Geocodio's privacy policies. How to exercise your rights, including deleting your Geocodio account.
Quick Links
You're probably on this page because you're curious about our privacy practices, or you want to exercise your privacy rights, like deleting your account. Here are a few quick links for self-service customers to do so:
To unsubscribe from emails, click unsubscribe at the bottom of our emails (unique URL for each user)
Agreements for Specific Privacy Laws
FERPA (SDPC NDPA): Geocodio will sign an NDPA for processing student data. Please contact us for more information.
HIPAA/HITECH (Business Associate Agreements): Geocodio can only sign BAAs for our Enterprise product. Please contact us for more information.
GDPR (Data Processing Agreement): If you want to upload data for EU persons, GDPR requires that we have a signed Data Processing Agreement. Users who need a signed Data Processing Agreement must be on the Geocodio Unlimited plan at the time of signing (one-month or recurring). All users transmitting data about EU persons are required to have this plan. That is, if you’d like to upload a file or use our API with data about EU persons, you must have a Data Processing Agreement with us. You can sign a Data Processing Agreement on the dashboard. You can cancel the plan at any time on the dashboard.
If your account has a signed agreement with Geocodio for one of the laws above, that agreement takes precedence over the policy on this page. Any conflicts are understood to be superseded by the signed agreement.
Privacy Laws We Follow
We are committed to complying with comprehensive data protection laws, including:
International and Federal Laws
General Data Protection Regulation (GDPR) - European Union legislation effective May 25, 2018
Children's Online Privacy Protection Act (COPPA) - US federal law with updated rules effective June 23, 2025
US State Privacy Laws
We comply with comprehensive privacy laws in all 20 states that have enacted them:
Relevant Laws:
California Privacy Rights Act (CPRA) - Enhanced California privacy law effective January 1, 2023
California Consumer Privacy Act (CCPA) - California law effective January 1, 2020
Colorado Privacy Act (CPA) - Effective July 1, 2023
Connecticut Data Protection Act (CTDPA) - Effective July 1, 2023
Delaware Personal Data Privacy Act (DPDPA) - Effective January 1, 2025
Florida Digital Bill of Rights - Effective July 1, 2024
Iowa Consumer Data Protection Act (ICDPA) - Effective January 1, 2025
Montana Consumer Data Privacy Act - Effective October 1, 2024
Nebraska Data Privacy Act - Effective January 1, 2025
New Hampshire Privacy Act (NHPA) - Effective January 1, 2025
New Jersey Data Privacy Act (NJDPA) - Effective January 15, 2025
Oregon Consumer Privacy Act (OCPA) - Effective July 1, 2024
Texas Data Privacy and Security Act (TDPSA) - Effective July 1, 2024
Utah Consumer Privacy Act (UCPA) - Effective December 31, 2023
Virginia Consumer Data Protection Act (VCDPA) - Effective January 1, 2023
Maryland Online Data Privacy Act (MODPA) - Effective October 1, 2025
Minnesota Consumer Data Privacy Act (MCDPA) - Effective July 31, 2025
Tennessee Information Protection Act (TIPA) - Effective July 1, 2025
Indiana Consumer Data Protection Act - Effective January 1, 2026
Kentucky Consumer Data Protection Act (KCDPA) - Effective January 1, 2026
Rhode Island Data Transparency and Privacy Protection Act - Effective January 1, 2026
We also provide HIPAA/HITECH-compliant geocoding via our Enterprise service.
As a company that values treating our users fairly and transparently, we welcome these privacy laws' efforts to increase privacy across the board. We are fully committed to being compliant with all applicable data privacy laws.
This page outlines our commitment to complying with these privacy laws and upholding our users' individual privacy and the privacy of the data they transmit to us. As best practices evolve, we will make changes to this statement and to our product accordingly.
Age Restriction and Children's Privacy (COPPA)
Our service is only available to individuals 18 years of age or older. We do not knowingly collect personal information from anyone under 18 years of age. By using our service, you confirm that you are at least 18 years old.
If we learn that we have collected personal information from someone under 18, we will delete that information immediately. If you believe we have collected information from someone under 18, please contact us at hello@geocod.io.
During registration, users must accept our Terms of Use, which stipulates that they must be at least 18 years old in order to create an account. This age restriction helps us comply with various state laws that have enhanced protections for minors under 18.
Your Privacy Rights
Depending on your location, you have the following rights regarding your personal information:
Universal Rights (Available to All Users)
Right to Know - Request information about what personal data we collect, use, and share
Right to Delete - Request deletion of your personal data (with some legal exceptions)
Right to Correct - Request correction of inaccurate personal information
Right to Opt-Out of Sales - We don't sell data, but you can confirm this applies to you
Right to Opt-Out of Targeted Advertising - We don't engage in targeted advertising
Right to Non-Discrimination - We won't deny services or charge different prices for exercising your rights
Enhanced Rights (Varies by Location)
Right to Data Portability - Request your data in a portable format (CA, CT, CO, DE, MD, MN, NJ, OR)
Right to Opt-Out of Profiling - Opt out of automated decision-making that produces legal effects (CA, CT, CO, VA, MD, MN, TN, NH, DE, MT, RI)
Right to Limit Sensitive Data Use - Limit use of sensitive personal information (CA, CO, CT, TX, OR, NJ, NH, DE, MT)
Right to Question Profiling Results - Unique to Minnesota: question automated decisions and understand the rationale
Right to Third-Party Transparency - Request list of third parties who received your data (OR, MN) or categories of recipients (DE, MD)
If still unsatisfied, you may contact your state's attorney general
Global Privacy Control
We recognize Global Privacy Control (GPC) signals as valid opt-out requests for the sale and sharing of personal information where required by law.
What Personal Information We Collect
We collect the following categories of personal information:
Account Information
Identifiers: Email address, country, IP address (at registration only)
Commercial Information: Payment history, billing information, plan details, account usage
Usage Information
Internet Activity: Website behavior, feature usage, API calls, service interactions
Professional Information: How you use our service in a business context
Inferences: Usage patterns to send relevant service updates and improvements
Sensitive Personal Information
We may collect limited sensitive information:
Precise Geolocation: Only in data you upload for processing (not your device location)
Account Login Information: Encrypted credentials and authentication data
Payment Information: Stored securely with Stripe (we never see full card numbers)
We do NOT collect: Biometric identifiers, genetic data, health information, information about sexual orientation, racial or ethnic origin, religious beliefs, union membership, or data from anyone under 18.
How We Use Your Information
We use personal information only for these specific purposes:
Service Delivery: Providing geocoding services and API access
Account Management: Creating and maintaining your account
Billing and Payment: Processing payments and sending invoices
Customer Support: Responding to questions and providing help
Service Improvement: Analyzing usage to improve our service (without profiling individuals)
Legal Compliance: Meeting legal obligations and preventing fraud
Communication: Sending relevant service updates based on your usage patterns
We do NOT use your information for:
Targeted advertising or marketing to third parties
Psychographic profiling or behavioral analysis
Automated decision-making that produces legal or similarly significant effects
Cross-context behavioral advertising
Any purpose not explicitly listed above
Who We Share Information With
Third-Party Service Providers
We work with these vendors who have signed Data Processing Agreements with us:
Intercom (customer support) - Contact information, support conversations
Google Analytics (anonymized traffic tracking) - Anonymized website behavior data
You can delete your account and associated data at any time, except for information we must retain for legal compliance (such as payment records for tax purposes).
Our Role in Data Processing
For Your Account Information
We are a "data controller" (GDPR) or "business" (state laws) for your personal account details like email address, billing information, and service usage.
For Data You Upload
We are a "data processor" (GDPR) or "service provider" (state laws) for data you upload to our service. You are responsible for ensuring you have proper rights to process any personal data you upload and that such data complies with applicable privacy laws.
EU Data Processing
If you upload data about EU persons, GDPR requires a signed Data Processing Agreement. Users who need this must be on our Geocodio Unlimited plan. Sign a Data Processing Agreement on the dashboard.
Data Processing Assessments
We conduct data protection impact assessments for high-risk processing activities as required by applicable laws, including for:
Large-scale processing of sensitive data
Systematic monitoring of public areas
Processing that could result in high risk to individual rights
Security and Storage
User Database: Encrypted and regularly backed up to Amazon S3 in the US
Website Hosting: Amazon S3 and CloudFront with SSL/TLS encryption
API Services (including Spreadsheet Uploads):
Self-Serve customers: Hetzner servers physically located in the EU
Enterprise customers: AWS infrastructure in the US
Payment Security: All payment data handled by PCI-compliant Stripe
Data Encryption: All data encrypted in transit and at rest
Access Controls: Multi-factor authentication and role-based access controls
Security Monitoring: Continuous monitoring for security threats
No Known Breaches: We have no history of data breaches
Cookies and Tracking
We use cookies to:
Maintain your logged-in status
Provide core website functionality
Track basic website behavior for service improvement (anonymized)
Remember your privacy preferences
We do NOT use cookies for:
Cross-site tracking or advertising
Behavioral profiling for commercial purposes
Sharing data with advertising networks
Creating detailed user profiles for marketing
You can control cookie settings through your browser preferences.
International Data Transfers
US Users: Data processing in the EU (Self-Serve) or US (Enterprise)
EU Users: Data processing in the EU (Self-Serve) or US (Enterprise)
All Users: Account data may be stored in the EU or US with appropriate transfer mechanisms
For EU users, we rely on adequacy decisions, standard contractual clauses, or other approved transfer mechanisms as required by GDPR.
Your State-Specific Rights
California Residents (CCPA/CPRA)
You have enhanced rights including data portability and the right to limit use of sensitive personal information. We do not sell or share personal information as defined by California law. You can opt out of automated decision-making and request information about our data practices.
Colorado, Connecticut, Virginia, Utah Residents
You have privacy rights including the right to opt out of profiling for automated decision-making, correct inaccurate information, and receive portable copies of your data.
Delaware, Iowa, Nebraska, New Hampshire, New Jersey Residents
You have privacy rights including access, correction, deletion, and opt-out rights. New Jersey residents have enhanced protections and we recognize universal opt-out signals.
Florida, Montana, Oregon, Texas Residents
You have comprehensive privacy rights with some state-specific variations in thresholds and enforcement mechanisms.
Maryland, Minnesota, Tennessee Residents
Enhanced privacy rights including:
Maryland: Stricter data minimization requirements and enhanced transparency
Minnesota: Right to question profiling decisions and data inventory requirements
Tennessee: Comprehensive privacy protections with unique threshold requirements
Indiana, Kentucky, Rhode Island Residents (Effective 2026)
Comprehensive privacy rights will become available, including access, correction, deletion, and opt-out rights.
Enforcement and Cure Periods
Different states have varying enforcement timelines and cure periods:
30-day cure periods: Available in several states until specific expiration dates
60-day cure periods: Available in some states with discretionary extension by attorneys general
No cure periods: Some states provide immediate enforcement without cure opportunities
Penalties: Range from $2,500 to $25,000 per violation depending on the state
Data Minimization and Purpose Limitation
We collect only personal information that is:
Adequate: Sufficient for the stated purpose
Relevant: Directly related to our services
Limited: Not excessive for the purpose
Necessary: Required to provide the requested service
Proportionate: Reasonable in relation to the service provided (required by Maryland law)
We do not collect personal information for purposes unrelated to our geocoding services.
Changes to This Policy
We will notify users of material changes to this privacy policy via:
Prominent notice on our website
Updated effective date on this page
Changes become effective 30 days after notification unless otherwise required by law. For material changes that expand our use of personal information, we may require renewed consent.
Your State's Attorney General: For residents of other states with privacy laws
EU Residents: Your local data protection authority
Last Updated: 8/29/2025
Effective Date: 8/29/2025
This privacy policy applies to all users and services provided by Geocodio. We are committed to maintaining compliance with all applicable privacy laws and will update this policy as new laws take effect or existing laws are amended.