Privacy Policy
Last Updated: June 13, 2026
This Privacy Policy (the “Policy”) applies to all users of https://www.jarmelo.com (the “Site”), including visitors, registered users, users logging in via email, and users logging in with Google Sign-In. This Policy governs how we collect, use, store, transfer, and protect your personal data, and complies with the following regulations:
• General Data Protection Regulation (GDPR) – Applicable to all users residing in the European Union (EU) and European Economic Area (EEA);
• California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) – Applicable to all users residing in the State of California, United States;
• Children’s Online Privacy Protection Act (COPPA) – Applicable to users under 13 years of age in the United States.
By accessing or using the Site, including registering an account or logging in, you acknowledge that you have read, understood, and agreed to the practices described in this Policy.
1. Data Controller Information
The data controller responsible for your personal data is: jarmelo.com
For general privacy inquiries, please contact: contacts@jarmelokids.com
For parental requests related to COPPA (e.g., reviewing, modifying, or deleting a child’s data), please contact our dedicated parent support email: contacts@jarmelokids.com
For users in the EU/EEA, you may also file a complaint with your local data protection authority (DPA) if you believe your privacy rights have been violated.
2. Information We Collect (Data Minimization Principle)
We strictly adhere to the data minimization principle and only collect personal data that is necessary for providing, maintaining, and securing our services. We do not collect any unnecessary personal information, such as phone numbers, physical addresses, advertising IDs, precise location data, or biometric data.
2.1 Personal Data You Voluntarily Provide
• Email Login: Valid email address and encrypted password (not stored in plain text);
• Google Sign-In: Basic Google account information, including email address, display name, and unique Google OpenID (only the minimum data required for authentication);
• Children Under 13 (COPPA): Parent or legal guardian’s email address (for verifiable parental consent).
2.2 Automatically Collected Technical Data
When you access or use the Site, we may automatically collect limited technical data to ensure service stability and security, including:
• IP address;
• Browser type and version;
• Device information (e.g., device type, operating system);
• Login timestamp and access logs;
• Security audit records (for fraud prevention and account protection).
3. Legal Basis for Data Processing
We process your personal data only on valid legal bases as required by GDPR, CCPA, and COPPA, which are clearly outlined below:
• Account Registration & Login: Performance of a contract (GDPR Article 6(1)(b)) – We process your data to fulfill our obligation to provide you with access to your account and the Site’s services;
• Security & Fraud Prevention: Legitimate interest (GDPR Article 6(1)(f)) – We process technical data to protect the Site, prevent unauthorized access, and combat fraud, with no undue impact on your privacy rights;
• Analytics & Marketing (Optional): Explicit, freely given consent (GDPR Article 6(1)(a)) – If you opt in to receive marketing communications or allow analytics, we will process your data only with your consent, which you may withdraw at any time;
• Children Under 13 (COPPA): Verifiable Parental Consent – We will not process any personal data of children under 13 in the United States without the express, verifiable consent of their parent or legal guardian.
4. How We Use Your Personal Data
We use your personal data solely for the purposes stated below, and we will never use it for any unstated or unauthorized purposes:
• Authenticate your identity during login (email or Google Sign-In);
• Maintain and manage your account (e.g., password reset, account updates);
• Send essential service notifications (e.g., account verification, security alerts, password reset instructions);
• Prevent unauthorized access, fraud, and security risks;
• Comply with applicable laws, regulations, and legal obligations;
• (Optional) Send marketing communications (only if you have opted in, and you may unsubscribe at any time);
• (Optional) Conduct analytics to improve the Site’s performance and user experience (only if you have opted in).
We DO NOT:
• Sell, rent, or share your personal data with third parties for commercial purposes, except as explicitly stated in this Policy;
• Use children’s personal data for advertising, user profiling, or any commercial purposes;
• Collect or process any sensitive personal data (e.g., racial or ethnic origin, health information, financial data) without explicit consent;
• Use your data for purposes unrelated to the provision of our services.
5. Sharing of Personal Data
We may share your personal data only with trusted third-party data processors (service providers) that assist us in providing and securing our services. All such third parties are required to sign a Data Processing Agreement (DPA) with us, which obligates them to comply with GDPR, CCPA, COPPA, and other applicable data protection laws. We only share the minimum amount of data necessary for the third party to perform its services.
Third-party processors we may work with include:
• Google: For Google Sign-In authentication (only basic account information required for login);
• Email Service Providers (e.g., SendGrid): For sending account verification, password reset, and security emails;
• Cloud Hosting Providers (e.g., AWS): For secure storage of user data and Site operation.
We will never share, sell, or disclose your personal data to any other third parties (e.g., advertisers, data brokers) without your explicit consent, except when required by law (e.g., court order, regulatory request).
6. Data Storage & Retention Period
We store your personal data only for the shortest period necessary to fulfill the purposes for which it was collected, in compliance with GDPR, CCPA, and COPPA. The retention periods are as follows:
• Adult User Accounts: Personal data is retained while your account is active. Upon account deletion, all your personal data will be permanently and completely deleted within 30 days;
• Children Under 13: Personal data is retained only for the shortest period necessary. Upon parental consent withdrawal or account deletion, all the child’s personal data will be permanently and completely deleted within 7 days (including all backups and logs);
• Access & Security Logs: Automatically deleted after 3 months;
• Consent Records & Audit Logs: Retained for up to 3 years to comply with regulatory requirements and for audit purposes.
7. Data Security & Encryption
We take the security of your personal data seriously and implement industry-standard security measures to protect it from unauthorized access, disclosure, alteration, or destruction:
• Full website encryption: HTTPS protocol and HSTS (HTTP Strict Transport Security) to ensure secure data transmission;
• Password encryption: Passwords are stored using strong, irreversible encryption algorithms (Bcrypt or Argon2), which means we cannot access or recover your plain-text password;
• Static data encryption: All user data stored on our servers is encrypted at rest using AES-256 encryption;
• Access control: Strict internal access controls, with only authorized personnel having access to user data (on a need-to-know basis);
• Security audits: Regular security audits and penetration testing to identify and address potential vulnerabilities;
• Data breach response: In the event of a data breach that poses a risk to your rights and freedoms, we will comply with GDPR requirements and notify the relevant data protection authorities within 72 hours (where required), and notify affected users promptly.
8. User Privacy Rights (GDPR & CCPA)
You have the following privacy rights under GDPR and CCPA, which you may exercise at any time, free of charge:
8.1 Rights Under GDPR (Applicable to EU/EEA Users)
• Right to Access: You may request a copy of the personal data we hold about you;
• Right to Correction: You may request to correct any inaccurate or incomplete personal data we hold about you;
• Right to Erasure (“Right to be Forgotten”): You may request the deletion of your personal data, provided that there is no legal obligation to retain it;
• Right to Restrict Processing: You may request to restrict the processing of your personal data (e.g., if you dispute the accuracy of the data);
• Right to Data Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV), which you may transfer to another data controller;
• Right to Object: You may object to the processing of your personal data for analytics or marketing purposes;
• Right to Withdraw Consent: If you have given consent for data processing (e.g., marketing), you may withdraw it at any time, with no impact on the lawfulness of processing before withdrawal;
• Right to Complain: You may file a complaint with your local data protection authority if you believe we have violated your privacy rights.
8.2 Rights Under CCPA/CPRA (Applicable to California Residents)
• Right to Know: You may request details of the personal data we collect, use, and share about you;
• Right to Delete: You may request the deletion of your personal data;
• Right to Opt Out (“Do Not Sell My Personal Information”): You may opt out of the sale or sharing of your personal data;
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights (e.g., we will not deny you access to the Site or charge you higher fees).
8.3 How to Exercise Your Rights
You may exercise your privacy rights by: (a) accessing your Account profile (where available); or (b) contacting us at contacts@jarmelokids.com. We will respond to all valid requests within 30–45 days (as required by GDPR and CCPA). To protect your privacy, we may require you to verify your identity before processing your request.
9. Children’s Privacy (COPPA Compliance)
This Site is not intended for use by children under 13 years of age in the United States. We do not knowingly collect personal data from children under 13 without the verifiable consent of their parent or legal guardian. If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will immediately delete that data.
Parents/legal guardians have the following rights under COPPA:
• Request access to the personal data we hold about their child;
• Request the deletion of their child’s personal data;
• Withdraw their consent for the collection and processing of their child’s personal data;
• Refuse to allow any future collection of their child’s personal data.
To exercise these rights, parents/guardians may contact us at contacts@jarmelokids.com. We will verify the parent/guardian’s identity before processing the request to ensure the child’s privacy is protected.
10. International Data Transfer
Your personal data may be stored on servers located in the United States. For users in the EU/EEA, we ensure that all international data transfers comply with GDPR requirements by using Standard Contractual Clauses (SCCs) – a legally recognized mechanism for ensuring adequate data protection when transferring personal data outside the EU/EEA. We maintain copies of all SCCs and can provide them upon request.
11. Cookies & Tracking Technologies
We use only essential cookies on the Site. Essential cookies are necessary for the Site to function properly (e.g., to maintain your login session). We do not use non-essential cookies (e.g., tracking cookies for advertising or analytics) without your explicit consent.
You may disable cookies in your browser settings, but please note that this may affect your ability to access certain features of the Site (e.g., logging in to your account).
12. Updates to This Policy
We may update this Policy from time to time to reflect changes in applicable laws, technology, or our services. When we update the Policy, we will post the revised version on this page with a new “Last Updated” date. Your continued use of the Site after the updated Policy takes effect constitutes your acceptance of the revised terms. We encourage you to review this Policy regularly to stay informed about how we protect your personal data.
13. Contact Information
For general privacy inquiries, requests to exercise your privacy rights, or questions about this Policy: contacts@jarmelokids.com
