Privacy Policy

HotKup Privacy Policy

Effective Date: 19 February 2026

Last Updated: 19 February 2026

HotKup Incorporated (“HotKup,” “we,” “our,” or “us”) is a Canadian corporation that provides a cloud-based client relationship management and workflow automation platform. We are committed to protecting the personal information of our users and the individuals whose data our users store within HotKup. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it.

HotKup is incorporated in Canada and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Our primary customer base is located in South Africa, and we also comply with the Protection of Personal Information Act (POPIA). Where there is a conflict between these laws, we apply the stricter standard.

1. Definitions

  • Platform: The HotKup web application, mobile application, and associated services accessible at myhotkup.com and hotkup.com.
  • User: An individual who registers for and uses the HotKup Platform on behalf of a Subscriber.
  • Subscriber: The business entity that purchases a HotKup subscription and enters into a service agreement with us.
  • Client Data: Any personal information, documents, files or other data that a Subscriber or User uploads, creates, or stores within the Platform relating to the Subscriber’s own clients or business operations.
  • Account Data: Information provided during registration and account management, including names, email addresses, and login credentials.

2. Our Role in Data Processing 

2.1 As a Responsible Party / Data Controller

We act as the Responsible Party (under POPIA) or Data Controller (under PIPEDA) for Account Data – the personal information we collect directly from Users to provide and manage the Platform. This includes registration details, login credentials, usage analytics, and billing information.

2.2 As an Operator / Data Processor

We act as an Operator (under POPIA) or Data Processor (under PIPEDA) for Client Data – the personal information that Subscribers store within the Platform relating to their own clients and business operations. The Subscriber remains the Responsible Party for this data. We process it only on their instructions and in accordance with our agreement with them.

A Data Processing Agreement (DPA) is available to all Subscribers upon request. The DPA sets out the obligations of both parties regarding the processing of Client Data, including security measures, sub-processor disclosures, data breach notification procedures, and data deletion upon termination.

3. Information We Collect

3.1 Account Data

  • Full name 
  • E-mail address
  • Company name and role
  • Phone number (if provided)
  • Login credentials (passwords are stored in hashed form only)
  • Billing information (processed by our payment provider; we do not store credit card numbers)

3.2 Usage Data 

  • IP address and browser type 
  • Pages visited and features used within the Platform
  • Device information and operating system
  • Session duration and frequency of use

3.3 Client Data (Processed on Behalf of Subscribers)

Subscribers may upload or create data within the Platform that includes personal information about their clients. This may include names, contact details, identification numbers, financial records, documents, images, correspondence, and any other information relevant to the Subscriber’s business operations. The type and volume of Client Data is determined entirely by the Subscriber.

HotKup does not access, use, or analyse Client Data except as necessary to provide the Platform, to respond to technical support requests, or as instructed by the Subscriber.

3.4 Google Calendar Data

If you choose to integrate Google Calendar with HotKup, we access your calendar data solely to create, update, and manage task events. We do not read, store, or share calendar data beyond what is required for event management. Revoking HotKup’s access through your Google account settings immediately terminates our ability to access your calendar data.

4. How We Use Your Information

4.1 Account Data

  • To create and manage your account
  • To provide, maintain, and improve the Platform
  • To communicate with you about your account, including service updates and support
  • To process payments and manage subscriptions
  • To detect and prevent fraud or security incidents
  • To comply with legal obligations 

4.2 Usage Data

  • To monitor and improve Platform performance and reliability
  • To understand how features are used and guide product development
  • To detect and address technical issues

4.3 Client Data

Client Data is processed solely for the purpose of providing the Platform to the Subscriber, including data storage, retrieval, workflow execution, reporting, and any functionality the Subscriber uses. We do not use Client Data for our own purposes, marketing, analytics, or any purpose other than service delivery. 

5. Legal Basis for Processing

5.1 Under POPIA

  • Contractual necessity (Section 11(1)(b)): Processing Account Data is necessary to perform our contract with the Subscriber.
  • Legitimate interest (Section 11(1)(d)): Usage Data is processed for the legitimate interest of maintaining and improving the Platform.
  • Operator obligations (Section 21): Client Data is processed as an Operator under the instructions of the Subscriber as Responsible Party.

5.2 Under PIPEDA

  • Processing is based on implied consent through your use of the Platform and explicit consent where required.
  • We limit collection to what is necessary for the identified purposes.

6. Data Sharing and Disclosure

We do not sell, rent, or trade personal information. We share information only in the following circumstances:

6.1 Sub-processors

We use the following third-party service providers to deliver the Platform. Each processes data only as necessary to provide their services to us:

  • Amazon Web Services (AWS) — Cloud hosting infrastructure. Primary data centre: Africa (Cape Town) region, af-south-1.
  • MongoDB Atlas — Database management services.
  • Mailgun (Sinch) — Transactional email delivery.

We maintain Data Processing Agreements with each sub-processor. A complete and current list of sub-processors is available upon request.

6.2 Legal Requirements

We may disclose personal information if required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of HotKup, our users, or the public.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the transaction. We will notify affected Subscribers before any such transfer and provide them an opportunity to retrieve or delete their data.

7. International Data Transfers

HotKup is incorporated in Canada. Our primary hosting infrastructure is located in South Africa (AWS af-south-1). Some processing may occur in Canada or other jurisdictions where our sub-processors operate.

For transfers of personal information from South Africa to Canada or other countries, we rely on the following safeguards under POPIA Section 72:

  • Canada has been recognised by the European Commission as providing an adequate level of data protection, which satisfies the POPIA requirement for adequate protection in the recipient country.
  • We maintain binding contractual agreements with all sub-processors that include Standard Contractual Clauses or equivalent protections.

8. Data Retention

8.1 Account Data

We retain Account Data for as long as the Subscriber maintains an active subscription, plus 90 days following termination to allow for account reactivation or data retrieval. After this period, Account Data is permanently deleted.

8.2 Client Data

Client Data is retained for as long as the Subscriber maintains an active subscription. Upon termination of a subscription, Client Data is retained for 90 days to allow the Subscriber to export their data. After this period, Client Data is permanently deleted from our production systems. Backup copies are purged within 30 days of production deletion.

8.3 Usage Data

Usage Data is retained in aggregated, anonymised form for up to 24 months for the purpose of Platform improvement.

9. Data Security

We implement appropriate technical and organisational measures to protect personal information, including:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Role-based access controls and principle of least privilege
  • Regular security assessments and monitoring
  • Secure software development practices
  • Employee access limited to authorised personnel only

No system is completely secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a data breach that compromises personal information, we will:

  • Notify the South African Information Regulator as required under POPIA Section 22, as soon as reasonably possible after becoming aware of the breach.
  • Notify the Canadian Office of the Privacy Commissioner as required under PIPEDA.
  • Notify affected Subscribers without unreasonable delay, providing details of the breach, the data affected, and the steps we are taking to address it.
  • Take immediate steps to contain and remediate the breach.

11. Your Rights 

11.1 Under POPIA

If you are a South African resident, you have the right to:

  • Request access to your personal information (Section 23)
  • Request correction of inaccurate personal information (Section 24)
  • Request deletion of your personal information (Section 24)
  • Object to the processing of your personal information (Section 11(3))
  • Lodge a complaint with the Information Regulator (Section 74)

11.2 Under PIPEDA

If you are a Canadian resident, you have the right to:

  • Access your personal information held by us
  • Challenge the accuracy and completeness of your information
  • Withdraw consent for processing (subject to legal or contractual restrictions)

To exercise any of these rights, contact us using the details in Section 15 below. We will respond within 30 days.

12. Children’s Privacy

HotKup is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.

13. Special Personal Information

Under POPIA, “special personal information” includes data about religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, biometric information, or criminal behaviour. HotKup does not require Subscribers to provide special personal information. If Subscribers choose to store special personal information as Client Data within the Platform, they do so as the Responsible Party and are responsible for ensuring lawful processing. HotKup processes such data solely as an Operator under the Subscriber’s instructions.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered Users of material changes by email at least 14 days before they take effect. The current version is always available on our website. Previous versions are available upon request.

15. Information Officer and Contact Details

Information Officer: Pawan Bhojanala

Email: hello@myhotkup.com

Canada: Suite 201, 12-255 Dundas St. East, Waterdown, ON L8B 0E5

South Africa: 61 Waterfront Drive, Knysna, 6571

If you are not satisfied with our response to a privacy concern, you may lodge a complaint with:

  • South African Information Regulator: https://inforegulator.org.za
  • Office of the Privacy Commissioner of Canada: https://priv.gc.ca