How HotPass collects, uses, and protects your personal data.
This Privacy Policy explains how Kishea Technologies SMC Ltd, trading as HotPass ("we", "us", "our"), collects, uses, stores, and shares personal data when you use the HotPass platform, whether as an agent (reseller), a WiFi customer, or a visitor to our website at hotpass.app.
HotPass is a WiFi hotspot billing platform operating in Uganda. It enables agents to sell prepaid internet access to customers, collect payments via Mobile Money (MTN MoMo and Airtel Money), and manage connected devices on MikroTik routers.
This policy is issued under the Uganda Data Protection and Privacy Act 2019 (DPPA) and its associated regulations. By registering as an agent or purchasing WiFi through a HotPass-powered hotspot, you acknowledge that your personal data will be processed as described in this document.
The data controller responsible for your personal data is:
| Company | Kishea Technologies SMC Ltd |
| Trading as | HotPass |
| Country of incorporation | Uganda |
| [email protected] | |
| Phone / WhatsApp | +256 787 832 775 |
| Website | https://hotpass.app |
For all data protection matters, privacy requests, and complaints, please use the contact details above or those in Section 14.
| Term | Meaning |
|---|---|
| Agent | A registered reseller who deploys a HotPass hotspot, sells WiFi vouchers, and receives earnings on the platform. |
| Customer / End User | A person who purchases WiFi access through a HotPass-powered captive portal or buy link, typically by paying via Mobile Money. |
| Personal Data | Any information that directly or indirectly identifies a natural person, as defined in the Uganda DPPA 2019. |
| Processing | Any operation performed on personal data — collection, storage, use, disclosure, deletion, etc. |
| MAC Address | A hardware identifier unique to a device's network interface. Used by routers to track and manage device connectivity. |
| RADIUS | A network protocol used by MikroTik routers to communicate session accounting (usage, duration, bytes transferred) to the HotPass platform. |
| Payment Processor | A licensed third-party Mobile Money aggregator used to process MTN MoMo and Airtel Money payments on behalf of agents. HotPass may change payment processors at any time without notice. |
The data we collect depends on your role and how you interact with the platform.
When you register as a HotPass agent, we collect:
When someone buys WiFi through a HotPass-powered hotspot, we collect:
When a customer's device connects to a HotPass hotspot, the MikroTik router reports the following session accounting data to our platform via RADIUS:
Agents may whitelist specific devices (e.g. smart TVs or set-top boxes) that cannot authenticate through a captive portal. For these devices we store the MAC address, an agent-assigned label, and the subscription details (package, payment method, expiry date). This data is held under the agent's account and may include the MAC address of a device belonging to the agent's customer.
When you use the HotPass web dashboard or API, we may collect:
We do not use third-party analytics tools (e.g. Google Analytics) on the dashboard.
We process personal data only for the purposes listed below, on the lawful bases identified under the Uganda DPPA 2019.
| Purpose | Data used | Legal basis |
|---|---|---|
| Creating and managing your agent account | Name, phone, email, PIN hash | Contract (providing the service you signed up for) |
| Processing Mobile Money payments | Customer phone, payment amount, payment processor transaction reference | Contract; Legitimate interest (completing the purchase) |
| Delivering voucher codes to customers | Customer phone number | Contract (fulfilling the paid service) |
| Enforcing session time and data limits on connected devices | MAC address, session data, IP address | Contract; Legitimate interest (network management) |
| Disbursing agent earnings via Mobile Money | Withdrawal account phone number, amount | Contract |
| Sending OTPs for login and PIN reset | Agent phone number | Legitimate interest (account security) |
| Sending account and sales alerts by email | Email address | Consent (opt-in at registration) |
| Fraud prevention and security monitoring | Login attempts, IP addresses, audit logs | Legitimate interest (protecting the platform and users) |
| Resolving disputes and providing customer support | Account data, payment records, session records | Legal obligation; Legitimate interest |
| Complying with legal obligations (e.g. tax, regulatory enquiries) | Transaction records, account data | Legal obligation |
We share personal data with third parties only where necessary to deliver the service, as described below.
All Mobile Money transactions (MTN MoMo and Airtel Money) are processed through a licensed payment aggregator operating in Uganda. When a customer initiates a payment, their phone number and payment amount are transmitted to the payment processor to initiate the STK push. The processor returns a transaction reference and final status. We share no data beyond what is required to complete the transaction. The payment processor's own privacy terms apply to their processing of this data. HotPass reserves the right to change payment processors at any time.
Voucher codes and account notifications may be sent to agents and customers via WhatsApp. Message delivery is facilitated through an automated bot. When a message is sent, the recipient's phone number and the message content are transmitted to WhatsApp's servers (operated by Meta Platforms). Meta's Privacy Policy governs the handling of this data. We do not send marketing messages via WhatsApp without prior consent.
The HotPass platform is hosted on Microsoft Azure virtual machines and SQL databases. All agent and customer data resides on these servers. Microsoft processes this data as a data processor on our behalf under a Data Processing Agreement that includes standard contractual clauses for international transfers. Azure's data centre regions used may be outside Uganda; see Section 12.
The HotPass WhatsApp bot uses the Anthropic API to classify customer message intent (e.g. "buy WiFi", "check balance"). Only the text of the customer's WhatsApp message — with no personally identifiable context — is sent to the API. Phone numbers and account details are not included in API requests. Anthropic processes this data under its own privacy policy.
We may disclose personal data to competent Ugandan authorities (including the Uganda Communications Commission, Uganda Revenue Authority, and law enforcement agencies) when legally compelled to do so by court order, regulatory requirement, or other legal process. We will notify affected users where we are legally permitted to do so.
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will notify affected users and require the successor to honour this Privacy Policy.
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Agent account data | Duration of the account, plus 5 years after closure | Legal/financial record-keeping obligations |
| Payment & transaction records | 7 years from transaction date | Uganda tax law (Income Tax Act, financial regulations) |
| WiFi session records (MAC, duration, bytes) | 90 days from session end | Dispute resolution and support; then deleted |
| Customer phone numbers (payment records) | 7 years (as part of the payment record) | Financial record-keeping |
| Login OTPs and PIN reset codes | 10 minutes from issuance (automatically expires and is cleared) | Security — OTPs are single-use and short-lived |
| Audit logs (admin/agent actions) | 1 year | Security and accountability |
| Deleted / closed accounts | Account flagged as deleted; anonymised after 5 years | Fraud prevention; legal obligations |
After the applicable retention period, data is either permanently deleted or anonymised so that it can no longer be linked to any individual.
The Uganda Data Protection and Privacy Act 2019 grants you the following rights in relation to your personal data. You may exercise any of these rights by contacting us as described in Section 14.
Request a copy of the personal data we hold about you, including how it is being used and with whom it has been shared.
Request correction of any inaccurate or incomplete personal data we hold about you. Most account data can be updated directly from your dashboard settings.
Request deletion of your personal data where there is no compelling reason for us to continue processing it. Note that we may be required to retain certain records under financial law.
Request that we restrict the processing of your data — for example, while a dispute or accuracy challenge is being resolved.
Object to processing based on legitimate interests. You may also withdraw email consent at any time by updating your dashboard settings or contacting us.
Receive your personal data in a structured, machine-readable format so you can transfer it to another service, where technically feasible.
We will respond to all verified requests within 30 days. For complex requests we may take up to 60 days, in which case we will notify you of the extension. We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive.
We implement technical and organisational measures proportionate to the risk of processing your personal data, including:
Despite these measures, no system is completely immune to breach. In the event of a data breach that is likely to result in high risk to your rights and freedoms, we will notify the Personal Data Protection Office of Uganda within 72 hours and affected individuals without undue delay, as required by the DPPA.
The HotPass web dashboard uses the following browser storage mechanisms:
| Name / Type | Purpose | Duration |
|---|---|---|
| .AspNetCore.Cookies (secure HTTP cookie) | Authentication — stores your encrypted login session after you sign in. Required for the dashboard to function. | Session (cleared when you log out or close the browser, or after 14 days of inactivity) |
| Blazor SignalR connection | Maintains the real-time WebSocket connection between your browser and the server for the interactive dashboard. No personal data is stored in the browser. | Duration of the browser tab / session |
We do not use advertising cookies, third-party tracking cookies, or analytics cookies. The public landing page (hotpass.app) does not set any cookies on visitors who are not logged in.
HotPass is intended for use by adults aged 18 and over. Our Terms of Service require agents to be at least 18 years of age. We do not knowingly collect personal data from children under the age of 18.
If you are a parent or guardian and believe that a child under 18 has provided personal data to us, please contact us immediately at [email protected]. We will promptly investigate and delete any such data.
We note that end-user customers (WiFi buyers) interact only through a payment prompt and receive a voucher code. They do not create accounts. While we cannot verify the age of every customer, agents are contractually responsible for ensuring their hotspot services comply with applicable age restrictions at their premises.
Your personal data may be stored on or processed by servers located outside Uganda, specifically:
Where personal data is transferred internationally, we ensure that appropriate safeguards are in place consistent with the requirements of the Uganda DPPA 2019, including contractual protections and, where applicable, adequacy assessments.
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or legal requirements. When we make material changes, we will:
Your continued use of HotPass after the effective date of revised terms constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account before the effective date.
For all privacy-related questions, access requests, corrections, or complaints, please contact us:
✉ Email: [email protected]
📲 WhatsApp / Phone: +256 787 832 775
🌎 Website: hotpass.app
We aim to respond to all privacy requests within 5 business days. Complex requests (e.g. full data exports) may take up to 30 days.
If you are not satisfied with our response to a privacy request or complaint, you have the right to lodge a complaint with the Personal Data Protection Office of Uganda (PDPO), the national supervisory authority established under the Uganda DPPA 2019:
For disputes involving Mobile Money transactions, you may also contact the Uganda Communications Commission (UCC) or the relevant Mobile Money provider (MTN Uganda, Airtel Uganda).