# Data Protection Impact Assessment — Jambo.pics sample template

> **Last reviewed: May 2026.** This template is published by **Jambo.pics** (jambo.pics) and **Keepling** (keepling.app) — the same legal entity, Stuart Ridout (sole trader, England), ICO registration ZC130961. The two services share infrastructure and processing; this template applies to either.

> **This is a starting-point template, not legal advice.** It is designed for adoption by a unit, group, or album owner. Where the platform's facts are pre-filled, you can leave them as-is. Where it says **"You fill in"**, that's your unit's homework. If your unit handles particularly sensitive cases — children with court-recorded protection orders, looked-after children, witnesses to a court matter — you should commission a tailored DPIA from a qualified data protection practitioner and refer to the ICO's own DPIA template at <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/>.

---

## Step 1 — Why we are doing a DPIA

A Data Protection Impact Assessment is a UK-GDPR requirement for any processing that's likely to result in a high risk to the rights and freedoms of individuals. Sharing photos and videos of children inside a private album isn't high-risk on every dimension, but it does involve:

- **Children's data** — under-18s are included and parental consent is required.
- **Special-category-adjacent material** — images of identifiable minors, occasionally in contexts that imply health, religion, or other protected characteristics.
- **Innovative or new technology** — automated content moderation (Azure AI Content Safety) and voice-to-text transcription (OpenAI Whisper) are applied to user content.
- **Systematic monitoring** — every upload is automatically scored for safety.

Any one of those triggers an ICO recommendation to complete a DPIA before processing starts. The Children's Code (Age Appropriate Design Code) requires a DPIA for any service likely to be accessed by children.

---

## Step 2 — Describe the processing

### Pre-filled — keep as-is unless the platform changes

| Question | Answer |
|---|---|
| What is the platform? | Jambo.pics — an invitation-only photo, video, voice-note, and caption album service. Operated by Stuart Ridout, sole trader, England. ICO registration ZC130961. |
| What data is processed? | Photos, videos, voice notes (and their automatic transcripts), written captions, account data (email, display name, date of birth, optional profile photo), parent contact details for under-18 accounts, payment metadata for any optional donations or upgrades, and standard server logs (IP address, browser, timestamps). |
| Whose data? | Invited members of your album: leaders/owners, posters (e.g. scouts, students, wedding party), parents/guardians, and any volunteers given access. May include children aged 13 and over. |
| Special category data? | Photos may inadvertently reveal special category data — religious dress, health conditions, ethnicity, sexual orientation. Voice transcripts may quote sensitive context. The platform does not knowingly elicit special category data; the lawful basis for any incidental special category data is GDPR Article 9(2)(e) (data manifestly made public by the data subject within the album they joined). |
| How is it collected? | Directly from each user via the Jambo.pics app or website. |
| How is it used? | Stored and displayed to other invited members of the same album; voice notes transcribed via OpenAI Whisper; every image and caption scanned by Azure AI Content Safety for hate / self-harm / sexual / violent material; included in optional photo books if a unit orders one. |
| Who else processes it? | Four sub-processors: Microsoft Azure (UK South — storage, moderation), OpenAI (US — voice transcription), Resend (US — transactional email), Stripe (Ireland/US — payment processing). |
| How long is it retained? | While the account is active. Account-close requests are processed within 30 days. Pending child accounts where parental consent isn't received within 30 days are deleted. Residual copies in backups are purged within 30 days of deletion. |
| International transfers? | Yes — Resend, Stripe, and OpenAI are US-based. Transfers are protected by Standard Contractual Clauses and the UK International Data Transfer Addendum. |

### You fill in

- **Your unit / group / album name:** ____________________________________________
- **Person responsible for this DPIA:** ____________________________________________
- **Their role:** ____________________________________________
- **Their contact email:** ____________________________________________
- **Approximate number of members:** 4 adults, 36 under-18s  *(pre-filled — edit if your unit differs)*
- **Age range of under-18s:** 14 to 18 (as of August 2027)  *(pre-filled — edit if your unit differs)*
- **Activities you'll post about:** ____________________________________________
- **Date you started using the platform:** ____________________________________________

---

## Step 3 — Consultation

### Pre-filled

UK-GDPR Article 35(9) recommends consulting "data subjects or their representatives" where appropriate. For a unit-run album, that means consulting the people whose photos and posts will live in it.

The platform consults with:

- Every member who joins, via the unit code (terms of service) accepted on first use.
- Every parent of an under-18 member, via the parental consent email at signup.
- Site admins who handle reports and moderation appeals.

### You fill in

- **Did you consult parents before launching the album?** ☐ Yes  ☐ No
  *If yes, how, when, and what was the response?* ____________________________________________
- **Did you consult members directly?** ☐ Yes  ☐ No
  *If yes, how, when, and what was the response?* ____________________________________________
- **Are there any objections on file?** ____________________________________________
- **Did you consult your governing body?** *(e.g. Scout Association district commissioner, school governors, charity trustees, wedding planner)* ____________________________________________

---

## Step 4 — Necessity and proportionality

### Pre-filled

| Question | Platform's answer |
|---|---|
| Lawful basis for processing | Contract (account data, to provide the service signed up for); legitimate interests (album content, moderation, security); consent (donations, parental consent for under-18s). |
| Does the processing achieve the purpose? | An invitation-only shared album achieves the purpose better than the alternatives — WhatsApp groups that scroll into oblivion, public social media, iCloud Shared Albums that sync to families' camera rolls. |
| Is there a less-intrusive alternative? | None offering the same functional set with the same safeguards: no advertising, no AI training, UK data residency, automated moderation, verifiable parental consent gate, 24-hour human review SLA. See `/vs-meta` for a side-by-side comparison. |
| How is data minimised? | EXIF metadata and GPS coordinates are stripped from delivery. Voice audio is transcribed and the audio is retained for re-listening but is never used to train AI models. Originals stay in private storage; only invited members can fetch them via short-lived signed URLs. |
| How is accuracy maintained? | Members can edit captions, delete posts, and update their own name and profile photo at any time. A content correction request can also be raised to team@jambo.pics or team@keepling.app. |

### You fill in

- **Is there a unit-specific reason this album is necessary?** *(e.g. "we need a continuous record of our 18-month preparation period for the Jamboree")*
  ____________________________________________
- **Have you considered not running an album at all?** *What would the trade-off be?*
  ____________________________________________

---

## Step 5 — Identify and assess risks

The risks below are the platform-level risks the platform considers in its own controller assessment. Add any unit-specific risks to the bottom of the table.

### Pre-filled — platform risks

| # | Risk | Likelihood | Severity | Mitigations | Residual risk |
|---|---|---|---|---|---|
| 1 | Photos of children seen by people outside the unit | Low | High | Invitation-only access; no public profiles; no search indexing; signed-URL delivery; role-based access checks on every request. | Low |
| 2 | Inappropriate content posted by another member (nudity, violence, hate) | Medium | High | Wordlist profanity filter; Azure AI Content Safety automated scan on every upload (image + text); zero-tolerance unit code accepted on first use; 24-hour human review on every report; reported content hidden from the feed immediately. | Low |
| 3 | Content used for AI training, advertising, or profiling | Low | Medium | No advertising or analytics SDKs in the app; no AI-training clause in our terms; Microsoft and OpenAI contractually do not retain content for training. | Low |
| 4 | Account compromise via email phishing | Low | Medium | Passwordless sign-in only — no password to reuse or leak; sign-in codes expire in 10 minutes; sessions tied to a single browser. | Low |
| 5 | Re-identification of children via image metadata (EXIF, GPS) | Medium | Medium | Images are re-encoded on processing; EXIF is stripped from everything other album members can see or download; GPS coordinates are removed. | Low |
| 6 | Data breach at a sub-processor | Low | High | Sub-processors limited to four (Azure, OpenAI, Resend, Stripe); all bound by data processing agreements; UK / EU / US transfers covered by SCCs and the UK International Data Transfer Addendum. | Low |
| 7 | Embarrassing or unflattering images affecting a child's wellbeing | Medium | Medium | The unit code prohibits embarrassing posts; report button on every memory; leaders can hide or remove without losing the audit trail. | Medium |
| 8 | Parental consent invalid or withdrawn | Low | Medium | Verifiable consent flow on signup; parent receives confirmation email; withdrawal triggers account closure within 30 days. | Low |
| 9 | Data retained longer than necessary | Low | Medium | Account close = 30-day deletion SLA; pending child accounts purged after 30 days without consent; backup tier ages out within 30 days of deletion. | Low |
| 10 | Member unable to exercise data subject rights | Low | Medium | In-app delete on every post; in-app account close; portability via download; written rights policy on the privacy page; one-month SLA on email requests. | Low |

### You fill in — your unit's additional risks

| # | Risk | Likelihood | Severity | Mitigations | Residual risk |
|---|---|---|---|---|---|
| 11 | | | | | |
| 12 | | | | | |
| 13 | | | | | |

*Examples worth thinking about:*

- A child whose parent has a court order restricting their image being shared.
- A leader leaving the unit and retaining their session beyond the agreed end date.
- A scout posting from a private camp event that hasn't been signed off by all parents.

---

## Step 6 — Identify measures to reduce risk

### Pre-filled — the platform's standing controls

- Invitation-only access; no discovery, no public profile, no search indexing.
- Wordlist + Azure AI Content Safety automated moderation on every upload.
- 24-hour human review SLA on every report; reported content hidden immediately.
- Verifiable parental consent gate for every under-18 account.
- Passwordless sign-in with 10-minute code expiry.
- TLS in transit; private blob containers; signed-URL delivery.
- EXIF and GPS metadata stripped from delivery.
- UK data residency; SCC + IDTA for US sub-processors.
- Site admins with content access are enhanced-DBS-checked.
- 30-day deletion SLA on account close.
- Audit log of every moderation action (approve, hide, remove, report).

### You fill in — your unit's additional measures

- ____________________________________________
- ____________________________________________
- ____________________________________________

*Examples worth considering:*

- A clear briefing for new leaders before their first login.
- A scout / parent objection register kept by the lead leader.
- A schedule for reviewing the album content (e.g. every term).
- A photo policy for the unit's own non-platform channels (camera roll, WhatsApp).

---

## Step 7 — Sign off

| Role | Name | Date | Signed |
|---|---|---|---|
| Person responsible for this DPIA | | | |
| Lead leader / album owner | | | |
| Nominated parent representative *(optional)* | | | |

**Date of next review:** ____________________________________________

Recommended cadence: annually, or sooner if your unit's roster changes, if the platform's sub-processors or material features change (we'll email you), or following a reportable incident.

---

## Disclaimer

This template is provided by Jambo.pics as a convenience. It is not legal advice. If your processing involves particularly sensitive children's data — for example children with a court-recorded protection order, looked-after children, or children of public figures — you should consult a qualified data protection practitioner and refer to the ICO's own DPIA template at <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/>.

*Questions or corrections: team@jambo.pics or team@keepling.app.*
