Privacy Policy

1. Introduction

MyHermes ("we", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our service. It also describes your rights regarding your data.

MyHermes is a data processor for the content your agent processes. The specific data you process through Hermes (messages, files, prompts, outputs) is data you control — we treat it as your property.

2. Data we collect

Account data: When you sign up, Clerk collects your email address and authentication data. We receive your email to manage your account and send transactional messages (confirmations, billing receipts, important notices).

Payment data: Dodo Payments processes all subscription payments. Card numbers and payment instrument details are handled directly by Dodo Payments on their servers — MyHermes never sees or stores raw payment card data.

Instance and usage data: We collect metadata needed to operate your container and bill you accurately: instance configuration (subscription tier, region), usage metrics (message counts, tool executions, cron firings), and operational logs generated by the platform during normal operation.

Agent content: All content your Hermes agent processes — prompts, responses, files, and any data stored on your dedicated volume — is stored on your private container volume. We do not access, read, analyse, or log the contents of your agent's activity.

LLM API key: Your LLM API key is stored encrypted at rest on your container volume. It is used only by your Hermes agent to make inference requests to your chosen provider. We never log, transmit, or use your API key for any purpose other than operating your agent.

3. How we use your data

We use your data solely to:

• Create and maintain your account (via Clerk)
• Process subscription billing (via Dodo Payments)
• Provision, operate, and bill your container (Convex + compute provider)
• Send transactional emails — account notices, billing receipts, and material service announcements (via Resend)
• Detect and respond to security incidents and abuse

We use anonymised, aggregated usage metrics to understand how the service is used and to prioritise improvements. Aggregated data cannot be linked back to you.

4. Data retention

Your account data (email, billing records) is retained for the duration of your account plus any legally required retention period after deletion.

Your agent content on the container is retained until you cancel or we terminate the service. Upon cancellation, your container and all associated content are permanently destroyed within 7 days. Backups are deleted on the same schedule.

Operational logs are retained for up to 30 days for troubleshooting and security purposes.

5. Data sharing and sub-processors

We do not sell your personal data. We share your data only with the following sub-processors, solely to provide the service:

• Clerk — Authentication and identity management. Their privacy policy applies to the data they collect.
• Dodo Payments — Payment processing. They act as the data controller for payment data. Their privacy policy governs their handling of your payment information.
• Convex — Control plane database for account and instance metadata. Their privacy policy is available at convex.dev/privacy.
• Fly.io / Modal — Compute infrastructure (container hosting). Your container data resides on their servers while your subscription is active.
• Resend — Transactional email delivery. Their privacy policy is available at resend.com/privacy.
• Vercel — Web hosting for the MyHermes dashboard and landing pages.

We will update this list if we add or replace sub-processors. Material changes will be communicated via email to active subscribers at least 30 days before they take effect.

6. International transfers

MyHermes operates primarily on infrastructure hosted in India and the United States, with compute regions that may vary based on your geographic location. Your data may be transferred across borders as necessary to provide the service. Where data is transferred outside India, we rely on standard contractual clauses or equivalent legal mechanisms to ensure adequate protection.

7. Data security

We use encryption at rest (AES-256) for your LLM API key and sensitive instance data. All traffic between your client and MyHermes is transmitted over TLS. Access to our internal systems is restricted to authorised personnel on a least-privilege basis.

No security measure is completely impenetrable. If you become aware of a security vulnerability in our service, contact us immediately at security@myhermes.cloud.

8. Cookies and tracking

We use minimal cookies for authentication (Clerk) and for anonymously measuring how visitors use our landing and dashboard pages (PostHog). We do not use advertising trackers or cross-site tracking. You can opt out of PostHog analytics by contacting us.

9. Your rights

Depending on your jurisdiction, you may have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request deletion of your account and associated data
• Portability — request your data in a structured, machine-readable format
• Objection — object to certain processing activities

To exercise any of these rights, email hello@myhermes.cloud. We will respond within 30 days. For data that Clerk or Dodo Payments holds directly, we will redirect you to them.

10. Children's privacy

MyHermes is not intended for users under 18. We do not knowingly collect data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to active subscribers at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the date of the most recent update.

12. Contact

For privacy-related questions or to exercise your rights, contact hello@myhermes.cloud.