VENNOR

VENNOR Privacy Policy

Version 1.0.0 · Effective 2026-07-02 · Vennor (Pty) Ltd (registration 2024/814236/07), South Africa

1. About this Privacy Policy and who we are

Last updated: 2 July 2026. Version 1.0.0.

This Privacy Policy explains how Vennor (Pty) Ltd ("Vennor", "we", "us" or "our") collects, uses, shares, stores and otherwise processes your personal information when you access or use the VENNOR web app, the VENNOR desktop app (Windows) and the VENNOR mobile app, together with our website at https://vennor.co.za and all related features (together, the "Services" or the "Platform").

Vennor is a private company incorporated in the Republic of South Africa under registration number 2024/814236/07, with its registered office at KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835.

We are committed to protecting your personal information and to processing it lawfully, reasonably and transparently. This Policy is led by the Protection of Personal Information Act 4 of 2013 ("POPIA") and is written, as required by the Consumer Protection Act 68 of 2008 ("CPA"), in plain and understandable language.

Vennor is the responsible party

For the purposes of POPIA, Vennor is the "responsible party" (sometimes called a controller) in respect of the personal information described in this Policy. This means we determine the purpose of and means for processing your personal information, and we are accountable to you and to the Information Regulator for doing so lawfully.

Your acceptance

By creating an account, signing in or otherwise using the Services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on your consent for a particular processing activity, we will ask for that consent separately and you may withdraw it as described in section 12 (Your rights under POPIA). This Policy forms part of, and should be read together with, our Terms of Service. Additional processing relating to the Campus Partner (affiliate) programme is described in a separate Campus Partner Privacy Notice, and our use of cookies is described in section 10 (Cookies and similar technologies).

2. Scope of this Policy and our Information Officer

Who and what this Policy covers

This Policy applies to:

It covers personal information we process across all of our Services, regardless of the device or channel through which you interact with us.

What this Policy does not cover

This Policy does not cover the privacy practices of third parties whose services you access through or alongside the Platform (for example, Google, LinkedIn, Paystack or any website you ask our AI tools to read). Those third parties are responsible for their own processing under their own privacy notices. We identify our key service providers in section 8 (Who we share your information with).

Our Information Officer

In line with POPIA, Vennor has appointed an Information Officer who is responsible for ensuring our compliance with POPIA and for dealing with requests and complaints relating to personal information. Our Information Officer is [Information Officer name], registered with the Information Regulator of South Africa.

You can contact our Information Officer at:

For day-to-day privacy and data-protection queries you may also write to privacy@vennor.co.za.

3. Categories of personal information we collect

We collect and process the following categories of personal information. The exact information collected depends on which features you use and your role on the Platform.

3.1 Account and identity information

Your name, email address, password (stored in hashed/encrypted form and never in plain text), account role (student or Campus Partner), the authentication method you use (email and password, or Google or LinkedIn sign-in) and any unique identifiers we assign to your account. Where you are aged 13–17, we also process information confirming parental or guardian consent (see section 11).

3.2 Profile information

Profile details you choose to provide, such as your display name, institution or study area, profile statistics, weekly goals and preferences (for example, appearance/theme settings).

3.3 Learning activity and content

The study content you create or generate on the Platform, including quizzes, exams, flashcards, notes, study plans, essays and project work; your modules and folders; your exam attempts, answers, marks and attempt-review data; flashcard spaced-repetition progress; study-planner entries; and exam-readiness data.

3.4 AI tutor conversations and prompts

The messages, questions and prompts you send to our AI tutor chat and AI Voice Assistant, the AI-generated responses, any content or documents you attach to a prompt, and (where you use the optional in-chat web search) the web addresses you reference. We also process audio streamed to and from the AI Voice Assistant during a real-time session, and the contents of the in-browser coding sandbox where you use it.

3.5 Uploaded documents

Documents you upload to study from. "Filed" uploads (up to 100MB each) are stored in our cloud storage and counted against your storage quota. "Unfiled" uploads (up to 50MB) are read only to answer a specific question and are not retained after the response is produced.

3.6 Study-time, usage, progress and streak data

Automatically tracked study time and study sessions; activity and time-by-activity charts; daily missions; streaks; Streak Sprint partner-pairing data (your active partner and partner-comparison data); and Streak Competition data, including the quizzes/exams you complete to qualify, your scores and any vouchers awarded.

3.7 Payment and subscription information

Your plan (Exam Pro or Semester Master), subscription status, renewal and cancellation details, billing currency (ZAR) and transaction records. We do not store your full payment card details. Card and payment-instrument data is collected and processed directly by our licensed payment partner Paystack; we receive only limited transaction information (such as a payment reference, status and the last digits/card type) needed to manage your subscription.

3.8 Device, technical, log and approximate-location data

Technical information generated when you use the Services, such as your IP address, device and operating-system type, app version, browser type, identifiers, log and diagnostic data, timestamps and error reports. From your IP address we may derive an approximate (city/region-level) location; we do not collect precise GPS location.

3.9 Communications and support information

The content of communications you send us (for example, support requests to help@vennor.co.za), in-app notifications, and transactional emails we send you (such as sign-in/verification codes, invites and earnings summaries).

3.10 Campus Partner information

If you are a Campus Partner, we additionally process your affiliate code, referral and commission records, South African bank-account/banking details for payouts, your tax (SARS) number where requested, and identity-verification / KYC records required under the Financial Intelligence Centre Act 38 of 2001 ("FICA") before we make any payout. This processing is described further in the Campus Partner Privacy Notice.

Special and children's information

We do not seek to collect special personal information (as defined in POPIA, such as health, religion, race or political beliefs). Please do not submit special personal information through AI prompts, documents or other content unless it is necessary, and understand that if you do so you consent to our processing it to provide the Services. Processing of children's information is addressed in section 11.

4. How we collect your personal information

We collect personal information in three main ways.

4.1 Directly from you

When you create an account, complete your profile, generate or upload content, send prompts to our AI tools, subscribe to a paid plan, apply to or participate in the Campus Partner programme, enter the Streak Competition, or contact us for support.

4.2 Automatically

When you use the Services, we and our infrastructure providers automatically collect device, technical, log, usage and approximate-location data, and study-time and activity data, as described in section 3. Some of this is collected through cookies and similar technologies (see section 10).

4.3 From third parties

We receive certain information from third parties, including:

Where POPIA requires it and an exemption does not apply, we will take reasonably practicable steps to ensure you are aware that we have collected information about you from a source other than yourself.

5. Why we process your information and our lawful basis

POPIA requires that we have a lawful basis (a "justification") for each processing activity and that we use your information only for the specific, explicitly defined purpose for which it was collected (the purpose-limitation condition). The main purposes and the corresponding lawful bases are set out below.

To provide and operate the Services

To create and manage your account, authenticate you, deliver the learning, AI, document, progress and social features, and provide support.

To process payments and manage subscriptions

To charge for Exam Pro and Semester Master, manage automatic renewals and cancellations, prevent fraud and keep accounting records.

To run the Campus Partner programme

To issue affiliate codes, track referrals and commission, verify referred students, verify partner identity (KYC) and make payouts.

To run competitions

To operate the daily Streak Competition, calculate scores, determine winners and award vouchers.

To communicate with you

To send transactional messages (verification codes, invites, earnings summaries, service notices) and in-app notifications.

To secure, improve and protect the Services

To monitor for abuse and security incidents, debug and improve features, and analyse usage in aggregated or de-identified form.

To comply with law and protect rights

To meet legal and regulatory obligations, respond to lawful requests, and establish, exercise or defend legal claims.

Where we rely on consent, you may withdraw it at any time (see section 12), although this will not affect the lawfulness of processing carried out before withdrawal and may mean we can no longer provide a particular feature.

6. How our AI features process your data

Our AI study tools - the AI tutor chat, AI-generated study material, the optional in-chat web search, the in-browser coding sandbox and the AI Voice Assistant - rely on third-party large language model (LLM) providers, currently Anthropic (Claude) and OpenAI (including OpenAI's Realtime API for voice).

What is sent to the AI providers

When you use these features, the content of your prompts, the relevant context (which may include text from documents you attach, the web pages you ask us to read, and parts of your study content) and, for the Voice Assistant, your audio, are transmitted to the applicable AI provider so that a response can be generated and returned to you. For real-time voice tutoring, audio is streamed via WebRTC to OpenAI's Realtime API through our Cloudflare Worker.

Processing outside South Africa

The AI providers may process this information outside the Republic of South Africa. We rely on the cross-border safeguards described in section 9 (Cross-border transfers) for these transfers.

We do not use your private content to train third-party base models

We do not authorise our AI providers to use your literal private content - your prompts, conversations, documents or generated work - to train their general/base models beyond what is necessary to process your request and return a response. We engage these providers under business/enterprise terms that are intended to prevent your content from being used to train their foundation models. We may use aggregated or de-identified information (which does not identify you) to monitor, evaluate and improve our own Services.

AI output is a study aid, not professional advice

AI output can be inaccurate, incomplete or out of date and must not be relied upon as legal, financial, medical, academic or other professional advice. The AI tools are a study aid; they are not a substitute for your own work, your own judgement, or your institution's academic-integrity rules. You are responsible for how you use AI output. Please avoid submitting sensitive personal information about yourself or others into prompts unless it is necessary.

7. How we handle your content and documents

Filed versus unfiled documents

Documents you choose to file are stored securely in our cloud storage (Supabase Storage), count against your storage quota (up to 100MB per file) and remain available to you until you delete them or close your account.

Documents you upload as unfiled (up to 50MB) are processed only to answer the specific question you ask and are not retained by us after the response is generated.

Your study content and conversations

Your learning content (quizzes, exams, flashcards, notes, study plans, essays and projects), your modules and folders, and your AI conversation history are retained so that you can return to and continue your work, subject to the retention periods in section 13. You can delete individual items, and you can request deletion of your content as described in section 12.

The document reader and coding sandbox

Our built-in document reader renders your PDFs within the Services. The in-browser coding sandbox runs code you write or generate; we process the contents of the sandbox to provide the feature and to keep the Platform secure.

8. Who we share your information with

We do not sell your personal information. We share it only as described below, and we require our service providers ("operators" under POPIA) to process personal information only on our instructions, to keep it confidential and to apply appropriate security safeguards.

Service providers and sub-processors

Provider Purpose
Supabase Database, authentication, file storage (your filed documents) and edge functions
Cloudflare Hosting of our API at api.vennor.co.za and of the website; routing of AI/voice traffic through our Workers
Paystack Payment processing for subscriptions and commission payouts; collection and processing of card/payment-instrument data
Anthropic AI tutor and AI-generated study features (Claude)
OpenAI AI tutor, AI-generated study features and the real-time AI Voice Assistant
Amazon Web Services / Amazon SES Transactional email (sign-in/verification codes, invites, earnings summaries)
Google Google sign-in and optional two-way Google Calendar synchronisation
LinkedIn LinkedIn sign-in

Each provider receives only the information needed for its purpose.

Streak Sprint partners and competition

Where you pair with a Streak Sprint partner or take part in the Streak Competition, certain limited progress information (such as comparison data and competition standings) is shared with your partner or shown in competition results, consistent with how those features work.

Legal, regulatory and protective disclosures

We may disclose personal information where we reasonably believe it is necessary to comply with a law, regulation, legal process or enforceable governmental or regulatory request; to enforce our Terms; to detect, prevent or address fraud, security or technical issues; or to protect the rights, property or safety of Vennor, our users or the public.

Business transfers

If Vennor is involved in a merger, acquisition, reorganisation, sale of assets or insolvency, personal information may be transferred to a successor or acquirer as part of that transaction, subject to this Policy and applicable law. We will take reasonable steps to notify you where required.

Campus Partner sharing

Additional sharing relating to Campus Partner payouts and verification (including through Paystack and any FICA-related processes) is described in the Campus Partner Privacy Notice.

9. Google user data (Sign-In and Calendar)

This section explains, specifically, how we handle Google user data - the information we receive from Google APIs when you use Google Sign-In or connect the optional Google Calendar synchronisation. It applies in addition to the rest of this Privacy Policy. A plain-language summary is also published at https://vennor.co.za/google-calendar.

Google Sign-In

If you sign in with Google, Google shares your name, email address and profile picture with us, in line with the permissions shown on Google's consent screen. We use this only to create and operate your Account.

Google Calendar synchronisation (optional)

The study planner offers an optional, strictly opt-in two-way synchronisation with Google Calendar. Nothing is connected until you press "Connect Google Calendar" in the planner and approve access on Google's own consent screen. If you connect, we request only the narrowest permissions (OAuth scopes) the feature needs:

How we use, store and share Google user data

Limited Use

VENNOR's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Disconnecting and deleting Google user data

You can disconnect Google Calendar at any time in the planner's calendar settings - we then delete our stored Google authorisation tokens and our access ends. You can also revoke VENNOR's access from your Google Account permissions, or email help@vennor.co.za and we will disconnect the integration and delete the associated data for you.

10. Cross-border transfers of personal information

Several of our service providers (including Supabase, Cloudflare, Paystack, Anthropic, OpenAI, AWS/SES, Google and LinkedIn) operate and may store or process personal information on servers located outside the Republic of South Africa. This means your personal information may be transferred to, and processed in, other countries.

In line with section 72 of POPIA, we will only transfer personal information outside South Africa where at least one of the following applies:

  1. the recipient is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection substantially similar to POPIA, including provisions for onward transfers;
  2. the transfer is necessary for the performance of a contract between you and us, or for the implementation of pre-contractual measures taken in response to your request;
  3. the transfer is necessary for the conclusion or performance of a contract concluded in your interest between us and a third party;
  4. you have consented to the transfer; or
  5. the transfer is for your benefit and it is not reasonably practicable to obtain your consent, but you would be likely to give it.

We put appropriate contractual and security measures in place with these providers to protect your personal information when it is transferred and processed abroad.

11. Cookies, local storage and similar technologies

We and our providers use cookies, local storage and similar technologies to make the Services work and to keep them secure. These include:

We do not use third-party advertising cookies or ad-tracking technologies, and we do not build advertising profiles of you.

Most browsers and devices let you control or delete cookies and local storage through their settings. Disabling strictly necessary technologies may prevent parts of the Services from working. Some functionality also relies on the za.co.vennor:// deep-link scheme, which allows email links to open the desktop or mobile app.

12. Children's and young users' information

The Services are intended for users aged 13 and older. We do not knowingly create accounts for children under 13.

Users aged 13–17

Under POPIA, the personal information of a child (a person under 18 who is not legally competent, without assistance, to take the action concerned) is afforded special protection under sections 34 and 35. Accordingly:

We rely on this guardian consent (a "competent person" under POPIA) as a basis for processing a young user's personal information for the purposes set out in this Policy.

If consent was not validly given

If you are a parent or guardian and you believe a child has provided us with personal information without your consent, or that a young user's account was created without proper consent, please contact our Information Officer at informationofficer@vennor.co.za. We will take reasonable steps to verify the position and, where appropriate, to delete the information or close the account.

13. Your rights under POPIA

As a data subject under POPIA, you have the following rights in respect of your personal information:

How to exercise your rights

You can exercise many of these rights directly in the app (for example, by editing your profile, deleting content or cancelling your subscription). For other requests, please contact our Information Officer at informationofficer@vennor.co.za or privacy@vennor.co.za. Formal POPIA access and correction requests may be made using the prescribed forms, available from the Information Regulator's website.

We will respond to verified requests within a reasonable time and, in any event, within the period required by law. We may need to verify your identity before acting on a request, and in limited cases we may decline a request where the law permits or requires us to (for example, where complying would breach another person's rights or a legal obligation). We will explain our reasons where we do so.

14. How long we keep your information

We keep personal information only for as long as is necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.

When a retention period ends, we securely delete, destroy or de-identify the relevant personal information.

15. How we keep your information secure

In line with section 19 of POPIA, we take appropriate, reasonable technical and organisational measures to safeguard the confidentiality, integrity and availability of personal information and to protect it against loss, damage, unauthorised access and unlawful processing. These measures include:

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You also play an important role - please keep your password confidential, use a strong and unique password, and tell us promptly if you suspect any unauthorised use of your account.

Breach notification

In line with section 22 of POPIA, if we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering and assessing the compromise, unless a public body or the Regulator directs otherwise. Our notification will provide sufficient information to allow you to take protective measures.

16. Complaints to the Information Regulator

We would prefer to resolve any concern directly, so please contact our Information Officer first at informationofficer@vennor.co.za. However, you have the right at any time to lodge a complaint with the Information Regulator (South Africa), the independent body that oversees POPIA, if you believe we have processed your personal information unlawfully.

Information Regulator (South Africa)

You can find the official POPIA materials and complaint forms on the Information Regulator's website at https://inforegulator.org.za.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, our practices, our service providers or the law. When we make changes, we will revise the "Last updated" date and version number at the top of this Policy and publish the updated version at https://vennor.co.za and within the apps.

Where the changes are material, we will take additional steps to bring them to your attention - for example, through an in-app notice or email - and, where the law requires your consent for a particular change, we will ask for it before that change applies to you. Your continued use of the Services after an update takes effect means you accept the updated Policy, except in respect of any processing for which we are required to obtain fresh consent.

19. How to contact us

If you have any questions, requests or concerns about this Privacy Policy or about how we handle your personal information, please contact us:

Vennor (Pty) Ltd (registration number 2024/814236/07)

Registered office: KWAMAGWAZA MISSION, MELMOTH, KWAZULU-NATAL, SOUTH AFRICA, 3835

Website: https://vennor.co.za

This Privacy Policy should be read together with our Terms of Service, our Campus Partner Privacy Notice and Campus Partner Terms, and our Competition Rules, each of which is available on our website.