Privacy Policy

This Privacy Policy describes how Vormur, Inc. ("Vormur," "we," "us," or "our") collects, uses, and protects information in connection with our compliance operations platform and related services.

Effective date: March 15, 2026

1. Information We Process

Customer Platform Data

When you use Vormur's integration mode, our service processes data from your existing compliance platforms (such as transaction monitoring systems and case management tools) on your behalf. This data may include alert metadata, transaction patterns, transaction amounts, entity identifiers, and investigation workflow data.

This data is processed transiently in memory only. Vormur does not persist Customer Platform Data to disk, to any database, or to any long-term storage. All data is discarded after each investigation cycle completes.

PII Tokenization

Before any Customer Platform Data is sent for AI inference, all personally identifiable information — including names, Social Security numbers, account numbers, dates of birth, and addresses — is stripped and replaced with opaque, non-reversible tokens. The AI model processes only de-identified transaction patterns and behavioral signals. Identifiers are re-mapped only when writing results back to your platform.

Account Information

When you create a Vormur account or request a demo, we collect business contact information such as your name, email address, company name, and role. This information is used to provide our services, communicate with you, and manage your account.

Usage Data

We collect aggregated, non-identifying usage metrics such as investigation volumes, response times, and platform performance data. This data is used to improve our service and does not contain customer PII or transaction details.

2. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the Vormur platform and investigation services.
  • Process compliance alerts and generate investigation results on your behalf.
  • Write investigation results, narratives, and disposition recommendations back to your designated platform.
  • Communicate with you about your account, service updates, and support requests.
  • Monitor and improve platform performance, reliability, and security.
  • Comply with applicable legal obligations.

3. Information Sharing

We do not sell, rent, or trade any customer information. We share information only in the following limited circumstances:

AI Inference Providers

To perform AI-powered investigations, de-identified and PII-tokenized data is transmitted to our AI inference providers for processing. Our inference providers are contractually bound not to use this data for model training, do not persist prompts or completions beyond short-term abuse monitoring, maintain SOC 2 Type II certification, and process data exclusively on US-based infrastructure.

Your Designated Platforms

Investigation results, narratives, and disposition recommendations are written back to the compliance platforms you designate (e.g., your case management system or transaction monitoring platform).

Legal Requirements

We may disclose information if required to do so by law or in response to valid legal process, such as a subpoena, court order, or government request.

4. Data Retention

Customer Platform Data (alert data, transaction data, investigation context) is processed transiently in memory and is not retained after the investigation cycle completes. No customer compliance data is persisted to disk or stored in any Vormur-controlled database.

Account Information (business contact details) is retained for the duration of your service agreement and for a reasonable period thereafter for record-keeping and legal compliance purposes.

Aggregated Usage Data (non-identifying performance metrics) may be retained indefinitely to improve our services.

5. Data Security

We implement industry-standard security measures to protect the information we process, including TLS 1.3 encryption on all data in transit, stateless architecture with no persistent customer data storage, PII tokenization before AI inference, US-based infrastructure for all data processing, and access controls with authentication on all API endpoints. For more detail, see our Security page.

6. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or restrict the processing of your personal information. Because Vormur's core processing is stateless and transient, customer compliance data is not retained in our systems after processing. For requests related to Account Information, please contact us at the address below.

7. Cookies and Website Analytics

The Vormur website (vormur.com) may use essential cookies to ensure proper site functionality. We do not use third-party advertising cookies or tracking pixels. Any analytics we use are privacy-respecting and do not track individual users across sites.

8. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" at the top of this page and, where appropriate, notify affected customers directly.

9. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@vormur.com.

Vormur, Inc.
United States