Privacy Policy

Effective date: April 11, 2026

Hermify (“we”, “us”, or “our”) operates hermify.io and provides a managed hosting platform for Hermes AI agents. This Privacy Policy explains what information we collect, how we use it, and the choices you have. By using our service, you agree to the practices described here.

1. Information We Collect

Account information

When you create an account, we collect your email address and a hashed password, or your name and email via Google OAuth if you sign in with Google. We never store your Google password.

API keys and tokens

To provision your AI agent, we ask for your LLM API key (e.g. OpenAI, Anthropic, OpenRouter) and your Telegram bot token. These are encrypted at rest using AES-256 before being stored in our database. We use them solely to run your agent on your behalf and never share them with third parties beyond the infrastructure required to operate your instance.

Payment information

Payments are processed by Stripe. We do not store your card number, CVV, or full payment details on our servers. We receive and store a Stripe customer ID and subscription ID to manage your billing.

Usage and technical data

We collect standard server logs including IP addresses, browser type, pages visited, and error events. This data is used for security, debugging, and improving the service. We do not sell this data.

2. How We Use Your Information

  • To create and manage your account
  • To provision, operate, and monitor your Hermes AI agent instance
  • To process subscription payments and send billing-related communications
  • To send transactional emails (e.g. account confirmation, password reset)
  • To respond to support requests
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations

We do not use your data for advertising, and we do not sell or rent your personal information to any third party.

3. Third-Party Service Providers

We share data with the following processors strictly to operate the service:

Provider    Purpose
Supabase    Authentication and database
Stripe      Payment processing
Railway     Agent instance hosting
Vercel      Web application hosting and CDN
Google      Optional OAuth sign-in

Each provider operates under their own privacy policy and data processing agreements. We do not grant them permission to use your data for their own purposes beyond providing us the service.

4. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance (e.g. Stripe transaction records, which are retained for 7 years per financial regulations). Encrypted API keys and tokens are deleted immediately upon account deletion.

5. Data Security

We implement industry-standard security practices including TLS encryption in transit, AES-256 encryption for sensitive credentials at rest, row-level security on our database, and access controls limiting who can access production systems. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

6. Your Rights

Depending on where you live, you may have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Correction: Ask us to correct inaccurate data.
  • Deletion: Request deletion of your personal data (“right to be forgotten”).
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to certain types of processing.
  • Withdrawal of consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email us at legal@hermify.io. We will respond within 30 days. If you are in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.

7. Cookies

We use only essential cookies required for authentication (session tokens). We do not use advertising, tracking, or analytics cookies. You can disable cookies in your browser settings, but doing so will prevent you from staying logged in.

8. Children’s Privacy

Our service is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.

9. International Data Transfers

Hermify is operated from the United States. If you access our service from outside the US, your data may be transferred to and processed in the US and other countries where our service providers operate. By using the service, you consent to this transfer. We take appropriate steps to ensure your data is protected in accordance with this policy.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by emailing the address on your account or by displaying a prominent notice on our website at least 14 days before the change takes effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact

Questions about this Privacy Policy? Contact us at legal@hermify.io.

© 2026 Hermify Inc.