VENNOR

VENNOR Campus Partner Privacy Notice

Version 1.0.0 · Effective 2026-07-02 · Vennor (Pty) Ltd (registration 2024/814236/07), South Africa

1. About this notice

Last updated: 16 June 2026  |  Document version: 1.0.0

This Campus Partner Privacy Notice (the "Notice") explains how Vennor (Pty) Ltd ("Vennor", "we", "us", "our") processes the additional personal information that we collect from and about you because you have applied to join, or have joined, the VENNOR Campus Partner programme (the "Programme").

Vennor is a private company incorporated in the Republic of South Africa under company registration number 2024/814236/07, with its registered office at KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835. We operate the VENNOR web app, the VENNOR desktop app (Windows) and the VENNOR mobile app (together, the "Services" or the "Platform"), available through https://vennor.co.za.

This Notice is a supplement to, and not a replacement of, the main VENNOR Privacy Policy. The main Privacy Policy continues to govern the personal information we process about you in your ordinary capacity as a user of the Services (for example, your account details, your study activity, and your use of our AI study tools). This Notice covers only the extra personal information that arises specifically from the Programme - chiefly the identity-verification (KYC), banking, tax and commission/payout information that we are required to handle when we pay you. Where this Notice and the main Privacy Policy address the same matter, this Notice prevails to the extent of any inconsistency in respect of Programme information only.

Your participation in the Programme is also governed by the VENNOR Campus Partner Terms, and your processing as a user generally is governed by the VENNOR Terms of Service and the VENNOR Privacy Policy. Where you may refer a student into a competition, the VENNOR Competition Rules may also apply. We have prepared this Notice in plain and understandable language as contemplated by the Consumer Protection Act 68 of 2008 (CPA) and the openness condition of the Protection of Personal Information Act 4 of 2013 (POPIA).

By applying to or participating in the Programme, you acknowledge that you have read and understood this Notice. Where we rely on your consent for a particular processing activity, we will say so and you may withdraw that consent as described in section 10.

2. Who is responsible (responsible party) and our Information Officer

For the purposes of POPIA, Vennor (Pty) Ltd is the responsible party that determines the purpose of and means for processing your Campus Partner personal information. Our company and contact details are set out in section 1 and in section 14 below.

Our Information Officer

We have appointed an Information Officer who is responsible for ensuring our compliance with POPIA, including dealing with requests made to us and working with the Information Regulator:

Our Information Officer is registered with the Information Regulator of South Africa. For privacy and data-protection queries that relate to the Programme you may contact our Information Officer at the address above, or our privacy team at privacy@vennor.co.za. For Programme-operational queries (eligibility, commission, payouts), contact partners@vennor.co.za.

3. Purpose and scope of this notice

Why we collect more from Campus Partners. When you become a Campus Partner, you enter into a commercial relationship with Vennor under which we pay you recurring commission in respect of the students you refer who take up a paid plan. Paying you money triggers legal duties that do not apply to ordinary users - in particular duties under the Financial Intelligence Centre Act 38 of 2001 (FICA) and under South African tax law. To meet those duties, and to run the Programme honestly and accountably, we must collect and verify certain additional information about you, such as your identity, your bank account and your tax number.

Scope. This Notice applies to:

What it does not cover. This Notice does not deal with the personal information of the students you refer, except to explain in section 12 what limited referral information you may see and the obligations that come with it. Students' personal information is governed by the main Privacy Policy, and you are not entitled to receive students' personal information beyond what the Programme strictly requires.

4. The additional personal information we collect from Campus Partners

In addition to the account and usage information described in the main Privacy Policy, we collect and process the following categories of personal information because you are a Campus Partner. Not every item applies to every partner; what we collect depends on what is needed to verify you and to pay you lawfully.

4.1 Identity and FICA verification

4.2 Address and contact information

4.3 Banking and payout information

4.4 Tax information

4.5 Referral and performance analytics

4.6 Communications

We collect most of this information directly from you. Some information (for example, identity-match or bank-verification results, or confirmation that a referred student's email qualifies) is generated by, or received from, our verification providers and payment partner.

5. Why we process it and our lawful basis under POPIA

Under POPIA we must have a lawful justification for each processing activity and must process your information only for the specific, explicitly defined purposes set out below (the purpose-specification and further-processing-limitation conditions).

5.1 To perform the Campus Partner Terms (contract)

We process your identity, contact, banking, affiliate, performance and commission information because it is necessary to perform the contract between you and us, namely the Campus Partner Terms - to register you, attribute referrals to your code, calculate recurring commission, process your withdrawal requests, and pay you. This corresponds to POPIA section 11(1)(b) (processing necessary to conclude or perform a contract to which the data subject is a party).

5.2 To comply with legal obligations (FICA and tax law)

We process your KYC / identity-verification documents, your proof of address, your tax number, and the records of payments to you because the law obliges us to - in particular to support anti-money-laundering and customer-due-diligence requirements connected to FICA-regulated payment flows, and to meet record-keeping, reporting and (where applicable) withholding obligations under tax law administered by the South African Revenue Service (SARS). This corresponds to POPIA section 11(1)(c) (processing to comply with an obligation imposed by law).

5.3 Legitimate interests

We process referral and performance analytics and communications to operate, secure, audit and improve the Programme, to detect and prevent fraud or abuse of affiliate codes, and to protect our legitimate interests and those of the students and other partners on the Platform. This corresponds to POPIA section 11(1)(d) and (f).

5.4 Consent

Where we rely on your consent for a specific activity (for example, an optional marketing communication, or any processing not covered by the bases above), we will ask for it separately and you may withdraw it at any time without affecting processing already carried out or processing we are required by law to continue.

If you do not provide the identity, banking and tax information we reasonably require, we may be unable to verify you or pay you, and we may be unable to allow you to continue in the Programme.

6. Special protection for your KYC and identity documents

Your identity-verification (KYC) documents - copies of your identity document or passport, your identity number, your photograph, and your proof of address - are particularly sensitive. While not all of this is "special personal information" as narrowly defined in POPIA sections 26 and 34, we treat it with a heightened standard of care because misuse of identity and banking data can cause serious harm, including identity theft and fraud.

Accordingly, we apply the following additional safeguards to KYC and banking information, over and above the general measures in section 9:

If you are aged 13 to 17 you cannot participate in the Programme on your own behalf in a way that requires you to receive payment without the involvement and consent of your parent or legal guardian. Where a minor's information is involved in any referral context, the protections for children's information in POPIA sections 34 and 35 apply, and we will not knowingly process a child's information for the Programme without the lawful, verifiable consent of a competent person.

7. Who we share Campus Partner information with

We do not sell your personal information. We share it only with the following categories of recipient, and only to the extent necessary for the purposes in section 5.

7.1 Payment partner - Paystack

We use Paystack, a licensed and FICA-accountable payment service provider, to process payouts to your South African bank account. We share with Paystack the information needed to make and verify those payments (for example, your name and bank account details).

7.2 Identity and bank-verification providers

We use identity-verification and bank-account-verification providers (which may include Paystack and other accredited providers) to confirm that you are who you say you are and that the bank account is valid and belongs to you. We share the minimum information needed for these checks and receive back the verification result.

7.3 Hosting and infrastructure sub-operators

Programme data is hosted and processed within our infrastructure providers, who act as operators (processors) under written agreements:

7.4 Authorities - SARS and the Financial Intelligence Centre

We may disclose information to SARS, the Financial Intelligence Centre (FIC), the Information Regulator, law-enforcement agencies, courts or other authorities where we are required or permitted by law to do so, including for tax reporting, suspicious-transaction or regulatory reporting, or in response to a lawful request.

7.5 Professional advisors and auditors

We may share information with our auditors, accountants, lawyers and other professional advisors under duties of confidentiality, where reasonably necessary to run, audit or protect the business.

7.6 Corporate transactions

If Vennor is involved in a merger, acquisition, financing or sale of assets, Programme information may be disclosed to the parties and their advisors, subject to appropriate confidentiality and to this Notice.

Each operator is bound by a written agreement requiring it to process the information only on our instructions and to maintain appropriate security, as required by POPIA section 21.

8. Cross-border processing

Some of the providers listed in section 7 process personal information outside the Republic of South Africa. In particular, Cloudflare, Amazon Web Services / Amazon SES, and certain Supabase infrastructure may store or process data in other countries.

Where we transfer your personal information outside South Africa, we do so in accordance with POPIA section 72, relying on one or more of the following:

We take reasonable steps to ensure that any cross-border recipient handles your Programme information with protections consistent with this Notice. Further detail on our international transfers and sub-processors is set out in the main Privacy Policy.

9. How long we keep Campus Partner information

We keep your Programme personal information only for as long as necessary to fulfil the purposes for which it was collected, and for as long as the law requires us to retain it.

When a retention period ends and we have no continuing lawful basis to keep the information, we will delete, destroy or de-identify it in line with POPIA section 14. Because of our FICA and tax duties, we may be unable to delete certain records on request until the applicable retention period has expired (see section 10).

10. How we protect Campus Partner information

As required by POPIA section 19, we maintain appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of your Programme personal information and to prevent its loss, damage, unauthorised access or unlawful processing.

These measures include:

Breach notification. If we have reasonable grounds to believe that your Programme personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and you as soon as reasonably possible after discovering and containing the compromise, in line with POPIA section 22, unless a public body or the Regulator directs us to delay notification.

No system is completely secure, and you also play a part: keep your account credentials and banking details confidential and tell us promptly if you suspect any unauthorised use.

11. Your POPIA rights and how to exercise them

As a data subject under POPIA you have the following rights in respect of your Programme personal information:

How to exercise your rights

To make a request, contact our Information Officer at informationofficer@vennor.co.za or our privacy team at privacy@vennor.co.za. We may ask you to verify your identity before we act, and a formal access request may be made on the prescribed form under the Promotion of Access to Information Act 2 of 2000 (PAIA); a fee may apply for access requests as allowed by law.

Limits where the law requires retention

Please note that some rights are limited for Programme information. Because FICA and tax law require us to retain your identity-verification, banking and payment records for prescribed periods, we may decline a request to delete those records until the applicable retention period has expired, and we may continue to process them to meet our legal obligations. We will, however, restrict their use to those legal purposes.

12. Information about students you refer

The Programme works by attributing students who sign up and subscribe to your affiliate code. To protect students' privacy, we deliberately limit what you can see about them.

These obligations are set out in more detail in the Campus Partner Terms. Misuse of student information may result in suspension or termination from the Programme and may expose you to liability under POPIA and other laws.

13. Complaints to the Information Regulator

If you believe that we have not handled your Programme personal information in accordance with POPIA, we ask that you first raise it with us at privacy@vennor.co.za or with our Information Officer at informationofficer@vennor.co.za so that we can try to resolve it.

You also have the right to lodge a complaint with the Information Regulator of South Africa:

These are the same Regulator contact details referenced in the main Privacy Policy.

14. Changes to this notice

We may update this Notice from time to time to reflect changes in the Programme, in our providers, or in the law. When we make material changes, we will update the "Last updated" date at the top of this Notice and, where appropriate, notify you by in-app notification or email (for example, an earnings or Programme update sent via Amazon SES).

The version published at https://vennor.co.za is the current version. Your continued participation in the Programme after a change takes effect constitutes your acknowledgement of the updated Notice, except where your fresh consent is required by law, in which case we will ask for it.

15. How to contact us

For any question about this Notice or about how we process your Campus Partner personal information, please contact us:

Vennor (Pty) Ltd  |  Company registration number 2024/814236/07  |  Registered office: KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835  |  https://vennor.co.za

This Notice should be read together with the VENNOR Privacy Policy, the VENNOR Campus Partner Terms, the VENNOR Terms of Service and, where relevant, the VENNOR Competition Rules.