Last updated: April 30, 2026

1. Introduction

This Privacy Policy explains how Jamble collects, uses, shares, and protects your personal information when you use our mobile app, our website jamble.com, or interact with our services in any other way.

Jamble Brasil Ltda (CNPJ 63.859.095/0001-13), headquartered at R. Maria Paula, 122, Conj. 1011, Sala 2, Bela Vista, Cidade de São Paulo, Estado de São Paulo, República Federativa do Brasil, CEP 01319-907, is the data controller for the personal information processed under this policy.

Jamble is currently a small company and does not have a dedicated or full-time Data Protection Officer. As permitted by ANPD Resolução nº 2/2022 for small-sized data processing agents, the responsibilities of the Encarregado de Proteção de Dados under LGPD Article 41 are exercised by our CEO, Aymar Dumoulin, cumulatively with his other functions within the company.

For any privacy-related question or request, you can contact Aymar Dumoulin to our general support at [email protected].

Jamble is a live-shopping marketplace focused on the Brazilian market. This policy is written to comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, Law No. 13.709/2018 — LGPD) and applies to all users accessing our services, wherever they are located.

2. Who this policy applies to

This policy applies to any person who uses Jamble as a buyer, seller, viewer, or visitor, whether through the iOS app, the Android app, or the website. Jamble is intended for individuals aged 18 or older. If you are under 18, please do not create an account or provide us with any personal data. See Section 17 for more on minors.

3. Categories of personal data we collect

To operate our service, we collect the following categories of personal data.

Identification and contact data:

• Full name, username, display name
• Email address
• Phone number (including country code and validated format)
• Date of birth
• Profile picture and bio
• CPF (for individuals) or CNPJ (for legal entities and self-employed sellers)
• Legal company name, trading name, and annual revenue band (for company sellers)

Address data:

• Full shipping and billing addresses, including street, number, complement,
  neighborhood (bairro), city, state, and postal code
• Geographic coordinates (latitude and longitude) when you grant the app permission to access your location

Financial data:

• Bank account information for sellers (bank name, bank code, branch, account number, account type, holder name), processed for the purpose of payouts on sales and for the payment of commissions under the Cash Commission Seller Referral Program (Section 25.B.2 of the Terms of Use)
• Payment method tokens and card metadata (card brand, last four digits, expiration month and year) provided by our payment partners
• Transaction history, payouts, debits, and wallet balances
• Tax data such as Nota Fiscal status and digital certificate registration

Content you submit:

• Product listings, including photos, videos, descriptions, and prices
• Live-show broadcasts, including video, audio, chat, reactions, and bid activity
• Direct messages, comments, reviews, and support conversations
• Any other content you post or share on Jamble

Usage and device data:

• Screens viewed, buttons tapped, searches, bids, purchases, and time spent watching
  shows
• App version, operating system and version, device model, unique device identifier
  (device UUID), language, and time zone
• IP address (current and historical) and connection metadata
• Mobile advertising identifiers (IDFA on iOS, Google Advertising ID on Android) when you consent to tracking
• Crash reports and performance data

Data from third parties:

• Basic profile information from Apple, Google, or Facebook when you choose to sign in through one of these providers
• Attribution data identifying which marketing campaign led you to install the app
• Payment status, card metadata, and chargeback information from our payment processors - Verification outcomes from identity checks performed by our payment partners

Data about others you provide:

• When you choose to invite friends using your phone contacts, you provide us with the names and phone numbers of contacts stored on your device. See Section 9.

We do not knowingly collect special categories of sensitive personal data under LGPD Article 5, such as data on race, religion, political opinions, trade-union membership, health, sexual orientation, or genetic data. Images transmitted during a live show may incidentally reveal such information — please be mindful of what you show on camera.

4. How we collect your data

We collect personal data in three ways:

• You give it to us. Directly, when you create an account, list a product, broadcast a show, buy an item, contact support, respond to a survey, or otherwise interact with the service.
• We observe it. Through automated means such as event logs, device signals, cookies and similar technologies, in-app analytics, crash reporting, and the video and audio streams of your live shows.
• Third parties share it. From social login providers, payment processors, attribution providers, and identity verification partners, as described in Section 10.

Purposes of processing and legal bases.

Under LGPD Article 7, every processing activity is supported by a specific legal basis. Below is a summary.

To create and manage your account, we rely on performance of contract.

To process payments, payouts, and refunds and to comply with financial regulations, we rely on performance of contract and compliance with legal or regulatory obligations (including BACEN, Receita Federal, and anti-money-laundering rules).

To verify identity of sellers (know-your-customer procedures), we rely on compliance with legal obligations, particularly rules against money laundering and terrorist financing (Law No. 9.613/1998 and CVM/BACEN instructions).

To generate shipping labels, track deliveries, and manage returns, we rely on performance of contract.

For the payment of commissions under the Cash Commission Seller Referral Program for Partner Sellers (Section 25.B.2 of the Terms of Use), we rely on performance of contract. For this purpose, we process the Referrer's name, CPF or CNPJ, bank account information (bank name, bank code, branch, account number, account type, and account holder), and the commission amount, strictly for the processing of the international bank transfer and for compliance with related tax obligations.

To prevent fraud, detect scams, and protect the security of the platform and our users, we rely on legitimate interest, balanced with your rights (LGPD Article 10).

To provide customer support, resolve disputes, and handle claims, we rely on performance of contract and, where applicable, the exercise of our rights in legal proceedings.
To personalize your feed, recommend shows, and rank content, we rely on legitimate interest. You can object to this processing by contacting us.

To send marketing emails, push notifications, and promotional SMS or WhatsApp messages, we rely on your consent. You can withdraw consent at any time.

To measure the effectiveness of marketing campaigns and attribute app installations, we rely on your consent (via the App Tracking Transparency prompt on iOS and the Google Advertising ID permission on Android).

To comply with tax obligations and issue Nota Fiscal when applicable, we rely on compliance with legal obligations.

To improve the service, analyze usage, fix bugs, and develop new features, we rely on legitimate interest.

To respond to requests from public authorities and to defend ourselves in legal proceedings, we rely on compliance with legal obligations and the exercise of our rights.
6. Automated decisions and artificial intelligence

Under LGPD Article 20, you have the right to be informed about automated decisions that affect you and to request human review.

Jamble uses algorithms, machine learning, and artificial intelligence, including third-party AI services such as OpenAI, for the following purposes.

Scam and fraud detection. We automatically analyze direct messages, including the text you send, any images you share, and contextual signals such as your username, display name, email address, account creation date, and history of past messages with other users. An AI model classifies the likelihood that a message is an attempt at fraud or off-platform solicitation. If a message is classified as high-risk, it may be hidden automatically, and your account may be flagged for review or restriction.

Impersonation detection. We analyze profile pictures to detect attempts to imitate the Jamble brand or known sellers.

Linked-account detection. To prevent repeat fraud, we maintain records of the devices and IP addresses used to access each account. If multiple accounts share the same device or a common IP pattern, they may be grouped together. When one account in a group is restricted for fraud, other accounts in the same group may also be restricted.

Seller reputation scoring. Sellers are assigned a score (referred to internally as the liver score) based on past show performance, number of completed shows, average show duration, and follower count. This score influences how prominently their shows are surfaced to viewers.

Show ranking. Upcoming shows are ranked using signals such as bookmark count, product count, and seller score.

Content moderation. Administrators, assisted by automated signals, may restrict the visibility of a profile or show (a practice sometimes called shadowing) when patterns associated with abuse are detected.

Live-show summaries and analytics. Chat transcripts, bidder counts, and show metadata may be sent to AI providers to generate post-show summaries and operational reports used by our internal teams.

You can request human review of any of the above decisions by writing to [email protected]. We will respond within 15 days.

7. Live-show recordings and chat content

When you broadcast a live show on Jamble, your video, audio, live chat, bids, and on-screen interactions are transmitted in real time through our video infrastructure provider (Agora) and recorded to our cloud storage for operational purposes.

By starting a broadcast, you consent to the recording and storage of your voice, image, and any content visible or audible in your stream for the following purposes:

• Allowing viewers to replay the show
• Verifying transactions and resolving disputes between buyers and sellers
• Preventing fraud and enforcing our Terms of Service
• Generating post-show summaries and internal analytics
• Responding to lawful requests from public authorities

Viewers who appear on camera during a show or who send messages in the live chat are also recorded. If you participate in a show as a viewer, please be aware that your chat messages, bids, reactions, and any camera input may be part of the show record.

Direct messages between users are stored on our servers and may be reviewed by our automated systems or by authorized personnel when necessary for safety, fraud prevention, or dispute resolution.

See Section 12 for retention periods.

8. Device, IP, and linked-account information

To keep Jamble safe for everyone, we maintain a history of the devices and IP addresses used to access each account. This history includes device model, operating system, app version, a device-level unique identifier, and the IP addresses used over time.

If the same device or IP address is used by several Jamble accounts, we may treat those accounts as linked for fraud-prevention purposes. This can result in coordinated actions across accounts when one of them violates our policies. If you share a device with another Jamble user (for example, within the same household), your accounts may therefore be associated in our fraud-prevention records.

9. Phone contacts

If you choose to use the invite-a-friend feature in the app and grant the corresponding permission, Jamble will upload from your device the names and phone numbers stored in your phone's contact list. We use this data to:

• Identify which of your contacts already have a Jamble account
• Rank suggested contacts when you invite friends
• Avoid sending repeated invitations to contacts who have declined

We do not sell your contacts, do not use them for advertising, and do not share them with third parties for commercial purposes.

Because this data describes people who are not themselves Jamble users, those people also have rights under the LGPD. If someone whose contact information you uploaded wants to know what we store or request deletion, they can contact us at [email protected] and we will respond.

You can revoke the contacts permission at any time in your device settings. Revoking the permission stops future uploads; to delete contact data already uploaded, write to **[email protected].**

10. Who we share your data with

We share the minimum data necessary with the following categories of service providers, which act as data processors under LGPD Article 39.

Payment processors. Pagar.me (Pagar.me Pagamentos S.A.) processes payments and payouts in Brazil. We share with Pagar.me your name, CPF or CNPJ, phone, email, billing address, bank account information (for sellers), and transaction data.

Disbursement of commissions to Partner Sellers. Wise (Wise US Inc., a company incorporated under the laws of the United States of America, or any equivalent entity of the Wise group**)** processes the international bank transfers of commissions due under the Cash Commission Seller Referral Program (Section 25.B.2 of the Terms of Use), through a foreign exchange operation crediting an account held in Brazil. We share with Wise the Referrer's name, CPF or CNPJ, bank account information, and commission amount, strictly for the purpose of processing the international transfer.

Video and streaming. Agora transmits the real-time video and audio of live shows and provides cloud recording. Agora receives the video and audio stream and a stream token tied to your user ID.

Shipping and logistics. Envia is our primary label aggregator and integrates with Correios and other Brazilian carriers. Melhor Envio is used as a backup. These providers receive the full shipping address, recipient name, recipient phone, and parcel information required to generate labels and track shipments. Correios itself processes delivery data.

Tax invoicing. Nuvem Fiscal helps us issue Nota Fiscal when required. Nuvem Fiscal receives the seller's CNPJ, the buyer's shipping information, product details, and prices.

Customer support. Intercom powers our support chat and email conversations. Intercom receives your name, email, conversation history, and relevant transaction context.

Customer messaging. Customer.io is used to send transactional and promotional messages and to coordinate our messaging campaigns. Customer.io receives your profile attributes (including identifiers such as CPF when relevant for compliance messaging), device tokens, and the events that trigger each message.

Transactional communications. SendGrid delivers transactional emails (label files, order receipts). Twilio delivers SMS and WhatsApp messages, including one-time passwords at login.

Analytics and product intelligence. Mixpanel receives usage events, a user identifier, device and application metadata, and aggregate attributes such as the number of purchases, sales, and followers, for the purpose of understanding how the service is used.

Attribution. Adjust receives install and event data, advertising identifiers (IDFA or Google Advertising ID when consented), IP address, user-agent, and country, to attribute app installs to marketing campaigns. Where available, we apply limited-data-use flags.

Error monitoring. Sentry receives crash reports and associated user attributes(including email and username) that help us diagnose technical issues.

Authentication and infrastructure. Firebase (Google Cloud) powers authentication, push notifications, crash reporting, and part of our backend infrastructure.

Mobile app stores and operating systems. Apple and Google process push-notification tokens and in-app-purchase receipts as part of their standard operating-system services.
Artificial intelligence. OpenAI receives direct-message text, images, and related profile signals for scam detection, and live-show chat transcripts for the generation of post-show summaries.
Dispute defense. When a payment dispute is opened, we may share with our chargeback-defense partner (Chargeflow) the data needed to submit evidence, including buyer identification, shipping address, product details, and tracking information.

Marketing and social attribution. The Meta (Facebook) SDK and, on iOS, the TikTok SDK are integrated for attribution of paid campaigns and, in the case of TikTok, to enable sharing content directly from the app. These SDKs may collect limited device and event data when initialized.

Internal tools. We use Slack and similar internal tools to coordinate our team. Messages flagged as potentially fraudulent and significant moderation decisions may be visible to authorized Jamble personnel in these internal tools.

Public authorities. When required by law, court order, or valid request from a competent authority, we may disclose personal data to public bodies.

We do not sell your personal data. We do not share your personal data with third-party advertising networks outside the attribution relationships described above.

11. International data transfers

Some of our service providers are located outside Brazil, primarily in the United States and the European Union (for example, Firebase, Mixpanel, Intercom, Customer.io, OpenAI, Agora, Sentry, Adjust, SendGrid, Twilio, Chargeflow, Meta, TikTok, and Wise — the latter located in the United States of America, exclusively for the processing of commissions due under the Cash Commission Seller Referral Program, as set out in Section 25.B.2 of the Terms of Use).

When we transfer your personal data internationally, we rely on one of the legal bases permitted under LGPD Article 33, which include:

• Transfers to countries that provide an adequate level of data protection
• Standard contractual clauses or equivalent safeguards adopted with the provider
• Your specific and highlighted consent
• Compliance with a legal obligation or the execution of a contract

For more detail on the basis applicable to a specific provider, contact **[email protected].**

12. How long we keep your data

We keep personal data only as long as necessary for the purposes described in this policy, to comply with legal obligations, to resolve disputes, and to enforce our agreements.
Account data is kept while your account is active. If you delete your account, we keep the minimum data required to meet the retention rules below for fraud prevention, compliance, and dispute resolution.

Transaction and financial records are kept for at least five years after the transaction, as required by the Brazilian Consumer Code and tax legislation.

Identity-verification data collected for KYC purposes is kept for at least five years after the end of the commercial relationship, as required by anti-money-laundering rules.
Live-show recordings (video, audio, chat, bids) are retained for as long as necessary for operational purposes, dispute resolution, fraud prevention, and compliance with legal requests. We do not apply a fixed deletion period by default.

Shipping addresses are retained for as long as they remain useful to complete future transactions and handle post-delivery claims. You can remove saved addresses from your account at any time.

Payment methods (tokens, card metadata, bank-account information) are retained as long as necessary for transaction continuity, fraud prevention, and compliance with financial regulations. Nota Fiscal digital certificates (A1) are automatically removed when they reach their built-in expiration date.