🔒 YOUR PRIVACY IS A FUNDAMENTAL RIGHT
This Privacy Policy ("Policy") explains in full detail what personal information JamStream Ltd collects about you, how we collect it, why we collect it, how we use it, who we share it with, how we protect it, how long we keep it, and what rights you have over it. Please read this Policy carefully and completely.
Effective Date: May 25, 2026  |  Last Updated: June 15, 2026  |  Version: 4.5.2  |  Data Controller: ג'אמסטרים בע"מ (JAMSTREAM LTD) · ח.פ. 517333407 · Israel
📋 What's new in v4.5.2 (June 15, 2026)
v4.5.2 is a version-alignment update issued alongside Terms of Service v4.5.2. The Terms were updated to strengthen and consolidate users' responsibility for music and copyright (new Section 11.11 of the Terms). This Privacy Policy makes no change to how JamStream collects, uses, shares, retains, or protects your personal data — the version number is incremented only to keep the Terms of Service and Privacy Policy in lockstep. All data-protection commitments, legal bases, retention periods, and your rights remain exactly as in v4.5.1.
📋 What's new in v4.5.1 (June 11, 2026)
v4.5.1 is a non-substantive factual correction to v4.4. It corrects the registered legal entity name and registered address of JamStream's EU GDPR Article 27 Representative and the registered legal entity name of JamStream's UK GDPR Article 27 Representative, to match the public certificates of representation issued by Prighter and the official Prighter Group corporate disclosures. Specifically: (A) the EU Representative is correctly identified as iuro Rechtsanwälte GmbH t/a Prighter, at Schellinggasse 3, 1010 Vienna, Austria (the v4.4 release used an outdated short-form name and address); (B) the UK Representative is correctly identified as Prighter Ltd (the v4.4 release used an outdated short-form name); (C) the Swiss FADP Article 14 Representative remains unchanged: Prighter CH GmbH, Obergrundstrasse 17, 6002 Luzern, Switzerland. No new substantive obligations are introduced; the underlying appointments and protections are identical to v4.4. The public verification certificates remain accessible under Prighter Client ID 16835533678 at app.prighter.com/portal/jamstream.
📋 What's new in v4.4 (May 25, 2026)
v4.4 reflects JamStream's appointment of Prighter Group (Prighter ID: 16835533678) as JamStream's EU GDPR Article 27 Representative (iuro Rechtsanwälte GmbH t/a Prighter (Vienna, Austria)), UK GDPR Article 27 Representative (Prighter Ltd), and Swiss Federal Act on Data Protection Article 14 Representative (Prighter CH GmbH, Luzern, Switzerland), each evidenced by signed Letters of Appointment dated May 25, 2026 and confirmed as Active in the Prighter compliance dashboard the same day. Specifically v4.4: (A) identifies iuro Rechtsanwälte GmbH t/a Prighter at Schellinggasse 3, 1010 Vienna, Austria as JamStream's EU representative for purposes of Article 27 GDPR, and provides the dedicated inquiry endpoint at app.prighter.com/portal/jamstream; (B) identifies Prighter Ltd as JamStream's UK representative for purposes of UK GDPR Article 27, with the same inquiry endpoint; (C) identifies Prighter CH GmbH, Obergrundstrasse 17, 6002 Luzern, Switzerland as JamStream's Swiss representative under Article 14 FADP, with the same inquiry endpoint; (D) proactively appoints the EU/UK Representatives ahead of formal Article 27 thresholds being triggered, as part of JamStream's pre-launch compliance posture; (E) updates §13 (EU Users), §14 (UK Users), and §22.9 (Switzerland) of this Policy to reflect the appointed representatives; (F) updates the corresponding §23.9g of the Terms of Service in parallel. v4.4 builds on v4.3, v4.2, v4.1, v4.0; all prior protections remain in effect.
📋 What's new in v4.3 (May 23, 2026)
v4.3 reflects JamStream's confirmed registration with the National Center for Missing & Exploited Children (NCMEC) as a registered Electronic Service Provider (ESP) under the identifier JAMSTREAMLTD, completed in May 2026. Specifically v4.3: (A) activates the previously held-back §8a "Automated Safety Scanning, CSAM Detection & NCMEC Reporting" section, now expanded to explicitly reference Microsoft PhotoDNA Cloud Service + Sightengine parallel scanning of both profile photos and concert covers; (B) updates the §8a sub-processor disclosure to name PhotoDNA Cloud Service and Sightengine as live, active sub-processors; (C) adds explicit cross-reference to the new standalone Child Safety & CSAM Reporting Policy (accessible via the third tab in this legal modal); (D) introduces the dedicated trusted-flagger contact address safety@jamstream.live for NCMEC and other recognized child-safety hotlines; (E) updates the children's-safety reporting contact in §8a.8 from abuse@ to safety@. v4.3 builds on v4.0, v4.1, and v4.2; all prior protections remain in effect. Earlier additions: (v4.2) safety-driven audio recording disclosure, multi-state biometric-privacy compliance map, GDPR Art. 6 lawful-basis map, Israeli consumer-law prevalence, cross-border MLAT disclosure, regulatory-shutdown refund commitment, AI-output/training disclosure, pseudonymous-litigation acknowledgment; (v4.1) initial PhotoDNA disclosure (then held pending NCMEC integration); (v4.0) creator payout disclosure, Earnings category, real-time chat moderation, 7-year withdrawal records, PayPal 1099-K reporting, EU/UK Representative status, cookie-consent enforcement.
Table of Contents
  1. Data Controller & DPO
  2. What Information We Collect
  3. How We Collect Information
  4. Legal Bases for Processing
  5. How We Use Information
  6. Information Sharing & Disclosure
  7. Data Retention
  8. Data Security
  9. Automated Safety Scanning & NCMEC Reporting (§8a)
  10. Your Privacy Rights
  11. Children's Privacy
  12. International Data Transfers
  13. California (CCPA/CPRA)
  14. EU/EEA Users (GDPR)
  15. UK Users (UK GDPR)
  16. Israeli Users
  17. Brazilian Users (LGPD)
  18. Other Jurisdictions
  19. Cookies & Tracking
  20. Marketing Communications
  21. Third-Party Links
  22. Changes to Policy
  23. Contact & Complaints

1. Data Controller and Data Protection Officer

Data Controller: ג'אמסטרים בע"מ (JAMSTREAM LTD) · ח.פ. 517333407 · Havatselet 6, Kiryat Yam, Israel

Data Protection Contact: privacy@jamstream.live

JamStream Ltd is the data controller responsible for the personal information collected through the Service. If you have any questions about this Policy or our data practices, or wish to exercise any privacy right, please contact us at the email above.

2. What Personal Information We Collect

2.1 Account and Profile Information

Category | Specific Data | Required / Optional
Account Credentials | Email address, encrypted password (via Firebase Auth) | Required
Public Profile | Username, display name, profile picture, bio, instruments listed | Required (username); Optional (others)
Age / Date of Birth | Date of birth — used to verify you are 18 or older. The Service is strictly 18+ and this verification is mandatory. | Required
Phone Number | Mobile phone number in E.164 format (e.g. +972XXXXXXXXX) — collected for identity verification, fraud prevention, and to enable microphone and camera features. One phone number per Account. Stored in our phones collection in Firestore. Shared with Firebase Auth (Google LLC) solely for OTP delivery via SMS. | Required for live performance features (microphone, camera)
Social Links | Optional links to external social media profiles | Optional

2.2 Activity and Usage Data

Category | Specific Data
Room Activity | Rooms created, joined, left; time in rooms; role (performer/listener)
Instrument Data | Instruments played, notes/pads triggered (not stored permanently)
Battle/Concert Data | Battles entered, results, concerts hosted or attended, ticket purchases
Coin Economy | Coin balance, purchases, tips sent/received, gifts sent/received, transaction timestamps
Transaction History (NEW v4.0) | Per-event log of every Coin movement: type (tip_received, tip_sent, gift_received, gift_sent, ticket_sold, ticket_bought, coins_purchased, referral_bonus, streak_reward, withdrawal_requested, withdrawal_paid, withdrawal_rejected, withdrawal_cancelled), amount, counterparty username and uid, context (room id / concert id), timestamp. Retained per Section 7 below.
Earnings Ledger (NEW v4.0) | Server-only ledger of withdrawable earning entries with: amount (post-platform-fee), source type, source uid (counterparty), maturation timestamp (earnedAt + 14 days), withdrawal status, link to processed payout request. Used to compute the 14-day hold and creator payout eligibility.
Withdrawal Requests (NEW v4.0) | For each payout request: amount in Coins and USD, registered PayPal email address, status (pending / paid / rejected / cancelled), submission timestamp, processing timestamp, admin notes, PayPal transaction ID (after payout), and the list of consumed earning ledger entries. Stored in a top-level withdrawalRequests Firestore collection.
Daily Streak State (NEW v4.0) | Current consecutive-day streak count, last-claimed UTC date, lifetime longest streak, milestone bonus award flags (Day-7, Day-30).
Referral Program State (NEW v4.0) | For Referees: the referring uid (immutable, set at registration), bonus-granted flag, bonus-paid flag (after first paid purchase), pending flag (between age-verify and first purchase). For Referrers: cumulative referral count, daily-cap window timestamps. Used for anti-fraud monitoring of the deferred Referral payout.
Social Activity | Follow relationships, chat messages sent, reports submitted
Calendar/Sessions | Scheduled sessions you post publicly

2.3 Technical and Device Data

Category | Specific Data
Device Information | Device type, OS, browser type and version, screen resolution, hardware specs (where provided by browser)
Network Data | IP address, approximate geolocation (city/country level), connection type, ISP
Log Data | Access timestamps, pages/features accessed, errors encountered, HTTP request/response headers
WebRTC Metadata | ICE candidate information, connection state, RTT (latency) measurements, TURN server usage
Session Data | Firebase session tokens, local storage identifiers, cookie values

2.4 Audio Data — Critical Disclosure

JamStream does NOT record, store, or permanently retain audio streams. Audio is transmitted directly between users' devices via encrypted WebRTC peer-to-peer connections. JamStream's servers act as WebRTC signaling intermediaries but do not intercept, process, or retain audio content. TURN server relay (used as fallback when direct P2P is unavailable) transmits but does not store audio. Audio data transiting TURN servers is encrypted using DTLS-SRTP and not accessible to JamStream staff.

2.4a Biometric and Voice Data — Special Notice

JamStream recognizes that voice data may constitute biometric information under certain state laws including the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14/), the Texas Capture or Use of Biometric Identifier (CUBI) Act, Washington My Health My Data Act, and equivalent laws. JamStream's position on voice data:

  • We do not capture or store biometric voice templates from users' performances. Audio transmitted through the Service is peer-to-peer via encrypted WebRTC and is not retained;
  • We do not create voiceprints or use voice recognition technology to identify users by their voice;
  • We do not sell voice or biometric data to any third party for any purpose;
  • To the extent any incidental voice data is retained in server logs (e.g., brief WebRTC signaling metadata), it is retained only for the minimum period necessary for security and technical purposes and is not used for biometric identification;
  • Illinois residents have rights under BIPA including the right to request deletion of any biometric data. Contact privacy@jamstream.live for BIPA requests.

2.5 Payment and Payout Information

Coin purchase processing. Coin purchases are processed exclusively by PayPal (Europe) S.à r.l. et Cie, S.C.A. ("PayPal"), a PCI-DSS compliant third-party processor. JamStream does not store raw payment card numbers, CVV codes, or full payment account details. JamStream retains: PayPal order/transaction identifiers; gross USD amounts; coin-pack identifier; timestamps; partial payment-method descriptors (e.g., last four digits where surfaced by PayPal). These records are retained for billing reconciliation, fraud prevention, tax compliance, and accounting purposes per Section 7 (7-year retention).

Creator payout (cash-out) processing. Where you submit a Creator Payout request (Section 8.14 of the Terms), JamStream collects and stores: the PayPal email address you provide; the amount in Coins and equivalent USD; a list of consumed earning ledger entries (computed and stored at submission); status; processing timestamps; the PayPal transaction ID returned by PayPal after a successful payout. The PayPal email is also remembered as a saved field on your Account record for convenience on future requests; you can change or remove it at any time by submitting a new request with a different email. JamStream does not have access to your PayPal account credentials, balance, or other PayPal-side data.

Tax reporting. Where applicable thresholds are met, PayPal issues IRS Form 1099-K to U.S. recipients. JamStream does NOT issue Form 1099-NEC for payouts processed via PayPal (because PayPal, as a third-party settlement organization, is the reporting party for those payments). JamStream may issue or be required to issue tax forms in non-U.S. jurisdictions where local law applies; recipients will be notified.

2.6 Communications Data

If you contact JamStream support, submit a DMCA notice, send an abuse report, or otherwise communicate with us directly, we collect and retain those communications and their metadata for the purpose of resolving your inquiry and for quality and legal purposes.

2.7 Third-Party Sign-In Data

If you use Google or another third-party service to sign in, we receive limited profile data from that service (typically: name, email, profile picture) as authorized by you under that service's terms. We do not receive your third-party service password.

2.8 Guest (Anonymous) Account Data

JamStream allows users to access certain Service features as a "Guest" without registering a full account. When you use the Service as a Guest, Firebase Authentication automatically assigns you an anonymous unique identifier (UID) stored in your browser. We disclose the following about Guest accounts:

  • What we collect: An anonymous Firebase UID; technical data described in Section 2.4 (device type, browser, IP address, room activity); any chat messages or other content you submit during your guest session;
  • What we do NOT collect: Your name, email address, or any voluntarily provided personal information;
  • Retention: Anonymous UIDs and associated activity data are retained for up to 90 days for safety and abuse prevention purposes, then deleted. If we detect abusive conduct from a guest session, we may retain relevant data for longer as required for enforcement or legal purposes;
  • Personal data status under GDPR: Although anonymous UIDs do not directly identify you, combined with technical data they may constitute personal data under GDPR. We process this data on the legal basis of legitimate interests (Art. 6(1)(f)) — specifically, platform safety, fraud prevention, and abuse detection;
  • Converting to a full account: If you register a full account after using the Service as a guest, your guest activity data may be associated with your new account for continuity and abuse-prevention purposes;
  • Limitations on Guest use: Guests cannot create rooms, perform, or access paid features. This restriction exists for safety and accountability reasons, as anonymous accounts cannot be effectively moderated through normal channels.

3. How We Collect Information

  • Directly from you: Registration, profile setup, chat, Coin purchases, support requests;
  • Automatically: As you use the Service (logs, analytics, WebRTC metadata);
  • From Firebase: Firebase Authentication, Firestore, and Realtime Database automatically generate and process technical data;
  • From third-party sign-in providers: Google and similar providers if you choose to use them;
  • From payment processors: Transaction confirmations, dispute notifications.

4. Legal Bases for Processing Personal Data

Processing Activity | Legal Basis (GDPR) | Equivalent (Israeli Law)
Account creation and management | Contract performance (Art. 6(1)(b)) | Contractual necessity
Providing and operating the Service | Contract performance (Art. 6(1)(b)) | Contractual necessity
Processing Coin transactions | Contract performance (Art. 6(1)(b)) | Contractual necessity
Safety, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) | Legitimate purpose
Service improvement and analytics | Legitimate interests (Art. 6(1)(f)) | Legitimate purpose
Legal compliance and responding to authorities | Legal obligation (Art. 6(1)(c)) | Legal obligation
Responding to legal requests | Legal obligation (Art. 6(1)(c)) | Legal obligation
Marketing (opt-in only) | Consent (Art. 6(1)(a)) | Consent
Mandatory safety reporting (CSAM, etc.) | Legal obligation (Art. 6(1)(c)) | Legal obligation

5. How We Use Personal Information

  • To create, maintain, and secure your Account;
  • To provide all features of the Service including Rooms, Battles, Concerts, Beat Maker, and instruments;
  • To process Coin purchases, tips, gifts, and other in-Service transactions;
  • To enforce these Terms, our policies, and applicable law;
  • To detect and prevent fraud, abuse, security threats, and policy violations;
  • To respond to DMCA notices and other legal requests;
  • To communicate with you about your Account, security alerts, and Service updates;
  • To improve, personalize, and develop the Service;
  • To comply with legal obligations, including mandatory reporting requirements;
  • To send marketing communications where you have consented;
  • To analyze aggregate, anonymized usage trends.

6. Information Sharing and Disclosure

6.1 We Do Not Sell Your Data

JamStream does not sell, rent, trade, or otherwise transfer your personal information to third parties for their independent marketing, advertising, or commercial purposes. California users: we do not "sell" or "share" personal information as defined by CCPA/CPRA.

6.2 Service Providers (Processors)

We share personal data with trusted service providers acting as data processors under contractual data protection obligations:

Provider | Service | Data Shared | Location
Google Firebase | Auth, database, hosting infrastructure | Account data, usage data, messages, transactions, earnings, withdrawal requests | EU (europe-west1) + global
Twilio (TURN) | WebRTC relay credentials | Temporary TURN credentials only | Global
Cloudflare | Email routing, DDoS protection, alternative TURN | Email metadata, traffic data, ephemeral TURN credentials | Global
Firebase Hosting | Web hosting, CDN | Server access logs (IP, pages) | Global
PayPal (Europe) S.à r.l. et Cie, S.C.A. | Coin purchase processing AND creator payout processing (LIVE) | For purchases: card/bank details (PayPal-side, not visible to JamStream), payer email, gross amount. For payouts: recipient PayPal email, USD amount, JamStream-issued reference ID. PayPal acts as third-party settlement organization (TPSO) for U.S. tax reporting. | Luxembourg (EU) for EEA/UK; PayPal regional entities for other regions
Sentry GmbH (EU region) | Error/exception monitoring (consent-based) | Anonymized error stack traces, browser metadata, user uid (where consent given) | Germany (EU)
Google Fonts | Web typography | IP address (pass-through, not retained by us) | Global

Each processor is bound by a Data Processing Agreement (DPA) compliant with GDPR Article 28 and equivalent laws. Standard Contractual Clauses (SCCs) are in place for data transfers to non-adequate third countries.

6.3 Public Information

Your username, display name, profile picture, public profile, and Content you share in public Rooms, Battles, and Concerts are visible to other Service users and potentially the general public. Once shared publicly, this information may be cached or re-shared beyond our control.

6.4 Legal Disclosures and Law Enforcement

We may disclose your personal information to law enforcement agencies, courts, government authorities, or other authorized parties when: (a) required by applicable law, court order, subpoena, or legal process; (b) necessary to prevent, detect, or investigate crimes; (c) required to respond to mandatory reporting obligations (including CSAM reports to NCMEC); (d) necessary to protect the rights, property, or safety of JamStream, our users, or others; or (e) necessary in connection with enforcement of these Terms. We will endeavor to notify you of legal demands for your data where legally permitted, except where such notice is prohibited by law or in urgent circumstances.

6.4a Law Enforcement Cooperation and Legal Process

JamStream cooperates with law enforcement and government agencies in accordance with applicable law. When JamStream receives valid legal process (subpoenas, court orders, warrants, or equivalent international instruments), JamStream may: (a) disclose user data and account information to the requesting authority without prior notice to the user, where providing notice is legally prohibited or would obstruct the investigation; (b) preserve user data pending receipt of formal legal process upon an informal request from law enforcement; (c) report suspected criminal activity — including CSAM, terrorism, sex trafficking, and serious threats to life — to relevant authorities proactively, without waiting for legal process. Where legally permitted, JamStream will notify affected users of legal requests for their data. JamStream will not disclose law enforcement requests where doing so is prohibited by law (e.g., under a court order sealing the request). JamStream challenges overbroad or legally deficient legal process through available legal channels. Users may contact legal@jamstream.live for information about JamStream's law enforcement guidelines, subject to applicable legal restrictions.

6.5 Business Transfers

If JamStream is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred to the acquiring entity or new owner. We will provide advance notice where required by applicable law and, where required, seek consent for material changes to data processing.

6.6 Aggregated and De-Identified Data

We may share aggregated or de-identified data that cannot reasonably be used to identify any individual for analytics, research, marketing, or promotional purposes, without restriction.

7. Data Retention

Data Category | Retention Period | Reason
Active Account data | Duration of Account | Service provision
Account data after deletion | 90 days post-deletion request | Backup, fraud prevention
Coin purchase transaction records (PayPal) | 7 years from transaction | Israeli tax law (Income Tax Ordinance §131), U.S. and E.U. tax compliance, AML
Earnings ledger entries | 7 years from earning event | Tax/AML compliance; required to substantiate creator income
Withdrawal requests (paid, rejected, cancelled, expired) | 7 years from final processing | Tax/AML compliance, dispute defense, fraud audit
Transaction history (in-Service Coin movements: tips, gifts, ticket sales) | 3 years from event (or longer if subject to legal hold) | User dispute support, fraud investigation
Chat messages | 90 days, or until deletion | Service delivery
Moderation records & bans | 5 years from incident | Safety, legal defense
DMCA records | As required by US Copyright law | Legal compliance
NCII removal records (TAKE IT DOWN Act) | 3 years from removal | Compliance audit; cooperation with future legal process
CSAM reports | As required by applicable law | Legal/reporting obligation
Server access logs | 90 days | Security, debugging
Legal hold data | Duration of legal proceedings + applicable statute of limitations | Legal defense
Backup data | Up to 30 days after deletion | Disaster recovery

We may retain certain data beyond these periods where required by applicable law or where retention is necessary for establishment, exercise, or defense of legal claims. The 7-year retention for financial records aligns with Israeli accounting and tax-record retention requirements.

8. Data Security

JamStream implements appropriate technical and organizational security measures, including:

  • Encryption in transit: TLS/HTTPS for all web traffic;
  • WebRTC audio encryption: DTLS-SRTP for all peer-to-peer audio;
  • Database security: Firebase Firestore and RTDB security rules with granular access control;
  • Authentication: Firebase Authentication with secure session token management;
  • TURN credential security: Dynamically issued, short-lived, per-request TURN credentials via Cloudflare Worker; no static credentials in source code;
  • No raw payment data: Payment card data is handled exclusively by PCI-DSS compliant processors;
  • Access control: Strict internal access controls; principle of least privilege;
  • Incident response: Procedures for detecting, responding to, and notifying affected parties of data breaches.

No security system is perfectly impenetrable. In the event of a personal data breach, we will notify affected users and applicable supervisory authorities within the timeframes required by law:

  • GDPR (EU/EEA): Supervisory authority within 72 hours; users without undue delay where high risk;
  • UK GDPR: ICO within 72 hours; users without undue delay;
  • California (CPRA): Affected California residents within 30 days of discovery;
  • New York SHIELD Act: Affected New York residents within 30 days;
  • Israeli Protection of Privacy Law: Privacy Protection Authority as required;
  • Other US states: We comply with the breach notification law of each affected user's state, which generally requires notification within 30–45 days;
  • Brazil LGPD: ANPD and affected users within 2 business days of discovery of severe incidents.

Breach notifications will specifically identify: (a) the categories of data affected; (b) whether specific users' data was confirmed accessed or stolen (not merely "may have been exposed"); (c) the steps we have taken to address the breach; and (d) steps you can take to protect yourself. We maintain this standard in part because courts (e.g., Greenstein v. Noblr, 9th Cir. 2024) have held that vague "may have been exposed" notices are insufficient to establish standing for affected users. We will provide details of the breach, data affected, and steps taken to mitigate harm.

8a. Automated Safety Scanning, CSAM Detection & NCMEC Reporting

To protect children, comply with mandatory reporting obligations, and enforce these policies, JamStream operates a multi-layered automated and human-reviewed safety system. This Section describes that system in plain language so you understand what we scan, why we scan it, what we report, to whom, and when. For the full standalone framework — including evidence preservation, internal SLAs, and trusted-flagger procedures — see our Child Safety & CSAM Reporting Policy (accessible via the dedicated tab in this legal modal or via the footer link).

8a.1 What we scan and why

What is scanned | Method | Where | Purpose | Legal basis
Chat messages, Room names, profile fields, public display name, public bio, and other public text User Content | Server-side automated keyword/pattern matching plus AI classifier; human review for escalations | Server-side at message creation and at rest in the Firestore database (EU + global regions) | Detect and remove prohibited content (Terms §10.1) including CSAM solicitation, sex-trafficking signals, doxing, credible threats, hate speech, harassment | Contract performance (GDPR Art. 6(1)(b)); legal obligation (GDPR Art. 6(1)(c)); legitimate interest in user safety and platform integrity (GDPR Art. 6(1)(f)); analogous bases under Israeli PPL Amendment 13 and other applicable laws
User-uploaded images (profile photos, concert covers, and any other image content uploaded to JamStream's servers) | Perceptual-hash matching against the National Center for Missing & Exploited Children (NCMEC) database of known CSAM hashes, using Microsoft PhotoDNA Cloud Service. PhotoDNA converts images into one-way "perceptual hashes" — irreversible numerical signatures that cannot be used to reconstruct the image — and compares those hashes to NCMEC's catalogued database of known illegal material. In parallel, the same image is screened by Sightengine AI classifiers for novel (previously unseen) CSAM, age-inappropriate content, weapons, gore, and offensive material. | Image content is hashed in transit by JamStream's server-side Cloud Function in europe-west1; hashes (not the images themselves) are submitted to the PhotoDNA Cloud Service. Match results are returned to JamStream. Sightengine receives the image URL for AI analysis. | Detect and prevent the distribution of known child sexual abuse material; comply with 18 U.S.C. § 2258A reporting obligations as a registered NCMEC ESP (JAMSTREAMLTD); comply with the EU Digital Services Act's child-protection obligations; comply with the UK Online Safety Act 2023 illegal-content duties; comply with the Israeli Penal Law obligations regarding child protection. | Legal obligation (GDPR Art. 6(1)(c) — 18 U.S.C. § 2258A; UK OSA; EU DSA Art. 28); substantial public interest in child protection (GDPR Art. 9(2)(g)); analogous bases under Israeli PPL §32; equivalent local lawful bases.
Behavioral signals (account creation patterns, repeated reports against the same user, abnormal spending patterns) | Aggregated rule-based detection; human review for escalations | Server-side | Fraud prevention, ban-evasion detection, coordinated abuse detection | Legitimate interest (GDPR Art. 6(1)(f)); contract performance; legal obligation
Live audio streams (WebRTC peer-to-peer audio during Rooms, Battles, Concerts) | Not scanned by JamStream. Live audio is encrypted peer-to-peer via DTLS-SRTP and routed directly between participants. JamStream's servers do not relay or have access to the live audio stream content. | Peer-to-peer between participants; not on JamStream's servers | JamStream cannot scan content it does not access. User-to-user reports of audio incidents are investigated through the in-Service report flow. | —
Recordings (where a user opts to record their own performance) | If recordings are stored on JamStream-controlled storage in the future, they will be subject to the same image/text scanning regime as applicable. The current Service does not centrally store user audio recordings except as expressly disclosed in the recording feature flow. | — | — | —

8a.2 PhotoDNA — what it is and what it is not

What PhotoDNA does. PhotoDNA is an industry-standard perceptual-hashing technology developed by Microsoft and Dartmouth College, used by Google, Meta, Twitter/X, Reddit, Discord, and most major user-generated-content platforms worldwide to detect previously catalogued child sexual abuse material. It operates as follows: (i) JamStream's server takes an uploaded image and converts it (one-way) into a "perceptual hash" — a numerical signature that captures the image's visual structure but cannot be reversed to reconstruct the image; (ii) the hash is submitted to the PhotoDNA Cloud Service, which compares it against NCMEC's database of hashes derived from previously verified CSAM; (iii) PhotoDNA returns a match / no-match result. The image itself is not stored by PhotoDNA; the hash database does not contain images; and the match process is one-way and privacy-preserving. PhotoDNA is run automatically on every image uploaded to JamStream's servers; no human at JamStream views your image content as part of the routine PhotoDNA workflow.

What PhotoDNA does not do. PhotoDNA does not (i) classify images for nudity, adult content, copyright infringement, or any purpose other than CSAM detection; (ii) identify individuals depicted in images; (iii) generate facial-recognition data, biometric templates, or other biometric identifiers (and JamStream does not process any other biometric identifiers under the Illinois Biometric Information Privacy Act, the Texas CUBI, the Washington Biometric Privacy Act, or analogous laws); (iv) scan content stored on your own device. If a future version of the Service introduces any biometric processing, JamStream will obtain prior, separate, opt-in consent and will provide additional disclosures as required by applicable biometric-privacy law.

Use of Microsoft PhotoDNA Cloud Service. JamStream uses (or, where indicated, intends to use) the Microsoft PhotoDNA Cloud Service under the Microsoft PhotoDNA Cloud Service terms. By using the Service, you acknowledge and consent to: (a) automated submission of perceptual hashes (not images) of any image you upload to JamStream's servers, to the Microsoft PhotoDNA Cloud Service for comparison against NCMEC's hash database; (b) Microsoft providing aggregate match-count reports to NCMEC identifying JamStream as the originating service; (c) PhotoDNA's use solely for CSAM detection and not for any other content-classification or marketing purpose. JamStream confirms it does not use PhotoDNA to scan for any content category other than CSAM.

8a.3 What happens when a CSAM match is detected

If automated scanning produces a match against NCMEC's hash database or human review confirms the presence of CSAM, JamStream takes the following steps without notice to the suspected user (because notice could destroy evidence and obstruct investigation):

  • Immediate account suspension. The associated Account is immediately suspended and the user's access to the Service is revoked.
  • Evidence preservation. JamStream preserves the matched content, the Account's communications history, the Account's transaction history, the registered email and (where applicable) phone number, login IP addresses, device fingerprints, and any associated metadata for a minimum of 90 days after the CyberTipline report (extendable to 180 days upon law enforcement request, and longer where required by court order or legal hold) — consistent with 18 U.S.C. § 2258A(h).
  • NCMEC CyberTipline report. JamStream submits a report to the NCMEC CyberTipline (cybertip.org) as required by 18 U.S.C. § 2258A. The report includes the matched content, associated user identifiers (username, email, phone, registration IP, last-login IP), and the date and circumstances of detection. JamStream submits these reports as soon as reasonably practicable after gaining actual knowledge, and within 24 hours of detection where operationally feasible (consistent with the EU Digital Services Act and good industry practice).
  • Hashing for cross-platform protection. Where a novel CSAM image is identified (i.e., not previously hashed in the NCMEC database), JamStream may submit it through NCMEC's hash-sharing program so that other platforms can detect future uploads of the same image.
  • Cooperation with law enforcement. JamStream cooperates fully with law enforcement investigations and responds to lawful preservation requests, subpoenas, court orders, and warrants in accordance with applicable U.S., Israeli, EU, UK, and other jurisdictional process.
  • No restoration. Accounts terminated for CSAM are not eligible for appeal or restoration. CSAM is the single category of Terms violation for which the appeal pathway in Section 15 of the Terms does not apply.
  • Forfeiture. All Coins, earnings, pending Payouts, and any other Account assets are forfeited per Sections 8.6 and 8.7 of the Terms upon termination for CSAM.

Federal criminal nature. Possession, distribution, and production of CSAM are federal crimes in the United States (18 U.S.C. §§ 2251, 2252, 2252A) and serious offenses under the Israeli Penal Law (§§ 214, 214B), the UK Protection of Children Act 1978 and Criminal Justice Act 1988, EU Member State equivalents, and laws in essentially every jurisdiction worldwide. JamStream's mandatory reporting protects children, supports criminal investigation, and is not waivable by any user.

8a.4 Privacy of the reporting process — protections for the falsely accused

JamStream takes seriously the possibility of false-positive matches (which are statistically rare but possible due to perceptual-hash collisions or database errors). Specifically: (i) automated PhotoDNA matches are flagged for human review by JamStream's trust-and-safety team before any NCMEC report is filed; (ii) the JamStream reviewer's role is limited to confirming that the matched image is what the hash indicated; (iii) confirmed false positives result in no NCMEC report and no account action; (iv) any user who believes their account was suspended in error may contact abuse@jamstream.live for review (note: NCMEC reports, once filed, cannot be retracted by JamStream as a matter of federal law, and JamStream's review process is designed to prevent erroneous filings, not to undo them after the fact).

8a.5 Data minimization and retention specific to safety scanning

  • Hashes vs. images. PhotoDNA receives hashes only; the underlying images are processed on JamStream's servers and not transmitted to PhotoDNA in their original form.
  • Match results. PhotoDNA match results (positive/negative) are retained in JamStream's moderation logs for the duration of the moderation record retention period (Section 7 of this Privacy Policy — currently 5 years from incident).
  • Negative results. Negative-match results are not retained at the per-image level; only aggregate counts are retained for reporting and audit purposes.
  • Reported content. Where content has been reported to NCMEC, JamStream retains the content and associated records as required by 18 U.S.C. § 2258A(h) (90 days, extendable) and any longer period imposed by law enforcement preservation requests, court orders, or legal holds.
  • Permanent CSAM-report records. The fact that a NCMEC report was filed, the report number assigned by NCMEC, and the associated Account identifiers are retained permanently as part of JamStream's legal-defense record. This permanent retention is the minimum necessary to demonstrate compliance with 18 U.S.C. § 2258A and to respond to future law enforcement inquiries; it is the JamStream-side counterpart to the federally mandated reporting pathway.

8a.6 Your rights regarding safety scanning

The following data subject rights apply, with the noted limitations specific to safety-scanning data:

  • Right to access. You may request access to data JamStream holds about you, including moderation records relating to your Account. JamStream may withhold access to specific moderation records where disclosure would (i) reveal the identity of a reporter or fellow user, (ii) prejudice an ongoing investigation, (iii) prejudice law enforcement cooperation, (iv) be inconsistent with 18 U.S.C. § 2258A(h)(2) or analogous legal restrictions, or (v) compromise platform-wide moderation methodology.
  • Right to erasure. The right to erasure (GDPR Art. 17, Israeli PPL §13F, CCPA/CPRA "right to delete," and equivalents) is subject to the legal-obligation exception (GDPR Art. 17(3)(b), CCPA §1798.105(d)(8), Israeli PPL §13G). Records preserved under 18 U.S.C. § 2258A and other mandatory-reporting laws cannot be deleted on request and will be retained for as long as required by applicable law.
  • Right to object to automated processing. Where JamStream relies on legitimate interests for safety scanning, you may object to that processing under GDPR Art. 21. JamStream will evaluate the objection but anticipates that compelling legitimate grounds — protection of children and platform safety — will generally override an individual user's objection. Note: PhotoDNA scanning is conducted under legal obligation, not legitimate interests, and is therefore not subject to the right to object.
  • Right to lodge a complaint. You may complain to the supervisory authority of your jurisdiction (see Section 22 of this Privacy Policy for contact details).

8a.7 Where the scanning happens (sub-processors)

The processors involved in safety scanning are listed in Section 6.2 of this Privacy Policy. PhotoDNA Cloud Service is provided by Microsoft Corporation under the Microsoft PhotoDNA Cloud Service Terms; submitting hashes to PhotoDNA does not constitute a transfer of identified personal data, but to the extent any associated metadata (e.g., a JamStream customer reference) constitutes personal data under applicable law, the transfer is covered by Microsoft's Data Protection Addendum and Standard Contractual Clauses where required.

8a.8 Children's safety and the 18+ requirement

JamStream is a strictly 18+ platform (Section 3 of the Terms; Section 10 of this Privacy Policy). The combination of date-of-birth verification at registration, phone-number verification before access to live features, server-side enforcement of underage rejection (Cloud Function enforceAgeVerification), and the safety-scanning regime described in this Section 8a is JamStream's defense-in-depth approach to keeping minors off the platform and to protecting any minor who improperly bypasses the gate. If you become aware of a minor on the platform, please report immediately to safety@jamstream.live.

9. Your Privacy Rights

Subject to applicable law, you have the following rights regarding your personal information. To exercise any right, contact privacy@jamstream.live. We will respond within 30 days (or within 1 month under GDPR, extendable to 3 months for complex requests).

Right | What It Means | Available To
Right of Access | Request a copy of all personal data we hold about you | All users
Right to Rectification | Request correction of inaccurate or incomplete data | All users
Right to Erasure | Request deletion of your personal data (subject to legal retention requirements) | All users
Right to Data Portability | Receive your data in a structured, machine-readable format | GDPR/CCPA users
Right to Restriction | Restrict our processing in certain circumstances | GDPR users
Right to Object | Object to processing based on legitimate interests | GDPR users
Right to Withdraw Consent | Withdraw consent for consent-based processing at any time | All users (where applicable)
Right to Non-Discrimination | Not be discriminated against for exercising rights | CCPA users
Right to Opt-Out of Sale | JamStream does not sell data — no opt-out needed | CCPA users
Right to Lodge Complaint | Complain to a supervisory authority | GDPR/UK GDPR users

We may need to verify your identity before processing requests. We will not charge fees for reasonable requests. We may decline requests that are manifestly unfounded, excessive, or where fulfillment would violate applicable law or the rights of others.

10. Children's Privacy — 18+ Platform

JamStream is strictly an 18+ platform. We do not permit, target, or knowingly collect personal data from anyone under the age of 18. This is an absolute restriction with no exceptions.

  • Minimum age is 18, globally. We do not apply lower ages-of-consent from any jurisdiction. The 18+ rule is universal;
  • We do not knowingly collect personal data from any person under 18. Date of birth is required at registration and is verified technically by the platform;
  • If we discover an Account belonging to a person under 18, we will immediately terminate the Account and delete all associated personal data;
  • Parents or guardians who believe a minor has registered should contact privacy@jamstream.live — we will promptly delete such data and terminate the Account;
  • We comply with COPPA (US, no under-13 data), GDPR Article 8 (EU, 18+ requirement exceeds the 16-year GDPR minimum), UK Children's Code, and equivalent Israeli regulations;
  • We do not target any advertising or communications at minors, as no minors are permitted on the Service.

11. International Data Transfers

JamStream is based in Israel. Israel has received an adequacy decision from the European Commission, meaning transfers of EU/EEA personal data to Israel are lawful without additional safeguards. For transfers to countries without adequacy decisions (primarily through our third-party processors such as Google and Cloudflare), we rely on:

  • European Commission Standard Contractual Clauses (SCCs) — Module 2 (controller to processor);
  • Processor agreements that include appropriate supplementary measures where required;
  • Other valid transfer mechanisms under applicable law.

You may request information about transfer mechanisms by contacting privacy@jamstream.live.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA") grants you the rights set forth in this section, in addition to other rights described herein.

12.1 Categories of Personal Information We Collect (CCPA Categories)

CCPA Category | Collected? | Examples in Our Service
A. Identifiers | Yes | Username, display name, email address, IP address, Firebase Auth uid
B. Customer Records (Cal. Civ. Code § 1798.80(e)) | Yes | Phone number, PayPal email (for payouts only)
C. Protected Classifications | Limited | Date of birth (for 18+ verification only — not used for any other purpose)
D. Commercial Information | Yes | Coin purchases, Concert ticket purchases, Tip/Gift transactions, payout requests
E. Biometric Information | No | We do not capture voiceprints or biometric templates (see §2.4a)
F. Internet/Network Activity | Yes | Pages accessed, features used, error logs, WebRTC metadata
G. Geolocation Data | Yes (precise: No) | City/country level only, derived from IP. We do not collect GPS-precise location.
H. Sensory Data (Audio) | No retention | Live audio is peer-to-peer encrypted and not retained by JamStream (see §2.4)
I. Professional/Employment Information | Optional | Self-reported in profile bio if user chooses
J. Education Information | No | Not collected
K. Inferences | Limited | For Service-internal anti-fraud and recommendation logic only — no profile-building for targeted advertising
L. Sensitive Personal Information (CPRA) | Limited | Account credentials (login). We do not collect SSN, driver's license, financial account numbers, precise geolocation, racial/ethnic origin, religion, sexual orientation, genetic data, or contents of mail/email/SMS.

12.2 Sources, Purposes, and Recipients

Sources: Directly from you (registration, in-Service activity); from your devices (browser, OS, network); from third-party services you connect (PayPal — only the data PayPal sends back to us for transaction reconciliation).

Business purposes: Service provision; account security; fraud prevention; legal compliance; tax/AML reporting; analytics for service improvement; mandatory safety reporting (CSAM, sex trafficking, NCII).

Recipients: Service providers / processors listed in §6.2; law enforcement and government authorities where required by law; successor entities in business transfers (§6.5).

12.3 Your CCPA/CPRA Rights

  • Right to Know (Categories): Categories of personal information collected in the last 12 months, sources, business purposes, and categories of third parties shared with — see this Section.
  • Right to Know (Specific Data): Specific pieces of personal information we hold about you. Submit a request to privacy@jamstream.live; we will respond within 45 days (extendable by 45 days with notice and reason).
  • Right to Delete: Deletion of personal information, subject to retention exceptions in §7 (legal compliance, fraud prevention, claim defense, etc.).
  • Right to Correct (CPRA): Correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: JamStream does not sell personal information for monetary or other valuable consideration. JamStream does not "share" personal information for cross-context behavioral advertising as defined in CPRA. No opt-out is required because no sale or sharing occurs. JamStream maintains the technical capability to honor a "Do Not Sell or Share My Personal Information" request via Global Privacy Control (GPC) signal in the event our practices ever change.
  • Right to Limit Use of Sensitive Personal Information (CPRA): We use sensitive personal information (account credentials) only as necessary for Service provision and security. We do not use it for inference, profiling, or any secondary purpose; therefore no limitation election is needed.
  • Right to Non-Discrimination: We will not retaliate, deny service, charge differently, or provide a different level of service because you exercised CCPA rights.
  • Right to Opt Out of Automated Decision-Making (CCPA Reg. effective 2025): JamStream does not engage in solely-automated decision-making that produces legal or similarly significant effects on California consumers. Account moderation actions involve human review at the discretion stage; algorithmic flagging is advisory only.
  • "Shine the Light" (Cal. Civ. Code § 1798.83): We do not disclose personal information to third parties for their own direct marketing purposes.
  • Authorized Agent: You may designate an authorized agent to submit requests on your behalf with verified written authorization.
  • Children Under 16 (CPRA): Not applicable — JamStream is strictly 18+.

How to exercise: Submit California rights requests to privacy@jamstream.live with subject line "CCPA REQUEST" and a clear description of the right you wish to exercise. We will verify your identity using two pieces of personal information you provided to us. Verification protects against impersonation. We will respond within 45 days (extendable by 45 days with notice).

12.4 California "Eraser Button" (Cal. Bus. & Prof. Code § 22581)

Not applicable — this provision protects users who registered as minors. JamStream does not permit minor accounts.

13. EU/EEA Users — GDPR Rights

If you are in the European Union or European Economic Area, you are protected by the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). In addition to the rights listed in §9, you have:

  • Right of Access (Art. 15): Confirmation whether we process your data, and a copy of that data.
  • Right to Rectification (Art. 16): Correction of inaccurate or incomplete data.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): Subject to exceptions, including JamStream's legal-compliance retention obligations under §7 (tax records, AML, dispute defense, evidence preservation in active investigations).
  • Right to Restriction (Art. 18): In specified circumstances.
  • Right to Data Portability (Art. 20): A copy of your data in a structured, machine-readable format, where processing is based on consent or contract.
  • Right to Object (Art. 21): Object to processing based on legitimate interests; we will assess each objection individually (LIA documentation per §16a available on request).
  • Rights Related to Automated Decision-Making (Art. 22): JamStream does not subject users to solely-automated decisions that produce legal or similarly significant effects without meaningful human involvement. Account moderation incorporates human review.
  • Right to Withdraw Consent (Art. 7): Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of pre-withdrawal processing.
  • Right to Lodge a Complaint: With the supervisory authority of your habitual residence, place of work, or place of alleged infringement. List of EU DPAs: edpb.europa.eu.

Article 17 vs. Evidence Preservation. Where you exercise the Right to Erasure but JamStream is subject to a legal hold, criminal investigation, ongoing AML/sanctions review, or active legal proceedings involving your data, JamStream will retain the strictly necessary data under the GDPR Article 17(3)(b) (legal obligation) or 17(3)(e) (legal claims) exceptions. Affected data will be restricted from active processing per Art. 18 and used only for the qualifying purpose.

EU Representative (Article 27 GDPR). Effective May 25, 2026, JamStream has appointed iuro Rechtsanwälte GmbH t/a Prighter as its representative in the European Union under Article 27 of the EU General Data Protection Regulation. Although JamStream's processing scale does not currently mandate appointment (Israel benefits from a Commission adequacy decision and processing remains pre-launch and small-scale), the Representative is appointed proactively to provide EU data subjects and supervisory authorities a single, frictionless point of contact for all matters under GDPR. Contact details: iuro Rechtsanwälte GmbH t/a Prighter, Schellinggasse 3, 1010 Vienna, Austria. Use the dedicated inquiry portal at app.prighter.com/portal/jamstream (Prighter Client ID: 16835533678). Inquiries received by Prighter are forwarded to and answered by JamStream within statutory response times. The appointment is reviewed annually and on each material change of processing scale.

14. UK Users — UK GDPR

If you are in the United Kingdom, you are protected by the UK General Data Protection Regulation and the Data Protection Act 2018. Your rights are equivalent to those under GDPR (Section 13 above). UK-specific points:

  • Complaint authority: Information Commissioner's Office (ICO), ico.org.uk.
  • International transfers: JamStream relies on the UK Addendum to the EU SCCs and adequacy regulations as appropriate.
  • UK Children's Code: Not applicable in operational terms because JamStream is strictly 18+. Still observed as design philosophy.
  • UK Representative (Article 27 UK GDPR). Effective May 25, 2026, JamStream has appointed Prighter Ltd as its representative in the United Kingdom under Article 27 of the UK GDPR. Inquiries from UK data subjects and the Information Commissioner's Office may be directed to the dedicated portal at app.prighter.com/portal/jamstream (Prighter Client ID: 16835533678). Inquiries are forwarded to JamStream and answered within statutory response times. The appointment is reviewed annually.

15. Israeli Users — Protection of Privacy Law (as amended)

Israeli users are protected by the Protection of Privacy Law, 5741-1981 ("PPL") as amended by Amendment No. 13 (effective August 2025), the Protection of Privacy Regulations (Data Security), 5777-2017, and Privacy Protection Authority guidance. Your rights:

  • Right to Inspect (§13). Receive information held about you in any registered database.
  • Right to Correct (§14). Correct inaccurate, incomplete, unclear, or outdated personal data.
  • Right to Object to Direct-Marketing Processing. JamStream does not engage in mass direct marketing; you may opt out of any marketing email per §19.
  • Right to Lodge Complaint: Privacy Protection Authority of Israel (PPA, gov.il/PPA).

Database registration. JamStream maintains a database of users and is registered as required under the PPL where threshold criteria are met. Database registration details available on request.

Privacy Protection Officer. JamStream's Privacy Protection Officer per the PPL Amendment 13 is reachable at privacy@jamstream.live. Officer functions: monitoring compliance with the PPL and Regulations; advising the data controller; serving as the contact point for the PPA and for data subjects exercising rights.

Cross-border transfers. Transfers from Israel to non-EU/EEA countries are made under PPL Regulations (Transfer of Data Abroad), 5761-2001, relying on appropriate safeguards (SCCs, processor contractual obligations, or transfers to adequate countries).

Israeli Consumer Protection Law 5741-1981 — privacy interface. Where data processing intersects with consumer protection (e.g., spending limits, dark-pattern prohibitions), JamStream observes the parallel obligations under that law.

16. Brazilian Users — LGPD

Brazilian users are protected by the Lei Geral de Proteção de Dados (LGPD, Law 13,709/2018). You have the right to: confirm whether we process your data; access your data; correct incomplete or inaccurate data; anonymize, block, or delete unnecessary data; request data portability; be informed of third parties with whom we share data; withdraw consent; and lodge complaints with the ANPD. Contact privacy@jamstream.live to exercise rights.

17. Other Jurisdictions

  • Canada (PIPEDA/CPPA): You have rights to access and correct personal information. Contact privacy@jamstream.live.
  • Australia (Privacy Act 1988): Contact privacy@jamstream.live. Lodge complaints with the OAIC (oaic.gov.au). JamStream complies with the Online Safety Amendment (Social Media Minimum Age) Act 2024 via its 18+ age requirement.
  • India (DPDPA 2023): Indian users have rights to access, correct, and erase personal data, to nominate a representative, and to lodge grievances. Contact privacy@jamstream.live. JamStream will appoint a local India representative if required by applicable threshold regulations.
  • South Korea (PIPA): Korean users have rights under the Personal Information Protection Act. JamStream processes Korean users' data on the basis of contractual necessity and consent. Contact privacy@jamstream.live.
  • Japan (APPI): Japanese users have rights under the Act on Protection of Personal Information. Contact privacy@jamstream.live.
  • Other jurisdictions: We comply with applicable local privacy laws. Contact privacy@jamstream.live for jurisdiction-specific information.

16a. GDPR Legitimate Interests — Processing Documentation

Where JamStream processes personal data on the legal basis of legitimate interests under GDPR Article 6(1)(f), JamStream has conducted Legitimate Interests Assessments (LIAs) for: (a) platform safety and fraud prevention; (b) aggregate analytics for service improvement; (c) security monitoring (server logs, infrastructure); (d) legal defense (moderation records, legal claims). LIA summaries are available on request at privacy@jamstream.live. Users may object to legitimate-interest processing under GDPR Article 21 by contacting privacy@jamstream.live — each objection will be assessed individually.

17a. Platform Design and User Wellbeing

JamStream does not employ design features specifically intended to maximize engagement through psychological manipulation or to create compulsive usage. We do not: build psychological profiles for the purpose of increasing compulsive use; use variable reward mechanisms to exploit psychological vulnerabilities for retention; or employ dark patterns to override users' rational agency. Usage data we collect (see Section 2.2) is used to improve Service performance and features, not to engineer addictive behavioral patterns. If you are concerned about your usage of the Service, you may restrict or delete your Account at any time by contacting support@jamstream.live.

18. Cookies and Tracking Technologies

JamStream uses browser localStorage and session technologies. We do not use third-party advertising cookies, cross-site tracking cookies, or cookies for behavioral advertising. We do not sell cookie data. The following table describes every tracking technology we use:

Type | Technology | Purpose | Can You Opt Out?
Essential / Functional | Firebase Auth (localStorage, IndexedDB) | Authentication tokens, session management, login state. Without this the Service cannot function. | No — required for Service
Functional | Browser localStorage (key prefix: kj_) | Remembering UI preferences (audio mode, piano dock state, microphone device selection). No personal data transmitted to servers. | Partial — clearing browser data removes these
Functional | Browser localStorage (key: kj_cookie_consent) | Storing your cookie consent choice so we do not show the banner on every visit. | Yes — clearing localStorage resets this
Analytics / Error Tracking (Consent-Based) | Sentry (EU region, ingest.de.sentry.io) | Sentry is enabled only with your consent. If you select "Essential only" in Cookie Preferences, Sentry is disabled entirely and no error data is sent. When enabled, error reports include your user ID and browser details for debugging. This requires consent per guidance from German and French DPAs (2024) under GDPR/ePrivacy Directive. | Yes — select "Essential only" to disable entirely
Typography | Google Fonts (fonts.googleapis.com) | Loading the Quicksand, Inter, and Caveat typefaces. Google receives your IP address when fonts are loaded. See Google's Privacy Policy. | No — no personal data stored by us

We do not currently use Google Analytics, Facebook Pixel, TikTok Pixel, or any other third-party analytics or advertising platform. If this changes, we will update this Policy and seek fresh consent where required.

18a. Cookie Consent, Your Choices, and the Right to Withdraw

In compliance with the GDPR, ePrivacy Directive, Israeli Protection of Privacy Law, and equivalent laws, JamStream provides a clear, prominent consent mechanism for non-essential cookies. Our implementation ensures: (a) accepting and rejecting non-essential cookies is equally easy and prominent — we do not use dark patterns; (b) consent is freely given, specific, informed, and unambiguous before any non-essential tracking occurs; (c) essential technologies (required for authentication and Service functionality) cannot be disabled without preventing Service use — we disclose this clearly; (d) you may change or withdraw your consent at any time without detriment.

How to manage your cookie preferences: You may update your choices at any time by clicking the "🍪 Cookie Preferences" link in the footer of any page, or by clearing your browser's localStorage data. You may also contact privacy@jamstream.live. Note that withdrawing consent for essential cookies will prevent you from using the Service, as authentication requires them.

19. Marketing Communications

JamStream may send you promotional communications about new features, events, updates, or offers only with your prior consent (where required by applicable law). You may opt out of marketing emails at any time by: clicking the "unsubscribe" link in any email; or emailing privacy@jamstream.live. Opting out of marketing does not affect transactional communications essential to your Account (security alerts, billing confirmations, etc.).

20. Third-Party Links and Services

The Service may contain links to or integrations with third-party websites, applications, or services. This Policy does not apply to those third parties. We are not responsible for third parties' privacy practices, content, or security. We encourage you to review the privacy policies of any third-party services before providing personal information to them.

21. Changes to This Privacy Policy

We may update this Policy at any time to reflect changes in law, technology, or our data practices. We will notify you of material changes by: (a) posting the updated Policy with a revised "Last Updated" date; (b) displaying a prominent notice in the Service; and (c) where required by law, seeking your affirmative consent before the change takes effect. Your continued use of the Service after changes are effective constitutes acceptance of the updated Policy. If you do not accept the updated Policy, you must stop using the Service and may close your Account.

23. Additional Disclosures (v4.2)

This Section consolidates additional disclosures introduced in v4.2 to align this Policy with the Terms of Service v4.2 and to address evolving global privacy and data-protection law.

23.1 Audio Recording for Safety, Investigation, and Legal Compliance

Although JamStream's design principle is to not retain live-audio content as a routine matter (see Privacy Policy §2.4 and Terms §11.8), JamStream may record, retain, or transcribe live-audio content from a Room, Battle, or Concert in the limited circumstances described in Terms §25.2 — namely, in response to user reports of serious misconduct, valid legal process, automated high-confidence flags for prohibited material, or imminent harm. Lawful basis: legal obligation under 18 U.S.C. § 2258A, EU Digital Services Act Art. 18, UK Online Safety Act 2023, and analogous statutes; legitimate interests in safety and Terms enforcement; vital interests in life-safety emergencies. Retention: only as long as necessary for the investigation, plus statutory minimum periods where applicable. Recipients: JamStream's safety and legal teams; appropriate processors under data-processing agreements; law enforcement and regulators only pursuant to valid legal process. Your rights: as described in §9 of this Policy, subject to limitations applicable to data processed for legal-obligation and vital-interest purposes.

23.2 Multi-State and International Biometric and Voice-Data Coverage

JamStream does not knowingly process voice data as a biometric identifier and applies the safeguards described in §2.4a regardless of jurisdiction. We provide notice of compliance posture under: Texas CUBI; Washington Biometric Privacy Act; New York SHIELD Act biometric provisions; the biometric/sensitive-data provisions of the Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Maryland Online Data Privacy Act, Minnesota Consumer Data Privacy Act, Montana Consumer Data Privacy Act, New Hampshire Privacy Act, New Jersey Data Privacy Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, and any subsequently enacted state laws of similar character; UK Data Protection Act 2018 special-category data; Israeli Protection of Privacy Law as amended; Brazilian LGPD Art. 11; South Korean PIPA biometric data; Indian DPDP Act sensitive personal data. JamStream's voice processing is limited to real-time peer-to-peer transmission, audio-mixer routing, opt-in safety-flag detection, and the limited safety-recording described in §23.1.

23.3 EU GDPR Article 6 Lawful-Basis Map

For EU/EEA users, the following lawful bases apply (consistent with §4 of this Policy and Terms §25.14):

  • (a) Performance of contract (Art. 6(1)(b)) — Account creation, Service delivery, payment processing, payout fulfillment, customer support;
  • (b) Legal obligation (Art. 6(1)(c)) — CSAM hash-scanning, AML/sanctions screening, tax record retention, response to legal process;
  • (c) Legitimate interests (Art. 6(1)(f)) — fraud prevention, account security, abuse moderation, ban-evasion detection, analytics, product improvement;
  • (d) Consent (Art. 6(1)(a)) — non-essential cookies, marketing communications, optional features (cinema-mode recording), voluntary biometric/voice opt-in;
  • (e) Vital interests (Art. 6(1)(d)) — emergency intervention;
  • (f) Public interest (Art. 6(1)(e)) — limited cooperation with regulators on CSAM/terrorism/child-safety.

Special-category data under Art. 9 is processed only with explicit consent (Art. 9(2)(a)) or under another applicable Art. 9 condition (such as Art. 9(2)(g) substantial public interest for CSAM detection).

23.4 Cross-Border Legal Process — MLAT and Direct Service

JamStream's data is held under the laws of the State of Israel. Foreign legal process is generally received and processed through the Mutual Legal Assistance Treaty (MLAT) framework or other recognized international cooperation channel. JamStream may, at its sole discretion, voluntarily comply with foreign legal process where the request meets Israeli legal standards, does not violate Israeli or applicable EU/UK data-protection law, and specifically identifies the data sought. Users acknowledge that JamStream's data may be subject to Israeli legal process at any time. JamStream commits to publishing aggregate transparency reporting on legal-process volume on a periodic basis, subject to law enforcement non-disclosure obligations.

23.5 AI / Machine-Learning Training Disclosure

JamStream does not use User Content (including voice, music performances, photos, chat messages, or other identifiable User Content) to train artificial intelligence or machine-learning models for voice synthesis, music generation, or other generative purposes, except: (a) for the limited safety-classifier purposes described in §8a (e.g., detecting CSAM, abusive content, or prohibited speech), where automated systems are necessary to comply with safety obligations; (b) for aggregated, de-identified product-improvement analytics that cannot be reasonably re-identified; and (c) where a user has affirmatively opted in to a specific feature that uses User Content for AI/ML purposes (no such feature exists at the v4.2 Effective Date). JamStream does not sell or license User Content for third-party AI/ML training. JamStream's third-party processors are contractually required to apply equivalent restrictions.

23.6 Pseudonymous Litigation Acknowledgment

Where a user pursues a legal claim against JamStream involving sensitive subject matter (e.g., sexual harassment, sexual abuse, child safety, intimate-imagery exposure, or stalking), JamStream's general policy is to not oppose a good-faith motion to proceed pseudonymously, except where JamStream's defense is materially impaired or governing law does not permit such proceedings (see Terms §25.10). This Section does not constitute a substantive admission and does not affect any other procedural right.

23.7 Israeli Mandatory Privacy Law Prevails for Israeli Residents

For users resident in the State of Israel, the Protection of Privacy Law, 5741-1981, as amended (including the recent biometric and database-registration amendments), and any subsequently enacted Israeli mandatory privacy or data-protection statute, prevail over any conflicting provision of this Policy to the extent the statute provides a non-waivable right. Where a provision of this Policy is held by an Israeli authority to be inconsistent with mandatory Israeli law, the provision shall be construed and applied to the maximum extent consistent with Israeli law, or, if not so possible, severed.

23.8 Right to Submit a Complaint

If you believe your privacy rights have been violated by JamStream, you have the right to lodge a complaint with the relevant supervisory authority, including but not limited to:

  • Israel — the Israeli Privacy Protection Authority (Reshut Hahaganah Al Hapratiyut, גנת המידע)
  • EU/EEA — your local Data Protection Authority
  • UK — the Information Commissioner's Office (ICO)
  • California — the California Privacy Protection Agency (CPPA) or Attorney General
  • Brazil — Autoridade Nacional de Proteção de Dados (ANPD)
  • Other jurisdictions — your local supervisory authority

We encourage you to contact us first at privacy@jamstream.live so we may attempt to resolve your concern directly.

23.9 Limitations of This Document

JamStream does not represent that this Policy is exhaustive or that any particular legal result will be achieved by this Policy in any particular jurisdiction. JamStream's policy is to draft this Policy in good faith, in plain language to the extent practicable, and to update it regularly as law evolves. Users should consult their own legal counsel for advice specific to their circumstances.

22. Contact and Complaints

For all privacy questions, data access requests, deletion requests, or complaints:

  • Email: privacy@jamstream.live
  • Postal: ג'אמסטרים בע"מ (JAMSTREAM LTD) · ח.פ. 517333407 · Havatselet 6, Kiryat Yam, Israel

We will acknowledge receipt within 5 business days and provide a substantive response within 30 days (or within applicable legal deadlines). If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in your jurisdiction.

This Privacy Policy was last reviewed and updated May 1, 2026. JamStream is committed to the highest standards of data protection. For questions, contact privacy@jamstream.live.

Disclaimer: This Policy is designed to be comprehensive but does not constitute legal advice. JamStream recommends periodic review by a qualified data protection attorney.