Privacy Policy

Jambo.pics is operated by Stuart Ridout, a sole trader based in England (“we”, “us”, “our”). We are the data controller for personal data processed through this service.

We are registered with the UK Information Commissioner’s Office under reference ZC130961.

Contact: team@jambo.pics

We collect and process the following personal data:

• Account data: your email address, display name, date of birth, and optional profile photo. Date of birth is used to determine whether parental consent is required.
• Parent contact data (for users under 18): a parent or guardian’s name and email address, collected during the young person’s signup so we can request and record their consent. If the parent approves, their email becomes their own account’s sign-in address and is retained as account data; if the parent rejects, we delete the parent contact data and the pending child account.
• Content you post: photos, videos, voice notes, and written captions you upload to an album. Voice notes are automatically transcribed to text; the transcript is stored alongside the audio and appended to the caption.
• Usage data: which albums you belong to, your role (scout, leader, parent), when you joined, and whether you have accepted the current unit code.
• Technical data: sign-in codes, session tokens, and standard server logs (IP address, browser type, request timestamps). Logs are retained for up to 30 days.
• Payment data: where you make a donation or purchase a storage upgrade, Stripe processes your card details directly. We receive only a transaction reference, the amount, and confirmation of success or failure — we do not see or store card numbers.

We do not use tracking cookies, advertising networks, or analytics services that share data with third parties.

Jambo.pics is designed for use within scout units, which include children aged 13 or over by the time of the Jamboree (the youngest Scout section). We take the privacy of children seriously and comply with the UK Children’s Code (Age Appropriate Design Code).

Every user under 18 needs parental consent before their account is activated. The signup flow is:

1. A leader shares the Scout join code with the young person.
2. The young person signs up themselves using that code. We collect their email address, display name, and date of birth.
3. Because they are under 18, we ask for a parent or guardian’s name and email address before activating the account.
4. We email the parent or guardian with a short, plain-English explanation of Jambo.pics — what it does, what content their child will share, and who can see it — along with an Approve and a Reject button.
5. While consent is pending, the young person’s account is held in a waiting state: they cannot view or post any album content. If they sign in they see a screen explaining that their parent or guardian has been emailed, with options to update the email address and resend the request.
6. On approval, the young person’s account is activated and a separate parent account is created and linked to the child. The parent receives a confirmation email and can sign in at jambo.pics or in the mobile app — they can view the albums their child belongs to but cannot post.
7. The young person receives a confirmation email telling them their account has been approved.
8. If the parent rejects the request, the young person’s account is not activated and the parent contact data is deleted.

Troop leaders can also manually approve child accounts from their admin panel — useful where a parent’s email can’t be delivered or a family has confirmed consent out of band. Manual approvals are recorded on the account for auditing.

Photos and videos posted to an album may depict minors. These are accessible only to invited members of that specific album. We do not make children’s content publicly accessible, use it in advertising, or share it with any party outside the album.

Everyone at Jambo.pics with operational access to members’ content is an adult member of The Scout Association (UK) and holds a current enhanced DBS check.

If you are a parent and wish to have content featuring your child removed, contact the troop leader or email us at team@jambo.pics.

We process personal data on the following legal bases under UK-GDPR:

• Contract: processing your email address and account data to provide the service you have signed up for.
• Parental consent: for all users under 18, we collect verifiable parental or guardian consent through the signup flow described in “Children’s data” above. Accounts remain inactive until consent is given. Consent can be withdrawn at any time by contacting the troop leader or emailing us.
• Legitimate interests: maintaining security logs, preventing abuse, and moderating content to protect other users — including children.
• Consent: where you have opted in to optional features, such as donation processing.

Where content involves children, we also rely on the legitimate interests of the scout unit in maintaining a safe, private shared record of their activities.

We use your personal data only to:

• operate and deliver the Jambo.pics service;
• authenticate you via passwordless email sign-in;
• display your name and profile photo to other album members;
• send transactional emails (sign-in codes, album invitations, parental-consent requests and confirmations);
• investigate reports of content that may breach the unit code or these terms;
• automatically transcribe voice notes to text using OpenAI Whisper, and scan uploaded images, video frames, captions, and voice note transcripts for hate, self-harm, sexual, and violent material so we can hold unsafe content for review before other members see it (see “Automated content moderation” below);
• fulfil any photo book or download orders you or your unit place. Photo books are not currently a live service, but we reserve the right to offer them for sale to members of the unit and their families — uploaded content is licensed to allow inclusion in a book if one is later ordered.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

Every image, video frame, and caption uploaded to Jambo.pics is automatically scored by Microsoft Azure AI Content Safety. The scanner returns a severity rating in four categories — hate, self-harm, sexual, and violent material — and we act on that rating as follows:

• Content scored below the flag threshold publishes immediately.
• Content scored at medium severity is recorded on the memory for leader awareness but still publishes.
• Content scored at high severity is automatically held in a pending state, and a system-generated report is filed against it so the album’s leaders are asked to review before anyone else sees it.

A human — a troop leader, or a site admin — always makes the final call on whether flagged content publishes, is hidden, or is removed. You have the right to object to processing that is based solely on automated decision-making, though our process is always human-in-the-loop for any outcome that affects publication.

Voice notes are first transcribed to text using the OpenAI Whisper API. The transcript is stored as part of the caption, displayed in the app, and then passed to Azure AI Content Safety in the same way as written captions. OpenAI does not retain the audio after transcription and does not use it to train AI models.

The scan runs inside Azure under the same data processing agreement that covers our storage. Microsoft does not retain your content after it has been scored and does not use it to train AI models. Scan results (severity scores, decision, timestamp) are retained alongside the memory record as part of our moderation audit trail and are deleted when the memory is deleted.

We use the following third-party services to operate Jambo.pics. Each processes data only on our instructions and is bound by a data processing agreement:

• Microsoft Azure — your content is stored in Microsoft Azure’s UK South region. Our contracting entity is Microsoft Ireland Operations Ltd.
• Microsoft Azure AI Content Safety (UK South) — automated moderation. A thumbnail of each photo you upload, a sampled frame of each video, and each caption you post is sent to the Content Safety service to be scored for hate, self-harm, sexual, and violent material. Microsoft does not retain the content after scoring and does not use it to train models.
• Resend (United States) — delivery of transactional emails, including sign-in codes and album invitations. Only your email address and the message contents are shared.
• Stripe (Ireland / United States) — payment processing for optional donations and storage upgrade purchases. Stripe handles card data directly; we do not see or store your card details.
• OpenAI (United States) — voice note transcription. Audio from voice notes you upload is sent to the OpenAI Whisper API to generate a text transcript. OpenAI does not retain your audio after transcription and does not use it to train AI models.

Transfers to the United States (Resend, Stripe, OpenAI) are protected by standard contractual clauses and the UK International Data Transfer Addendum.

We retain your personal data for as long as your account is active. If you close your account, we delete your account data and remove your content from all albums within 30 days, except where retention is required by law (for example, financial records related to donations).

Pending child accounts where parental consent has not been received within 30 days are automatically deleted, along with any parent contact data collected during the signup.

Deleted posts are removed immediately from album views. Residual copies in backups are purged within 30 days.

Under UK-GDPR you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data — you can update your name and profile photo from your account settings.
• Delete your data — you can delete individual posts at any time, or close your account to request full deletion.
• Restrict or object to certain processing.
• Portability — you can download your uploaded content at any time from within the app.
• Withdraw consent where processing is based on consent.

To exercise any of these rights, email us at team@jambo.pics. We will respond within one calendar month.

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

Phone cameras embed hidden information in every photo — the time the shot was taken, the camera model, and (if location services were enabled) GPS coordinates.

When a photo is shown inside Jambo.pics this hidden information is stripped out — the image is re-encoded during processing and none of it is included in what other album members can see or download from the app.

The original upload is retained in private storage so that we can regenerate derivatives if processing changes, so that album members can download their own uploads, and so that we can reproduce content into a photo book if one is ordered. (Photo books are not a current service but we reserve the right to offer them for sale to members of the unit and their families — see our Terms of Service.) Originals are not publicly accessible and are served only through time-limited signed URLs to members of the album they belong to.

All data is transmitted over HTTPS. Media files are stored in private Azure Blob Storage containers and served via time-limited signed URLs — direct URL guessing does not work. Sign-in is passwordless; codes expire in 10 minutes.

We apply role-based access controls so that only invited members of an album can view its content. If you discover a security vulnerability, please report it to team@jambo.pics.

We use a single, strictly necessary session cookie to keep you signed in. We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required or shown.

A lot of parents tell us they’d be more comfortable sharing scout photos somewhere that wasn’t Instagram, Facebook, or WhatsApp. The table below summarises how Jambo.pics differs from Meta’s apps on the topics that matter most. The short version: every difference is a thing Meta does that we don’t.

A printable, single-page version of this comparison is available at /vs-meta/print — designed for forwarding to a parent by email or saving as a PDF.

Scout units, schools, and any other organisation running an album for under-18s are expected to complete a Data Protection Impact Assessment under UK-GDPR and the Children’s Code. We publish a pre-filled, ICO-aligned sample DPIA at /dpia-template that leaders can adopt — the platform-side sections (sub-processors, retention, security, mitigations) are filled in for you, leaving only the unit-specific bits to complete. There’s a printable version at /dpia-template/print and an editable markdown copy at /dpia-template.md.

The sample is information, not legal advice. For unusually sensitive cases please consult a qualified data protection practitioner.

We may update this policy from time to time. When we do, we update the date at the top of this page. We will notify you by email if we make changes that materially affect how we handle your personal data.