This Privacy Policy is issued by Mapxus Technology Pte. Limited (UEN 202024637M), a private company limited by shares incorporated in Singapore, with registered office at 10 Anson Road #11-20, International Plaza, Singapore 079903 (“Mapxus”, “we”, “us”, or “our”).
Mapxus Technology Pte. Limited is the data controller for the Personal Data described in this Policy, for all Mapxus customers and users worldwide. Our Japan regional operating entity, 株式会社マプサス・テクノロジー・ジャパン (Mapxus Technology Japan K.K.), supports Japan-region operations under the intra-group arrangements set out in our Mapxus Group Intra-Group Data Transfer Agreement; for Japan-region operations and APPI inquiries, please see Section 13.4.
The Mapxus indoor mapping and positioning technology is owned by Mapxus Technology Holding Limited (British Virgin Islands), the group’s intellectual-property holding company, and licensed to Mapxus under intra-group arrangements. Mapxus Technology Holding Limited is not a data controller and does not receive Personal Data from the services covered by this Policy.
Mapxus also operates regional offices in Hong Kong (Maphive Technology Limited), Taiwan (台灣蜂圖誌科技有限公司), and Japan (株式会社マプサス・テクノロジー・ジャパン) that provide local sales, support, and regulatory liaison. They are operational offices of the Mapxus group. Where you have entered into a regional Master Services Agreement with one of these entities, that regional entity processes your billing and account information for invoicing purposes under intra-group arrangements; Mapxus Technology Pte. Limited remains the controller for the underlying service data unless a separate regional Privacy Policy applies.
This Policy applies to Personal Data processed in connection with:
(a) the Mapxus English-language website at mapxus.com and subdomains (the “Website”);
(b) the Mapxus SDK for iOS and Android (the “SDK”);
(c) the Mapxus API;
(d) the Mapxus Service Center, Cell Sketch, Site Validation, and Mapxus Anywhere products;
(e) Mapxus-published consumer applications (e.g., CityGeni, MapInspect);
(f) the Mapxus Positioning Analytics & Tracking add-on, where subscribed; and
(g) sales, support, and business-development activities.
This Policy does not apply to:
• Applications developed by third-party Business Users that use the SDK or API — those are the responsibility of the Business User
• Indoor positioning carried out by Apple Core Location on iOS devices — Apple is the controller of that data
Mapxus is designed to minimise the Personal Data we retain. By default, we do not save positioning history on our servers. On Android, our SDK collects a small set of inputs (a pseudonymous device identifier, Wi-Fi scan data, request metadata) for the sole purpose of calculating and returning your position; those inputs are deleted shortly after. GPS coordinates are not transmitted to our backend for Wi-Fi positioning. On iOS, indoor positioning is delivered through Apple Core Location and is governed by Apple’s privacy practices. Beyond positioning, we process Personal Data you provide through our Website, your Business User Account, and our sales and support activities.
When you visit our Website we automatically collect: IP address, device and browser information, pages visited, time stamps, referring URL, and other standard server-log information. Cookies and similar technologies as in Section 11.
When you register for or manage a Business User Account in the Mapxus Service Center (CMS), we collect: name, email, phone number, job title, company name, billing address, tax identifier, salted-hashed authentication credentials, and support and billing correspondence. Card numbers are not collected; all customer payments are processed by bank transfer, cheque, or TT based on invoice.
When an End User on Android triggers an indoor position calculation through an application powered by the Mapxus SDK, the SDK transmits to Mapxus servers:
• Pseudonymous device identifier — generated inside the SDK as a per-install random UUID using the standard Java java.util.UUID.randomUUID() method. The identifier is not derived from any operating-system or hardware identifier (including IMEI, MAC address, Android ID, or advertising identifiers). It is used solely to route the calculated position back to the requesting device within the session.
• Wi-Fi scan data — BSSIDs, SSIDs, and received signal strengths (RSSI) of Wi-Fi access points visible at the moment of the request.
• Request metadata — timestamp, SDK version, application identifier.
GPS coordinates are not transmitted to Mapxus servers for Wi-Fi-based indoor positioning.
These inputs are used to calculate an indoor position, which is returned to the device. The calculated position is not persisted on Mapxus servers by default. The inputs themselves are retained in operational logs for up to 30 days and in encrypted archives for up to a further 11 months (total: up to 12 months) for service integrity, fraud prevention, and billing purposes, then permanently deleted.
On iOS devices, indoor positioning is delivered through Apple Core Location and the Apple Indoor Maps Program. Apple is the controller of this processing. Mapxus’s role on iOS is limited to submitting venue maps in IMDF format to Apple’s Indoor Maps Program; we do not receive position-calculation inputs or outputs.
For Apple’s processing, see Apple’s Privacy Policy at https://www.apple.com/legal/privacy/ and the Apple Maps Terms of Use.
Where a venue has subscribed to VPS, the SDK transmits camera images (captured from the device’s camera, not the photo album), GPS coordinates, and the pseudonymous device identifier to Mapxus servers for server-side AI-based face and license-plate blurring, followed by position calculation. Raw (unblurred) images are deleted within 5 minutes of blur completion; blurred images are deleted within 24 hours; calculated positions are not retained by default. End Users are required to provide specific consent before VPS is used on their device. A dedicated VPS Privacy Notice is shown at the first use of VPS. See also Section 12.
If a venue (Business User) subscribes to the Mapxus Positioning Analytics & Tracking add-on, additional Personal Data may be processed about End Users within that venue, only after the venue obtains all required End User consents and complies with applicable privacy and employment law. Details in the separate Add-on Terms.
If you engage our sales team, request a demo, or subscribe to newsletters or communications, we collect contact information, company information, and records of our communications.
For clarity, Mapxus does not routinely collect:
• Government-issued identity documents (except as required for billing verification on certain payment methods)
• Biometric identifiers (the momentary face detection used to trigger blurring in VPS is not retained)
• Racial, ethnic, religious, health, genetic, or sexual-orientation data
• Precise advertising identifiers (Apple IDFA, Google AAID) from the SDK
We process Personal Data for the following purposes:
We do not use Wi-Fi fingerprints, camera images, or other positioning inputs to train or improve our machine learning models. We do not sell Personal Data, and we do not share Personal Data for cross-context behavioural advertising.
When retention ends, we delete or irreversibly anonymise the data.
We use the following categories of sub-processor under written agreements:
• Cloud hosting: Microsoft Azure — Azure Southeast Asia (primary region for this Policy’s scope) and Azure East Asia (Hong Kong) for backup
• Content delivery network: Microsoft Azure Front Door (for web-based SDKs and the Mapxus Anywhere product; not used for map tiles or the positioning SDK pipeline)
• Email and communications: Microsoft 365
• Website analytics: Google Analytics 4 (with IP anonymisation enabled; being phased out) and Amplitude (no IP collection)
• Customer support ticketing: Linear
• Crash reporting for Mapxus consumer apps only (e.g., CityGeni): Google Firebase Crashlytics
A current sub-processor list, with entity names and locations, is maintained at mapxus.com/legal/sub-processors. Material changes are notified to Business Users at least 30 days in advance, with a right to object and terminate the affected subscription if the change is unacceptable.
Personal Data may be accessed by Mapxus’s regional operating entities (Maphive Technology Limited HK, 台灣蜂圖誌科技有限公司 TW, 株式会社マプサス・テクノロジー・ジャパン JP) for support and operational purposes under the intra-group safeguards described in our Mapxus Group Intra-Group Data Transfer Agreement and in Section 8 below. Japan-region operations are supported through Mapxus Technology Japan K.K. and Personal Data of Japanese data subjects, where stored, is primarily held in the Azure Japan region.
Where you use a Mapxus-published consumer application within a venue, we may share necessary data with the venue Business User (e.g., your wayfinding request within the venue).
Where required by law, legal process, or a binding request from a public authority. We notify the affected individual or Business User where permitted.
If Mapxus or the Mapxus group is involved in a merger, acquisition, restructuring, or asset sale, Personal Data may be transferred with notice.
Personal Data we collect under this Policy is primarily processed in Singapore (Azure Southeast Asia). Processing may also occur in Hong Kong (Azure East Asia backup) and in other regions where our sub-processors operate.
Pursuant to the Singapore Personal Data Protection Act (PDPA), we ensure that any recipient of Personal Data outside Singapore is legally bound to provide a standard of protection to the transferred Personal Data that is comparable to the protection under the Singapore PDPA (for example, through Standard Contractual Clauses or an intra-group Data Transfer Agreement). This is implemented through written contractual safeguards with our sub-processors and group affiliates, including Microsoft Azure and our regional operating entities. Copies of the relevant safeguards are available on request from info@mapxus.com.
For transfers involving Personal Data of data subjects in Hong Kong, we apply the equivalent cross-border data-transfer safeguards required by Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486). For transfers involving Personal Data of data subjects in Taiwan, we apply the equivalent safeguards required by 個人資料保護法 Article 21.
We implement technical and organisational measures designed to protect Personal Data including: encryption in transit (TLS 1.2+) and at rest, access controls, logging and monitoring, regular penetration testing, and employee training.
No system is perfectly secure. In the event of a personal data breach affecting your data, we will notify Business Users within 72 hours of becoming aware, in accordance with applicable data-protection law.
Categories:
• Strictly necessary (session management, login) — no consent required
• Analytics (understanding Website usage) — opt-out available via cookie preferences
• Marketing (targeted communications) — opt-out available
A cookie preference centre is available on our Website. Our SDK does not set browser cookies on End User devices. See the Mapxus Cookie Notice at mapxus.com/legal/cookies for full details.
Subject to applicable law, you have rights to:
• Access your Personal Data
• Correct inaccurate or incomplete data
• Request deletion (subject to legal-retention exceptions)
• Restrict processing in specified circumstances
• Portability in a structured, commonly used, machine-readable format (where applicable)
• Object to processing based on legitimate interests, and to direct marketing at any time
• Withdraw consent at any time where processing is consent-based, without affecting prior processing
• Complain to your local data-protection authority (e.g., Singapore’s Personal Data Protection Commission (PDPC) for data subjects in Singapore; other regional authorities for other regions)
To exercise any right, contact info@mapxus.com. We will respond within the statutory timeframe applicable in your jurisdiction. We may verify your identity before responding. There is generally no fee.
Because we do not retain positioning history by default, most access, portability, or deletion requests for positioning data are fulfilled by confirming that no such data exists.
Where a venue has subscribed to Positioning Analytics & Tracking or enabled VPS for their venue:
• The venue is the data controller of positioning events in that venue
• Mapxus acts as data processor, under the terms of a separate Data Processing Addendum
• End User rights (access, deletion, etc.) are exercised through the venue
• Full disclosures are in the separate Mapxus Positioning Analytics & Tracking Add-on Terms and the Mapxus VPS Privacy Notice
• Controller: Mapxus Technology Pte. Limited (UEN 202024637M)
• Data Protection Officer: info@mapxus.com
• Consent withdrawal: privacy@mapxus.com
• Cross-border transfers under PDPA Section 26 use contractual safeguards ensuring comparable standard of protection (per Section 8 above)
• Access and correction requests: privacy@mapxus.com. A fee may be charged where permitted.
• Complaints: Personal Data Protection Commission (https://www.pdpc.gov.sg/)
• Our Hong Kong regional operating entity, Maphive Technology Limited (Flat/Rm 2308, 23/F, CEO Tower, 77 Wing Hong Street, Cheung Sha Wan / Lai Chi Kok, Kowloon, Hong Kong), supports local inquiries
• Data access and correction requests under DPP6 may be submitted to privacy@mapxus.com
• Complaints: Office of the Privacy Commissioner for Personal Data, Hong Kong (https://www.pcpd.org.hk/)
• Our Taiwan regional operating entity, 台灣蜂圖誌科技有限公司 (5F-5, No. 142, Sec. 4 Zhongxiao East Road, Da’an District, Taipei City 106), is our local liaison
• Article 3 rights (access, copy, correct, stop collection/use, delete): privacy@mapxus.com
• Complaints: the relevant Taiwanese industry regulator or the Ministry of Digital Affairs
• Controller: Mapxus Technology Pte. Limited (Singapore). Our Japan regional operating entity, 株式会社マプサス・テクノロジー・ジャパン (Mapxus Technology Japan K.K.) (法人番号 4140001118039, 9F Edobori Center Building, 2-1-1 Edobori, Nishi-ku, Osaka 550-0002), supports Japan-region operations and serves as the local contact point for APPI-related inquiries.
• Article 18 purposes of use: as set out in Sections 4 and 5 of this Policy.
• Article 28 cross-border transfer: Personal Data of Japanese data subjects, where stored, is primarily held in the Azure Japan region (East / West) operated by Microsoft Corporation. Where Personal Data is transferred from Japan to Mapxus Technology Pte. Limited (Singapore) or other Mapxus group entities for support, operational, billing, or group-coordination purposes, the safeguards in our Mapxus Group Intra-Group Data Transfer Agreement apply, providing a Standard of Protection comparable to that required under the APPI.
• Article 32 disclosure procedure and rights: for disclosure (開示), correction (訂正), suspension of use (利用停止), or deletion (消去) requests, please contact privacy@mapxus.com.
• Complaints: Personal Information Protection Commission (PPC), https://www.ppc.go.jp/.
For Personal Data processed under this Policy and relating to data subjects in other regions, we will apply reasonable protections consistent with applicable local data-protection law. Contact info@mapxus.com for any data-protection inquiry.
Mapxus is a leading Spatial AI Data Infrastructure provider. Our operations are anchored by two operational headquarters — Singapore (covering Southeast Asia) and Japan (covering North Asia) — and extend across the Asia-Pacific region and the Middle East. We are actively expanding into the Rest of the World. We offer flexible deployment architectures to enterprise and government customers, including regional data-residency deployments, enterprise-dedicated environments, and sovereign-architecture options that keep customer data within a specified jurisdiction and align with local regulatory requirements.
At this time, Mapxus does not offer goods or services to, or monitor the behaviour of, individuals located in the European Economic Area or the United Kingdom within the meaning of Article 3(2) of the GDPR or UK GDPR. As we expand globally, we engage with each new market on a case-by-case basis. If your business requires indoor spatial intelligence in the EEA, UK, or any other jurisdiction with specific regulatory or data-sovereignty requirements, we welcome the conversation. Contact us at info@mapxus.com to discuss how our infrastructure can be deployed to meet your regional compliance needs. Where engagement proceeds, Mapxus will establish the appropriate data-protection, contractual, and regulatory frameworks — including the appointment of a GDPR Article 27 representative and updates to this Privacy Policy — prior to commencing service in that region.
Incidental use of our Website, or of Asia-based Mapxus-powered services by individuals who happen to be located in the EEA or UK at the time (for example, a traveller using a venue application while visiting an Asian venue), is not a regulated service offering by Mapxus under the GDPR or UK GDPR. In all cases, individual rights of access, correction, deletion, and complaint remain available by contacting privacy@mapxus.com.
Mapxus does not sell Personal Data and does not share Personal Data for cross-context behavioural advertising under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Precise geolocation data that may be processed during indoor positioning is handled in accordance with this Policy’s Sensitive Personal Information practices and is not used for purposes beyond those necessary to provide the service. California residents may exercise CCPA / CPRA rights by contacting privacy@mapxus.com.
The Service is not directed to children under 13. We do not knowingly collect Personal Data from children under 13. If we learn that we have inadvertently done so, we will delete it promptly. If you believe a child has provided data to us, contact privacy@mapxus.com.
We may update this Policy from time to time. The “Last updated” date indicates when this version took effect. For material changes, we will notify Business Users by email, in-product notice, or homepage banner at least 30 days before the changes take effect. An archive of prior versions is available at mapxus.com/legal/privacy-archive.
Controller: Mapxus Technology Pte. Limited, 10 Anson Road #11-20, International Plaza, Singapore 079903
Privacy and General inquiries: info@mapxus.com