Privacy policy.

The plain-English version

• We collect only what we need to operate your account, deliver the platform, and bill you. Nothing more.
• We do not sell your personal information. Not to advertisers, not to data brokers, not to AI training providers.
• Call recordings, transcripts, and contact data uploaded by operators belong to the operator. We store them encrypted, never share them with third parties without instruction, and delete them on request.
• Cookies are limited to login security and aggregated analytics. You can opt out of analytics in your account Settings.
• You can export or delete your data at any time via Settings → Data, or by emailing hello@buildwithhermes.com.
• EU residents have rights under the GDPR. California residents have rights under the CCPA/CPRA. Both are honored without requiring you to identify your jurisdiction first.

1. Who we are

This privacy policy is issued by Hermes (“Hermes,” “we,” “us”), the operating platform for AI voice agencies, accessible at buildwithhermes.com. For purposes of the EU General Data Protection Regulation (“GDPR”), Hermes acts as the data controller for personal information collected through our marketing website and as a data processor for personal information operators upload into the Hermes platform on behalf of their end-business clients.

2. Information we collect

2.1 Information you provide directly:

• Account details: name, work email address, business or agency name, password (stored as a one-way salted hash).
• Billing information: card-on-file is handled by our payment processor (Stripe) — Hermes never receives or stores full card numbers.
• Support correspondence: emails, Discord messages, and survey responses you choose to send us.

2.2 Information collected automatically:

• Platform usage telemetry: API calls, agent configurations, log timestamps, and request metadata.
• Device information: browser type, IP address, approximate location derived from IP, and operating system.
• Call metadata: duration, time, originating phone number routing — for accounts that operate voice agents.

2.3 Operator-uploaded content:

When operators deploy Hermes for their end-business clients, the platform processes call audio, transcripts, and contact data that operators upload or capture. This content is the operator’s data; Hermes processes it solely on the operator’s instructions per our Data Processing Addendum.

3. How we use your information

• Operate, maintain, and secure the Hermes platform and your account.
• Process payments and send invoices, renewal reminders, and billing-related notices.
• Communicate with you about service updates, scheduled maintenance, and security incidents.
• Provide customer support, respond to inquiries, and troubleshoot platform issues.
• Analyze aggregated, de-identified usage patterns to improve features, performance, and reliability.
• Detect, prevent, and respond to fraud, abuse, and violations of our Terms of Service.
• Comply with applicable laws, court orders, and regulatory requests.

We do not use your personal information to train third-party AI models. Voice and language models used by the platform are operated by our sub-processors under contractual confidentiality terms.

4. Legal bases for processing (GDPR)

For visitors and users in the European Economic Area, the United Kingdom, and Switzerland:

• Performance of a contract — to deliver the platform you signed up for.
• Legitimate interests — for security, fraud prevention, and product improvement, balanced against your rights.
• Consent — for optional analytics cookies and any marketing communications you opt into.
• Legal obligation — to comply with tax, accounting, and law-enforcement requirements.

5. Sub-processors

We engage trusted infrastructure providers to operate the platform:

• Vercel — hosting and edge delivery (United States, EU regions where applicable).
• Supabase — application database, encrypted at rest.
• Stripe — payment processing and card-on-file storage.
• Resend — transactional email delivery.
• Vapi and Retell — voice infrastructure for synthesizing and routing calls.
• Twilio — telephony and SMS.

Each sub-processor is contractually bound to comparable data-protection standards. A current list is available on request via hello@buildwithhermes.com. We notify customers in advance of material sub-processor changes.

6. Data retention

Account data is retained for the life of your account plus 30 days after closure to accommodate accidental cancellations and reactivation. Billing records are retained for 7 years to satisfy tax and accounting obligations. Call recordings, transcripts, and contact data uploaded by operators are retained per the operator’s configured retention policy (default: 12 months) and may be deleted at any time via the operator dashboard or by written request. Aggregated, de-identified analytics may be retained indefinitely.

7. International data transfers

Hermes operates infrastructure primarily in the United States. When we transfer personal information from the EEA, UK, or Switzerland to the United States or other jurisdictions, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK Addendum, or comparable legal mechanisms to ensure an adequate level of protection. Copies of the relevant transfer instruments are available on request.

8. Your rights

You have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Request deletion of your information (subject to legal retention requirements).
• Receive a portable copy of your information in a structured, machine-readable format.
• Object to or restrict certain processing, including direct marketing.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your local data-protection authority.

California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect, the right to opt out of “sales” and “sharing” (we do not engage in either), and the right to non-discrimination for exercising these rights.

To exercise any right, email hello@buildwithhermes.com with the subject line “privacy request.” We respond within 30 days (extendable to 60 days for complex requests, with notice). We do not require you to create an account to submit a request.

9. Cookies and similar technologies

We use the following categories of cookies:

• Strictly necessary — for login authentication, session management, and CSRF protection. Cannot be disabled.
• Analytics — privacy-respecting analytics that collect aggregated, de-identified usage data. Disable in Settings.

We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies.

10. Security

We use industry-standard technical and organizational measures to protect personal information, including encryption in transit (TLS 1.3) and at rest (AES-256), strict least-privilege access controls, audit logging, and regular security reviews. No system is perfectly secure; if a breach occurs that is likely to result in a high risk to your rights, we will notify affected individuals and the relevant supervisory authority within the timeframes required by applicable law.

11. Children

Hermes is intended for businesses and is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

12. Changes to this policy

We may update this policy as our practices evolve or as required by law. Material changes will be communicated by email to all account holders at least 30 days before the new policy takes effect. The current version is always available at /privacy with the effective date noted at the top.

13. Contact

For privacy questions, requests to exercise your rights, or to report a concern, contact us at hello@buildwithhermes.com. You may also reach the founding team via Discord.