Privacy Policy

Last updated: May 2026

What we collect

In our managed Postgres database (Supabase): your email address, display name, plan and subscription status, billing identifiers, usage metrics (token counts, model usage), and your BYOK API key if you provide one. All of these are protected by row-level security policies so only your account can read them.

On your dedicated Fly.io machine:your conversations, your agent’s memory files (MEMORY.md, PEOPLE.md, PREFERENCES.md, PROJECTS.md, HABITS.md), the agent’s skills and scheduled jobs, and any files you ask it to keep. These live on a Fly volume attached only to your machine. They never travel through our Supabase project. We do take periodic encrypted volume snapshots so you can recover your data after an outage; snapshots inherit Fly’s disk-level encryption.

How we use your data

  • To provide and maintain the Service
  • To manage your subscription and billing
  • To send transactional emails (receipts, alerts)
  • To improve the Service based on aggregate usage patterns

Your data, your control

Memory is stored as plain text on your Fly volume — you can export it anytime via the dashboard. Self-serve account deletion is temporarily paused while we stabilise the platform; until it’s back, email hello@hermesdeploy.app and we’ll process the deletion within one business day. The same underlying flow runs server-side: your Fly machine and volume are destroyed and your Supabase rows are removed in one operation, with an automated retry job sweeping any transient infra failures (typically within an hour, never more than 24). Backup snapshots of deleted accounts are purged within 30 days.

Third-party services

  • Supabase — Authentication and database
  • Fly.io — Container hosting for your agent
  • OpenRouter — LLM inference (your conversations pass through)
  • Dodo Payments — Payment processing
  • Resend — Transactional email delivery

API keys

If you provide a BYOK (bring your own key) API key, it is stored in our managed Postgres database (Supabase) and protected by row-level access controls so only the owning account can read it. Storage encryption is provided by Supabase's underlying disk-level encryption. We never log raw API keys, and keys are only read when making requests on your behalf.

Product analytics (first-party)

To understand which parts of the product help and which get in the way, we record a small set of events to our own database (Supabase). Nothing about this is sent to a third-party analytics SDK, advertising network, or marketing tool.

What we record: the path of the page you visited, the event name (e.g. signup_submitted, onboarding_step_completed), your account ID if you’re signed in, and a small set of non-identifying request hints: a 30-day random visitor ID (httpOnly, signed cookie), a one-way hash of your IP using a salt that rotates every 24 hours and is never persisted, your browser family and major version (e.g. “Chrome 124”) with no fingerprint surface, the host portion of your referrer, your timezone offset, and a coarse country code derived from our CDN’s edge region. Raw IPs, full user-agent strings, full URLs, query strings, and form contents are never written to analytics.

Retention:raw analytics events are kept for six months and then hard-deleted. Aggregated counts (e.g. “visitors per day per country”) may be retained longer in dashboards.

Do Not Track / GPC: if you visit the site without signing in and your browser sends the DNT or Sec-GPCheader, we drop the analytics write entirely. If you do sign up, we treat that as your opt-in for product analytics on the authenticated parts of the app — we use it both to improve the product and to send you operational and lifecycle email about your account (e.g. “your trial expires tomorrow”, “we shipped a feature you asked about”). You can opt out of non-transactional email at any time via the unsubscribe link in any of those messages.

Transmission: all analytics writes happen over HTTPS (TLS 1.2 or higher) inside our infrastructure. There is no cross-origin telemetry beacon and no third-party JavaScript loading on these pages.

Cookies

We use essential cookies for authentication session management and a single first-party analytics cookie (_hd_visitor) — an httpOnly, HMAC-signed random ID with a 30-day rolling expiry, scoped to our own domain. We do not use advertising cookies and we do not load third-party tracking scripts.

Contact

Privacy questions? Email privacy@hermesdeploy.app.