Why Stadia Maps instead of OpenStreetMap tiles?

Category: Tech

Tags: maps, leaflet, openstreetmap, stadiamaps, gdpr, privacy


When I added the Leaflet photo world map, the very first question was: where do the map tiles come from? The obvious answer — “just use OpenStreetMap” — is sadly not that straightforward. This post walks through what I considered and why Stadia Maps ended up winning.

Why not use the OSM tiles directly?

OpenStreetMap runs its own tile server at tile.openstreetmap.org. Technically it works fine, but the Tile Usage Policy forbids using it for production sites with non-trivial traffic:

“OpenStreetMap data is free for everyone to use. Our tile servers are not.”

Specifically:

  • No systematic use for commercial or high-traffic sites.
  • A valid HTTP Referer and User-Agent are required so abuse can be traced.
  • Access can be throttled or blocked at any time when resources run thin.

The OSM Foundation is donation-funded. If you want to embed maps seriously, you’re expected to either self-host tiles or use a provider who handles that and contributes back to the OSM ecosystem.

What were my criteria?

I wanted the same strict bar for the tile service as for the rest of the site:

  1. Data from Europe. The tile endpoint must process requests inside the EU — no mandatory US transit.
  2. GDPR-friendly. There has to be a proper Data Processing Agreement (DPA) and ideally no hidden third-party cookies, trackers, or fingerprinting delivered via the tiles.
  3. OSM base data. I want the same cartography as OSM itself, because I like the look and because the licence (ODbL) is transparent.
  4. Reasonable free tier. For a personal site this must cost nothing as long as I stay within hobby-scale limits.
  5. No self-hosted infrastructure. Self-hosting tiles (e.g. with tileserver-gl plus OpenMapTiles data) turns a small photo section into a serious infra project. I didn’t want that for this site.

Why Stadia Maps

Stadia Maps is a small US-based provider with a clear focus on privacy and OSM data. The deciding factors were:

  • EU endpoint tiles-eu.stadiamaps.com. Tiles are served from Frankfurt, not routed through the US.
  • Documented GDPR compliance. Stadia offers a DPA and counts requests via the Referer header, not cookies or fingerprinting. The privacy policy is explicit: no third-party scripts, just tile images.
  • Built on OpenMapTiles + OSM. The visual styles (I use alidade_smooth) are derived from OSM geometry. Attribution and licensing stay clean — both OSM and OpenMapTiles show up in the copyright field on the map.
  • Free tier with 200,000 tile requests per month. For a personal site that’s far more than I actually need; an embedded map at my scale lands somewhere in the four- to five-figure range of requests per month.
  • Domain-based authentication. No API key in the frontend JS — they authenticate via the Referer header, which also explains the CSP gotchas. This way no secret ships in the client bundle.
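
The Referer-based authentication and its interaction with the site's CSP can be checked before deployment. The following is an added example, not code from this site or from Stadia Maps: a small Node.js audit of a page's response headers. The function names and sample headers are assumptions made for illustration; only the host tiles-eu.stadiamaps.com comes from the post.

```javascript
const TILE_HOST = "tiles-eu.stadiamaps.com"; // EU endpoint named in the post
// Referrer-Policy values under which the browser sends no Referer on
// cross-origin requests, so the tile server cannot match the domain.
const NO_CROSS_ORIGIN_REFERER = new Set(["no-referrer", "same-origin"]);

// Parse a CSP header value into a Map of directive -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers honour only the first occurrence of a directive.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one CSP source expression allow https://<host>? (ports are not handled)
function sourceAllowsHost(source, host) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:") return true;
  const hostPart = s.replace(/^https:\/\//, "").replace(/\/.*$/, "");
  if (hostPart.startsWith("*.")) return host.endsWith(hostPart.slice(1));
  return hostPart === host;
}

// Returns a list of findings; an empty list means tiles can load and still
// carry the Referer that domain-based authentication relies on.
function auditMapHeaders(headers, host = TILE_HOST) {
  const findings = [];
  const csp = headers["content-security-policy"];
  if (csp !== undefined) {
    const d = parseCsp(csp);
    // Tile images are governed by img-src, falling back to default-src.
    const sources = d.get("img-src") ?? d.get("default-src");
    if (sources && !sources.some((s) => sourceAllowsHost(s, host))) {
      findings.push(`CSP blocks images from ${host}`);
    }
  }
  // Simplification: with comma-separated policies the last one is taken.
  const policy = (headers["referrer-policy"] ?? "").split(",").pop().trim().toLowerCase();
  if (NO_CROSS_ORIGIN_REFERER.has(policy)) {
    findings.push(`Referrer-Policy "${policy}" strips the Referer from tile requests`);
  }
  return findings;
}

// Constructed sample headers: a strict policy that forgot the map, and a corrected one.
const sampleBroken = { "content-security-policy": "default-src 'self'", "referrer-policy": "no-referrer" };
const sampleFixed = { "content-security-policy": `default-src 'self'; img-src 'self' https://${TILE_HOST}`, "referrer-policy": "strict-origin-when-cross-origin" };
console.log(auditMapHeaders(sampleBroken), auditMapHeaders(sampleFixed));
```

Per-element overrides such as a referrerpolicy attribute or a meta referrer tag are not covered by this check.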

Why not Mapbox, Google Maps, MapTiler?

I briefly looked at the others:

  • Mapbox is US-based without an EU endpoint. Legally you can make it work (SCCs, EU-US Data Privacy Framework), but it’s more paperwork than I want for a hobby site.
  • Google Maps is out for one specific reason: tracking and cookies the moment its JS loads. That contradicts my zero-third-party-requests baseline.
  • MapTiler is a Swiss provider with EU hosting and would have been my second choice. The free tier is lower (25,000 tile loads/month) and the style is a bit too colourful for my taste. But: comparable in substance and definitely GDPR-friendly.
  • Self-hosting with tileserver-gl and an OpenMapTiles dump was the most honest alternative. It failed on disk space (the OpenMapTiles planet dump is ~90 GB) and on the ongoing update effort.

What I take away

  • “Just OSM” is rarely just OSM. The OSM tile servers are community infrastructure, not a general-purpose API. Embedding them on production sites hurts the project — or gets you throttled.
  • GDPR compliance hinges on server location, not company HQ. An EU endpoint plus a DPA makes even a US vendor manageable. Without an EU endpoint, the HQ is irrelevant — it becomes paperwork-heavy either way.
  • Pay-what-you-use is fair. Stadia Maps states that a share of their revenue goes to OpenStreetMap. If I ever outgrow the free tier, that fee is also a contribution back to the ecosystem whose data I’m using.