The CARTO Data Observatory is a geospatial data marketplace and enrichment service built into the CARTO platform. It lets analysts subscribe to curated location datasets (demographics, points of interest, mobility, weather) and join them inside their cloud data warehouse via SQL.
The CARTO Data Observatory is a catalogue and delivery layer for geospatial datasets, embedded in the CARTO platform. Users browse hundreds of curated datasets covering demographics, points of interest, human mobility, real estate, weather, and administrative boundaries, then subscribe and run spatial joins directly inside their cloud data warehouse (BigQuery, Snowflake, Redshift, or Databricks). Data flows server-side through CARTO APIs without leaving the customer warehouse perimeter, which makes it primarily a back-office analytics tool rather than a website tracker. The CARTO marketing site and product UI are the only web surfaces that load classic cookies.
On the CARTO website and platform UI, cookies are set for authentication (session, CSRF), for product analytics (Mixpanel or Amplitude), for support chat (Intercom), and for marketing on the public site (Google Analytics 4, HubSpot, LinkedIn Insight Tag). Inside the Data Observatory itself, the data exchanged is mostly aggregated statistical or geographic data, not personal data. Personal data appears only in account profiles, billing, support tickets, and audit logs of who subscribed to which dataset and when.
For paid customers, the lawful basis is contract performance under Article 6(1)(b) GDPR. Strictly necessary session cookies are exempt under Article 5(3) ePrivacy. All marketing, analytics, and support cookies on the carto.com website and on dashboards require prior, freely given, specific, informed, and unambiguous consent. CARTO acts as a processor for customer account data and as a controller for its own marketing site. Customers must sign the CARTO DPA and review the sub-processor list.
Most datasets in the Data Observatory are aggregated to administrative units (NUTS regions, postal codes, hexagons, census blocks) and contain no directly identifiable personal data. Some mobility, telco, or geomarketing datasets may be derived from personal data and licensed under specific terms. Customers must read each dataset licence, identify whether the source is GDPR personal data, and document the lawful basis for combining it with their own data, especially when joining customer-level identifiers.
CARTO operates from Spain and the United States and uses AWS and Google Cloud as infrastructure providers. EU customers can request EU-only deployment for the platform tenant, but support and corporate functions involve US staff and tools. Transfers rely on Standard Contractual Clauses, the EU-US Data Privacy Framework where the partner is certified, and supplementary measures (encryption, role-based access). A Transfer Impact Assessment is required for the operational metadata flow.
Sign the CARTO DPA, attach the SCC and DPF documentation, and pick the EU region for sensitive deployments. Configure SSO, role-based access, and audit logging. Enforce a cookie banner on your CARTO dashboards if they are exposed to end users, and treat the carto.com marketing site cookies as opt-in. Read each Data Observatory dataset licence, document the lawful basis for any join with personal data, and align retention with internal policies.
Websites using CARTO Data Observatory must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is generally not required because the Data Observatory mainly delivers aggregated geospatial datasets server-side. A DPIA becomes necessary if customers join the data with personal data of EU individuals at scale, especially mobility, telco, or sociodemographic feeds. The AEPD and EDPB consider large-scale geolocation analytics a DPIA-prone activity. Document data flows, sub-processors, retention, and a Transfer Impact Assessment.
Sample consent text
We use CARTO and the CARTO Data Observatory to enrich our analytics with curated geospatial data. Strictly necessary cookies keep your session secure. Analytics, marketing, and chat cookies are only set with your consent and you can change your preferences at any time.
Third-party domains contacted
carto.com, app.carto.com, auth.carto.com, data.carto.com, googleapis.com, amazonaws.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| carto_session | first_party | Session | Authenticated session cookie for the CARTO platform UI. |
| carto_csrf | first_party | Session | Cross site request forgery protection token for the CARTO web application. |
| _ga | third_party | 2 years | Google Analytics 4 measurement on the CARTO marketing website (loaded only after consent). |
| intercom-id | third_party | 9 months | Identifies returning users in the Intercom support widget on the CARTO website. |
No. The Data Observatory is a server-side data delivery service that runs inside your cloud data warehouse. Cookies are only set on the CARTO marketing site and on the CARTO platform UI used by your analysts.
Authenticated session cookies on the CARTO platform are strictly necessary. Analytics, marketing, and support cookies on the marketing site or in dashboards require prior consent under Article 5(3) ePrivacy.
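To make the classification in the cookie table and in this answer checkable, here is an added example (not CARTO's or FlowConsent's own code): it maps the four cookies named on the page to their category, decides which ones need prior consent, and audits an observed Cookie header against a visitor's recorded consent so that tags set without consent are flagged. The consent-object shape, the category names, and the sample header are assumptions constructed for this example.

```javascript
// Cookie names and vendors come from the page's table; the category labels
// ("necessary", "analytics", "support") are an assumption of this example.
const COOKIE_POLICY = {
  carto_session: { category: 'necessary', vendor: 'CARTO' },
  carto_csrf:    { category: 'necessary', vendor: 'CARTO' },
  _ga:           { category: 'analytics', vendor: 'Google Analytics 4' },
  'intercom-id': { category: 'support',   vendor: 'Intercom' },
};

// Strictly necessary cookies are exempt under Article 5(3) ePrivacy; everything
// else, including cookies we have not classified, needs prior consent.
function requiresConsent(name) {
  const entry = COOKIE_POLICY[name];
  return entry === undefined || entry.category !== 'necessary';
}

// Parse a raw Cookie header ("a=1; b=2") into a list of cookie names.
function parseCookieNames(header) {
  return header.split(';').map(s => s.trim()).filter(Boolean).map(s => s.split('=')[0]);
}

// Return the cookies present in `header` whose category the visitor has not
// consented to. Unknown cookies are reported under "unknown" so a newly added
// vendor tag does not slip through unclassified.
function auditCookies(header, consent) {
  const violations = [];
  for (const name of parseCookieNames(header)) {
    if (!requiresConsent(name)) continue;
    const entry = COOKIE_POLICY[name];
    const category = entry ? entry.category : 'unknown';
    if (!consent[category]) {
      violations.push({ name, category, vendor: entry ? entry.vendor : 'unknown' });
    }
  }
  return violations;
}

// Vendors whose tags the site may load for this visitor (necessary ones always).
function allowedVendors(consent) {
  const vendors = Object.values(COOKIE_POLICY)
    .filter(e => e.category === 'necessary' || consent[e.category])
    .map(e => e.vendor);
  return [...new Set(vendors)];
}

// Constructed sample: a visitor who accepted analytics but declined support chat,
// yet the Intercom cookie was set anyway. The audit should flag intercom-id only.
const sampleConsent = { analytics: true, support: false, marketing: false };
const sampleHeader = 'carto_session=abc; carto_csrf=xyz; _ga=GA1.1.1; intercom-id=42';
console.log(auditCookies(sampleHeader, sampleConsent));
```

Running the audit against your own site's Set-Cookie behaviour before and after the banner decision is a quick way to verify that analytics and chat tags really are deferred until consent.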
Contract performance under Article 6(1)(b) for the paid subscription, legitimate interest under 6(1)(f) for security logs, and consent under 6(1)(a) for non-essential cookies on the marketing site.
Yes. Account metadata and support data may be processed in the US. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework certification of CARTO sub-processors. Sensitive deployments can be pinned to an EU region.
A DPIA is generally not required for aggregated geospatial datasets but becomes recommended when joining mobility, telco, or fine-grained sociodemographic data with personal data of EU residents at scale.
Enforce SSO, MFA, role-based access, and audit logging. Pick the EU region for the platform tenant when possible, encrypt warehouse credentials, and review CARTO SOC 2 / ISO 27001 documentation annually.
Yes. The CARTO platform itself can be deployed in EU regions. Alternatives include Mapbox (with EU options), HERE Technologies, or open source stacks (Geoserver, PostGIS) hosted in the EU, although dataset breadth is generally smaller.
List CARTO as a processor, describe the platform UI, the dataset catalogue, the cloud warehouse delivery model, the EU-US transfers, and the safeguards (SCCs, DPF, EU region option, encryption). Link to the CARTO privacy policy and DPA.