VENNOR Campus Partner Privacy Notice
1. About this notice
Last updated: 16 June 2026 | Document version: 1.0.0
This Campus Partner Privacy Notice (the "Notice") explains how Vennor (Pty) Ltd ("Vennor", "we", "us", "our") processes the additional personal information that we collect from and about you because you have applied to join, or have joined, the VENNOR Campus Partner programme (the "Programme").
Vennor is a private company incorporated in the Republic of South Africa under company registration number 2024/814236/07, with its registered office at KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835. We operate the VENNOR web app, the VENNOR desktop app (Windows) and the VENNOR mobile app (together, the "Services" or the "Platform"), available through https://vennor.co.za.
This Notice is a supplement to, and not a replacement of, the main VENNOR Privacy Policy. The main Privacy Policy continues to govern the personal information we process about you in your ordinary capacity as a user of the Services (for example, your account details, your study activity, and your use of our AI study tools). This Notice covers only the extra personal information that arises specifically from the Programme - chiefly the identity-verification (KYC), banking, tax and commission/payout information that we are required to handle when we pay you. Where this Notice and the main Privacy Policy address the same matter, this Notice prevails to the extent of any inconsistency in respect of Programme information only.
Your participation in the Programme is also governed by the VENNOR Campus Partner Terms, and your processing as a user generally is governed by the VENNOR Terms of Service and the VENNOR Privacy Policy. Where you may refer a student into a competition, the VENNOR Competition Rules may also apply. We have prepared this Notice in plain and understandable language as contemplated by the Consumer Protection Act 68 of 2008 (CPA) and the openness condition of the Protection of Personal Information Act 4 of 2013 (POPIA).
By applying to or participating in the Programme, you acknowledge that you have read and understood this Notice. Where we rely on your consent for a particular processing activity, we will say so and you may withdraw that consent as described in section 10.
2. Who is responsible (responsible party) and our Information Officer
For the purposes of POPIA, Vennor (Pty) Ltd is the responsible party that determines the purpose of and means for processing your Campus Partner personal information. Our company and contact details are set out in section 1 and in section 14 below.
Our Information Officer
We have appointed an Information Officer who is responsible for ensuring our compliance with POPIA, including dealing with requests made to us and working with the Information Regulator:
- Information Officer: [Information Officer name]
- Email: informationofficer@vennor.co.za
- Postal / physical address: KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835
Our Information Officer is registered with the Information Regulator of South Africa. For privacy and data-protection queries that relate to the Programme you may contact our Information Officer at the address above, or our privacy team at privacy@vennor.co.za. For Programme-operational queries (eligibility, commission, payouts), contact partners@vennor.co.za.
3. Purpose and scope of this notice
Why we collect more from Campus Partners. When you become a Campus Partner, you enter into a commercial relationship with Vennor under which we pay you recurring commission in respect of the students you refer who take up a paid plan. Paying you money triggers legal duties that do not apply to ordinary users - in particular duties under the Financial Intelligence Centre Act 38 of 2001 (FICA) and under South African tax law. To meet those duties, and to run the Programme honestly and accountably, we must collect and verify certain additional information about you, such as your identity, your bank account and your tax number.
Scope. This Notice applies to:
- the personal information we collect when you apply to join the Programme and during the onboarding / KYC process;
- the information we generate while you participate in the Programme (your referral activity, performance analytics, commission ledger and payout history); and
- the information we retain after the Programme relationship ends, where the law requires us to keep it.
What it does not cover. This Notice does not deal with the personal information of the students you refer, except to explain in section 12 what limited referral information you may see and the obligations that come with it. Students' personal information is governed by the main Privacy Policy, and you are not entitled to receive students' personal information beyond what the Programme strictly requires.
4. The additional personal information we collect from Campus Partners
In addition to the account and usage information described in the main Privacy Policy, we collect and process the following categories of personal information because you are a Campus Partner. Not every item applies to every partner; what we collect depends on what is needed to verify you and to pay you lawfully.
4.1 Identity and FICA verification
- Full legal name and any former names.
- South African identity number, or, if you are a foreign national, your passport number and nationality.
- Date of birth and, where required for verification, your photograph / image of your identity document.
- Verification / KYC documents and results, including copies of your identity document or passport and the outcome of identity checks (see section 8 on the sensitivity of these documents).
4.2 Address and contact information
- Proof of residential or business address (for example, a utility bill or bank statement) and the address itself.
- The contact details linked to your Programme account (email address, and any phone number you provide).
4.3 Banking and payout information
- Your South African bank account details - account holder name, bank name, branch / branch code and account number - used to pay your commission.
- Bank-account verification results (confirmation that the account exists and matches your identity).
- Payout and commission history, including the amounts earned, the commission ledger, the referrals to which earnings relate, withdrawal / payout requests, payout dates, references and payslips you generate or download.
4.4 Tax information
- Your SARS income-tax reference number (where you provide it or where we are required to request it).
- Any withholding or reporting records we are obliged to keep or issue in respect of payments to you.
4.5 Referral and performance analytics
- Your affiliate code(s) and the analytics generated by their use - number of referrals, conversions to paid plans, active referred subscriptions, churn, and earnings performance over time.
4.6 Communications
- Correspondence between you and us about the Programme - support tickets, emails (including earnings summaries and invites sent via Amazon SES), in-app notifications, and records of disputes or queries.
We collect most of this information directly from you. Some information (for example, identity-match or bank-verification results, or confirmation that a referred student's email qualifies) is generated by, or received from, our verification providers and payment partner.
5. Why we process it and our lawful basis under POPIA
Under POPIA we must have a lawful justification for each processing activity and must process your information only for the specific, explicitly defined purposes set out below (the purpose-specification and further-processing-limitation conditions).
5.1 To perform the Campus Partner Terms (contract)
We process your identity, contact, banking, affiliate, performance and commission information because it is necessary to perform the contract between you and us, namely the Campus Partner Terms - to register you, attribute referrals to your code, calculate recurring commission, process your withdrawal requests, and pay you. This corresponds to POPIA section 11(1)(b) (processing necessary to conclude or perform a contract to which the data subject is a party).
5.2 To comply with legal obligations (FICA and tax law)
We process your KYC / identity-verification documents, your proof of address, your tax number, and the records of payments to you because the law obliges us to - in particular to support anti-money-laundering and customer-due-diligence requirements connected to FICA-regulated payment flows, and to meet record-keeping, reporting and (where applicable) withholding obligations under tax law administered by the South African Revenue Service (SARS). This corresponds to POPIA section 11(1)(c) (processing to comply with an obligation imposed by law).
5.3 Legitimate interests
We process referral and performance analytics and communications to operate, secure, audit and improve the Programme, to detect and prevent fraud or abuse of affiliate codes, and to protect our legitimate interests and those of the students and other partners on the Platform. This corresponds to POPIA section 11(1)(d) and (f).
5.4 Consent
Where we rely on your consent for a specific activity (for example, an optional marketing communication, or any processing not covered by the bases above), we will ask for it separately and you may withdraw it at any time without affecting processing already carried out or processing we are required by law to continue.
If you do not provide the identity, banking and tax information we reasonably require, we may be unable to verify you or pay you, and we may be unable to allow you to continue in the Programme.
6. Special protection for your KYC and identity documents
Your identity-verification (KYC) documents - copies of your identity document or passport, your identity number, your photograph, and your proof of address - are particularly sensitive. While not all of this is "special personal information" as narrowly defined in POPIA sections 26 and 34, we treat it with a heightened standard of care because misuse of identity and banking data can cause serious harm, including identity theft and fraud.
Accordingly, we apply the following additional safeguards to KYC and banking information, over and above the general measures in section 9:
- Minimisation and purpose-locking. We request KYC documents only when needed to verify you, and we use them only for verification, FICA compliance and the prevention of fraud - never for marketing or unrelated purposes.
- Restricted access. Access to KYC and banking documents is limited to a small number of authorised personnel and to the verification / payment providers who must process them to do their job, on a strict need-to-know basis.
- Encryption. KYC and banking data is encrypted in transit and at rest within our hosting and storage infrastructure.
- Verification-then-minimise. Where a provider performs the identity or bank check, we retain the outcome of the check and the minimum supporting records the law requires, rather than unnecessary copies.
If you are aged 13 to 17 you cannot participate in the Programme on your own behalf in a way that requires you to receive payment without the involvement and consent of your parent or legal guardian. Where a minor's information is involved in any referral context, the protections for children's information in POPIA sections 34 and 35 apply, and we will not knowingly process a child's information for the Programme without the lawful, verifiable consent of a competent person.
8. Cross-border processing
Some of the providers listed in section 7 process personal information outside the Republic of South Africa. In particular, Cloudflare, Amazon Web Services / Amazon SES, and certain Supabase infrastructure may store or process data in other countries.
Where we transfer your personal information outside South Africa, we do so in accordance with POPIA section 72, relying on one or more of the following:
- the recipient is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection broadly similar to POPIA and that upholds the principles for lawful processing and onward-transfer restrictions;
- the transfer is necessary for the performance of the Campus Partner Terms with you, or for the conclusion or performance of a contract concluded in your interest; or
- you have consented to the transfer.
We take reasonable steps to ensure that any cross-border recipient handles your Programme information with protections consistent with this Notice. Further detail on our international transfers and sub-processors is set out in the main Privacy Policy.
9. How long we keep Campus Partner information
We keep your Programme personal information only for as long as necessary to fulfil the purposes for which it was collected, and for as long as the law requires us to retain it.
- FICA and identity / KYC records, and payment records. Records relating to your identity verification and to the payments we make to you are retained for the period required by law - at least five (5) years after the Programme business relationship ends (or after the relevant transaction), and longer where a longer period is prescribed or where the records are relevant to an ongoing investigation, dispute or legal proceeding.
- Tax records. Information needed to support our tax reporting obligations is kept for the period required under tax law.
- Commission, payout and analytics records. These are retained for as long as needed to administer the Programme, to resolve disputes, and to comply with our accounting and audit obligations.
- Communications. Programme correspondence is retained for as long as reasonably necessary to evidence and resolve queries and disputes.
When a retention period ends and we have no continuing lawful basis to keep the information, we will delete, destroy or de-identify it in line with POPIA section 14. Because of our FICA and tax duties, we may be unable to delete certain records on request until the applicable retention period has expired (see section 10).
10. How we protect Campus Partner information
As required by POPIA section 19, we maintain appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of your Programme personal information and to prevent its loss, damage, unauthorised access or unlawful processing.
These measures include:
- encryption of data in transit (HTTPS/TLS) and at rest within our hosting and storage providers;
- access controls that limit access to KYC, banking and tax data to authorised personnel and authorised operators on a need-to-know basis, with authentication safeguards;
- operator agreements that bind Supabase, Cloudflare, Paystack, Amazon Web Services and our verification providers to maintain appropriate security and to process data only on our instructions;
- segregation and minimisation of sensitive identity and banking documents, as described in section 6; and
- monitoring, logging and incident-response procedures.
Breach notification. If we have reasonable grounds to believe that your Programme personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and you as soon as reasonably possible after discovering and containing the compromise, in line with POPIA section 22, unless a public body or the Regulator directs us to delay notification.
No system is completely secure, and you also play a part: keep your account credentials and banking details confidential and tell us promptly if you suspect any unauthorised use.
11. Your POPIA rights and how to exercise them
As a data subject under POPIA you have the following rights in respect of your Programme personal information:
- to be notified that we are collecting your information and where it has been accessed without authorisation;
- to request access to the personal information we hold about you and to be told the identities of third parties who have, or have had, access to it;
- to request correction, completion or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully;
- to object, on reasonable grounds, to processing based on legitimate interests, and to object to direct marketing;
- to withdraw consent where we relied on your consent (without affecting processing already lawfully carried out);
- to not have your information processed for unsolicited direct marketing by electronic means except as permitted by law; and
- to submit a complaint to the Information Regulator (see section 13).
How to exercise your rights
To make a request, contact our Information Officer at informationofficer@vennor.co.za or our privacy team at privacy@vennor.co.za. We may ask you to verify your identity before we act, and a formal access request may be made on the prescribed form under the Promotion of Access to Information Act 2 of 2000 (PAIA); a fee may apply for access requests as allowed by law.
Limits where the law requires retention
Please note that some rights are limited for Programme information. Because FICA and tax law require us to retain your identity-verification, banking and payment records for prescribed periods, we may decline a request to delete those records until the applicable retention period has expired, and we may continue to process them to meet our legal obligations. We will, however, restrict their use to those legal purposes.
12. Information about students you refer
The Programme works by attributing students who sign up and subscribe to your affiliate code. To protect students' privacy, we deliberately limit what you can see about them.
- You receive only limited and necessary referral information - generally aggregated or de-identified performance data (such as the number of referrals, the number that converted to a paid plan, and the resulting commission). You do not receive a referred student's study content, documents, chat history or other personal information beyond what the Programme strictly requires.
- Student eligibility is checked through student-email verification. You should not collect, store or use a prospective student's personal information for the Programme beyond sharing your affiliate code or sending a permitted invitation, and you must have a lawful basis (such as the student's consent) to contact anyone.
- Where you do come into contact with any student personal information through the Programme, you must treat it as confidential and process it lawfully - only for the purpose of the referral, in compliance with POPIA, and never for spam, resale or any unrelated purpose. In respect of any student information that you process on our behalf, you act as an operator / third party and must process it only on our instructions, keep it secure, and notify us immediately of any suspected compromise.
These obligations are set out in more detail in the Campus Partner Terms. Misuse of student information may result in suspension or termination from the Programme and may expose you to liability under POPIA and other laws.
13. Complaints to the Information Regulator
If you believe that we have not handled your Programme personal information in accordance with POPIA, we ask that you first raise it with us at privacy@vennor.co.za or with our Information Officer at informationofficer@vennor.co.za so that we can try to resolve it.
You also have the right to lodge a complaint with the Information Regulator of South Africa:
- The Information Regulator (South Africa)
- Physical / postal: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 / P.O. Box 31533, Braamfontein, Johannesburg, 2017
- General enquiries: enquiries@inforegulator.org.za
- POPIA complaints: POPIAComplaints@inforegulator.org.za
- Website: https://inforegulator.org.za
These are the same Regulator contact details referenced in the main Privacy Policy.
14. Changes to this notice
We may update this Notice from time to time to reflect changes in the Programme, in our providers, or in the law. When we make material changes, we will update the "Last updated" date at the top of this Notice and, where appropriate, notify you by in-app notification or email (for example, an earnings or Programme update sent via Amazon SES).
The version published at https://vennor.co.za is the current version. Your continued participation in the Programme after a change takes effect constitutes your acknowledgement of the updated Notice, except where your fresh consent is required by law, in which case we will ask for it.
15. How to contact us
For any question about this Notice or about how we process your Campus Partner personal information, please contact us:
- Privacy & data protection: privacy@vennor.co.za
- POPIA Information Officer: informationofficer@vennor.co.za - [Information Officer name]
- Campus Partner programme (eligibility, commission, payouts): partners@vennor.co.za
- General help & support: help@vennor.co.za
- Formal legal notices: legal@vennor.co.za
Vennor (Pty) Ltd | Company registration number 2024/814236/07 | Registered office: KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835 | https://vennor.co.za
This Notice should be read together with the VENNOR Privacy Policy, the VENNOR Campus Partner Terms, the VENNOR Terms of Service and, where relevant, the VENNOR Competition Rules.