes an error
URL of any Authorized User-generated map shared with CARTO staff to allow CARTO to provide contracted customer support services
Discretionary Authorized User Data
CARTO may also optionally process certain categories of personal data of folks who have access to their employers’ CARTO accounts, if they choose to provide this information at their sole discretion. We’ll call this data “Discretionary Authorized User Data”. Discretionary Authorized User Data consists of:
Authorized User’s phone number
No. of Employees at Authorized User’s company/org
Use cases Authorized User is interested in
Authorized User’s (professional) industry
Customer Content
In a nutshell, Customer Content is the data you’re analyzing and visualizing on the CARTO Platform. Processing this data is necessary to allow you to make use of your employer’s subscription to our services.Formally, “Customer Content” means all content of any type (including, without limitation, data, text, graphics, maps, logos, images, illustrations, software or source code, audio and video, and animations) that is owned or licensed by your employer or you, that is stored or processed using the services your employer has subscribed to, including any personal data forming part of such content.
Who CARTO Shares Your Data With, and Why We Share it with Them
CARTO Only Shares Data with its Subprocessors.
A subprocessor is a vendor of CARTO’s that is permitted to process data for which we are a processor—in other words, Obligatory Authorized User Data, Discretionary Authorized User Data, and Customer Content.
Which Data CARTO Shares with Which Subprocessors.
CARTO Shares Obligatory Authorized User Data and Discretionary Authorized User Data with certain subprocessors for maintaining account security and integrity, and providing the subscription services your employer has purchased: the vendor we use for our domain name system, the tool we use for software debugging, the vendor we use for identity management, the tools we use for the management of communications and alerts, and the vendor whose tool we use as a customer support portal, and for the management of customer support ticketing.
CARTO shares Customer Content with those of its subprocessors who have roles in providing aspects of the subscription services: our infrastructure provider, our CDN, and the tool we use for internal administration of accounts and software development.
An up-to-date list of CARTO’s sub-processors is located at carto.com/legal/subp.
CARTO and our Subprocessors Do Not Use Your Data to Train AI Models.
Neither CARTO nor its subprocessors use Obligatory Authorized User Data, Discretionary Authorized User Data, or Customer Content to train AI models.
THE CARTO PLATFORM DOES NOT SHARE USER DATA WITH AI MODELS.