GlobMaps Climate Intelligence

Privacy Policy

Effective date: 2026-06-05 · Version 1.2

The English version of this document is the legally authoritative version; translations are provided for convenience.

1. Who We Are

GlobMaps ("we", "us", "our") operates globmaps.com and climate.globmaps.com, providing climate intelligence APIs and geospatial data products including the Multi-index Drought Indicator (MDI). For privacy inquiries, contact us at privacy@globmaps.com. For enterprise Data Processing Agreement (DPA) requests, contact legal@globmaps.com.

2. Data We Collect

We collect: (a) Account data — name, email address, company name, and password hash when you register; (b) Billing data — payment method details processed by Stripe (we do not store raw card numbers); (c) Usage data — API request logs including country queried, timestamp, endpoint called, response code, and quota consumption (anonymised at 90 days); (d) API credentials — hashed API keys and associated metadata retained for 90 days after revocation; (e) Technical data — IP address, browser type, operating system, and referring URLs collected automatically; (f) Consent records — timestamps and method of acceptance of these policies.

3. How We Use Your Data

We use your data to: provide and operate the platform; process payments and manage subscriptions; enforce rate limits and detect abuse; send transactional emails (account confirmations, invoices, service notices); improve platform performance through aggregated analytics; comply with legal obligations; respond to data subject requests; and support data licensing activities where applicable under separate agreement.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area and UK, our legal bases are: Contract — processing necessary to provide the service you signed up for; Legitimate Interests — fraud prevention, security, and product improvement; Legal Obligation — compliance with applicable law including GDPR, PDPA, and financial regulations; Consent — analytics and marketing cookies, which you may withdraw at any time.

5. Data Sharing & Subprocessors

We share data only with trusted subprocessors required to deliver the service. Current subprocessors include: Stripe, Inc. (payment processing and billing records); DigitalOcean, LLC (cloud hosting and infrastructure); Resend, Inc. (transactional email delivery). We do not sell personal data to any third party. A full and up-to-date subprocessor list is available on request at privacy@globmaps.com.

6. International Data Transfers

Your data is processed primarily on servers located in Singapore and the United States. Where transfers occur from the EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognised transfer mechanisms. Enterprise clients requiring a Data Processing Agreement (DPA) should contact legal@globmaps.com.

7. Data Retention

We retain data for the following periods: Account data — for the duration of your subscription and 30 days after account deletion, after which it is permanently erased; API request logs — 90 days from the date of the request, then purged automatically; API keys (hashed) — 90 days after revocation or account deletion; Billing records — 7 years as required by financial regulations (retained by Stripe under their own policy); Consent records — 5 years. You may request earlier deletion of account data subject to legal retention requirements.

8. Your Rights

Depending on your jurisdiction, you may have the right to: access a copy of your personal data; correct inaccurate data; request erasure of your data (we respond within 30 days); object to or restrict processing; receive your data in a portable format (we provide export in JSON format on request); and withdraw consent at any time without affecting prior processing. To exercise any right, email privacy@globmaps.com. We will acknowledge within 5 business days and respond fully within 30 days.

9. PDPA (Thailand)

For users in Thailand, we comply with the Personal Data Protection Act B.E. 2562 (PDPA). You have the right to access, correct, delete, object to, and port your personal data. You may also withdraw consent for non-essential processing at any time by contacting us at privacy@globmaps.com. Our Data Protection contact for PDPA purposes is privacy@globmaps.com.

10. CCPA (California)

California residents have the right to know what personal information we collect and how it is used, to request deletion of personal information, to opt out of the sale of personal information (we do not sell personal information), and to be free from discrimination for exercising these rights. To submit a request, contact privacy@globmaps.com.

11. Enterprise Data Processing Agreement

Enterprise clients who process personal data through the GlobMaps API may require a Data Processing Agreement (DPA) to satisfy GDPR Article 28 obligations. GlobMaps acts as a Data Processor with respect to any personal data contained in API queries submitted by enterprise clients. To request a DPA, contact legal@globmaps.com. Standard DPA terms include: TLS 1.3 encryption in transit, AES-256 encryption at rest, 90-day API log purge, breach notification within 72 hours (GDPR Article 33), and annual security reporting rights.

12. Cookies

We use cookies for authentication, security, and analytics. For full details see our Cookie Policy. You can manage your cookie preferences at any time via the consent banner.

13. Security

We implement industry-standard security measures including encryption in transit (TLS 1.3), AES-256 encryption at rest, hashed passwords (bcrypt), Redis authentication, HTTPS-only access, and regular security reviews. No system is completely secure; please notify us immediately at security@globmaps.com if you discover a vulnerability.

14. Children

GlobMaps services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy periodically. For material changes, we will notify registered users by email at least 14 days before the change takes effect. The effective date at the top of this page reflects the current version.

16. Contact & DPO

For privacy inquiries and data subject requests: privacy@globmaps.com. For enterprise DPA requests: legal@globmaps.com. If you are in the EU/UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national data protection authority in the EU).