MaxMind is a US company providing IP geolocation and fraud detection services through the GeoIP2 product family and the minFraud platform. It is widely used by websites and applications to localise content, detect fraudulent transactions, enforce geographic restrictions, and pre-fill country selectors. MaxMind can be deployed as a downloadable database (server-side, no per-visit transfer) or as a web service (per-visit lookup to US servers).
MaxMind, Inc. is a US company that has provided IP geolocation data since 2002. Its flagship product, GeoIP2, maps IP addresses to country, region, city, postal code, latitude/longitude, ISP, and connection type. The minFraud platform builds on this geographic data to score the risk of online transactions in real time. MaxMind is one of the most widely used geolocation providers across Europe, embedded in WordPress plugins, e-commerce platforms, CDN edge logic, and fraud detection stacks.
The minimum input is the visitor IP address. For minFraud, additional inputs include email address (hashed), billing/shipping address, device identifiers, payment information, and behavioural signals such as session duration or order velocity. The output of GeoIP2 is essentially location and network metadata; minFraud outputs a risk score and a list of warnings. MaxMind does not set cookies in the visitor browser; the integration is entirely server side.
IP addresses are personal data under GDPR (CJEU Breyer, C-582/14). Because MaxMind is purely server side, the ePrivacy cookie consent requirement does not apply: there is no client-side storage or read. The relevant questions are therefore the GDPR lawful basis (typically legitimate interest under Art. 6(1)(f) for fraud prevention, security, and content localisation) and the international transfer if the web service mode is used.
The deployment mode is decisive. In GeoIP2 database mode, the binary database is downloaded periodically and lookups happen entirely on the EU server. There is no per-request transfer of personal data to the US. In web service mode (GeoIP2 Precision, minFraud), each lookup sends the IP (and any extra context) to MaxMind in the United States; transfers rely on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. For EU websites optimising for data minimisation, the database mode is the recommended default.
Prefer GeoIP2 database mode for non-fraud use cases. Document MaxMind in the RoPA as a legitimate interest processing for security and localisation. If the web service or minFraud is used, sign the MaxMind DPA, capture the SCCs, and run a Transfer Impact Assessment. Mention MaxMind and the country-level data inferred from the IP in the privacy notice. Truncate or hash IP addresses in your own application logs where possible, and avoid storing the full minFraud response longer than necessary for dispute resolution.
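One way to apply the advice to truncate or hash IP addresses in application logs, as an added example that is not code from MaxMind or from this page. The /24 and /48 prefix lengths, the key, the function names and the sample log lines are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress

# Assumed policy for this example: keep /24 of IPv4 and /48 of IPv6.
V4_PREFIX, V6_PREFIX = 24, 48
# Constructed key; in practice load it from a secret store and rotate it.
LOG_KEY = b"constructed-example-key"


def _normalise(raw: str):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(raw.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def truncate_ip(raw: str) -> str:
    """Zero the host bits so the logged value names a network, not a visitor."""
    ip = _normalise(raw)
    prefix = V4_PREFIX if ip.version == 4 else V6_PREFIX
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymise_ip(raw: str, key: bytes = LOG_KEY) -> str:
    """Keyed hash for correlating requests. A plain unkeyed hash of an IPv4
    address can be reversed by enumerating all 2**32 inputs, hence HMAC."""
    return hmac.new(key, _normalise(raw).packed, hashlib.sha256).hexdigest()[:16]


def scrub_log_line(line: str) -> str:
    """Rewrite the client-IP field (first token, as in common log format)."""
    first, _, rest = line.partition(" ")
    try:
        safe = truncate_ip(first)
    except ValueError:
        safe = "-"  # not a valid address: drop it rather than log it as-is
    return f"{safe} {rest}"


# Constructed sample access-log lines (documentation address ranges).
SAMPLE = [
    '203.0.113.77 - - [10/Mar/2025:13:55:36 +0000] "GET /checkout HTTP/1.1" 200 512',
    '2001:db8:1234:5678::1 - - [10/Mar/2025:13:55:37 +0000] "GET / HTTP/1.1" 200 1024',
    '::ffff:198.51.100.9 - - [10/Mar/2025:13:55:38 +0000] "GET / HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scrub_log_line(entry))
```

Truncation suits logs that only need coarse location; the keyed token suits logs that must correlate requests from one visitor, and rotating the key bounds how long that correlation remains possible.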
Websites using MaxMind must obtain user consent under GDPR regulations.
DPIA considerations
MaxMind processes visitor IP addresses, which are personal data under GDPR. Key DPIA considerations: (1) sensitivity of the use case: simple country-level lookups for content localisation are low risk, while fraud scoring (minFraud) involves richer profiling and may require a DPIA; (2) deployment mode: GeoIP2 database (local lookup) means no per-request transfer to MaxMind, while the web service involves a transfer of each visitor IP to the US; (3) data retention: MaxMind logs queries by default but offers a no-logs option for web service customers under the privacy commitment; (4) combination with other identifiers: pairing GeoIP data with persistent user IDs increases the profiling risk; (5) minFraud scores can include device, email, and behavioural signals, which warrants a more thorough impact analysis.
Sample consent text
Our website uses MaxMind GeoIP2 to determine the approximate location of visitors based on their IP address. This information is used to localise content, comply with geographic restrictions, and detect fraudulent activity. When the web service mode is used, your IP address is sent to MaxMind servers in the United States; in database mode, the lookup happens on our EU servers and no transfer occurs. The processing is based on our legitimate interest in security and content localisation (Art. 6(1)(f) GDPR).
Third-party domains contacted
maxmind.com, www.maxmind.com, geoip.maxmind.com, minfraud.maxmind.com, updates.maxmind.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies set by MaxMind | N/A | N/A | MaxMind is a server-side service and does not write cookies to the visitor browser. Any cookie linked to a geolocation flow is set by the host application itself. |
No. MaxMind is a server-side service. GeoIP2 lookups happen on your server (in database mode) or via a server-to-server API call (in web service mode). No cookies are written to the visitor browser by MaxMind itself. Any cookie set in connection with a geolocation flow is set by your own application.
Cookie consent under the ePrivacy Directive is not required because MaxMind does not store or read information on the device. Under GDPR, the processing of IP addresses can typically rely on legitimate interest (Art. 6(1)(f)) for security, fraud prevention, and content localisation, so explicit consent is generally not required.
Legitimate interest under Art. 6(1)(f) GDPR is the most common basis for fraud prevention, security, and content localisation. For high-risk use cases such as access restriction based on geographic origin, document a clear necessity and proportionality analysis in your Legitimate Interest Assessment.
It depends on the mode. In GeoIP2 database mode, no per-request transfer occurs because lookups happen locally on your EU server. In web service mode (GeoIP2 Precision, minFraud), each visitor IP is sent to MaxMind in the United States. Transfers are governed by Standard Contractual Clauses under Art. 46(2)(c) GDPR.
For simple country-level geolocation, no. For minFraud or any fraud scoring use case that combines email, device, payment, and behavioural signals, a DPIA is recommended, particularly if scores influence access to a service or pricing decisions.
Prefer GeoIP2 database mode when feasible. Sign the MaxMind DPA, document Standard Contractual Clauses for web service use, run a short Legitimate Interest Assessment, mention MaxMind and the derived location data in your privacy notice, and avoid storing raw IPs longer than necessary in your own application logs.
Alternatives include DB-IP (US/Romania, free and commercial databases), IP2Location (Malaysia), ipinfo.io (US), ipapi.co (US), and the open source GeoLite alternative ip2asn. For EU-hosted options, consider self-hosting an open dataset on your own infrastructure to avoid any third-country transfer entirely.
MaxMind does not set cookies, so it does not need a cookie policy entry. Instead, update the privacy notice to mention the IP-based geolocation, the lawful basis (legitimate interest), and, if the web service is used, the transfer to the United States with Standard Contractual Clauses.