
Privacy Policy

Jazzcat Ltd ("we", "us", "our")

Last updated: 22 May 2026

Effective date: 22 May 2026

1. About This Policy

This Privacy Policy explains how JAZZCAT LTD ("we", "us", or "our") collects, uses, shares, and protects personal information when you use Jazzcat, including our mobile application and web application (collectively, the "Service"). The Service is operated by JAZZCAT LTD. It also describes your rights and how to exercise them.

We comply with applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), where applicable.

2. Data Controller

The data controller responsible for your personal data is:

JAZZCAT LTD (Data Controller) Innovation Centre, The Sussex Innovation Centre, Science Park Square, Falmer, Brighton, Sussex, England, BN1 9SB

Email: privacy@jazzcat.com

For EU/EEA users, JAZZCAT LTD acts as the data controller under Article 4(7) GDPR. As JAZZCAT LTD is established in the United Kingdom (not the EU/EEA), we are in the process of appointing an EU representative under Article 27 GDPR. Until that appointment is complete, please direct all enquiries to privacy@jazzcat.com.

3. Information We Collect

We collect personal information in the following ways:

3.1 Information You Provide Directly

  • Account information: your name, email address, and password when you register.
  • Profile information: any additional details you choose to add to your profile.
  • Payment information: billing name, address, and payment card details when you make a purchase. Payment card data is processed directly by Stripe and is never stored on our servers.
  • Communications: messages or feedback you send to us, including support requests.

3.2 Information from Third-Party Sign-In

If you register or log in using Google or Apple, we receive information from those providers, such as your name and email address, in accordance with your privacy settings on those platforms. We do not receive your password.

3.3 Information We Collect Automatically

  • Usage data: pages or features viewed, actions taken, session duration, and interaction events.
  • Device information: device type, operating system, app version, and unique device identifiers.
  • Log data: IP address, browser type, referring URL, and timestamps.
  • Location data: approximate location inferred from IP address; precise GPS location only if you grant permission in the app.
  • Session recordings: replays of user interactions to help us improve the interface, processed by PostHog. Sensitive fields (passwords, payment inputs) are masked and never captured. These recordings are pseudonymous, not anonymised.
  • Push notification tokens: device tokens used to deliver push notifications via Appwrite Messaging plus APNs/FCM.

3.4 Sensitive Personal Information

Precise geolocation data (collected via Mapbox when you grant location permission) is classified as sensitive personal information under the CCPA/CPRA. We collect this data solely to provide location-based features within the Service and do not use it for advertising or profiling purposes.

4. How We Use Your Information

We use your personal information for the following purposes:

  • To create and manage your account.
  • To provide, operate, and improve the Service.
  • To process payments and prevent fraud.
  • To send transactional communications (e.g., receipts, password resets, account alerts).
  • To send service announcements and, where you have opted in, marketing communications.
  • To respond to your support requests and enquiries.
  • To analyse usage patterns and improve product performance and user experience.
  • To send push notifications where you have granted permission.
  • To comply with legal obligations and enforce our Terms of Service.
  • To protect the safety and security of our users, staff, and the public.

5. Legal Basis for Processing (GDPR)

If you are in the EU or UK, we process your personal data on the following legal bases under Article 6 GDPR:

  • Contract performance (Art. 6(1)(b)): account creation, service delivery, and payment processing.
  • Legitimate interests (Art. 6(1)(f)): product analytics, fraud prevention, security monitoring, and service improvement. We have conducted a balancing test and determined our interests do not override your fundamental rights. You have the right to object to processing on this basis at any time (see Section 10).
  • Consent (Art. 6(1)(a)): marketing communications; precise GPS location access; push notification delivery; and, on our web application, analytics cookies placed under the ePrivacy Directive. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): compliance with applicable law, including responding to lawful requests from authorities.
  • Legitimate interests (Art. 6(1)(f)) — post-deletion retention: retaining limited account data for up to 3 years after account deletion to handle post-termination disputes and meet commercial record-keeping obligations.

5.1 Automated Processing

The Service uses automated processing to personalise certain content and features (for example, ordering or surfacing relevant items based on your usage patterns). These automated processes do not produce legal or similarly significant effects on you — a human is always involved in decisions that materially affect your account or access. You have the right to request human review of any automated outcome that concerns you.

5.2 Data Protection Impact Assessments

Where our processing activities are likely to result in a high risk to your rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 GDPR. We have conducted DPIAs for our session recording functionality (PostHog) and our use of precise geolocation data (Mapbox). These assessments are reviewed periodically and updated when processing activities change.

6. How We Share Your Information

We do not sell your personal information. We share it only in the following circumstances:

6.1 Sub-processors

We share data with third-party service providers who process it on our behalf under data processing agreements. See Section 9 for the full list.

6.2 Legal & Safety

We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of JAZZCAT LTD, our users, or others.

6.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is subject to a materially different privacy policy.

6.4 Aggregated / Anonymised Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you.

7. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.

  • Account data: retained for the duration of your account, plus up to 3 years after account deletion to handle post-termination disputes and meet applicable commercial record-keeping obligations (legal basis: legitimate interests).
  • Payment records: retained for 7 years in accordance with applicable tax and financial recordkeeping legislation (legal basis: legal obligation).
  • Analytics data: session-level data retained for up to 12 months; aggregated, non-identifiable analytics retained indefinitely.
  • Communications: support correspondence retained for up to 2 years (legal basis: legitimate interests in resolving disputes).

You may request deletion of your account at any time (see Section 10). Upon deletion, we will remove or anonymise your data within 30 days, subject to any applicable legal retention obligations.

8. Cookies & Tracking Technologies

We use cookies and similar technologies on our web application. These include:

  • Strictly necessary cookies: required for the Service to function (e.g., authentication tokens). These are placed without consent as they are essential to the service.
  • Analytics cookies: placed by PostHog to record how users interact with our web app. These are only placed with your consent, obtained via our cookie consent banner. The underlying analytics data is then processed on the basis of our legitimate interests in improving the Service.
  • Preference cookies: used to remember your settings. Placed with your consent.

You can manage or withdraw cookie consent at any time through our cookie preference centre or your browser settings. Withdrawing consent does not affect cookies already placed. Our mobile app does not use browser cookies but may use equivalent persistent device identifiers (e.g., advertising IDs, installation IDs) for similar purposes, which you can reset via your device settings.

SMS communications sent via Twilio are transactional only (e.g., one-time passcodes, account alerts). We do not send marketing SMS. Reply STOP to any SMS to opt out.

9. Third-Party Sub-processors

The following sub-processors may process your personal data as part of the Service:

| Sub-processor | Purpose | Data Location | Privacy Policy |
| --- | --- | --- | --- |
| Stripe | Payment processing | USA (EU SCC) | stripe.com/privacy |
| Google LLC | Sign-in (OAuth), cloud infrastructure | USA (EU SCC) | policies.google.com/privacy |
| Apple Inc. | Sign in with Apple, App Store ecosystem | USA (EU SCC) | apple.com/privacy |
| Firebase FCM | Push notifications, crash reporting | USA (EU SCC) | firebase.google.com/support/privacy |
| Twilio | SMS / messaging | USA (EU SCC) | twilio.com/en-us/legal/privacy |
| Resend | Transactional email delivery | USA (EU SCC) | resend.com/legal/privacy-policy |
| Cloudflare | CDN, DDoS protection, edge delivery, bot mitigation / abuse prevention | Global (GDPR-compliant) | cloudflare.com/privacypolicy |
| Mapbox | Mapping & geolocation services | USA (EU SCC) | mapbox.com/legal/privacy |
| PostHog (EU Cloud) | Product analytics, session recording | EU (Germany) | posthog.com/privacy |
| Appwrite Cloud/Appwrite Code Ltd | Authentication, database, storage, cloud functions, backend infrastructure, and messaging/push target management. | EU Frankfurt Germany | fra.cloud.appwrite.io |
| Unified Projects Ltd. | Hosting | United Kingdom / EU | unifiedprojects.co.uk/privacy |

All sub-processors are bound by written data processing agreements and are required to implement appropriate technical and organisational security measures. Where data is transferred outside the EEA, we use Standard Contractual Clauses (SCCs) approved by the European Commission, or another lawful transfer mechanism.

10. Your Rights

10.1 GDPR Rights (EU / UK Users)

If you are in the EU or UK, you have the following rights under the GDPR:

| Right | What it means |
| --- | --- |
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure | Request deletion of your personal data ('right to be forgotten'). |
| Restriction | Ask us to stop processing your data in certain circumstances. |
| Portability | Receive your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw consent | Withdraw consent at any time where processing is consent-based. |
| Lodge a complaint | File a complaint with your local supervisory authority. |

To exercise any of these rights, contact us at privacy@jazzcat.com. We will respond within 30 days (extendable by 60 days for complex requests, with notice). We may need to verify your identity before fulfilling your request.

You also have the right to lodge a complaint with your local supervisory authority:

10.2 CCPA / CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the CCPA/CPRA:

| Right | What it means |
| --- | --- |
| Know | Know what personal information we collect, use, disclose, and share about you. |
| Delete | Request deletion of your personal information (subject to certain exceptions). |
| Correct | Request correction of inaccurate personal information. |
| Limit Sensitive PI | Limit our use of sensitive personal information (e.g., precise geolocation) to specific permitted purposes. |
| Non-Discrimination | Not be discriminated against for exercising your CCPA/CPRA rights. |

We do not sell your personal information and do not share it with third parties for cross-context behavioural advertising. Accordingly, there is no sale or sharing of your personal information to opt out of. Precise geolocation (collected via Mapbox when you grant permission) is sensitive personal information under CPRA; you may limit its use by revoking location permission in your device settings at any time.

To submit a CCPA/CPRA request, contact us at privacy@jazzcat.com or use in-app account settings. We will acknowledge your request within 10 business days and respond substantively within 45 calendar days (extendable by 45 days with notice).

We will not discriminate against you for exercising your CCPA/CPRA rights.

11. International Data Transfers

JAZZCAT LTD is established in the United Kingdom. As a UK-based controller processing EU/EEA personal data, we are required under Article 27 GDPR to appoint a representative in an EU member state. We are in the process of making that appointment and will update this Policy with the representative's details once confirmed.

Your personal data may be transferred to and processed in countries outside the EEA, including the United States.

Where we transfer data from the EEA or UK to third countries, we use one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • The UK International Data Transfer Agreement (IDTA) or UK Addendum.
  • Transfers to recipients in countries with an adequacy decision by the European Commission.

PostHog processes data in the EU (Germany), meaning analytics data does not leave the EEA. For a full list of sub-processors and their data locations, see Section 9.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • Encryption of data in transit (TLS) and at rest.
  • Access controls and role-based permissions for staff.
  • Regular security assessments and penetration testing.
  • Incident response procedures, including notification to the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, as required by Article 33 GDPR.

No method of transmission over the internet or electronic storage is 100% secure. We use industry-standard measures to protect your data, but we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.

13. Children's Privacy

The Service is not directed to children under the age of 16 in the EU/EEA, or under 13 in the UK and United States. We do not knowingly collect personal information from children below these age thresholds. If you believe we have collected personal information from a child, please contact us at privacy@jazzcat.com and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you via email or an in-app notification at least 14 days before the changes take effect. The updated policy will be posted on our website and in the app, with the revised effective date.

For material changes that introduce a new legal basis or significantly alter how your data is used, we will seek fresh consent where required by applicable law. Your continued use of the Service after the effective date of a non-material update constitutes your acceptance of the revised Policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

JAZZCAT LTD (Data Controller) Innovation Centre, The Sussex Innovation Centre, Science Park Square, Falmer, Brighton, Sussex, England, BN1 9SB

Email: privacy@jazzcat.com

We will respond to all enquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority (see Section 10 for contact details).

© 2026 JAZZCAT LTD. All rights reserved.