Privacy Policy

SpotPass ("we", "us", or "our") operates a WiFi billing and access management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, whether as a merchant (business customer) or an end user (WiFi customer).

1. Information We Collect

1.1 Account Information

When you register as a merchant, we collect your business name, email address, phone number, and password. Team members invited to your account provide their name, email, and password.

1.2 Payment Information

Payment processing is handled by third-party providers (Paystack and Flutterwave). We store your payment gateway API keys (encrypted at rest) to process transactions on your behalf. We do not store end-user credit card numbers or bank account details directly.

1.3 WiFi Usage Data

For end users connecting through SpotPass-managed hotspots, we collect: device MAC address, IP address, session duration, data usage (bytes uploaded/downloaded), and connection timestamps. This data is associated with the merchant's tenant and is used for billing and service delivery.

1.4 Router and Network Data

We collect information about routers configured on the platform, including hostname, IP address, and health metrics. Router credentials are stored encrypted and are only used to provision and manage hotspot access.

1.5 Automatically Collected Information

When you visit our website or use our dashboard, we may automatically collect browser type, operating system, referring URLs, and pages viewed.

2. How We Use Your Information

• Service delivery: To provision WiFi access, process payments, manage subscriptions, and operate the platform.
• Billing and invoicing: To process transactions through your configured payment gateways and maintain order records.
• Analytics: To provide merchants with aggregated usage metrics, revenue reports, and business insights through the dashboard.
• Communications: To send transactional emails (order confirmations, credentials, subscription alerts) and respond to support inquiries.
• Security: To detect and prevent fraud, unauthorized access, and abuse of the platform.
• Improvement: To analyze usage patterns and improve our services, features, and user experience.

3. Data Sharing

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

• Payment processors: Transaction data is shared with Paystack and/or Flutterwave to process payments. These providers have their own privacy policies.
• Service providers: We may use trusted third-party services for email delivery, hosting, and infrastructure. These providers are bound by data processing agreements.
• Legal requirements: We may disclose information when required by law, court order, or government regulation.
• Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction.

4. Cookies and Tracking

Our platform uses essential cookies for authentication (session tokens) and preferences. We do not use third-party advertising cookies. Analytics cookies, if used, collect anonymous usage data to improve the platform.

5. Data Security

We implement industry-standard security measures to protect your data:

• All data is encrypted in transit using TLS/SSL.
• Sensitive data (payment keys, router credentials, passwords) is encrypted at rest.
• Passwords are hashed using bcrypt with appropriate salt rounds.
• Access to production systems is restricted and monitored.
• We conduct regular security reviews of our codebase and infrastructure.

6. Nigeria Data Protection Regulation (NDPR) Compliance

SpotPass is committed to compliance with the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act (NDPA) 2023. As a data controller and processor:

• We process personal data lawfully, fairly, and transparently.
• We collect data only for specified, explicit, and legitimate purposes.
• We implement appropriate technical and organizational measures to ensure data security.
• We maintain records of data processing activities.
• Data subjects may exercise their rights as outlined in Section 8 of this policy.

7. Data Retention

• Account data: Retained for the duration of your account plus 12 months after deletion.
• Transaction records: Retained for 7 years to comply with financial record-keeping requirements.
• WiFi session data: Retained for 90 days, then anonymized for aggregate analytics.
• Logs: Application and security logs are retained for 30 days.

8. Your Rights

You have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to the processing of your data in certain circumstances.
• Withdrawal of consent: Withdraw consent for processing where consent is the legal basis.

To exercise any of these rights, contact us at privacy@spotpass.io.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

• Email: privacy@spotpass.io
• General support: support@spotpass.io
• Address: Lagos, Nigeria