Privacy Policy

This Privacy Policy describes how Vormur, Inc. ("Vormur," "we," "us," or "our") collects, uses, and protects information in connection with our compliance operations platform and related services.

Effective date: May 12, 2026 · Updated to describe persistent, encrypted data handling.

1. Information We Process

Customer Platform Data

When you use Vormur's integration mode, our service processes data from your existing compliance platforms (such as transaction monitoring systems and case management tools) on your behalf. This data may include alert metadata, transaction patterns, transaction amounts, entity identifiers, and investigation workflow data.

Customer Platform Data is processed by the Vormur application and persisted in an encrypted, US-hosted PostgreSQL database for the duration of your engagement so that completed investigations can be reviewed, audited, and re-opened. It is encrypted at rest using AES-256, encrypted in transit using TLS 1.3, segregated by customer, and accessible only via role-based access controls, with all accesses recorded in an append-only audit log. See Section 4 for how long we keep this data and how it is deleted.

PII Tokenization

AI deliberation & drafting. Before case data is sent to our general-purpose AI providers (such as OpenAI and Anthropic) for analysis or SAR-narrative drafting, designated subject identifiers — name, account number, Social Security or tax identification number, date of birth, address, phone, and email — are replaced with opaque tokens. The token-to-value mapping is encrypted and held inside the Vormur environment and is never transmitted to the provider; provider outputs are de-tokenized inside Vormur before results are written back to your platform. These providers operate under zero-data-retention terms.

Screening & enrichment. Customer due-diligence and open-source (OSINT) screening necessarily use real identifiers to query public-records, sanctions, and search providers — a token cannot be matched against public records. These named sub-processors are listed in our Sub-processor Register and operate under data-processing agreements, and this processing occurs under the financial-institution customer's authorization.

Account Information

When you create a Vormur account or request a demo, we collect business contact information such as your name, email address, company name, and role. This information is used to provide our services, communicate with you, and manage your account.

Usage Data

We collect aggregated, non-identifying usage metrics such as investigation volumes, response times, and platform performance data. This data is used to improve our service and does not contain customer PII or transaction details.

2. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the Vormur platform and investigation services.
  • Process compliance alerts and generate investigation results on your behalf.
  • Write investigation results, narratives, and disposition recommendations back to your designated platform.
  • Communicate with you about your account, service updates, and support requests.
  • Monitor and improve platform performance, reliability, and security.
  • Comply with applicable legal obligations.

3. Information Sharing

We do not sell, rent, or trade any customer information. We share information only in the following limited circumstances:

AI Inference Providers

To perform AI-powered investigations, de-identified and PII-tokenized data is transmitted to our AI inference providers for processing. Our inference providers are contractually bound not to use this data for model training, do not persist prompts or completions beyond short-term abuse monitoring, maintain SOC 2 Type II certification, and process data exclusively on US-based infrastructure.

Your Designated Platforms

Investigation results, narratives, and disposition recommendations are written back to the compliance platforms you designate (e.g., your case management system or transaction monitoring platform).

Legal Requirements

We may disclose information if required to do so by law or in response to valid legal process, such as a subpoena, court order, or government request.

4. Data Retention

Customer Platform Data (alert data, transaction data, investigation context, evidence items) is retained in encrypted form for the duration of your service agreement so that completed investigations can be reviewed, audited, and re-opened. On termination of your service agreement, Vormur deletes this data from active systems within thirty (30) days; copies present in operational backups age out in accordance with our backup retention schedule, typically within sixty (60) days. On written request, we will confirm completion of deletion.

Application audit events (records of authentication, authorization, and access to your data) are retained for one (1) year in active storage and archived for an additional six (6) years to support security investigations and regulatory inquiries.

Account Information (business contact details) is retained for the duration of your service agreement, and thereafter for a reasonable period for record-keeping and legal compliance purposes. Booking submissions and lead inquiries from non-customers are retained for up to twenty-four (24) months from last contact and then deleted.

Aggregated Usage Data (non-identifying performance metrics) may be retained indefinitely to improve our services.

5. Data Security

We implement industry-standard security measures to protect the information we process, including TLS 1.3 encryption on all data in transit, AES-256 encryption at rest on all customer data persisted in our managed PostgreSQL database, tokenization of designated PII fields before any payload is sent to an AI inference provider, US-based infrastructure for all data processing and storage, role-based access controls with multi-factor authentication on administrative interfaces, and an append-only audit log of access to customer data. For more detail, see our Security page.

6. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or restrict the processing of your personal information. To exercise these rights, please contact us at privacy@vormur.com. We will acknowledge your request within five (5) business days and complete it within thirty (30) days, subject to identity verification and any applicable legal hold. For Customer Platform Data, requests should be made through the customer's authorized administrative contact.

7. Cookies and Website Analytics

The Vormur website (vormur.com) may use essential cookies to ensure proper site functionality. We do not use third-party advertising cookies or tracking pixels. Any analytics we use are privacy-respecting and do not track individual users across sites.

8. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" at the top of this page and, where appropriate, notify affected customers directly.

9. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@vormur.com.

Vormur, Inc.
United States