In addition to the content below, this Privacy Policy also governs data collected via BigGeo's MCP server tool calls, including inputs passed to and outputs received from the MCP server. This disclosure is made pursuant to Anthropic's Software Directory Policy and OpenAI's ChatGPT App Directory submission guidelines. When BigGeo's MCP server is accessed via Claude, Anthropic may independently collect tool call parameters and responses as telemetry in accordance with Anthropic's own privacy policy and terms. Users should review Anthropic's privacy policy for details.
BigGeo Global Inc. and its affiliates and subsidiaries ("BigGeo," "we," "us," "our," and similar expressions) value your privacy and we want you to understand how we collect, use, share, and protect your personal information when you visit www.biggeo.com and any of its sub-domains (our "Website"), buy products through us, use our services, sign up for an Account with us, use our software platform including Datalab, Marketplace, and Datascape (the "Platform"), interact with BigGeo's Model Context Protocol (MCP) server and integrations, and otherwise interact with us (collectively, our "Products and Services"). By using our Website or any of our Products and Services, you are agreeing to the terms of this Privacy Policy.
This policy applies globally. BigGeo's MCP connector is available to users worldwide. Regional rights and obligations are addressed in Section 13 (EU/EEA — GDPR Compliance) and Section 14 (CCPA/CPRA — California Residents).
Privacy contact: privacy@biggeo.com
"Personal information" is generally any information about an identified or identifiable individual, which includes information that can be used on its own or with other information to identify, contact, or locate a natural person.
Categories of Personal Data Collected via MCP (CCPA §1798.100 / OpenAI requirement)
MCP tool call data falls into the following CCPA-defined categories: Geolocation Data (coordinates, place names, bounding boxes); Internet or Other Electronic Network Activity (tool invocation metadata: tool name, timestamp — anonymised); Identifiers (OAuth session identifiers — transient only, not retained).
No other CCPA categories are collected via MCP tool calls. BigGeo's geospatial tools require precise coordinates as functional inputs (not user-tracking data). These coordinates are analytical parameters — analogous to search terms — and are not used to track user location. The 'coarse geolocation' alternative is insufficient for geospatial analysis, which is the tool's sole purpose.
MCP tool input parameters are strictly task specific and do not accept open-ended intent or context fields that could expand data collection beyond the tool's stated geospatial function.
If BigGeo introduces MCP tools with write capabilities in the future, such tools will be annotated as write actions and will require user confirmation before execution, in accordance with platform guidelines.
When users interact with BigGeo's MCP server through an AI platform, the following categories of data may be collected, processed, or transiently handled as part of tool call execution:
| Data Type | Description | How Handled |
|---|---|---|
| Geospatial query inputs | Location coordinates, place names, geographic regions, bounding boxes, and spatial parameters submitted as MCP tool call inputs | Processed to execute the geospatial function; not retained beyond request execution |
| Boundary lookup parameters | Administrative or custom boundary identifiers (e.g. country, city, postal code, polygon references) | Processed to return boundary data; not retained beyond request execution |
| Brand and business name queries | Names of businesses, brands, or points of interest submitted as search parameters | Processed to return geospatial or business data; not retained beyond request execution |
| Foot traffic data parameters | Query parameters relating to foot traffic datasets, including location identifiers and date/time ranges | Processed to retrieve aggregated, non-identifiable foot traffic data; parameters not retained beyond request execution |
| OAuth identity tokens | Short-lived authentication tokens used to verify user identity and authorise MCP endpoint access | Temporarily cached server-side for minimum duration necessary, then securely discarded. See Section 2.3. |
| MCP tool invocation metadata | Tool names called, timestamp of invocation, and response metadata | Retained in anonymised/aggregated form for security monitoring. PII is redacted from all logs. Logs contain only anonymised correlation identifiers (tool name, timestamp) with all PII redacted. |
BigGeo's MCP tool calls do not collect sensitive or special category data as defined under GDPR Article 9 or CCPA. MCP tools are designed to accept geospatial and business query parameters only. If a user's natural language prompt incidentally contains sensitive information before it is passed to BigGeo's MCP server, BigGeo does not process, retain, or act on that information beyond executing the geospatial function requested.
BigGeo's core function is geospatial analysis. Location inputs (coordinates, place names, bounding boxes) are strictly necessary to execute the tool's stated geospatial function and are not retained beyond request execution. Location data is not used for tracking, profiling, advertising, or any purpose beyond returning the requested geospatial result.
BigGeo does not engage in surveillance, tracking, or behavioural profiling of MCP users. BigGeo does not use MCP tool call data for advertising, sponsored content, paid product placement, cross-context behavioural advertising, or any form of user profiling. Anonymised, PII-redacted MCP invocation metadata is used solely for security monitoring and abuse prevention.
BigGeo's MCP tool input schemas are designed to collect only the minimum parameters required for each geospatial function. Input fields are specific, narrowly scoped, and clearly linked to the task. BigGeo does not include broad profile data fields or "just in case" data collection in any MCP tool schema.
BigGeo's MCP tool responses contain only the geospatial or analytical results directly relevant to the user's request. Tool responses never include diagnostic data, telemetry, internal identifiers, session IDs, trace IDs, timestamps, or logging metadata.
Contact data and account profile data: We collect personal information you give us directly when you create an Account, activate a subscription or purchase our Products and Services, or upload data to the Platform. This includes your email address, first and last name, payment information, and your username and password. You may also provide optional information such as avatars, profile images, and links to social network profiles.
Data in contracts and other legal agreements: We may collect information directly from you for contractual or legal reasons, such as your jurisdiction selection when you sign up for Products and Services.
Identity verification information: We collect information to verify your identity, which may include your name, date of birth, and contact details.
Communications: We may collect personal information you include in your communications with us, including SMS messages, form submissions on the Website, in-platform communications, and other electronic messages.
Marketing preferences, surveys, and promotions: We collect information you include in your marketing preferences or that you provide as part of a survey, contest, or promotion.
Social and community content: We receive content you post on our social media pages and the public areas of our Website.
Payment processing information: If you make a purchase through us, we or any third-party payment processors will collect information about the purchase or transaction, including billing details, credit card information, and authentication information.
Information you upload: We collect personal information about you when you upload it to the Platform or otherwise give it to us when we provide our Products and Services to you.
We may receive personal information about you from third parties where you have provided consent or where we are permitted by applicable law. Sources include:
We, our service providers, and our business partners may automatically collect personal information about you, including usage of the Website and Platform (IP address, geographic location, browser type and settings, log data, device information, date and time of your visit, language preferences), usage information about your use of our Products and Services, communication interaction data, online behavioral data, and cookies and tracking technologies. More information on our use of cookies is available in our Cookie Policy at biggeo.com/legal/cookies.
Our Products and Services may ask you to input sensitive personal information in certain contexts, such as when you request financial products made available through collaborations with our business partners. Sensitive personal information will be identified at the time we request it.
MCP — Required disclosure: Anthropic Software Directory Policy and OpenAI ChatGPT App Directory both prohibit storage of authentication secrets in tool responses.
BigGeo uses OAuth 2.0 (with certificates from recognised authorities, as required by the Anthropic Software Directory Policy) to authenticate users accessing the MCP server. The following practices govern OAuth token handling:
We use information that we collect about you or that you provide to us, including any personal information, for the following purposes:
We may use machine learning algorithms and forms of automated decision-making to prevent risk and fraud, to personalise your experience, and to determine eligibility for certain services or features we offer on our Website and Products and Services. Some jurisdictions give individuals a right to have these automated decisions reviewed by a person. Please contact us at privacy@biggeo.com with any requests or information about our use of automated decision-making technologies. EU/EEA residents have specific rights with respect to automated decision-making under Article 22 of the GDPR. See Section 13.4(g) for details.
In addition to other scenarios discussed in this Privacy Policy, we may share your personal information in the following ways:
Data collected via BigGeo's MCP tool calls may be shared with the following categories of recipients: (1) Authentication provider — Stytch (user identifiers and session metadata for identity verification only; OAuth tokens are not shared); (2) Geocoding provider — Google Maps Platform (address strings and coordinate pairs for geocoding resolution; no account data or OAuth tokens shared); (3) Infrastructure and hosting providers — cloud hosting, database, and monitoring services acting as data processors under BigGeo's instruction; (4) Analytics providers — aggregated, anonymised platform analytics only; (5) Payments - Stripe. No MCP data is shared with advertisers, data brokers, or third parties for commercial purposes.
BigGeo shares personal data with the following third-party services in the course of providing its platform and MCP server. Each third party is bound by contractual obligations to protect the data shared with them.
Purpose: Stytch provides identity and authentication infrastructure for BigGeo's MCP server and platform.
Data shared: User identifiers, email addresses, and session metadata necessary to authenticate users and manage access.
Data not shared: OAuth identity tokens cached server-side are not passed to Stytch.
Stytch Privacy Policy: https://stytch.com/privacy
Purpose: Google Maps Geocoding API is used to resolve addresses, place names, and coordinates submitted as MCP tool call parameters into structured geospatial data.
Data shared: Address strings, place name queries, and coordinate pairs submitted in tool call inputs that require geocoding resolution. No user account information or OAuth tokens are shared.
Google Privacy Policy: https://policies.google.com/privacy
BigGeo may use third-party infrastructure and analytics providers (including cloud hosting, database, and monitoring services) to operate its platform. These providers act as data processors under BigGeo's instruction and are bound by appropriate data processing agreements. A current list of subprocessors is available upon request at privacy@biggeo.com.
Purpose: Stripe provides payment processing infrastructure for BigGeo's marketplace. When you make a purchase through BigGeo's marketplace, your payment is processed directly by Stripe.
Data shared: A payment token and customer identifier generated by Stripe are shared with BigGeo to confirm and record completed transactions. BigGeo does not receive, store, or process raw payment card details, banking information, or full billing information — these are submitted directly to and handled exclusively by Stripe.
Data not shared: Payment card numbers, CVV codes, and bank account details are never transmitted to or stored by BigGeo.
Stripe Privacy Policy: https://stripe.com/privacy
Where applicable law requires (and subject to any relevant exceptions under law), you may have the right to access, update, change, or delete your personal information. You can access, update, delete, or change your personal information directly in your Account or by contacting us at privacy@biggeo.com to request the required changes.
If we rely on consent for the collection, use, or disclosure of your personal information, you have the right to withdraw it at any time and free of charge.
Some jurisdictions' laws may give you the right to restrict or object to the processing of your personal information or to exercise a right to data portability. If such rights apply to you, you may exercise them by contacting us at privacy@biggeo.com.
If you no longer wish to receive marketing emails or other Electronic Messages from us, you can opt-out by following the unsubscribe link in the messages or by contacting us.
You may have the right to lodge a complaint with a competent supervisory authority, subject to applicable law. Canadian users may contact the Office of the Privacy Commissioner of Canada. California residents may contact the California Privacy Protection Agency. EU/EEA residents may lodge a complaint with the supervisory authority in their member state of residence. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
MCP User Controls
Users may exercise the following controls over data collected via BigGeo's MCP server: (a) Deletion of anonymised MCP metadata logs — Users may request deletion of MCP tool invocation metadata logs by contacting privacy@biggeo.com. Please note that where logs have been fully anonymised (containing only tool name and timestamp with all PII redacted), such data may not be attributable to any individual and deletion may not be technically feasible. BigGeo will notify the requester if this is the case. (b) Revocation of OAuth access — Users may revoke BigGeo's OAuth access at any time through the AI platform's integration settings. Revoking access will prevent further MCP tool calls until access is re-granted. (c) All other data subject rights described in this Section 7 apply equally to MCP-collected data.
You may be able to post or make public communications on certain areas of our Website or Products and Services, such as comments, discussion forums, and in-platform communication functions. These kinds of communications are made at your own risk.
We are based in Canada, but we may process, store, and transfer personal information in Canada or elsewhere. We may use third-party service providers such as managed hosting providers, credit card processors, CRM systems, and technology partners whose servers may be located outside of Canada.
MCP — Global Availability
BigGeo's MCP connector is available globally. Geographic restrictions are not enforced at the Anthropic Connectors Directory or OpenAI ChatGPT App Directory level. The OpenAI project used for BigGeo's ChatGPT App Directory submission does not have EU data residency.
EU/EEA Users: BigGeo collects and processes Personal Information from EU/EEA residents in compliance with the GDPR. Transfers of EU/EEA personal data from the EU/EEA to BigGeo in Canada are governed by Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission. BigGeo has designated an EU Representative pursuant to Article 27 of the GDPR. See Section 13 for details.
Canadian users: BigGeo complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including Quebec Law 25 (Law 25 / Bill 64).
We follow industry standards on information security management to safeguard sensitive information, such as financial information, intellectual property, and any other personal information entrusted to us. Security measures include:
SOC 2 certification: BigGeo is currently in the process of obtaining SOC 2 certification. Upon certification, details will be published at biggeo.com/trust. In the interim, BigGeo's security practices are available to enterprise customers upon request under NDA.
No method of transmission over the Internet, or method of electronic storage, is completely secure. Therefore, we cannot guarantee the absolute security of your personal information. BigGeo will notify affected users and applicable regulatory authorities of any personal data breach in accordance with applicable law.
Where a personal data breach affects EU/EEA personal data, BigGeo will notify affected customers within 48 hours of confirming the breach to enable customers to meet their own 72-hour supervisory authority notification obligation under Article 33 of the GDPR.
BigGeo retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following specific retention periods apply:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| OAuth identity tokens (cached) | Maximum 15 minutes or session lifetime, whichever is shorter — then securely discarded (confirmed by engineering) | Minimum necessary for authentication |
| MCP tool call inputs and outputs | Not retained beyond request execution. Anonymised metadata (tool name, timestamp — no PII) retained up to 90 days for security monitoring | Data minimisation; security monitoring necessity |
| Platform account data (name, email, organisation) | Duration of active account, plus 3 years following account closure or last activity | Contractual and legal compliance obligations |
| Usage and analytics data (anonymised) | Up to 24 months from collection, then aggregated or deleted | Service improvement; legitimate interests |
| Support and communication records | 3 years from the date of communication | Legal compliance and dispute resolution |
| Transaction and billing records | 7 years from date of transaction | Tax and financial regulatory obligations (Canada — Income Tax Act) |
| Security and audit logs (PII-redacted) | 12 months | Security monitoring; fraud prevention |
| Uploaded datasets and configurations | Duration of active subscription, plus 90 days following account closure (to permit export), then permanently deleted | Contractual obligation |
Deletion requests: Users may request deletion of their personal data at any time by contacting privacy@biggeo.com. BigGeo will acknowledge deletion requests promptly (within 5 business days) and will complete deletion without undue delay and within 30 days of receipt, subject to any legal obligations requiring retention. This timeline satisfies applicable statutory requirements. Where data cannot be fully deleted due to legal retention requirements, BigGeo will notify the requester and explain the basis for continued retention. For EU/EEA personal data, the legal bases identified in the table correspond to the following GDPR Article 6 grounds: "Contractual and legal compliance obligations" = Article 6(1)(b) and 6(1)(c); "Legitimate interests" = Article 6(1)(f); "Consent" = Article 6(1)(a). Retention periods for EU/EEA personal data are subject to the data minimisation principle under Article 5(1)(e) of the GDPR.
BigGeo maintains a Data Processing Agreement (DPA) that governs the processing of personal data on behalf of commercial customers and data partners.
BigGeo's DPA can be found here: biggeo.com/legal/dpa
Enterprise customers and data partners may request a copy of BigGeo's DPA by contacting privacy@biggeo.com.
EU/EEA customers should refer to Section 13 of this Privacy Policy for information on how BigGeo processes EU/EEA personal data under the GDPR and how the DPA governs that processing.
BigGeo collects and processes Personal Information from individuals located in the European Union and European Economic Area ("EU/EEA") in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). BigGeo acts as a Data Controller when processing EU/EEA personal data for its own purposes, and as a Data Processor when processing EU/EEA personal data on behalf of its customers pursuant to a Data Processing Agreement.
BigGeo has designated an EU Representative pursuant to Article 27 of the GDPR. BigGeo's EU / EEA Representative is: Verasafe.
https://verasafe.com/public-resources/contact-data-protection-representative
Telephone at: +420 228 881 031 or at: +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
Keizersgracht 555
1017 DR Amsterdam
Netherlands
37 Albert Embankment
London SE1 7TL
United Kingdom
BigGeo processes EU/EEA personal data on the following lawful bases under Article 6 of the GDPR: (a) Contract performance (Article 6(1)(b)): processing necessary to deliver the Platform, Products, and Services; (b) Legitimate interests (Article 6(1)(f)): processing for security monitoring, fraud prevention, and service improvement on anonymised data, where BigGeo's legitimate interests are not overridden by your fundamental rights; (c) Legal obligation (Article 6(1)(c)): processing required to comply with applicable laws; and (d) Consent (Article 6(1)(a)): where BigGeo relies on your consent, such as for marketing communications, which may be withdrawn at any time by contacting privacy@biggeo.com.
If you are located in the EU or EEA, you have the right to:
Access the personal data BigGeo holds about you.
Request correction of inaccurate or incomplete data.
Request deletion of your personal data, subject to applicable legal obligations.
Request restriction of processing in certain circumstances.
Receive your personal data in a structured, machine-readable format.
Object to processing based on legitimate interests or for direct marketing.
Not be subject to solely automated decisions that produce significant legal or similarly significant effects.
To exercise any of these rights, contact privacy@biggeo.com. BigGeo will respond within 30 days (extendable by a further 60 days for complex requests, with notice).
BigGeo is based in Canada. Transfers of EU/EEA personal data to BigGeo in Canada are governed by Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission Decision of 4 June 2021. Copies of the applicable Standard Contractual Clauses are available upon request at privacy@biggeo.com.
Where BigGeo processes EU/EEA personal data as Controller for its own purposes, transfers shall be governed by the applicable Standard Contractual Clauses module, which may include Module 1 (Controller to Controller). BigGeo will confirm the applicable module upon request at privacy@biggeo.com.
If you believe BigGeo has not handled your personal data in compliance with the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU/EEA member state of residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. You may also contact BigGeo's EU Representative directly at the contact details provided in Section 13.2.
BigGeo's MCP connector is technically available globally. Geographic restrictions are not enforced at the connector directory level. EU/EEA users who access BigGeo's MCP server do so within the scope of BigGeo's GDPR-compliant service offering. BigGeo processes any EU/EEA personal data submitted via MCP tool calls in accordance with this Section 13 and the GDPR. Users and deploying organizations are responsible for ensuring compliance with applicable local law.
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
Categories of personal information collected: In the preceding 12 months, BigGeo has collected the following categories as defined under CCPA: Identifiers (name, email, IP address); Commercial information (subscription records); Internet or other electronic network activity (usage data, analytics); Geolocation data (coordinates and location parameters submitted in tool calls); Professional or employment-related information (organisation, job title). See also Section 2.1 for MCP-specific CCPA category disclosures.
To exercise your rights, contact: privacy@biggeo.com. BigGeo will respond within 45 days of receipt of a verifiable consumer request (extendable by a further 45 days with notice).
Our Website, its features, the Products and Services, and BigGeo's MCP server are not directed at individuals under the age of 16 (or such other age as may be prescribed by applicable law in the relevant jurisdiction). BigGeo does not knowingly collect personal data from children. If BigGeo becomes aware that personal data has been collected from a child without verifiable parental consent, BigGeo will take steps to delete that data promptly. If you believe BigGeo has inadvertently collected data from a child, please contact privacy@biggeo.com.
We may update this Privacy Policy from time to time to reflect changes to our privacy practices, applicable law, or platform requirements. When material changes are made, BigGeo will:
Continued use of BigGeo's platform or MCP connector following the effective date of any updated policy constitutes acceptance of the revised terms, to the extent permitted by applicable law.
For all privacy-related enquiries, data subject requests, data deletion requests, or complaints:
Privacy Contact: privacy@biggeo.com
Support (general): support@biggeo.com
Data Controller: BigGeo Global Inc., Calgary, Alberta, Canada
Address: Suite 200, 1215 1 Street SE. Calgary, Alberta, Canada. T2R 0V3
EU / EEA Representative (GDPR Article 27): Verasafe.
https://verasafe.com/public-resources/contact-data-protection-representative
Telephone at: +420 228 881 031 or at: +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
Keizersgracht 555
1017 DR Amsterdam
Netherlands
37 Albert Embankment
London SE1 7TL
United Kingdom
BigGeo aims to acknowledge all privacy enquiries within 5 business days of receipt. Substantive responses to formal data subject requests will be provided within the applicable statutory timeframes set out in Section 13.4 (GDPR), Section 14 (CCPA/CPRA), and Section 7.1 (general) of this policy.