The General Data Protection Regulation (GDPR) is European Union legislation to strengthen and unify data protection laws for all individuals within the European Union. The regulation becomes effective and enforceable on May 25, 2018.
As a company that values treating our users fairly and transparently, we welcome GDPR's efforts to increase privacy across the board. We are a US business co-founded by an EU citizen, and we are fully committed to being compliant with GDPR.
This page outlines our commitment to complying with GDPR and upholding our users' individual privacy and the privacy of the data they transmit to us. As best practices for implementing GDPR evolve, we will make changes to this statement and to our product accordingly.
GDPR makes a distinction between “data controllers” and “data processors.” Geocodio is considered a “data controller” with regard to your account details and behavior on our website (such as your email address). We are a “data processor” with regard to the data you upload to our service (such as an API request or a file upload). It is important to understand this distinction so you can be better informed of your rights and the rights of the people whose data you transmit.
As a data controller when it comes to your personal account details, our service is GDPR-compliant by default, even for non-EU users. We believe this is in everyone’s best interest.
Note this only applies to your personal account details, such as your email address, physical address, and consent to receive product updates. It does not cover data you upload to Geocodio, such as data about your customers. That is covered below under "Geocodio as a data processor."
If you want to upload data for EU persons, GDPR requires that we have a signed Data Processing Agreement with each other. Users who need a signed Data Processing Agreement must be on the Geocodio Unlimited plan at the time of signing (one-month or recurring). All users transmitting data about EU persons are required to have this plan. That is, if you’d like to upload a file or use our API with data about EU persons, you must have a Data Processing Agreement with us. This applies to users whose usage would normally fall under the free tier. You can cancel the plan at any time by emailing us.
We use several third-party vendors to help us improve our customer experience. We have signed Data Processing Agreements with all of our vendors. These vendors are: Intercom (the little chat bubble you see on the bottom right), Google Analytics (anonymized visit and traffic tracking), Satismeter (customer happiness surveys), and QuickBooks (invoicing).
We have authorized these vendors to collect several different kinds of data about our users, including:
Frequency at which this data is deleted:
We do not engage in psychographic profiling or sell your information to advertisers.
We may use your usage history to send you relevant messages, for example if you’ve used our Congressional district append in the past and we make improvements to that append.
You can request to have your account data deleted at any time by emailing email@example.com.
When you sign up, we ask for your email address, your country, whether you are an EU citizen, whether you are transmitting any data about EU persons, whether you are over the age of 16, and whether all person data is for persons over the age of 16. We store this data to ensure GDPR compliance.
When you register, we store your IP address. This is so we can prevent abuse from people attempting to register multiple accounts.
Our user database is encrypted and regularly backed up to Amazon S3 in the US. Our website is hosted on Amazon S3 and CloudFront.
We have no known breaches in our past.
If you sign up for a paid plan with a credit card, your information is stored with Stripe, our payments processing vendor. This is our default option, and you will be invoiced and billed directly through Stripe. Your financial information is never stored on our servers. If you have paper billing, invoices are stored with QuickBooks. If you pay an invoice through QuickBooks, it will route the payment through our Stripe account (unless you have paid via paper check or ACH). We have signed Data Processing Agreements with both vendors.
What we can see in Stripe and QuickBooks:
We cannot see your full credit card number.
For accounting and tax purposes, we keep records of customer payments.
If you would like to remove your credit card information, please email us. Note we will need to receive payment for any outstanding charges before removing the card.
We take data protection seriously and safeguard the data you transmit to us.
Our API and spreadsheet upload tool are hosted on leased servers from Hetzner and are physically located in the EU. API requests on plans other than the Unlimited plan are logged, and we occasionally analyze the logs as part of ongoing improvements. Geocodio Unlimited usage is not logged. You can opt out of this by emailing us.
For the privacy of those whose data you are transmitting, we encourage you to only transmit location data through our services.
Under no circumstances can sensitive data for EU persons be transmitted to Geocodio. This includes the following categories under Articles 9 and 10 of GDPR:
You can delete your account data at any time by emailing us.
If you have any questions, please email us at firstname.lastname@example.org.