VENNOR Privacy Policy
1. About this Privacy Policy and who we are
Last updated: 2 July 2026. Version 1.0.0.
This Privacy Policy explains how Vennor (Pty) Ltd ("Vennor", "we", "us" or "our") collects, uses, shares, stores and otherwise processes your personal information when you access or use the VENNOR web app, the VENNOR desktop app (Windows) and the VENNOR mobile app, together with our website at https://vennor.co.za and all related features (together, the "Services" or the "Platform").
Vennor is a private company incorporated in the Republic of South Africa under registration number 2024/814236/07, with its registered office at KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835.
We are committed to protecting your personal information and to processing it lawfully, reasonably and transparently. This Policy is led by the Protection of Personal Information Act 4 of 2013 ("POPIA") and is written, as required by the Consumer Protection Act 68 of 2008 ("CPA"), in plain and understandable language.
Vennor is the responsible party
For the purposes of POPIA, Vennor is the "responsible party" (sometimes called a controller) in respect of the personal information described in this Policy. This means we determine the purpose of and means for processing your personal information, and we are accountable to you and to the Information Regulator for doing so lawfully.
Your acceptance
By creating an account, signing in or otherwise using the Services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on your consent for a particular processing activity, we will ask for that consent separately and you may withdraw it as described in section 12 (Your rights under POPIA). This Policy forms part of, and should be read together with, our Terms of Service. Additional processing relating to the Campus Partner (affiliate) programme is described in a separate Campus Partner Privacy Notice, and our use of cookies is described in section 10 (Cookies and similar technologies).
2. Scope of this Policy and our Information Officer
Who and what this Policy covers
This Policy applies to:
- students who use the Services to learn and study;
- Campus Partners (affiliates) who refer students to Vennor and earn commission; and
- visitors to our website and anyone who contacts us for support or other reasons.
It covers personal information we process across all of our Services, regardless of the device or channel through which you interact with us.
What this Policy does not cover
This Policy does not cover the privacy practices of third parties whose services you access through or alongside the Platform (for example, Google, LinkedIn, Paystack or any website you ask our AI tools to read). Those third parties are responsible for their own processing under their own privacy notices. We identify our key service providers in section 8 (Who we share your information with).
Our Information Officer
In line with POPIA, Vennor has appointed an Information Officer who is responsible for ensuring our compliance with POPIA and for dealing with requests and complaints relating to personal information. Our Information Officer is [Information Officer name], registered with the Information Regulator of South Africa.
You can contact our Information Officer at:
- Email: informationofficer@vennor.co.za
- Postal / physical address: KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835
For day-to-day privacy and data-protection queries you may also write to privacy@vennor.co.za.
3. Categories of personal information we collect
We collect and process the following categories of personal information. The exact information collected depends on which features you use and your role on the Platform.
3.1 Account and identity information
Your name, email address, password (stored in hashed/encrypted form and never in plain text), account role (student or Campus Partner), the authentication method you use (email and password, or Google or LinkedIn sign-in) and any unique identifiers we assign to your account. Where you are aged 13–17, we also process information confirming parental or guardian consent (see section 11).
3.2 Profile information
Profile details you choose to provide, such as your display name, institution or study area, profile statistics, weekly goals and preferences (for example, appearance/theme settings).
3.3 Learning activity and content
The study content you create or generate on the Platform, including quizzes, exams, flashcards, notes, study plans, essays and project work; your modules and folders; your exam attempts, answers, marks and attempt-review data; flashcard spaced-repetition progress; study-planner entries; and exam-readiness data.
3.4 AI tutor conversations and prompts
The messages, questions and prompts you send to our AI tutor chat and AI Voice Assistant, the AI-generated responses, any content or documents you attach to a prompt, and (where you use the optional in-chat web search) the web addresses you reference. We also process audio streamed to and from the AI Voice Assistant during a real-time session, and the contents of the in-browser coding sandbox where you use it.
3.5 Uploaded documents
Documents you upload to study from. "Filed" uploads (up to 100MB each) are stored in our cloud storage and counted against your storage quota. "Unfiled" uploads (up to 50MB) are read only to answer a specific question and are not retained after the response is produced.
3.6 Study-time, usage, progress and streak data
Automatically tracked study time and study sessions; activity and time-by-activity charts; daily missions; streaks; Streak Sprint partner-pairing data (your active partner and partner-comparison data); and Streak Competition data, including the quizzes/exams you complete to qualify, your scores and any vouchers awarded.
3.7 Payment and subscription information
Your plan (Exam Pro or Semester Master), subscription status, renewal and cancellation details, billing currency (ZAR) and transaction records. We do not store your full payment card details. Card and payment-instrument data is collected and processed directly by our licensed payment partner Paystack; we receive only limited transaction information (such as a payment reference, status and the last digits/card type) needed to manage your subscription.
3.8 Device, technical, log and approximate-location data
Technical information generated when you use the Services, such as your IP address, device and operating-system type, app version, browser type, identifiers, log and diagnostic data, timestamps and error reports. From your IP address we may derive an approximate (city/region-level) location; we do not collect precise GPS location.
3.9 Communications and support information
The content of communications you send us (for example, support requests to help@vennor.co.za), in-app notifications, and transactional emails we send you (such as sign-in/verification codes, invites and earnings summaries).
3.10 Campus Partner information
If you are a Campus Partner, we additionally process your affiliate code, referral and commission records, South African bank-account/banking details for payouts, your tax (SARS) number where requested, and identity-verification / KYC records required under the Financial Intelligence Centre Act 38 of 2001 ("FICA") before we make any payout. This processing is described further in the Campus Partner Privacy Notice.
Special and children's information
We do not seek to collect special personal information (as defined in POPIA, such as health, religion, race or political beliefs). Please do not submit special personal information through AI prompts, documents or other content unless it is necessary, and understand that if you do so you consent to our processing it to provide the Services. Processing of children's information is addressed in section 11.
4. How we collect your personal information
We collect personal information in three main ways.
4.1 Directly from you
When you create an account, complete your profile, generate or upload content, send prompts to our AI tools, subscribe to a paid plan, apply to or participate in the Campus Partner programme, enter the Streak Competition, or contact us for support.
4.2 Automatically
When you use the Services, we and our infrastructure providers automatically collect device, technical, log, usage and approximate-location data, and study-time and activity data, as described in section 3. Some of this is collected through cookies and similar technologies (see section 10).
4.3 From third parties
We receive certain information from third parties, including:
- Google and LinkedIn, when you choose to sign in using those accounts (for example, your name and email address, in line with the permissions you grant);
- Google Calendar, where you enable optional two-way calendar synchronisation (calendar events you choose to sync);
- Paystack, which confirms payment status and provides limited transaction details when you pay or when commission is paid out; and
- where relevant to the Campus Partner programme, information used to verify the eligibility of referred students through student-email verification.
Where POPIA requires it and an exemption does not apply, we will take reasonably practicable steps to ensure you are aware that we have collected information about you from a source other than yourself.
5. Why we process your information and our lawful basis
POPIA requires that we have a lawful basis (a "justification") for each processing activity and that we use your information only for the specific, explicitly defined purpose for which it was collected (the purpose-limitation condition). The main purposes and the corresponding lawful bases are set out below.
To provide and operate the Services
To create and manage your account, authenticate you, deliver the learning, AI, document, progress and social features, and provide support.
- Lawful basis: performance of our contract with you (our Terms of Service); and, for optional features, your consent.
To process payments and manage subscriptions
To charge for Exam Pro and Semester Master, manage automatic renewals and cancellations, prevent fraud and keep accounting records.
- Lawful basis: performance of the contract; and compliance with a legal obligation (for example, tax and accounting laws).
To run the Campus Partner programme
To issue affiliate codes, track referrals and commission, verify referred students, verify partner identity (KYC) and make payouts.
- Lawful basis: performance of the contract (the Campus Partner Terms); and compliance with legal obligations under FICA and tax law.
To run competitions
To operate the daily Streak Competition, calculate scores, determine winners and award vouchers.
- Lawful basis: performance of the contract (the Competition Rules); and our legitimate interest in running promotional activities, balanced against your rights.
To communicate with you
To send transactional messages (verification codes, invites, earnings summaries, service notices) and in-app notifications.
- Lawful basis: performance of the contract; legitimate interest; and, for any non-transactional/marketing messaging, your consent.
To secure, improve and protect the Services
To monitor for abuse and security incidents, debug and improve features, and analyse usage in aggregated or de-identified form.
- Lawful basis: our legitimate interest in maintaining a safe, reliable and improving Platform, balanced against your rights; and compliance with legal obligations relating to security.
To comply with law and protect rights
To meet legal and regulatory obligations, respond to lawful requests, and establish, exercise or defend legal claims.
- Lawful basis: compliance with a legal obligation; and protection of a legitimate interest of you, us or a third party.
Where we rely on consent, you may withdraw it at any time (see section 12), although this will not affect the lawfulness of processing carried out before withdrawal and may mean we can no longer provide a particular feature.
6. How our AI features process your data
Our AI study tools - the AI tutor chat, AI-generated study material, the optional in-chat web search, the in-browser coding sandbox and the AI Voice Assistant - rely on third-party large language model (LLM) providers, currently Anthropic (Claude) and OpenAI (including OpenAI's Realtime API for voice).
What is sent to the AI providers
When you use these features, the content of your prompts, the relevant context (which may include text from documents you attach, the web pages you ask us to read, and parts of your study content) and, for the Voice Assistant, your audio, are transmitted to the applicable AI provider so that a response can be generated and returned to you. For real-time voice tutoring, audio is streamed via WebRTC to OpenAI's Realtime API through our Cloudflare Worker.
Processing outside South Africa
The AI providers may process this information outside the Republic of South Africa. We rely on the cross-border safeguards described in section 9 (Cross-border transfers) for these transfers.
We do not use your private content to train third-party base models
We do not authorise our AI providers to use your literal private content - your prompts, conversations, documents or generated work - to train their general/base models beyond what is necessary to process your request and return a response. We engage these providers under business/enterprise terms that are intended to prevent your content from being used to train their foundation models. We may use aggregated or de-identified information (which does not identify you) to monitor, evaluate and improve our own Services.
AI output is a study aid, not professional advice
AI output can be inaccurate, incomplete or out of date and must not be relied upon as legal, financial, medical, academic or other professional advice. The AI tools are a study aid; they are not a substitute for your own work, your own judgement, or your institution's academic-integrity rules. You are responsible for how you use AI output. Please avoid submitting sensitive personal information about yourself or others into prompts unless it is necessary.
7. How we handle your content and documents
Filed versus unfiled documents
Documents you choose to file are stored securely in our cloud storage (Supabase Storage), count against your storage quota (up to 100MB per file) and remain available to you until you delete them or close your account.
Documents you upload as unfiled (up to 50MB) are processed only to answer the specific question you ask and are not retained by us after the response is generated.
Your study content and conversations
Your learning content (quizzes, exams, flashcards, notes, study plans, essays and projects), your modules and folders, and your AI conversation history are retained so that you can return to and continue your work, subject to the retention periods in section 13. You can delete individual items, and you can request deletion of your content as described in section 12.
The document reader and coding sandbox
Our built-in document reader renders your PDFs within the Services. The in-browser coding sandbox runs code you write or generate; we process the contents of the sandbox to provide the feature and to keep the Platform secure.
9. Google user data (Sign-In and Calendar)
This section explains, specifically, how we handle Google user data - the information we receive from Google APIs when you use Google Sign-In or connect the optional Google Calendar synchronisation. It applies in addition to the rest of this Privacy Policy. A plain-language summary is also published at https://vennor.co.za/google-calendar.
Google Sign-In
If you sign in with Google, Google shares your name, email address and profile picture with us, in line with the permissions shown on Google's consent screen. We use this only to create and operate your Account.
Google Calendar synchronisation (optional)
The study planner offers an optional, strictly opt-in two-way synchronisation with Google Calendar. Nothing is connected until you press "Connect Google Calendar" in the planner and approve access on Google's own consent screen. If you connect, we request only the narrowest permissions (OAuth scopes) the feature needs:
calendar.events- to read events on the calendars you selected so they can be shown in your planner, and to create, update and delete the study events you manage in VENNOR;calendar.calendarlist.readonly- to list your calendars so you can choose which ones appear alongside your study plan; andcalendar.freebusy- to check when you are free or busy so the planner can schedule study sessions around your existing commitments.
How we use, store and share Google user data
- Calendar data is used solely to provide the planner features you see in the app - displaying your schedule and syncing the study events you manage. It is never sold, never used for advertising, never used to train AI models (it is not fed into the AI Features), and never transferred to third parties other than the infrastructure sub-processors that host the feature (listed in this Policy).
- The authorisation tokens Google issues us are stored in our database and used only to perform the synchronisation you asked for. All communication with Google happens over encrypted (HTTPS/TLS) connections. Event details are fetched on demand to render your planner.
- Our staff do not read your calendar data, except with your explicit permission (for example, when you ask us to investigate a sync problem), where necessary for security purposes such as investigating abuse, or where the law requires it.
Limited Use
VENNOR's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Disconnecting and deleting Google user data
You can disconnect Google Calendar at any time in the planner's calendar settings - we then delete our stored Google authorisation tokens and our access ends. You can also revoke VENNOR's access from your Google Account permissions, or email help@vennor.co.za and we will disconnect the integration and delete the associated data for you.
10. Cross-border transfers of personal information
Several of our service providers (including Supabase, Cloudflare, Paystack, Anthropic, OpenAI, AWS/SES, Google and LinkedIn) operate and may store or process personal information on servers located outside the Republic of South Africa. This means your personal information may be transferred to, and processed in, other countries.
In line with section 72 of POPIA, we will only transfer personal information outside South Africa where at least one of the following applies:
- the recipient is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection substantially similar to POPIA, including provisions for onward transfers;
- the transfer is necessary for the performance of a contract between you and us, or for the implementation of pre-contractual measures taken in response to your request;
- the transfer is necessary for the conclusion or performance of a contract concluded in your interest between us and a third party;
- you have consented to the transfer; or
- the transfer is for your benefit and it is not reasonably practicable to obtain your consent, but you would be likely to give it.
We put appropriate contractual and security measures in place with these providers to protect your personal information when it is transferred and processed abroad.
12. Children's and young users' information
The Services are intended for users aged 13 and older. We do not knowingly create accounts for children under 13.
Users aged 13–17
Under POPIA, the personal information of a child (a person under 18 who is not legally competent, without assistance, to take the action concerned) is afforded special protection under sections 34 and 35. Accordingly:
- Users aged 13 to 17 require verifiable consent from a parent or legal guardian to create and use an account; and
- a parent or legal guardian must also consent to any payment, including any paid subscription, made through the account.
We rely on this guardian consent (a "competent person" under POPIA) as a basis for processing a young user's personal information for the purposes set out in this Policy.
If consent was not validly given
If you are a parent or guardian and you believe a child has provided us with personal information without your consent, or that a young user's account was created without proper consent, please contact our Information Officer at informationofficer@vennor.co.za. We will take reasonable steps to verify the position and, where appropriate, to delete the information or close the account.
13. Your rights under POPIA
As a data subject under POPIA, you have the following rights in respect of your personal information:
- Right of access - to ask whether we hold personal information about you and to request a copy or description of it, subject to POPIA's procedures (including any prescribed fee for access requests).
- Right to correction - to request that we correct or update personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained.
- Right to deletion / destruction - to request that we delete or destroy personal information in the circumstances permitted by POPIA, or where we no longer have a lawful basis to keep it.
- Right to object - to object, on reasonable grounds relating to your particular situation, to processing based on legitimate interest or the public interest, and to object to processing for direct marketing.
- Right to withdraw consent - where we rely on your consent, to withdraw it at any time (without affecting the lawfulness of prior processing).
- Right not to be subject to certain automated decision-making - not to be subject to a decision that has legal or similarly significant effects based solely on automated processing, except as permitted by POPIA.
- Right to complain - to lodge a complaint with the Information Regulator (see section 15), and to institute civil proceedings.
How to exercise your rights
You can exercise many of these rights directly in the app (for example, by editing your profile, deleting content or cancelling your subscription). For other requests, please contact our Information Officer at informationofficer@vennor.co.za or privacy@vennor.co.za. Formal POPIA access and correction requests may be made using the prescribed forms, available from the Information Regulator's website.
We will respond to verified requests within a reasonable time and, in any event, within the period required by law. We may need to verify your identity before acting on a request, and in limited cases we may decline a request where the law permits or requires us to (for example, where complying would breach another person's rights or a legal obligation). We will explain our reasons where we do so.
14. How long we keep your information
We keep personal information only for as long as is necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.
- Active accounts - we retain your account, profile, learning content and AI conversation history for as long as your account remains active and you continue to use the Services.
- After account closure - following closure or deletion of your account, we delete or de-identify your personal information within a reasonable wind-down window (typically up to 90 days), except for information we are required or entitled to keep for longer, as set out below.
- AI conversation history - retained while your account is active to let you continue your work, and deleted (or de-identified) within the wind-down window after closure, unless retained for legal, security or dispute-resolution reasons.
- Payment, accounting and FICA records - financial records, and Campus Partner payout, tax and KYC/verification records, are retained for the periods required by law - generally approximately five (5) years under FICA, tax and company-law requirements (and longer where a specific legal requirement applies).
- Logs and security data - retained for a limited period appropriate to security, troubleshooting and abuse-prevention purposes.
- Unfiled documents - not retained beyond the processing of your request (see section 7).
When a retention period ends, we securely delete, destroy or de-identify the relevant personal information.
15. How we keep your information secure
In line with section 19 of POPIA, we take appropriate, reasonable technical and organisational measures to safeguard the confidentiality, integrity and availability of personal information and to protect it against loss, damage, unauthorised access and unlawful processing. These measures include:
- Encryption in transit (for example, TLS/HTTPS) and encryption at rest for stored data;
- least-privilege access controls, authentication and role-based permissions so that staff and systems can access only the information they need;
- secure, reputable infrastructure providers (see section 8) and secure handling of secrets and credentials;
- hashing of passwords (we never store passwords in plain text); and
- monitoring, logging and ongoing review of our security practices.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You also play an important role - please keep your password confidential, use a strong and unique password, and tell us promptly if you suspect any unauthorised use of your account.
Breach notification
In line with section 22 of POPIA, if we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering and assessing the compromise, unless a public body or the Regulator directs otherwise. Our notification will provide sufficient information to allow you to take protective measures.
16. Complaints to the Information Regulator
We would prefer to resolve any concern directly, so please contact our Information Officer first at informationofficer@vennor.co.za. However, you have the right at any time to lodge a complaint with the Information Regulator (South Africa), the independent body that oversees POPIA, if you believe we have processed your personal information unlawfully.
Information Regulator (South Africa)
- Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- Postal address: PO Box 31533, Braamfontein, 2017
- Complaints email: POPIAComplaints@inforegulator.org.za
- General enquiries email: enquiries@inforegulator.org.za
You can find the official POPIA materials and complaint forms on the Information Regulator's website at https://inforegulator.org.za.
17. The legal frameworks that apply
This Policy is given effect within the framework of South African law, in particular:
- the Protection of Personal Information Act 4 of 2013 (POPIA), which governs the lawful processing of personal information and the eight processing conditions (accountability; processing limitation; purpose specification; further-processing limitation; information quality; openness; security safeguards; and data-subject participation);
- the Electronic Communications and Transactions Act 25 of 2002 (ECTA), which recognises electronic agreements and data messages and entitles you to certain supplier information (set out in our Terms of Service); and
- the Consumer Protection Act 68 of 2008 (CPA), which requires plain and understandable language and protects your non-waivable statutory consumer rights.
Where the Campus Partner programme involves payouts, additional obligations under the Financial Intelligence Centre Act 38 of 2001 (FICA) and South African tax law apply, as described in the Campus Partner Terms and Campus Partner Privacy Notice.
This Policy is governed by and construed in accordance with the laws of the Republic of South Africa, and the South African courts have jurisdiction in relation to it.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Services, our practices, our service providers or the law. When we make changes, we will revise the "Last updated" date and version number at the top of this Policy and publish the updated version at https://vennor.co.za and within the apps.
Where the changes are material, we will take additional steps to bring them to your attention - for example, through an in-app notice or email - and, where the law requires your consent for a particular change, we will ask for it before that change applies to you. Your continued use of the Services after an update takes effect means you accept the updated Policy, except in respect of any processing for which we are required to obtain fresh consent.
19. How to contact us
If you have any questions, requests or concerns about this Privacy Policy or about how we handle your personal information, please contact us:
- Privacy and data protection: privacy@vennor.co.za
- POPIA Information Officer: informationofficer@vennor.co.za
- General help and support: help@vennor.co.za
- Formal legal notices: legal@vennor.co.za
- Campus Partner programme: partners@vennor.co.za
- Competitions: competitions@vennor.co.za
Vennor (Pty) Ltd (registration number 2024/814236/07)
Registered office: KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835
Website: https://vennor.co.za
This Privacy Policy should be read together with our Terms of Service, our Campus Partner Privacy Notice and Campus Partner Terms, and our Competition Rules, each of which is available on our website.