Pre-Seed · Confidential Investor Brief

DataStop

Hardware-Enforced Compliance + Improved WiFi at Peak Times

A network-edge appliance that enforces Oklahoma's new Consumer Data Privacy Act at the wire — with the added benefit of stable, high-performing guest WiFi during peak occupancy.

Stage
Pre-Seed
Status
Pre-Revenue
Tailwind
OCDPA · 2027
Base
Muskogee, OK
01The Problem

Compliance theater is about to get expensive.

  • 01
    Guest WiFi slows down or fails at peak occupancy — hurting guest experience and revenue.
  • 02
    Oklahoma's new privacy law (OCDPA) classifies precise geolocation as sensitive, requiring real technical controls.
  • 03
    Most properties have no effective way to enforce consent or minimize data at the network level.
Recent example: Tractor Supply was fined $1.35 million because their "Do Not Sell" button didn't actually stop data from flowing.
01bEvidence — Osano 2026 Playbook

Software begs. Hardware enforces. The fines prove it.

These are pulled directly from Osano's 2026 State of US Privacy Enforcement report — the playbook for how state regulators are now testing privacy controls at the wire, not just on paper.

$23M+
Privacy penalties in 16 months (ex-Google)
$2.07M
Average penalty size
~150
CCPA complaints per week to CPPA
Hundreds
Open CPPA investigations, mostly undisclosed
  • The sixteen months between January 2025 and May 2026 produced more enforcement activity under comprehensive state privacy laws than the preceding five years combined.
    Osano, State of US Privacy Enforcement 2026
  • The privacy program looked fine on paper, but the technology told a different story.
    Osano, on the common thread across enforcement actions
  • In Healthline, investigators found 118 tracking cookies continued transmitting data even after consumers exercised all three available opt-out methods simultaneously — a Do Not Sell link, a GPC signal, and a cookie banner.
    Osano, Section 2 — Opt-Out Mechanism Failures
  • Regulators are technically testing mechanisms, not reviewing policies. Companies that rely on a consent management platform to display a banner — without verifying that the downstream suppression of tracking technologies actually works — are operating with false confidence.
    Osano, Section 2
  • We're receiving about 150 complaints every single week. That number has been increasing over time.
    Michael Macko, CPPA Deputy Director of Enforcement, Sept. 26, 2025
  • The opt-out existed in the interface but failed in the technology.
    Osano, on the pattern across every major California enforcement action

Source: Osano, 2026 State of US Privacy Enforcement. Excerpts used for commentary and analysis.

02Our Solution

A hybrid pre-ingestion appliance at the guest WiFi edge.

DataStop intelligently manages traffic for better performance while providing enforceable network privacy controls:

  • Real-time geolocation signal stripping and tracking prevention
  • Captive portal consent enforcement that actually works
  • Data minimization and audit logging
  • Automatic privacy notice delivery

Result: properties get stable, high-performing WiFi today — and a strong technical foundation for OCDPA compliance.

How DataStop Is Architected

DataStop is a hybrid hardware + cloud system: an edge appliance at the property enforces privacy in-line, and a separate cloud plane gives operators visibility and reporting. The specific enforcement techniques are part of the IP and are shared under NDA in the technical deep-dive.

Edge Appliance
Property-installed network gateway

A compact, purpose-built device that sits inline at the guest WiFi boundary. It inspects outbound traffic before it leaves the property — the layer where enforcement actually happens.

Consent Layer
Branded captive portal

Mobile-first portal that delivers a plain-language privacy notice and captures explicit, per-session consent — producing the documented evidence regulators look for.

Policy Engine
Configurable, jurisdiction-aware rules

Privacy obligations are expressed as policy, not hard-coded. As new state laws activate, properties get updated rule packs without swapping hardware.

Cloud Plane
DataStopDGM management dashboard

Where operators see consent rates, network performance, and download regulator-ready reports. Only de-identified metadata leaves the property — raw guest traffic never reaches our cloud, by design.

How Guest Traffic Flows

The appliance lives between the property's WiFi infrastructure and the upstream internet, so every privacy decision is enforced before data ever leaves the building.

Step 1
Connect
Guest joins property WiFi through the existing access points.
Step 2
Consent
Captive portal records the guest's privacy choices for the session.
Step 3
Enforce
Appliance applies those choices to outbound traffic in real time.
Step 4
Report
Aggregated, de-identified metrics flow to the DataStopDGM cloud.
Deployment
Drops into existing networks

Designed to sit alongside the access-point and controller hardware properties already own — no rip-and-replace of the guest WiFi.

Performance
Built for peak occupancy

Sized so privacy enforcement does not become a bottleneck during conference check-ins, restaurant rushes, or casino floor events.

Data Posture
Property-local by default

Raw guest traffic and audit logs stay on the appliance. DataStop's cloud only ever sees de-identified summaries — minimizing both property and vendor exposure.

Standards & Roadmap

Designed against
  • • Oklahoma Consumer Data Privacy Act (OCDPA) — Jan 2027
  • • The 20+ state privacy laws expanding the same obligations
  • • Hospitality network realities (mixed controller vendors, peak load)
  • • Hardware certification requirements for U.S. deployment
On the roadmap
  • • Multi-property fleet management for hotel groups
  • • Tribal sovereignty data-residency mode for casinos
  • • Regulator-ready compliance reporting
  • • Per-state policy packs as new privacy laws activate

A note on the secret sauce: the enforcement methods inside the appliance are intentionally not detailed publicly. Serious investors and design partners receive a deeper technical walkthrough under NDA.

03Why Hybrid Matters

Software-only compliance fails when data has already left the network.

Every guest who connects to hotel or casino WiFi generates a trail of sensitive data: device identifiers, MAC addresses, precise geolocation, and behavioral patterns. Oklahoma's OCDPA — and similar laws in 20+ other states — now classify this as sensitive personal information requiring explicit opt-in consent and enforceable opt-out controls.

Pure software solutions trust third-party ad-tech and analytics SDKs to "respect" a privacy flag. But by the time that flag is checked, the data has already been transmitted to external servers. That is exactly what happened to Tractor Supply — a $1.35 million fine because their "Do Not Sell" button never actually stopped data from flowing.

Software-only
  • • Relies on downstream vendors to honor a privacy flag
  • • Data leaves the property before consent is checked
  • • No audit trail at the network boundary
  • • Vulnerable to SDK updates that bypass flags
  • • Properties remain legally exposed
DataStop Hybrid
  • • Physical appliance intercepts traffic at the network edge
  • • Strips, anonymizes, or blocks data before it leaves the property
  • • Local audit logging for regulatory inspection
  • • Captive portal enforces consent at the point of connection
  • • Opt-out is technically enforced — not just requested

How the Hybrid Model Works

01
Guest Connects
Visitor joins property WiFi. The DataStop appliance sits between the guest device and the public internet, acting as a privacy-enforcing gateway.
02
Consent Captured
Custom captive portal presents OCDPA-compliant privacy notice and collects explicit opt-in consent before any data flows outbound.
03
Edge Enforcement
The appliance inspects outbound packets in real time. Geolocation signals, tracking headers, and device fingerprints are stripped or anonymized based on the guest's consent choice.
04
Cloud Visibility
Encrypted metadata flows to DataStop's cloud dashboard for compliance reporting and network performance optimization — never raw sensitive data.

Two Problems. One Appliance.

Guest Experience Layer

DataStop shapes and prioritizes WiFi traffic during peak occupancy — when conference check-ins, restaurant rushes, and casino floor events all hit the network at once. The result is stable, high-performing connectivity that guests actually notice and appreciate. Better reviews. Fewer complaints. Stronger brand loyalty.

Compliance Layer

The same appliance enforces privacy controls at the network boundary. Every outbound connection is inspected. Consent decisions are respected by the infrastructure itself — not by hoping a third-party SDK reads a flag correctly. Properties get defensible audit trails and a clear technical answer when regulators ask, "How do you enforce this?"

The Investor View: Defensibility & Moat

Software-only solutions cannot intercept traffic before it leaves the property, so they cannot adequately enforce privacy laws. A network-edge appliance with certified hardware, captive portal integration, and real-time packet inspection requires embedded engineering, FCC compliance, and property-level installation relationships. Once DataStop is in a property, switching costs are high — the device is physically wired into the network, and the compliance audit trail lives on it. That hardware footprint becomes a barrier to entry that pure SaaS players cannot easily cross.

04Market Opportunity

A regulated wedge with a published deadline.

900+
Hotels & motels in Oklahoma
Major
Tribal casino resorts with heavy WiFi load
Jan 2027
OCDPA enforcement deadline
20+ states
Expanding regulatory footprint nationwide

Market Sizing

TAM
$1.3B
~54,000 U.S. hotels, motels & casinos × $23.5K 6-yr LTV per property
SAM
$106M
Oklahoma + 5 neighboring states (~4,500 properties) under incoming privacy laws
SOM
$35M
1,500 properties captured by Year 5 across the regulated wedge

Revenue Model & Unit Economics

Hardware Appliance
$1,500
One-time per property · ~$300 BOM (incl. fail-safe circuit) · ~80% gross margin
Compliance SaaS
$299/mo
Per property, recurring · ~85% gross margin at scale
Onboarding
$500
One-time setup, install & training
Year-1 Revenue / Property
$5,588
6-Yr LTV / Property
$23,528
Gross Profit / Property (6yr)
~$19,800
CAC Payback
< 8 mo

Hardware ($1,500) + onboarding ($500) + SaaS ($299/mo × 72 mo) = $23,528 per property over a 6-year refresh cycle. Hardware sale clears manufacturing cost ($300 BOM) on day one; SaaS compounds gross margin thereafter.

5-Year Revenue Projection

Period
Cumulative Properties
Revenue
Phase
Year 1
10
$40K
OK pilot — paid deployments
Year 2
75
$290K
Oklahoma saturation begins
Year 3
300
$1.1M
Multi-state expansion (TX, KS, MO)
Year 4
800
$2.9M
Regional scale — channel partners
Year 5
1,800
$6.5M
$6.5M ARR run-rate / national platform

Projections, not guarantees. Modeled on bottom-up unit economics ($5,588 Y1 / $3,588 recurring per property) and staged sales capacity. Exiting Y5 ARR: ~$6.5M.

Investment & Returns

Pre-Seed Ask
$500K
Target Equity
~20%
$2.5M post-money valuation
Use of Funds
  • • Finalize Compliance Module & hardware v1
  • • 5-property Oklahoma pilot program
  • • Founder + 2 key hires (engineering, sales)
  • • Regulatory certification & legal
Projected Exit Scenarios
Series A (18–24 months)$8–12M

Raise $2–3M at 3–5x step-up on proven Oklahoma traction (~75 properties, ~$215K ARR).

Strategic Acquisition (5–6 years)$30–50M

5–8× ARR multiple on ~$6.5M run-rate. Likely buyers: hospitality tech (Cloud5, Nomadix), MSPs, or network infrastructure vendors needing a compliance moat.

Target Investor ROI
12–25x

At $30–50M exit on $500K pre-seed entry at $2.5M post-money.

05 — The Ask

Pre-seed capital to finalize the Compliance Module and run Oklahoma pilots before the 2027 deadline.

We're seeking aligned investors who understand hospitality, regulatory tailwinds, network infrastructure, or Oklahoma / tribal opportunities.