Privacy Policy

How HostMas collects, uses, stores, and protects your personal data. We are committed to transparency and safeguarding your information.

Last updated: February 2026
Effective: February 1, 2026

1. Information We Collect

We collect information you provide directly and information generated automatically when you use HostMas.

1.1 Information You Provide

  • Account information — name, email address, phone number, password, and organization details when you register or are registered by your administrator.
  • Student & guardian data — biodata, contact details, emergency contacts, academic information, and accommodation history entered by authorized users.
  • Hostel & property data — hostel names, addresses, room configurations, pricing, and facility details.
  • Financial data — invoice details, payment records, mobile money transaction references, and accounting entries.
  • Communications — messages, support requests, SMS content, and notification templates you create or send through the platform.

1.2 Information Collected Automatically

  • Usage data — pages visited, features used, actions taken, timestamps, and session duration.
  • Device information — browser type, operating system, screen resolution, and device identifiers.
  • Network data — IP address, approximate location (country/region), and connection type.
  • Performance data — page load times, errors, and crash reports to help us improve reliability.

2. How We Use Your Information

We use collected information for the following purposes:

  • Service delivery — operating the platform, processing bookings, managing rooms, generating invoices, and facilitating payments.
  • Account management — authenticating users, managing roles and permissions, and maintaining multi-tenant data isolation.
  • Communication — sending booking confirmations, payment receipts, SMS notifications, and system alerts you or your administrator have configured.
  • Support — responding to inquiries, troubleshooting issues, and providing technical assistance.
  • Analytics & improvement — understanding usage patterns, measuring feature adoption, and improving the platform’s performance and user experience.
  • Security — detecting unauthorized access, preventing fraud, enforcing rate limits, and maintaining audit logs.
  • Legal compliance — meeting regulatory obligations, responding to lawful requests, and protecting our legal rights.

4. Data Sharing & Third Parties

We do not sell your personal data. We may share information with:

  • Payment processors — MTN Mobile Money, Airtel Money, Pesapal, and bank payment gateways to process transactions on your behalf.
  • SMS providers — EgoSMS or other configured SMS gateways to deliver notifications and messages you send through the platform.
  • Hosting & infrastructure — cloud hosting providers that store and serve the platform, bound by data processing agreements.
  • Your organization — tenant administrators and authorized users within your organization can access data as permitted by their assigned roles.
  • Legal authorities — when required by law, court order, or to protect the safety and rights of HostMas, our users, or the public.

Multi-tenant isolation: Each organization’s data is strictly isolated. Tenant A cannot access Tenant B’s data under any circumstances. All database queries are scoped to the authenticated tenant.

5. Data Security

We implement industry-standard technical and organizational measures to protect your data:

  • Encryption — TLS/SSL encryption for all data in transit; AES-256 encryption for sensitive data at rest.
  • Password security — Argon2id hashing algorithm for all stored passwords (no plaintext or reversible encryption).
  • Access control — role-based access control (RBAC) with 8 distinct user roles, each with granular permissions.
  • Session security — CSRF token protection, secure session management, and automatic session expiration.
  • Rate limiting — protection against brute-force attacks and API abuse.
  • Audit logging — comprehensive logging of security events, login attempts, and administrative actions.
  • Backups — regular automated backups with secure off-site storage.

6. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  • Active accounts — data is retained for the duration of your subscription or account activity.
  • After termination — account data is retained for up to 90 days after account closure to allow for reactivation, after which it is permanently deleted.
  • Financial records — invoices, payment records, and accounting data may be retained for up to 7 years as required by applicable tax and financial regulations.
  • Audit logs — security and access logs are retained for up to 12 months.

You may request earlier deletion of your data by contacting us, subject to legal retention requirements.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
  • Data portability — request your data in a structured, machine-readable format (CSV/JSON export).
  • Restriction — request that we limit the processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at info@waestaltd.com or call +256 750 081 491. We will respond within 30 days.

8. Cookies & Tracking

HostMas uses the following types of cookies and similar technologies:

  • Essential cookies — required for authentication, session management, and CSRF protection. These cannot be disabled.
  • Functional cookies — remember your preferences such as language, theme, and dashboard layout.
  • Analytics cookies — help us understand how users interact with the platform to improve features and performance.

HostMas does not use third-party advertising cookies or cross-site tracking. As a Progressive Web App, HostMas also uses a service worker for offline caching, which stores application assets locally on your device.

9. International Data Transfers

HostMas is operated by Waesta Enterprises U Ltd from Kampala, Uganda. If you access the platform from outside Uganda, your data may be transferred to and processed in Uganda or other countries where our hosting infrastructure is located. We ensure appropriate safeguards are in place for any cross-border data transfers, including data processing agreements with our service providers.

10. Children’s Privacy

HostMas is designed for use by hostel administrators, staff, and adult students. We do not knowingly collect personal data from children under the age of 13. Where student records include minors (e.g., secondary school hostels), such data is entered and managed by authorized institutional administrators, not by the minors themselves. If you believe a child’s data has been collected without proper authorization, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page.
  • Notify active users via email or in-app notification for significant changes.
  • Provide a summary of key changes where applicable.

Your continued use of HostMas after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us:

Waesta Enterprises U Ltd

Desert Tree Hostel, Banda, Kampala, Uganda
+256 750 081 491
info@waestaltd.com