Mappedin is a Canadian indoor mapping platform that provides interactive 3D maps and wayfinding for shopping malls, airports, hospitals, universities and large venues. It is embedded through a JavaScript SDK or REST API that loads map tiles, location data and search functionality. The default operation is largely cookieless, but the SDK fetches resources from third party servers, so Article 5(3) of the ePrivacy Directive still applies in most cases.
Mappedin is a Canadian indoor mapping platform headquartered in Waterloo, Ontario that provides interactive 3D maps and turn-by-turn wayfinding for indoor venues such as shopping malls, airports, hospitals, universities and large retail stores. The service is embedded through the @mappedin/mappedin-js JavaScript SDK or a REST API, which load vector map tiles, point-of-interest data, search responses and rendering assets. When a visitor asks for directions from their current location, the SDK can call the browser geolocation API to estimate their position inside the venue.
By default Mappedin does not set persistent tracking cookies. The SDK uses session storage and in-memory state to remember the current map view, the selected floor and the active route. Optional analytics modes may set session cookies and collect interaction events such as zooms, searches and wayfinding requests. In all cases the service receives the visitor's IP address, user agent and venue identifier when it loads tiles and search APIs, plus the geolocation coordinates when the user actively requests a route from their position.
Although Mappedin is largely cookieless, the SDK is a third-party script that stores and reads information from the user's terminal (cache entries, session storage, possibly a session cookie) and transmits personal data such as the IP address to Mappedin servers. Article 5(3) of the ePrivacy Directive and the German TDDDG therefore apply, alongside the GDPR obligations of transparency, purpose limitation and data minimisation. Joint controllership questions can arise where analytics features are activated.
For maps strictly necessary to deliver a service the user has actively requested (find a shop, get directions inside an airport), the strictly necessary exemption of Article 5(3) ePrivacy can apply and the legal basis is contract performance or legitimate interest. For maps that load automatically on every page, are decorative or are coupled with analytics, prior opt-in consent is required. The information notice should name Mappedin, describe the data, mention transfers to Canada and the US and offer a clear refusal option.
Mappedin processes data in Canada and in AWS US East, with a global CDN. Transfers to Canada are covered by the EU adequacy decision adopted in 2001, limited to organisations subject to PIPEDA. Transfers to the United States rely on Standard Contractual Clauses and, where applicable, on the EU-US Data Privacy Framework. Practical steps: sign a Data Processing Agreement, document the transfers in your record of processing, block the SDK behind your consent tool when analytics are enabled, update the privacy policy and disable optional analytics where they are not necessary.
Websites using Mappedin must obtain user consent under GDPR regulations.
DPIA considerations
A formal DPIA is generally not mandatory for a purely functional indoor map. A DPIA should be considered when Mappedin is combined with real time positioning, persistent user accounts, behavioural analytics, geolocation tracking of visitors inside sensitive venues (hospitals, government buildings) or when it processes data about vulnerable users such as patients or minors.
Sample consent text
We use Mappedin to display interactive indoor maps and provide wayfinding inside our venue. The service loads map tiles and search data from Mappedin servers in Canada and the United States and may use your approximate location if you ask for directions from your current position. Do you accept the loading of Mappedin?
Third-party domains contacted
mappedin.com, cdn.mappedin.com, api.mappedin.com, tiles.mappedin.com, assets.mappedin.com, web.mappedin.com, app.mappedin.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mappedin_session | first_party | session | Session cookie used by some analytics configurations to group map interactions within a single visit. Not set in the default cookieless mode. |
| mi_visitor | third_party | 1 year | Optional visitor identifier set when the analytics layer is enabled, used to recognise returning visitors and measure repeat usage of the map. |
| mi_consent | first_party | 6 months | Stores the visitor consent choice for the Mappedin analytics layer when the embedding website uses the Mappedin consent helper. |
| mi_locale | first_party | 1 year | Stores the language preference selected inside the indoor map UI so the interface and search reopen in the same language. |
| mi_map_state | first_party | session | Session storage entry remembering the current floor, zoom level and selected point of interest, used to keep map state across page reloads. |
| AWSALB | third_party | 7 days | AWS Application Load Balancer cookie used by Mappedin infrastructure for sticky session routing to backend servers. Exact names depend on the venue configuration. |
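
A pre-consent audit built from the domain list and cookie table above, as an added example that is not code from Mappedin or from this page: for deployments where consent is required, it reports Mappedin hosts contacted and analytics cookies set before the visitor opts in. The event-log format, the sample capture and the function names are assumptions.

```javascript
// Added example, not Mappedin code. Host and cookie names are copied from
// the list and table above; the ordered event-log format is an assumption.
const MAPPEDIN_HOSTS = new Set([
  "mappedin.com", "cdn.mappedin.com", "api.mappedin.com", "tiles.mappedin.com",
  "assets.mappedin.com", "web.mappedin.com", "app.mappedin.com",
]);
// Cookies the table ties to the optional analytics layer, and the remaining ones.
const ANALYTICS_COOKIES = new Set(["mappedin_session", "mi_visitor"]);
const OTHER_COOKIES = new Set(["mi_consent", "mi_locale", "AWSALB"]);

function isMappedinHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  // Exact or dot-anchored suffix match, so "notmappedin.com" does not match.
  return MAPPEDIN_HOSTS.has(h) || h.endsWith(".mappedin.com");
}

function auditPreConsent(events) {
  const findings = { hosts: [], analyticsCookies: [], otherCookies: [], malformed: 0 };
  for (const ev of events) {
    if (ev.type === "consent") break; // everything later happened after opt-in
    if (ev.type === "request") {
      let host;
      try { host = new URL(ev.url).hostname; } catch { findings.malformed++; continue; }
      if (isMappedinHost(host) && !findings.hosts.includes(host)) findings.hosts.push(host);
    } else if (ev.type === "cookie") {
      if (ANALYTICS_COOKIES.has(ev.name)) findings.analyticsCookies.push(ev.name);
      else if (OTHER_COOKIES.has(ev.name)) findings.otherCookies.push(ev.name);
    }
  }
  // Pass only if no Mappedin host was contacted and no analytics cookie was set.
  findings.pass = findings.hosts.length === 0 && findings.analyticsCookies.length === 0;
  return findings;
}

// Constructed sample capture of one page load, in order of occurrence.
const SAMPLE_EVENTS = [
  { type: "request", url: "https://venue.example/index.html" },
  { type: "request", url: "https://cdn.mappedin.com/sdk.js" }, // constructed path
  { type: "request", url: "https://notmappedin.com/x.js" },    // look-alike, ignored
  { type: "cookie", name: "mi_visitor" },
  { type: "request", url: "not a url" },                        // counted as malformed
  { type: "consent" },
  { type: "request", url: "https://tiles.mappedin.com/tile" }, // after opt-in
  { type: "cookie", name: "mappedin_session" },
];
console.log(auditPreConsent(SAMPLE_EVENTS));
```
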
By default Mappedin does not set persistent tracking cookies. The SDK uses session storage and in memory state for the map view and active route. Optional analytics modes may add a session cookie and a visitor ID. Exact names depend on the configuration chosen by the venue operator.
For functional indoor maps requested by the user (find a shop, get directions) consent is usually not required and the strictly necessary exemption of Article 5(3) ePrivacy applies. For maps that load automatically, are decorative or are paired with analytics, prior opt in consent is required.
For strictly functional maps, the legal basis is contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)). When optional analytics are activated, the legal basis is consent (Art. 6(1)(a)) combined with consent under Article 5(3) of the ePrivacy Directive.
Yes. Mappedin processes data in Canada and in AWS US East with a global CDN. Transfers to Canada are covered by the EU adequacy decision adopted in 2001 (limited to organisations subject to PIPEDA). Transfers to the United States rely on Standard Contractual Clauses and, where applicable, the EU US Data Privacy Framework.
A formal DPIA is generally not mandatory for a purely functional indoor map. It is recommended when Mappedin is paired with real time positioning, persistent user accounts, behavioural analytics, geolocation in sensitive venues (hospitals, government) or processes data of vulnerable users such as patients or minors.
Disable optional analytics when not strictly required, block the SDK behind your consent tool if analytics are enabled, sign a DPA with Mappedin, include the service in your record of processing, document the transfers to Canada and the US and provide a clear notice on the page where the map is loaded.
Yes. Functional alternatives include Google Maps Indoor, Apple Indoor Maps, Esri ArcGIS Indoors and Pointr. EU based alternatives include MazeMap (Norway), Situm (Spain) and Indoor Atlas (Finland), which may simplify cross border data transfer questions inside the EEA.
Add a Mappedin entry naming the provider (Mappedin Inc., Canada), the purpose (interactive indoor maps and wayfinding), the data categories (IP address, user agent, optional geolocation), the retention, the third country transfers (Canada, US) and the legal basis (contract or legitimate interest for functional maps, consent for analytics).