Privacy Policy

Last updated: March 12, 2026

1. Introduction

Vorim AI ("we", "our", "us") operates the Vorim AI platform, including the API, web dashboard, SDK, and related services. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our services.

By using Vorim AI, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Account Information: When you register, we collect your name, email address, organisation name, and password (stored as a bcrypt hash — we never store plaintext passwords). If you sign in with Google or GitHub OAuth, we collect your email address, name, profile picture URL, and the OAuth provider's unique user ID.

Agent Data: When you register agents, we store agent metadata (name, type, capabilities, status), public keys, and key fingerprints. Private keys are generated server-side and returned once — we never persist agent private keys.

Audit Events: Events submitted through the API or SDK are stored in our TimescaleDB infrastructure. Audit events include agent IDs, event types, actions, resources, results, and metadata you provide.

Usage Data: We collect anonymised usage metrics including API request counts, permission check volumes, and feature usage to improve our service.

Technical Data: Server logs may include IP addresses, request timestamps, user agents, and API endpoints accessed. These logs are retained for 30 days for security and debugging purposes.

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Vorim AI platform
• Authenticate users and agents, and enforce permissions
• Generate trust scores based on agent behavior data
• Produce audit bundles and compliance reports
• Send service-related communications (security alerts, billing, product updates)
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations

4. Data Sharing and Disclosure

Public Trust API: Agent public keys, fingerprints, trust scores, and registration dates are available through our public Trust API. This is by design — the Trust API enables third-party verification of agent identity. No private data (audit events, permissions, account details) is exposed through the Trust API.

Third Parties: We do not sell, rent, or share your personal information with third parties for marketing purposes. We may share data with:

• Infrastructure providers (hosting, database, CDN) under data processing agreements
• OAuth providers (Google, GitHub) for authentication purposes
• Law enforcement when required by valid legal process
• Successors in the event of a merger, acquisition, or asset sale

5. Data Retention

Audit event retention depends on your plan:

• Free: 30 days
• Starter: 90 days
• Growth: Unlimited
• Enterprise: Custom retention as defined in your contract

Account data is retained for the duration of your account. Server logs are retained for 30 days. Upon account deletion, all personal data is permanently deleted within 30 days unless retention is required for legal or regulatory compliance.

6. Data Security

We implement industry-standard security measures including:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for sensitive data at rest
• Ed25519 cryptographic signatures for audit trails
• Bcrypt password hashing (cost factor 12)
• Role-based access control (RBAC) for internal access
• Regular security audits and penetration testing
• SOC 2 Type II compliance (in progress)

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Request deletion of your data ("right to be forgotten")
• Restrict or object to processing
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent for data processing

To exercise these rights, contact us at privacy@vorim.ai.

8. International Data Transfers

Vorim AI operates servers in the European Union and United States. Data may be transferred between these regions for service operation. We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to non-EU countries.

9. Cookies and Tracking

We use essential cookies for authentication and session management. With your consent, we use Google Analytics for anonymised usage metrics. You can control cookie preferences in your browser settings.

10. Children's Privacy

Vorim AI is not intended for use by individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect. The "Last updated" date at the top of this policy indicates when it was last revised.

12. Contact Us

For questions about this Privacy Policy or to exercise your data rights:

• Email: privacy@vorim.ai
• General contact: kwame@vorim.ai
• Website: vorim.ai

© 2026 Vorim AI. All rights reserved. Terms of Service | About | Contact