This is a sample template a unit, group, or album owner can adopt and fill in. It's pre-filled with the platform's standing controls so you only need to add your unit's specifics. It is information, not legal advice — see the disclaimer at the foot.

Step 1: Why we are doing a DPIA

A Data Protection Impact Assessment is a UK-GDPR requirement for any processing that's likely to result in a high risk to the rights and freedoms of individuals. Sharing photos and videos of children inside a private album isn't high-risk on every dimension, but it does involve:

• Children's data — under-18s are included and parental consent is required.

• Special-category-adjacent material — images of identifiable minors, occasionally in contexts that infer health, religion, or other protected characteristics.

• Innovative or new technology — automated content moderation (Azure AI Content Safety) and voice-to-text transcription (OpenAI Whisper) are applied to user content.

• Systematic monitoring — every upload is automatically scored for safety.

Any one of those triggers an ICO recommendation to complete a DPIA before processing starts. The Children's Code (Age Appropriate Design Code) requires a DPIA for any service likely to be accessed by children.

This template is a starting point provided by Jambo.pics, not legal advice. If your unit handles particularly sensitive cases — children with court-recorded protection orders, looked-after children, witnesses to a court matter — you should commission a tailored DPIA from a qualified data protection practitioner.

Step 2: Describe the processing

Pre-filled — keep as-is unless the platform changes
What is the platform?
Jambo.pics — an invitation-only photo, video, voice-note, and caption album service. Operated by Stuart Ridout, sole trader, England. ICO registration ZC130961.
What data is processed?
Photos, videos, voice notes (and their automatic transcripts), written captions, account data (email, display name, date of birth, optional profile photo), parent contact details for under-18 accounts, payment metadata for any optional donations or upgrades, and standard server logs (IP address, browser, timestamps).
Whose data?
Invited members of your album: leaders/owners, posters (e.g. scouts, students, wedding party), parents/guardians, and any volunteers given access. May include children aged 13 and over.
Special category data?
Photos may inadvertently reveal special category data — religious dress, health conditions, ethnicity, sexual orientation. Voice transcripts may quote sensitive context. The platform does not knowingly elicit special category data; the lawful basis for any incidental special category data is GDPR Article 9(2)(e) (data manifestly made public by the data subject within the album they joined).
How is it collected?
Directly from each user via the Jambo.pics app or website.
How is it used?
Stored and displayed to other invited members of the same album; voice notes transcribed via OpenAI Whisper; every image and caption scanned by Azure AI Content Safety for hate/self-harm/sexual/violent material; included in optional photo books if a unit orders one.
Who else processes it?
Four sub-processors: Microsoft Azure (UK South — storage, moderation), OpenAI (US — voice transcription), Resend (US — transactional email), Stripe (Ireland/US — payment processing).
How long is it retained?
While the account is active. Account-close requests are processed within 30 days. Pending child accounts where parental consent isn't received within 30 days are deleted. Residual copies in backups are purged within 30 days of deletion.
International transfers?
Yes — Resend, Stripe, and OpenAI are US-based. Transfers are protected by Standard Contractual Clauses and the UK International Data Transfer Addendum.
You fill in
  • Your unit / group / album name
  • Person responsible for this DPIA
    Often the lead leader, owner, or designated DP lead.
  • Their role
  • Their contact email
  • Approximate number of members
    4 adults, 36 under-18s (pre-filled)
  • Age range of under-18s
    14 to 18 (as of August 2027) (pre-filled)
  • Activities you'll post about
    e.g. weekly meetings, weekend camps, international jamboree
  • Date you started using the platform

Step 3: Consultation

Pre-filled

UK-GDPR Article 35(9) recommends consulting "data subjects or their representatives" where appropriate. For a unit-run album, that means consulting the people whose photos and posts will live in it.

Jambo.pics consults with: every member who joins (via the unit code accepted on first use); every parent of an under-18 member (via the parental consent email at signup); and site admins who handle reports and moderation appeals.

You fill in
  • Did you consult parents before launching the album?
    Yes / No. If yes — how, when, and what was the response?
  • Did you consult members directly?
    Yes / No. If yes — how, when, and what was the response?
  • Are there any objections on file?
  • Did you consult your governing body?
    e.g. Scout Association district commissioner, school governors, charity trustees, wedding planner.

Step 4: Necessity and proportionality

Pre-filled
Lawful basis for processing
Contract (account data, to provide the service signed up for); legitimate interests (album content, moderation, security); consent (donations, parental consent for under-18s).
Does the processing achieve the purpose?
An invitation-only shared album achieves the purpose better than the alternatives — WhatsApp groups that scroll into oblivion, public social media, iCloud Shared Albums that sync to families' camera rolls.
Is there a less-intrusive alternative?
None offering the same functional set with the same safeguards: no advertising, no AI training, UK data residency, automated moderation, verifiable parental consent gate, 24-hour human review SLA. See /vs-meta for a side-by-side comparison.
How is data minimised?
EXIF metadata and GPS coordinates are stripped from delivery. Voice audio is transcribed and the audio is retained for re-listening but is never used to train AI models. Originals stay in private storage; only invited members can fetch them via short-lived signed URLs.
How is accuracy maintained?
Members can edit captions, delete posts, and update their own name and profile photo at any time. A content correction request can also be raised to team@jambo.pics or team@keepling.app.
You fill in
  • Is there a unit-specific reason this album is necessary?
    e.g. "we need a continuous record of our 18-month preparation period for the Jamboree"
  • Have you considered not running an album at all?
    What would the trade-off be? — record this even if the answer is short.

Step 5: Identify and assess risks

The risks below are the platform-level risks Jambo.pics considers in its own controller assessment. Add any unit-specific risks to the bottom of the table.

| # | Risk | Likely | Severe | Mitigations | Residual |
|---|------|--------|--------|-------------|----------|
| 1 | Photos of children seen by people outside the unit | Low | High | Invitation-only access; no public profiles; no search indexing; signed-URL delivery; role-based access checks on every request. | Low |
| 2 | Inappropriate content posted by another member (nudity, violence, hate) | Medium | High | Wordlist profanity filter; Azure AI Content Safety automated scan on every upload (image + text); zero-tolerance unit code accepted on first use; 24-hour human review on every report; reported content hidden from the feed immediately. | Low |
| 3 | Content used for AI training, advertising, or profiling | Low | Medium | No advertising or analytics SDKs in the app; no AI-training clause in our terms; Microsoft and OpenAI contractually do not retain content for training. | Low |
| 4 | Account compromise via email phishing | Low | Medium | Passwordless sign-in only — no password to reuse or leak; sign-in codes expire in 10 minutes; sessions tied to a single browser. | Low |
| 5 | Re-identification of children via image metadata (EXIF, GPS) | Medium | Medium | Images are re-encoded on processing; EXIF is stripped from everything other album members can see or download; GPS coordinates are removed. | Low |
| 6 | Data breach at a sub-processor | Low | High | Sub-processors limited to four (Azure, OpenAI, Resend, Stripe); all bound by data processing agreements; UK / EU / US transfers covered by SCCs and the UK International Data Transfer Addendum. | Low |
| 7 | Embarrassing or unflattering images affecting a child's wellbeing | Medium | Medium | The unit code prohibits embarrassing posts; report button on every memory; leaders can hide or remove without losing the audit trail. | Medium |
| 8 | Parental consent invalid or withdrawn | Low | Medium | Verifiable consent flow on signup; parent receives confirmation email; withdrawal triggers account closure within 30 days. | Low |
| 9 | Data retained longer than necessary | Low | Medium | Account close = 30-day deletion SLA; pending child accounts purged after 30 days without consent; backup tier ages out within 30 days of deletion. | Low |
| 10 | Member unable to exercise data subject rights | Low | Medium | In-app delete on every post; in-app account close; portability via download; written rights policy on the privacy page; one-month SLA on email requests. | Low |

You fill in — your unit's additional risks
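
| # | Risk | Likely | Severe | Mitigations | Residual |
|---|------|--------|--------|-------------|----------|
| 11 | | | | | |
| 12 | | | | | |
| 13 | | | | | |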

Examples worth thinking about:

  • A child whose parent has a court order restricting their image being shared.
  • A leader leaving the unit and retaining their session beyond the agreed end date.
  • A scout posting from a private camp event that hasn't been signed off by all parents.

Step 6: Identify measures to reduce risk

Pre-filled — the platform's standing controls
  • Invitation-only access; no discovery, no public profile, no search indexing.
  • Wordlist + Azure AI Content Safety automated moderation on every upload.
  • 24-hour human review SLA on every report; reported content hidden immediately.
  • Verifiable parental consent gate for every under-18 account.
  • Passwordless sign-in with 10-minute code expiry.
  • TLS in transit; private blob containers; signed-URL delivery.
  • EXIF and GPS metadata stripped from delivery.
  • UK data residency; SCC + IDTA for US sub-processors.
  • Site admins with content access are enhanced-DBS-checked.
  • 30-day deletion SLA on account close.
  • Audit log of every moderation action (approve, hide, remove, report).
You fill in — your unit's additional measures

Examples worth considering:

  • A clear briefing for new leaders before their first login.
  • A scout / parent objection register kept by the lead leader.
  • A schedule for reviewing the album content (e.g. every term).
  • A photo policy for the unit's own non-platform channels (camera roll, WhatsApp).

Step 7: Sign off

| Role | Name | Date | Signed |
|------|------|------|--------|
| Person responsible for this DPIA | | | |
| Lead leader / album owner | | | |
| Nominated parent representative (optional) | | | |

Date of next review:  

Recommended cadence: annually, or sooner if any of the following change — your unit's roster, the platform's sub-processors or material features (we’ll email you), or following a reportable incident.

Disclaimer. This template is provided by the platform as a convenience. It is not legal advice. If your processing involves particularly sensitive children's data — for example children with a court-recorded protection order, looked-after children, or children of public figures — you should consult a qualified data protection practitioner and refer to the ICO's own DPIA template at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/.

Last reviewed: May 2026.
