POPIA Compliance
Last updated 23 June 2026
Vorra is based in South Africa, so our handling of personal information is governed by the Protection of Personal Information Act, 2013 (POPIA). This page explains, in plain terms, how Vorra Review (the "Service") complies with POPIA. It sits alongside our Privacy Policy and Terms of Service; where this page and the Privacy Policy describe the same processing, they are intended to be read together.
Who the Responsible Party is
Under POPIA, the "responsible party" is the person who determines why and how personal information is processed. For Vorra Review that is Vorra, operating from South Africa. Vorra is accountable for the personal information processed through the Service and for the conditions for lawful processing set out below.
You can reach our Information Officer on WhatsApp at +27 73 850 7252 or through the support page.
The eight conditions for lawful processing
POPIA sets out eight conditions that a responsible party must meet. Here is how each one applies to Vorra Review:
1. Accountability
Vorra takes responsibility for meeting these conditions across the lifetime of the personal information it processes, and has appointed an Information Officer who is your point of contact for POPIA matters.
2. Processing limitation
We process personal information lawfully and in a way that does not unreasonably intrude on your privacy. We collect only what we need to run the Service, and we rely on a lawful ground for each kind of processing (see the lawful basis section below).
3. Purpose specification
We collect personal information for the specific, explicitly defined purpose of letting invited users review videos, leave timecoded comments, and share feedback. We do not keep information for longer than is necessary for that purpose.
4. Further processing limitation
We do not reuse your personal information for purposes that are incompatible with the reason it was collected. We do not sell your data, and we do not use it for advertising or third-party profiling.
5. Information quality
We take reasonable steps to keep the personal information we hold accurate and up to date. You can ask us to correct anything that is wrong or incomplete at any time.
6. Openness
We are transparent about what we collect and why. This page, together with the Privacy Policy, documents our processing so you can understand it before and while you use the Service.
7. Security safeguards
We protect personal information with appropriate technical and organisational measures, described in the Security safeguards section below.
8. Data subject participation
You have the right to know what we hold about you and to ask us to access, correct, or delete it. See the Your rights section below.
What personal information we process
To provide the Service, Vorra processes:
- Your email address — used for email-link sign-in (we never collect or store a password).
- Your Firebase user ID and sign-in timestamps — used to identify your account and to secure access.
- The comments you write, including the timecode a comment relates to and the time it was created.
- Video metadata and file identifiers for the videos shared with you, so the Service can stream the right file and attach your comments to it.
- Standard technical request metadata (such as IP address and user agent) logged by our hosting provider for operating and securing the Service.
For the full detail of how each category is stored and shared, see the Privacy Policy.
Lawful basis and purpose
Most of our processing is necessary to perform the Service you were invited to use — authenticating you, showing you only the videos shared with your email, and storing and displaying your comments. We also process information to pursue our legitimate interest in operating and securing the Service, to comply with our legal obligations, and, where required, with your consent. Where we rely on consent you may withdraw it at any time, although some processing is necessary for us to keep providing the Service.
Your rights as a data subject
Under POPIA you have the right to:
- Be told what personal information we hold about you and request access to it.
- Ask us to correct or update information that is inaccurate or incomplete.
- Ask us to delete your account and the personal information we hold about you.
- Object, on reasonable grounds, to the processing of your personal information.
- Lodge a complaint with the Information Regulator of South Africa if you believe your information has been handled unlawfully.
To exercise any of these rights, message our Information Officer on WhatsApp at +27 73 850 7252. You can also start the deletion flow from your settings page.
The supervisory authority
The supervisory authority for POPIA is the Information Regulator of South Africa. If you are not satisfied with how we have handled your personal information or a request you have made, you may lodge a complaint with the Regulator. You can find their contact details and complaint process at inforegulator.org.za.
Security safeguards
We take the security of personal information seriously. We serve all traffic over HTTPS, use HTTP-only session cookies for authentication, and re-check each video's viewer list before serving any video or comment. Uploaded videos are streamed only through short-lived signed URLs, and OAuth tokens for any external storage an admin connects are kept server-side and encrypted at rest. No system is perfectly secure — if you become aware of a vulnerability, please tell us straight away.
Operators and cross-border transfers
POPIA allows a responsible party to use "operators" (processors) who process personal information on its behalf under a written contract. Vorra relies on Google Firebase as an operator for authentication (Firebase Auth), the Firestore database where comments and metadata are stored, and Firebase Storage where uploaded videos are kept. Our hosting provider also acts as an operator in running the Service.
These operators may process personal information in regions outside South Africa, including the European Union and the United States. As contemplated by section 72 of POPIA, we rely on these providers' contractual and technical safeguards — which offer protection substantially similar to POPIA — to keep your information secure during these transfers. Where a workspace admin connects an external storage provider, file metadata may also be handled in that provider's regions, as described in the Privacy Policy.
Changes
We may update this page from time to time. If we make material changes we will update the date at the top and, where it makes sense, notify you in-app.