Privacy Policy

Last updated 22 June 2026

This Privacy Policy explains what information Vorra ("we", "us") collects when you use Vorra Review (the "Service"), how we use it, and the choices you have. By using the Service you agree to this policy.

Who runs Vorra Review

Vorra Review is operated by Vorra, based in South Africa. For privacy questions, contact us on WhatsApp at +27 73 850 7252.

What we collect

Account information

When you sign in we collect the email address you use, your Firebase user ID, and timestamps of sign-in events. We use email-link sign-in, so we do not collect or store any password.

Review activity

When you leave a comment on a video, we store the comment text, the timecode it relates to, the file ID of the video, your email, your user ID, and the time the comment was created.

Video files

Videos that workspace admins upload are stored in Firebase Storage (Google Cloud). When you play a video, our server mints a short-lived signed URL so your browser can stream the file directly from storage. Access to each video is gated by a per-video viewer list (the viewerEmails set by a workspace admin): admins see every video in their workspace, while reviewers only see videos where their email is on the list. Our stream and comment endpoints re-check this on every request.

External storage connections

Workspace admins can optionally connect external storage folders — Google Drive, Dropbox, OneDrive or Box — so their existing files can be searched from the library. These connections work very differently from uploaded videos:

  • Read-only, least-privilege scopes. We request only the minimum read scopes needed to search and list files (for example, Google Drive's drive.readonly). We never request write, delete, permission-modify, or admin scopes.
  • Search-only. Connected files become searchable from the library, but their bytes are never proxied or streamed through Vorra. Clicking a result links you out to the provider's own native interface.
  • Metadata only. For each connected file we store only basic metadata — name, MIME type, size, last-modified time, and the provider's native link (externalUrl). We do not download or cache file contents.
  • Server-side tokens, revoked on disconnect. OAuth access and refresh tokens are stored only on the server (in Firestore, encrypted at rest) and are never exposed to your browser. When an admin disconnects a provider, we delete the local record and call the provider's token revocation endpoint.

These guarantees are described in more detail in our internal Cross-Provider Connection Policies, which the connection screen summarises before you connect. If you'd like a copy, ask us via the support page.

Technical information

Our hosting provider may log standard request metadata such as your IP address, user agent, and request paths for the purpose of operating and securing the Service. We do not use third-party analytics or advertising trackers.

How we use it

  • To authenticate you and show you only the videos shared with your email.
  • To display your comments to other reviewers who have access to the same video.
  • To let workspace admins search files in any external folders they have connected.
  • To investigate technical issues and abuse.
  • To respond to your support requests.

We do not sell your data, and we do not use it for advertising.

Who we share it with

The Service relies on a small number of trusted processors:

  • Google Firebase — authentication (Firebase Auth), the Firestore database where comments, connection records and metadata are stored, and Firebase Storage where uploaded videos are kept.
  • Our hosting provider — runs the Next.js application that serves Vorra Review.
  • External storage providers you connect — if a workspace admin connects Google Drive, Dropbox, OneDrive or Box, we exchange read-only requests with that provider to search and list files. We only interact with the providers an admin has chosen to connect.

We do not share your data with anyone else without your consent or unless required by law.

How long we keep it

We keep your account and comment data for as long as your account is active. When you ask us to delete your account we remove your account record and your comments within 7 days. Backups may contain the data for up to 30 days after that before they expire.

Your rights

You can ask us, at any time, to:

  • Tell you what data we hold about you.
  • Correct inaccurate data.
  • Delete your account and your comments.
  • Stop sending you sign-in links.

To exercise any of these rights, message us on WhatsApp at +27 73 850 7252. You can also start the deletion flow from your settings page.

Your rights under POPIA

Because Vorra is based in South Africa, our processing of your personal information is governed by the Protection of Personal Information Act, 2013 (POPIA). This section explains how POPIA applies to you.

Responsible party and Information Officer

Vorra is the responsible party for the personal information processed through the Service. You can reach our Information Officer on WhatsApp at +27 73 850 7252.

Lawful basis for processing

We process your personal information where it is necessary to perform the Service you have been invited to use (authenticating you, showing you the videos shared with you, and storing your comments), to pursue our legitimate interests in operating and securing the Service, to comply with our legal obligations, and — where required — with your consent. You may withdraw any consent at any time, though some processing may be necessary for us to keep providing the Service.

Your data-subject rights

Under POPIA you have the right to:

  • Be told what personal information we hold about you and request access to it.
  • Ask us to correct or update information that is inaccurate or incomplete.
  • Ask us to delete your account and your personal information.
  • Object to processing of your personal information in certain circumstances.
  • Lodge a complaint with the Information Regulator of South Africa if you believe your information has been handled unlawfully.

To exercise any of these rights, contact our Information Officer using the WhatsApp number above. You can reach the Information Regulator at inforegulator.org.za.

Cross-border transfers

Vorra is based in South Africa, but our processors — including Firebase (Auth, Firestore and Storage) and our hosting provider — may process data in regions outside South Africa, including the European Union and the United States. Where an external provider you have connected is involved, file metadata may also be handled in that provider's regions. We rely on these providers' contractual and technical safeguards to protect your information, and by using the Service you consent to this transfer as contemplated by POPIA.

Security

We use HTTPS for all traffic, HTTP-only session cookies for authentication, and access controls that re-check each video's viewer list before serving any video or comment. Uploaded videos are served only through short-lived signed URLs, and OAuth tokens for connected providers are kept server-side and encrypted at rest. No system is perfectly secure — if you become aware of a vulnerability, please tell us right away.

Children

Vorra Review is a business tool and is not directed at children under 16. If you believe a child has used the Service, contact us so we can remove their data.

Changes

We may update this policy from time to time. If we make material changes we'll update the date at the top and, where it makes sense, notify you in-app.