Skip to main content

Legal

Privacy Policy

How HotSpot, operated by Horan Technologies PLC, collects, uses, and protects your personal data in Ethiopia and worldwide.

Effective date
May 3, 2026
Last updated
May 3, 2026
Version
2.0

1. Overview

HotSpot (the “Service”) is a travel discovery platform offered by Horan Technologies PLC (“HotSpot,” “we,” “our,” or “us”), a private limited company organised under the laws of the Federal Democratic Republic of Ethiopia. We respect your privacy and treat your personal data as a duty of trust not as an asset to be sold or rented.

This policy explains what data we collect when you use hotspot.et and the HotSpot mobile applications, why we collect it, how long we keep it, who we share it with, and the rights you have over it under the Personal Data Protection Proclamation No. 1321/2024 of Ethiopia and applicable international laws (including the EU General Data Protection Regulation and the California Consumer Privacy Act for users to whom those apply).

2. Who we are

Data controller: Horan Technologies PLC, Addis Ababa, Ethiopia.

Contact for privacy matters: [email protected]

Postal address: Bole Sub-City, Addis Ababa, Ethiopia (full registered address available on request).

We are the “data controller” (Ethiopia PDP) and “controller” (GDPR) of the personal data collected through the Service, except where a third-party partner is independently named as the controller (for example, when you book directly with a third-party guide and share data with them outside our platform).

3. Scope of this policy

This policy applies to:

  • The HotSpot website at hotspot.et and all subdomains we operate.
  • The HotSpot mobile applications for iOS and Android.
  • Email, push notifications, and customer support we send.

It does not apply to third-party websites, services, or apps linked from HotSpot, or to data you voluntarily share with other users (e.g. messages to a tour guide). Third parties operate under their own privacy policies.

4. Information we collect

Information you provide directly

  • Account information: name, email address, phone number (for OTP verification), password (stored as a salted hash, never in plain text), profile photo, and any biographical information you choose to add to your profile.
  • Authentication identifiers: if you sign in with Google or Apple, the unique provider ID and the email/profile fields those providers return; we never receive your social-network password.
  • Content you create: reviews, posts, comments, photos, lists, and messages sent through the platform.
  • Travel preferences: destinations saved, interests selected, languages spoken.
  • Support and form submissions: when you contact us, apply to be a partner, or submit a help-centre ticket, we keep the message and any details you choose to include.

Information collected automatically

  • Device and technical data: IP address, device type, operating system, browser, app version, crash logs, locale, and time zone.
  • Usage data: pages and screens viewed, actions taken, search queries, and approximate session timing used to operate the Service and improve it.
  • Location data: when you grant permission, we collect approximate or precise location to show nearby places. You can revoke this in your device settings at any time.
  • Cookies and similar technologies: see the “Cookies” section below.

Information from third parties

  • Identity providers: Google and Apple sign-in.
  • Mapping and place data: Google Places and OpenStreetMap to enrich destination listings.
  • Push delivery: Firebase Cloud Messaging tokens for push notifications.

5. How we use your information

We use personal data only for the purposes below:

  • Operate the Service authenticate you, deliver content you requested, route messages between travellers and guides, and process transactions.
  • Personalise recommendations show destinations, guides, and content relevant to your interests and saved places.
  • Communicate with you send transactional emails (account verification, ticket confirmations, booking updates), and with your consent newsletters or product updates. You can opt out of marketing email at any time using the unsubscribe link in any such message.
  • Improve and secure the Service diagnose bugs, prevent fraud and abuse, monitor for spam, and measure aggregate usage.
  • Comply with legal obligations respond to lawful requests from authorities, enforce our Terms, and protect our rights and the rights of others.

We do not sell your personal data, and we do not use the content of your private messages for advertising or to train third-party AI models.

6. Legal bases for processing

When the GDPR applies, our legal bases for processing your personal data are:

  • Contract processing necessary to provide the Service you signed up for (Article 6(1)(b) GDPR).
  • Legitimate interests improving the Service, securing our systems, and basic analytics (Article 6(1)(f) GDPR), balanced against your rights.
  • Consent marketing email, optional cookies, and precise-location features (Article 6(1)(a) GDPR). You may withdraw consent at any time.
  • Legal obligation responding to lawful requests, retaining records as required by tax or consumer-protection law (Article 6(1)(c) GDPR).

Under Ethiopian law (Proclamation No. 1321/2024) we rely on equivalent grounds: performance of a contract, legitimate interest, explicit consent, and legal compliance.

7. How we share information

We share personal data only in the limited cases below, and only to the minimum extent necessary:

  • With other users when you choose to share (e.g. a public review, a message to a guide, a profile you set to public).
  • With service providers who process data on our behalf under written agreements: Google Cloud Platform (hosting, storage), Resend (transactional email), Firebase (authentication, push messaging), Cloudflare (CDN and DDoS protection), and Typesense (search index).
  • With partners you transact with for example, a tour guide you book is given the booking details necessary to fulfil the trip.
  • With authorities where required by Ethiopian law or a court order, or where necessary to investigate fraud or threats to safety.
  • In a corporate transaction if we are acquired or merge, your data may transfer to the successor under the same protections, with notice to you.

8. International data transfers

HotSpot is operated from Ethiopia, but our service providers store and process data in other regions, including the European Union and the United States. When we transfer personal data out of Ethiopia, we rely on:

  • Contracts with our processors that require equivalent protections (data-processing addenda, GDPR Standard Contractual Clauses where applicable).
  • The transfer being necessary for the performance of the contract you have with us, or based on your explicit consent.

You may request a copy of the safeguards in place for any specific transfer by emailing [email protected].

9. Data retention

We keep personal data only as long as we need it:

  • Account data: for the life of your account, plus up to 90 days after deletion to allow for account recovery and fraud investigation.
  • Content you posted publicly (reviews, public profile, public posts): may be retained as part of the historical record of the Service, anonymised after account deletion where feasible.
  • Help-centre and support tickets: 24 months from the last interaction.
  • Server and security logs: 90 days unless needed for an active investigation.
  • Records required by law (tax, accounting, consumer-protection): for the period required by the relevant statute, typically up to 10 years.

10. Security

We implement organisational and technical safeguards appropriate to the risk, including encryption in transit (HTTPS/TLS), encryption at rest for sensitive fields, least-privilege access controls, and regular review of our vendor security posture.

No internet service is 100% secure. If we ever experience a personal-data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the Ethiopian data-protection authority without undue delay, as required by Article 24 of Proclamation No. 1321/2024 and Article 34 GDPR where applicable.

11. Your rights

Subject to applicable law and verification of your identity, you have the right to:

  • Access ask for a copy of the personal data we hold about you.
  • Rectify ask us to correct inaccurate or incomplete information.
  • Erase ask us to delete your account and associated personal data (some records may persist where we are legally required to keep them).
  • Restrict or object ask us to limit how we process your data, or object to processing based on legitimate interests.
  • Portability receive your data in a structured, machine-readable format, or have us transmit it to another controller where technically feasible.
  • Withdraw consent at any time, without affecting the lawfulness of past processing.
  • Lodge a complaint with the Ethiopian data-protection authority once it is established, or with the supervisory authority of your country of residence (for EU/EEA users).
  • California residents (CCPA/CPRA): the right to know, delete, correct, and opt out of any “sale” or “sharing” for cross-context behavioural advertising. We do not sell personal information.

To exercise any right, email [email protected] or use the Help Center form with topic “Data / privacy request.” We respond within 30 days.

12. Children’s privacy

HotSpot is not directed to children under 13, and we do not knowingly collect personal data from children under that age. Where local law sets a higher age of digital consent (16 in some EU member states), we apply that higher age. If you believe a child has provided us with personal data, contact [email protected] and we will delete it promptly.

13. Cookies & tracking technologies

We use cookies and similar technologies (local storage, device identifiers) for three purposes:

  • Strictly necessary authentication, session continuity, security. These cannot be disabled without breaking the Service.
  • Functional remember your theme preference, locale, and recently viewed places.
  • Analytics aggregate, privacy-respecting measurement of how the Service is used. We do not deploy third-party advertising cookies.

Most browsers let you block or delete cookies in their settings. Doing so may break parts of the Service.

14. Third-party services

HotSpot relies on the following sub-processors. Each is contractually bound to process personal data only on our instructions and to apply appropriate safeguards.

  • Google Cloud Platform application hosting, file storage, and database (regions: EU and US).
  • Cloudflare CDN, WAF, DDoS mitigation (global edge).
  • Firebase authentication and push notifications.
  • Resend transactional email delivery.
  • Typesense search indexing.
  • Google Places / OpenStreetMap place data and mapping.

We will keep this list current and notify you of material changes via this page.

15. Changes to this policy

We may update this policy from time to time. When we make material changes (for example, adding a new sub-processor, changing the legal bases for processing, or expanding the data we collect), we will:

  • Update the Last updated date at the top of this page.
  • Notify registered users by email or in-app notice at least 14 days before the change takes effect, where the change is significant.
  • Maintain previous versions on request from [email protected].

16. Contact us

Questions, requests, or complaints about this policy or our handling of your personal data:

You also have the right to contact the Ethiopian data-protection authority once established under Proclamation No. 1321/2024, or your local supervisory authority if you are in the EU/EEA.