Trust is the foundation of the Jamgo platform and includes trusting us to do the right thing with your information. Three main values guide us as we develop our products and services. These values should help you better understand how we think about your information and privacy.
Your information belongs to you
We carefully analyze what types of information we need to provide our services, and we try to limit the information we collect to only what we really need. Where possible, we delete or anonymize this information when we no longer need it. When building and improving our products, our engineers work closely with our privacy and security teams to build with privacy in mind. In all of this work our guiding principle is that your information belongs to you, and we aim to only use your information to your benefit.
We protect your information from others
If a third party requests your personal information, we will refuse to share it unless you give us permission or we are legally required. When we are legally required to share your personal information, we will tell you in advance, unless we are legally forbidden.
We help merchants and partners meet their privacy obligations
Many of the merchants and partners using Jamgo do not have the benefit of a dedicated privacy team, and it is important to us to help them meet their privacy obligations. To do this, we try to build our products and services so they can easily be used in a privacy-friendly way. We also provide detailed FAQs, documentation and whitepapers covering the most important privacy topics, and respond to privacy-related questions we receive.
We generally process your information when we need to do so to fulfill a contractual obligation (for example, to process your subscription payments to use the Jamgo platform), or where we or someone we work with needs to use your personal information for a reason related to their business (for example, to provide you with a service). The United Arab Emirates (“UAE”) does not have a comprehensive data protection law at its federal level, however there are a number laws in place that govern privacy law in the UAE, as well as laws that also relate to data security. There are also sector specific data protection provisions in certain laws. The UAE also has a number of special economic or sector free zones, three of which have specific data protection laws.
In addition; there are several UAE federal level laws that contain various provisions in relation to privacy and the protection of personal data:
The Data Protection Act 2018 controls how your personal information is used by organizations, businesses or the government.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
Everyone responsible for using personal data has to follow strict rules called “data protection principles”. They must make sure the information is:
There is stronger legal protection for more sensitive information, such as:
There are separate safeguards for personal data relating to criminal convictions and offences.
Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:
You also have rights when an organization is using your personal data for:
Unless a data subject has provided informed consent to data processing for one or more purposes, personal data may not be processed unless there is at least one legal basis to do so. Article 6 states the lawful purposes are:
(a) If the data subject has given consent to the processing of his or her personal data;
(b) To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
(c) To comply with a data controller's legal obligations;
(d) To protect the vital interests of a data subject or another individual;
(e) To perform a task in the public interest or in official authority;
(f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).
If informed consent is used as the lawful basis for processing, consent must have been explicit for data collected and each purpose data is used for (Article 7; defined in Article 4). Consent must be a specific, freely-given, plainly-worded,and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely-given. (Recital 32)
Data subjects must be allowed to withdraw this consent at any time, and the process of doing so must not be harder than it was to opt in. (Article 7(3)) A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service. (Article 7(4)) Consent for children, defined in the regulation as being less than 16 years old (although with the option for member states to individually make it as low as 13 years old (Article 8(1)), must be given by the child's parent or custodian, and verifiable (Article 8).
If consent to processing was already provided under the Data Protection Directive, a data controller does not have to re-obtain consent if the processing is documented and obtained in compliance with the GDPR's requirements (Recital 171).
In addition to federal laws and regulations, the US has hundreds of data privacy and data security laws among its states, territories, and localities. Currently, 25 US state attorney general’s oversee data privacy laws governing the collection, storage, safeguarding, disposal, and use of personal data collected from their residents, especially regarding data breach notifications and the security of Social Security numbers. Some apply only to governmental entities, some apply only to private entities, and some apply to both.
The Data Protection Law outlines a similar framework to the European data protection system within the framework of:
In addition, secondary legislation in the form of regulations and communications further outline how Turkey's data protection regime operates in practice.
Key regulations include:
Currently, there is no data protection law in Libya. However, Articles 12 and 13 of the Constitution 2011 guarantee the right to a private life for citizens and the confidentiality of correspondence, telephonic conversations and other forms of communications except where required by a judicial warrant respectively.
We only process personal information for users after considering the potential risks to your privacy—for example, by providing clear transparency into our privacy practices, offering you control over your personal information where appropriate, limiting the information we keep, limiting what we do with your information, who we send your information to, how long we keep your information, or the technical measures we use to protect your information.
We believe you should be able to access and control your personal information no matter where you live. Depending on how you use Jamgo, you may have the right to request access to, correct, amend, delete, port to another service provider, restrict, or object to certain uses of your personal information (for example, direct marketing). We will not charge you more or provide you with a different level of service if you exercise any of these rights.
If you buy something from a Jamgo website and wish to exercise these rights over information about your purchase, you need to directly contact the merchant you interacted with. We are only a processor on their behalf, and cannot decide how to process their information. As such, we can only forward your request to them to allow them to respond. We will of course help our merchants to fulfill these requests by giving them the tools to do so and by answering their questions.
Please note that if you send us a request relating to your personal information, we have to make sure that it is you before we can respond. In order to do so, we may ask to see documentation verifying your identity, which we will discard after verification.
If you would like to designate an authorized agent to exercise your rights for you, please email us from the email address we have on file for you. If you email us from a different email address, we cannot determine if the request is coming from you and will not be able to accommodate your request. In your email, please include the name and email address of your authorized agent.
If you are not happy with our response to a request, you can contact us to resolve the issue. You also have the right to contact your local data protection or privacy authority at any time.
Finally, because there is no common understanding about what a “Do Not Track” signal is supposed to mean, we don’t respond to those signals in any particular way.
We are a Middle Eastern company, but we work with and process data about individuals across the world. To operate our business, we may send your personal information outside of your state, province, or country, including to the MENA region. This data may be subject to the laws of the countries where we send it. When we send your information across borders, we take steps to protect your information, and we try to only send your information to countries that have strong data protection laws. If you would like more information about where your information might be sent, please contact us.
With the General Data Protection Regulation (GDPR), the EU is leading the charge on data privacy and protection, and the feeling in the MENA region is that it would be a positive move for nations to introduce specific, local data protection laws to follow the GDPR. A Middle East-wide data protection model law or framework would be considered to benefit both the countries and consumers at large; however, the opportunity for regional interoperability is not being leveraged at present.
Across the Gulf Cooperation Council (GCC) countries, jurisdictions like Bahrain and the UAE Free Zones of the DIFC and ADGM are leading the way, with robust data protection laws on the statute books. These laws are all heavily influenced by EU 1995 Data Protection Directive (1995 Directive)
Transfers outside of MENA Region
If you are in MENA Region, your personal information is controlled by Jamsam Information Technology. Your information is then sent to other locations and to service providers who may be located in other regions, including Dubai (where we are based) and the MENA region. When we send your personal information outside of MENA Region, we do so in accordance with MENA law.
Our teams work tirelessly to protect your information, and to ensure the security and integrity of our platform. We also have independent auditors assess the security of our data storage and systems that process financial information. However, we all know that no method of transmission over the Internet, and method of electronic storage, can be 100% secure. This means we cannot guarantee the absolute security of your personal information. You can find more information about our security measures at https://jamgo.io/.
If you would like to ask about, make a request relating to, or complain about how we process your personal information, you can contact us by email at privacy [at] Jamgo.io, or at one of the addresses below.