Last Updated: November 12, 2025
1. Introduction & Scope
At GeoServer, we recognize that trust is foundational to geospatial infrastructure. This Data Protection Policy outlines how we handle your personal information, account credentials, usage telemetry, and proprietary spatial datasets. We are committed to transparency, security, and compliance with applicable data protection regulations, including the GDPR, CCPA, and ISO/IEC 27001 standards.
By using GeoServer's platforms, APIs, or managed services, you acknowledge and agree to the data practices described herein. We encourage you to review this policy periodically for updates.
2. Data We Collect
We collect and process only the data necessary to deliver, secure, and improve our geospatial services. Categories include:
- Account & Identity Data: Name, email, organization, role, authentication tokens, and billing information.
- Geospatial & Spatial Data: Layers, vector/raster datasets, coordinate reference systems, metadata, and custom styling rules uploaded or generated via our platform.
- Usage & Telemetry Data: API requests, render logs, layer performance metrics, feature utilization, and error reports (anonymized where possible).
- Communication Data: Support tickets, email correspondence, feedback, and survey responses.
3. How We Use Your Data
Your data is processed strictly for the following purposes:
- Provisioning and securing your GeoServer account and workspace
- Rendering, caching, and distributing map layers and spatial queries
- Performing infrastructure monitoring, load balancing, and failover protection
- Delivering customer support, technical assistance, and service updates
- Conducting aggregated, anonymized analytics to improve platform stability
- Complying with legal obligations, fraud prevention, and security auditing
4. Security & Encryption
We implement enterprise-grade safeguards to protect your data against unauthorized access, alteration, disclosure, or destruction:
- Encryption: AES-256 at rest; TLS 1.3 in transit. All spatial payloads and API keys are encrypted end-to-end.
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and least-privilege internal policies.
- Infrastructure: Isolated tenant environments, automated vulnerability scanning, WAF protection, and DDoS mitigation.
- Backups & Recovery: Geo-redundant backups with encrypted snapshots, tested quarterly for integrity and restoration speed.
5. Third-Party Sharing & Processors
We do not sell, rent, or trade your personal or geospatial data. We only share data with trusted service providers essential to platform operations, including:
- Cloud hosting & CDN providers (for layer delivery and caching)
- Authentication & identity management services
- Payment processors and financial compliance partners
- Customer support & analytics tools (configured for data minimization)
All third-party processors are bound by strict data processing agreements (DPAs) and undergo regular security audits.
6. Your Rights & Choices
Depending on your jurisdiction, you may have the right to:
- Access & Portability: Request a machine-readable export of your account and spatial data.
- Rectification: Update or correct inaccurate personal information at any time.
- Erasure: Request deletion of your account and associated datasets (subject to legal retention requirements).
- Restriction & Objection: Limit processing or opt out of non-essential communications and telemetry.
To exercise these rights, submit a request via our privacy portal or contact our Data Protection Officer (Section 8). We will respond within 30 days.
7. Data Retention
We retain data only as long as necessary to fulfill the purposes outlined in this policy:
- Active Accounts: Data is retained for the duration of your subscription.
- Deleted Accounts: Personal data is securely erased within 30 days of account closure, unless retention is required for billing, security, or legal compliance.
- Logs & Telemetry: Aggregated, anonymized usage logs are retained for up to 12 months for platform optimization.
8. Contact & Data Protection Officer
If you have questions about this policy, wish to exercise your data rights, or need to report a security concern, please reach out:
- Data Protection Officer: dpo@geoserver.io
- Security Team: security@geoserver.io
- Mailing Address: GeoServer Inc., Attn: Privacy & Compliance, 1200 Spatial Way, Suite 400, San Francisco, CA 94107, USA
We treat all privacy and security inquiries with urgency and confidentiality.