You're probably on this page because you're curious about our privacy practices, or you want to exercise your privacy rights, like deleting your account. To make it simple for you:
The General Data Protection Regulation (GDPR) is European Union legislation to strengthen and unify data protection laws for all individuals within the European Union. The regulation became effective and enforceable on May 25, 2018.
We are also subject to the California Consumer Privacy Act of 2018 (CCPA).
As a company that values treating our users fairly and transparently, we welcome CCPA and GDPR's efforts to increase privacy across the board. We are a US business co-founded by an EU citizen, and we are fully committed to being compliant with data privacy laws.
This page outlines our commitment to complying with GDPR and CCPA and upholding our users' individual privacy and the privacy of the data they transmit to us. As best practices for implementing GDPR and CCPA evolve, we will make changes to this statement and to our product accordingly.
GDPR makes a distinction between “data controllers” and “data processors.” Geocodio is considered a “data controller” with regards to your account details and behavior on our website (such as your email address). We are a “data processor” with regards to the data you upload to our service (such as an API request or a file upload). Under CCPA, we are a Data Recipient, and you are a Data Provider. It is important to understand these distinctions so you can be better informed of your rights and the rights of the people whose data you transmit.
As a data controller when it comes to your personal account details, our service is GDPR-compliant by default, even for non-EU users. We believe this is in everyone’s best interest.
Note this only applies to your personal account details, such as your email address, physical address, and consent to receive product updates. It does not cover data you upload to Geocodio, such as data about your customers. That is covered below under "Geocodio as a data processor."
If you want to upload data for EU persons, GDPR requires that we have a signed Data Processing Agreement with each other. Users who need a signed Data Processing Agreement must be on the Geocodio Unlimited plan at the time of signing (one-month or recurring). All users transmitting data about EU persons are required to have this plan. That is, if you’d like to upload a file or use our API with data about EU persons, you must have a Data Processing Agreement with us. You can sign a Data Processing Agreement on the dashboard. You can cancel the plan at any time on the dashboard.
We use several third-party vendors to help us improve our customer experience. We have signed Data Processing Agreements with all of our vendors. These vendors are: Intercom (the little chat bubble you see on the bottom right and product email), Google Analytics (anonymized visit and traffic tracking), Ahrefs (anonymized traffic tracking), MailChimp (marketing email), Satismeter (customer happiness surveys), Stripe (payments), and QuickBooks (invoicing).
We have authorized these vendors collect several different kinds of data about our users, including:
Frequency at which this data is deleted:
We do not engage in psychographic profiling.
In compliance with the CCPA, we do not not (i) retain, use or disclose any Personal Information for any purpose other than for the specific purpose of providing services to our customers; and (ii) sell (as such term is defined under the CCPA) any Personal Information.
We may use your usage history to send you relevant messages, for example if you’ve used our Congressional district append in the past and we make changes or improvements to that append.
When you sign up, we ask for your email address, your country, whether you are an EU citizen, whether you are transmitting any data about EU persons, whether you are over the age of 16, and whether all person data is for persons over the age of 16. We store this data to ensure GDPR compliance.
When you register, we store your IP address. This is so we can prevent abuse from people attempting to register multiple accounts.
Our user database is encrypted and regularly backed up to Amazon S3 in the US. Our website is hosted on Amazon S3 and CloudFront.
We have no known breaches in our past.
If you sign up for a paid plan with a credit card, your information is stored with Stripe, a PCI-compliant payments processing vendor. This is our default option, and you will be invoiced and billed directly through Stripe. Your financial information is never stored on our servers. If you have paper billing, invoices are stored with Quickbooks and/or Stripe. If you pay an invoice through Quickbooks, it will route the payment through our Stripe account (unless you have paid via paper check or initiated ACH on your end). We have signed Data Processing Agreements with both vendors.
What we can see in Stripe and Quickbooks:
We cannot see your full credit card number.
For accounting and tax purposes, we keep records of customer payments.
If you would like to remove your credit card information, you can do so on the dashboard at any time. Note that you will be charged for any outstanding balance before your credit card is deleted.
We take data protection seriously and safeguard the data you transmit to us.
In compliance with the CCPA, we do not sell, share, or otherwise distribute data uploaded by customers.
Our API and spreadsheet upload tool are hosted on leased servers from Hetzner and are physically located in the EU. Our HIPAA-compliant service is hosted on AWS in the US. API requests are logged, and we occasionally analyze the logs as part of ongoing improvements or for billing purposes. To have a completely unlogged account, you will need to use our HIPAA-compliant version.
For the privacy of those whose data you are transmitting, we encourage you to only transmit location data through our services, and to remove any information that is not related to location.
Under no circumstances can sensitive data for EU persons be transmitted to Geocodio. This includes the following categories under Articles 9 and 10 of GDPR:
You can see our data retention policy here.
You can delete your account at any time through the dashboard, which will delete all account-related data except for that which we need to retain for accounting and tax compliance purposes.
If you have any questions, please email us at firstname.lastname@example.org.