Privacy Policy

How Vortic Intelligence Ltd handles personal data on the Vortic insurance underwriting platform — what we collect, why, who else touches it, how long we keep it, and the rights you have over it.

Effective date: 10 May 2026 · Last updated: 10 May 2026

1. Who we are

Vortic is a system of action and coordination for insurance underwriting, operated by Vortic Intelligence Ltd (“Vortic”, “we”, “us”), a company registered in the United Kingdom.

For the purposes of the UK GDPR and the EU GDPR, Vortic Intelligence Ltd is the data controller for personal data we collect through the website www.getvortic.com and the platform you sign in to. When we process risk-bearing data on behalf of an underwriting partner (an MGA, broker, carrier, or coverholder), we act as that partner's data processor; the engagement is governed by a separate Data Processing Addendum signed at onboarding.

Reach our privacy team at privacy@getvortic.com.

2. Data we collect

We collect and process the following categories of personal data:

Account data
Email, name, company name, country, role, password hash, sign-in timestamps, and your access-request notes (including how you intend to use Vortic). Stored in our Supabase profile records.
Submission data
Underwriting submissions you upload — insured names, addresses, postcodes/ZIPs, total sums insured, premiums, broker contact details, loss histories, and any PDFs attached. This may include personal data of third parties (e.g. broker contacts, named insureds). You are responsible for the lawful basis on which you provide that third-party data to us; we process it under your instruction.
Bound book
Bound risks, policy references, inception/expiry dates, and renewal triggers. Same processing model as submissions.
Agent traces
Every LLM call we make on your behalf is logged with the model used, input/output token counts, duration, and a structured snapshot of the output. Before a trace is persisted we redact obvious personal data (email addresses replaced, the last three characters of postcodes and ZIP codes removed, insured names masked), but residual personal data may remain in free-text model outputs.
Decision audit trail
Bind / decline / refer decisions you take, the rationale you record, the agent outputs that informed the decision, and the user who took it. Retained for the regulatory audit periods set out in §8.
Payment data
When you top up credits, we record the Stripe checkout session ID, amount, and status. Card details are processed directly by Stripe and never touch our servers.
Operational telemetry
IP address, user-agent string, and request timestamps for rate-limiting and fraud prevention; reflex-dismissal state; chat history within a session; cron and webhook delivery logs.
Marketing inquiries
If you submit our contact form or request access, we keep your message and contact details to respond to you.

We do not collect special-category personal data (health, biometric, political, religious) unless a submission you upload happens to contain it. We treat such data with the same redaction and retention rules as the rest of the submission record.

3. How we use your data

  • To provide the Vortic platform — running specialist underwriting agents, generating decision memos, maintaining your bound book and renewal pipeline.
  • To authenticate you and keep your account secure (sessions, MFA where enabled, fraud detection, abuse prevention).
  • To bill you accurately when you top up credits and to honour the credits ledger.
  • To send transactional email — welcome, sign-in receipts, top-up confirmations, low-credit warnings, renewal reminders, and security alerts.
  • To audit decisions for regulatory traceability — every claim in a memo links back to which agent emitted it and which dataset it cited.
  • To improve the platform — debug errors with redacted Sentry traces, measure feature adoption with PostHog, and benchmark agent quality on golden fixtures.
  • To respond to legal obligations — e.g. tax records, FCA / regulatory inquiries, court orders.

We do not use your submission data, bound book, or agent traces to train third-party LLMs. Where we route through free OpenRouter models, they are configured to opt out of provider-side training wherever the upstream provider supports an opt-out; if a provider does not, we switch to a paid endpoint or a different provider rather than send the traffic there.

5. Sub-processors and integrations

We use the following sub-processors. Each handles a defined slice of your data under a written processing agreement; click through for their own privacy notices.

Processor | Role | Region | Notice
Supabase (Snaplet Cloud Inc) | Database, auth, storage | EU (Frankfurt) | Privacy notice
OpenRouter Inc | LLM gateway | US, model-dependent | Privacy notice
Stripe Inc | Payments | US (UK affiliate) | Privacy notice
Resend Inc | Transactional email | US (EU sub-processor) | Privacy notice
Upstash Inc | Rate limiting (Redis) | EU / US (your choice at provisioning) | Privacy notice
Cloudflare Inc | Captcha (Turnstile), CDN | Global edge | Privacy notice
Functional Software Inc (Sentry) | Error monitoring | US | Privacy notice
PostHog Inc | Product analytics | EU (Frankfurt) | Privacy notice
Vercel Inc | Hosting, edge runtime | Global edge | Privacy notice
Google LLC (Google Ads) | Conversion tracking, remarketing pixel on marketing pages | Global | Privacy notice
GitHub, Inc. | Source control (engineering only) | US | Privacy notice

We update this list as we add or remove sub-processors. Material changes that increase the categories of data sent to a sub-processor are announced at least 14 days before they take effect; underwriting partners on a Data Processing Addendum receive direct notice.

6. Public data sources we query

When you process a submission, we enrich it by querying free public data sources. We send only the geographic identifier (postcode, ZIP) or the insured name — never the full submission.

  • Environment Agency (UK) — flood-zone lookup by postcode.
  • FEMA NFHL / Map Service Center (US) — flood-zone classification by ZIP.
  • US National Weather Service — active severe-weather alerts at the geocoded point.
  • OpenSanctions — sanctions, PEP, and watchlist screening on the insured name.
  • SEC EDGAR — public-company registration check on the insured name.
  • Wikidata / Wikipedia — adverse-media and public-profile context.
  • postcodes.io, Zippopotam — postcode and ZIP geocoding.

These services may log the identifier we send and the originating IP address (in most cases Vercel’s edge, not yours). Beyond that single postcode, ZIP, or insured name, they receive nothing about you or the other parties named in your submission.

7. Cookies and similar technologies

The platform uses four categories of cookies and local-storage entries:

Strictly necessary
Supabase auth cookies (your session), CSRF tokens, and a small in-memory store for the chat panel during a session. Cannot be disabled without breaking sign-in.
Analytics
PostHog event capture for signup, pipeline runs, and decisions. Only fires for authenticated users and respects your browser's Do Not Track signal where set.
Captcha
Cloudflare Turnstile may set a short-lived token cookie during the access-request and signup flows.
Advertising / conversion tracking
Google Ads (gtag.js) loads on marketing pages in production to measure conversion events from paid search and remarket to past visitors. Only fires in production; not loaded in dev or preview environments. We do not sell your data to ad networks; the only sharing is the standard Google Ads conversion + remarketing audience signal.

You can opt out of Google Ads remarketing on Google’s Ads Settings page, or block third-party cookies in your browser to disable conversion tracking entirely.

8. Data retention

  • Account data — kept while your account is active and for 6 years thereafter, matching standard insurance regulatory retention.
  • Submissions and bound book — for the life of your account plus 7 years, the standard FCA / NAIC audit horizon for underwriting decisions.
  • Decision audit trail and agent traces — 7 years.
  • Payment records — 7 years for tax purposes.
  • Operational logs (rate-limit, request logs, Sentry events) — 90 days, or longer where an active security investigation requires it.
  • Marketing inquiries — up to 24 months unless we’re actively engaged with you.
  • Reflex dismissals — until you delete your account.

When a retention period ends we either delete the data or anonymise it so it can no longer be linked to you.

9. Security

We protect personal data with measures appropriate to the risk: database row-level security so you only ever see your own rows; TLS everywhere; encryption at rest in Supabase; least-privilege service roles; secret rotation; security headers (HSTS, CSP, X-Frame-Options: DENY); rate-limiting and captcha on abuse-prone endpoints; PII redaction on agent traces; and Sentry monitoring with PII stripped in the Sentry SDK's beforeSend hook before an event is sent.
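The trace redaction described in §2 (Agent traces) and the PII stripping in the Sentry beforeSend hook above are the same scrubbing step applied at two points. The JavaScript below is an added illustration of that step and is not Vortic's code: structured fields are redacted by key, free text gets a regex pass as a backstop, and the result is wrapped in a hook of the shape Sentry.init expects. The regular expressions, key names, dropped headers, the insured-name lookup, and the sample event are all assumptions made for the example.

```javascript
// Added example (not Vortic's code): the trace redaction from §2 and the
// Sentry beforeSend PII stripping from §9 as one scrubber. Structured fields
// are redacted by key; free text gets a regex pass as a backstop. Regexes,
// key names, dropped headers and the sample event are illustrative assumptions.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// UK postcode: outward code, optional space, inward code (digit + two letters).
const UK_POSTCODE_RE = /\b[A-Za-z]{1,2}\d[A-Za-z\d]? ?\d[A-Za-z]{2}\b/g;
// US ZIP with optional +4. Any bare five-digit number (e.g. a sum insured)
// also matches in free text, which is why structured fields are handled by
// key and the regex pass is only a backstop.
const US_ZIP_RE = /\b(\d{5})(?:-\d{4})?\b/g;
const DROP_HEADERS = new Set(['cookie', 'authorization', 'x-forwarded-for']);

// Keep each word's initial so two insureds stay distinguishable in a trace:
// "Acme Holdings Ltd" -> "A*** H******* L**".
function maskName(name) {
  return name
    .trim()
    .split(/\s+/)
    .filter((w) => w.length > 0)
    .map((w) => w[0] + '*'.repeat(Math.max(w.length - 1, 1)))
    .join(' ');
}

// Drop the last three characters of a postcode/ZIP (§2). For ZIP+4 the caller
// passes only the five-digit part, so the extension never survives.
function truncateGeo(token) {
  return token.slice(0, -3) + '***';
}

// Regex pass over free text: emails, postcodes/ZIPs, then the insured names
// known from the structured submission (case-insensitive).
function redactText(text, insuredNames = []) {
  let out = text.replace(EMAIL_RE, '[email]');
  out = out.replace(UK_POSTCODE_RE, (m) => truncateGeo(m));
  out = out.replace(US_ZIP_RE, (_m, zip5) => truncateGeo(zip5));
  for (const name of insuredNames) {
    if (!name) continue;
    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    out = out.replace(new RegExp(escaped, 'gi'), maskName(name));
  }
  return out;
}

// Key-based rules for structured fields; null when the key is not sensitive.
function scrubByKey(key, value) {
  if (typeof value !== 'string') return null;
  if (/email/i.test(key)) return '[email]';
  if (/postcode|zip/i.test(key)) return truncateGeo(value);
  if (/insured/i.test(key)) return maskName(value);
  return null;
}

// Recursively scrub strings, arrays and objects; returns a new value.
function scrubValue(value, insuredNames) {
  if (typeof value === 'string') return redactText(value, insuredNames);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, insuredNames));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      const byKey = scrubByKey(k, v);
      out[k] = byKey !== null ? byKey : scrubValue(v, insuredNames);
    }
    return out;
  }
  return value;
}

// Sentry-shaped event in, scrubbed copy out. The user block keeps only the id
// (no email/IP) and request headers lose cookies and auth material.
function scrubEvent(event, insuredNames = []) {
  const out = scrubValue(event, insuredNames);
  if (out.user) out.user = { id: out.user.id };
  if (out.request && out.request.headers) {
    out.request.headers = Object.fromEntries(
      Object.entries(out.request.headers).filter(([k]) => !DROP_HEADERS.has(k.toLowerCase())),
    );
  }
  return out;
}

// Hook in the shape Sentry.init({ beforeSend }) expects; the insured-name
// source is an assumed per-request lookup.
function makeBeforeSend(getInsuredNames) {
  return (event, _hint) => scrubEvent(event, getInsuredNames());
}

// Constructed sample event (not real data).
const SAMPLE_EVENT = {
  message: 'Memo for Acme Holdings Ltd at SW1A 1AA; broker jane.doe@example.com; US site 10001-1234',
  extra: { insured_name: 'Acme Holdings Ltd', zip: '94105', output: 'Insured ACME HOLDINGS LTD, postcode sw1a1aa, ZIP 10001' },
  user: { id: 'u_123', email: 'underwriter@example.com', ip_address: '203.0.113.7' },
  request: { headers: { Cookie: 'sb-access-token=abc', 'User-Agent': 'Mozilla/5.0' } },
};

function demo() {
  return makeBeforeSend(() => ['Acme Holdings Ltd'])(SAMPLE_EVENT, {});
}
```

Running `demo()` returns a copy of the sample event with the message reading "Memo for A*** H******* L** at SW1A ***; broker [email]; US site 10***", the structured `zip` and `insured_name` fields masked by key, the user block reduced to its id, and the Cookie header gone. The free-text pass is deliberately blunt: "TSI 25000" becomes "TSI 25***", which is the trade-off behind the §2 caveat that residual personal data may survive (or, as here, non-personal data may be over-redacted) in model output.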

Report a security concern to security@getvortic.com — we acknowledge within 24 hours.

10. International transfers

Some of our sub-processors are based outside the UK and EEA. Where we transfer your data internationally we rely on:

  • The UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, where required.
  • EU Standard Contractual Clauses (2021 modules) for EU-to-non-EEA transfers.
  • Adequacy decisions where they apply (e.g. UK→EEA, EU→UK).

11. Your rights

Under the UK GDPR and the EU GDPR you have the right to:

  • Ask what personal data we hold about you (right of access).
  • Have inaccurate data corrected.
  • Have your data deleted, subject to retention obligations described in §8.
  • Restrict or object to processing based on legitimate interest.
  • Receive a portable copy of your account and submission data in a structured, commonly-used format.
  • Withdraw consent at any time where we rely on consent.
  • Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or the data-protection authority in your country of residence.

Email privacy@getvortic.com and we’ll respond within 30 days. We may need to verify your identity before acting on a request.

12. Children

Vortic is a professional underwriting platform sold business-to-business. It is not directed at children under 18, and we do not knowingly collect data from anyone under 18. If you believe we have, contact privacy@getvortic.com and we will delete it.

13. Changes to this policy

We may update this policy as the platform changes. We’ll change the “Last updated” date at the top, and for material changes (new sub-processors handling new categories of data, new retention terms, or anything that meaningfully expands what we do with your data) we’ll notify account-holders by email at least 14 days before the change takes effect.

Historical versions are available on request from privacy@getvortic.com.

14. Contact us

Vortic Intelligence Ltd
Privacy queries: privacy@getvortic.com
Security disclosures: security@getvortic.com
General contact: www.getvortic.com/contact

If you are an EU resident and we don’t have an EU representative listed here, please write to the privacy address above and we will connect you with our designated representative under Article 27 of the EU GDPR.