Privacy policy.
Effective date: May 1, 2026 · Last updated: June 7, 2026
The plain-English version
- We collect only what we need to operate your account, deliver the platform, and bill you. Nothing more.
- We do not sell your personal information. Not to advertisers, not to data brokers, not to AI training providers.
- Call recordings, transcripts, and contact data uploaded by operators belong to the operator. We store them encrypted, never share them with third parties without instruction, and delete them on request.
- Cookies are limited to login security and aggregated analytics. You can opt out of analytics in your account Settings.
- You can export or delete your data at any time via Settings → Data, or by emailing hello@buildwithhermes.com.
- EU residents have rights under the GDPR. California residents have rights under the CCPA/CPRA. Both are honored without requiring you to identify your jurisdiction first.
1. Who we are
This privacy policy is issued by Hermes (“Hermes,” “we,” “us”), the operating platform for AI voice agencies, accessible at buildwithhermes.com. For purposes of the EU General Data Protection Regulation (“GDPR”), Hermes acts as the data controller for personal information collected through our marketing website and as a data processor for personal information operators upload into the Hermes platform on behalf of their end-business clients.
2. Information we collect
2.1 Information you provide directly:
- Account details: name, work email address, business or agency name, password (stored as a one-way salted hash).
- Billing information: card-on-file is handled by our payment processor (Stripe) — Hermes never receives or stores full card numbers.
- Support correspondence: emails, Discord messages, and survey responses you choose to send us.
2.2 Information collected automatically:
- Platform usage telemetry: API calls, agent configurations, log timestamps, and request metadata.
- Device information: browser type, IP address, approximate location derived from IP, and operating system.
- Call metadata: duration, time, originating phone number routing — for accounts that operate voice agents.
2.3 Operator-uploaded content:
When operators deploy Hermes for their end-business clients, the platform processes call audio, transcripts, and contact data that operators upload or capture. This content is the operator’s data; Hermes processes it solely on the operator’s instructions per our Data Processing Addendum.
3. How we use your information
- Operate, maintain, and secure the Hermes platform and your account.
- Process payments and send invoices, renewal reminders, and billing-related notices.
- Communicate with you about service updates, scheduled maintenance, and security incidents.
- Provide customer support, respond to inquiries, and troubleshoot platform issues.
- Analyze aggregated, de-identified usage patterns to improve features, performance, and reliability.
- Detect, prevent, and respond to fraud, abuse, and violations of our Terms of Service.
- Comply with applicable laws, court orders, and regulatory requests.
We do not use your personal information to train third-party AI models. Voice and language models used by the platform are operated by our sub-processors under contractual confidentiality terms.
4. Legal bases for processing (GDPR)
For visitors and users in the European Economic Area, the United Kingdom, and Switzerland:
- Performance of a contract — to deliver the platform you signed up for.
- Legitimate interests — for security, fraud prevention, and product improvement, balanced against your rights.
- Consent — for optional analytics cookies and any marketing communications you opt into.
- Legal obligation — to comply with tax, accounting, and law-enforcement requirements.
5. Sub-processors
We engage trusted infrastructure providers to operate the platform:
- Vercel — hosting and edge delivery (United States, EU regions where applicable).
- Supabase — application database, encrypted at rest.
- Stripe — payment processing and card-on-file storage.
- Resend — transactional email delivery.
- Vapi and Retell — voice infrastructure for synthesizing and routing calls.
- Twilio — telephony and SMS.
Each sub-processor is contractually bound to comparable data-protection standards. A current list is available on request via hello@buildwithhermes.com. We notify customers in advance of material sub-processor changes.
6. Data retention
Account data is retained for the life of your account plus 30 days after closure to accommodate accidental cancellations and reactivation. Billing records are retained for 7 years to satisfy tax and accounting obligations. Call recordings, transcripts, and contact data uploaded by operators are retained per the operator’s configured retention policy (default: 12 months) and may be deleted at any time via the operator dashboard or by written request. Aggregated, de-identified analytics may be retained indefinitely.
7. International data transfers
Hermes operates infrastructure primarily in the United States. When we transfer personal information from the EEA, UK, or Switzerland to the United States or other jurisdictions, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK Addendum, or comparable legal mechanisms to ensure an adequate level of protection. Copies of the relevant transfer instruments are available on request.
8. Your rights
You have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Request deletion of your information (subject to legal retention requirements).
- Receive a portable copy of your information in a structured, machine-readable format.
- Object to or restrict certain processing, including direct marketing.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect, the right to opt out of “sales” and “sharing” (we do not engage in either), and the right to non-discrimination for exercising these rights.
To exercise any right, email hello@buildwithhermes.com with the subject line “privacy request.” We respond within 30 days (extendable to 60 days for complex requests, with notice). We do not require you to create an account to submit a request.
9. Cookies and similar technologies
We use the following categories of cookies:
- Strictly necessary — for login authentication, session management, and CSRF protection. Cannot be disabled.
- Analytics — privacy-respecting analytics that collect aggregated, de-identified usage data. Disable in Settings.
We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies.
10. Security
We use industry-standard technical and organizational measures to protect personal information, including encryption in transit (TLS 1.3) and at rest (AES-256), strict least-privilege access controls, audit logging, and regular security reviews. No system is perfectly secure; if a breach occurs that is likely to result in a high risk to your rights, we will notify affected individuals and the relevant supervisory authority within the timeframes required by applicable law.
11. Children
Hermes is intended for businesses and is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it promptly.
12. Google API Services User Data
If you connect a Google account to Hermes (via Workspace Settings → Integrations), we access a limited set of Google data to enable the features you opted into. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
12.1 Scopes we request and why
- Google Calendar (auth/calendar, auth/calendar.events) — read your availability to detect scheduling conflicts in real time when an AI voice agent is handling a booking, and write the confirmed event when the caller agrees to a time. We never delete or modify events Hermes did not create.
- Account email and basic profile (auth/userinfo.email, auth/userinfo.profile) — display the connected Google account in the Hermes UI so you can confirm which account is linked and disconnect it. We do not use the email for sending you Hermes communications; transactional email is sent from no-reply@buildwithhermes.com via our own infrastructure.
12.2 How we use Google data
Calendar data is used exclusively to enable AI voice agents to check availability and create booked appointments on your behalf. We do not use Google data for advertising, behavioral analytics, model training (no LLM or ML system is trained on calendar content), or any purpose unrelated to the integration you explicitly enabled.
12.3 How we store Google data
OAuth refresh tokens are stored in our MongoDB database (MongoDB Atlas, US region) with encryption-at-rest provided by the underlying cloud storage infrastructure, in addition to the access controls described in Section 10. Access tokens are short-lived (one hour) and obtained on demand using the refresh token; we do not persist access tokens. We do not maintain a local cache of your calendar events — every read and write is a live API call to Google.
12.4 How we share Google data
We do not share Google account data with any third party. Refresh tokens never leave our backend infrastructure. We do not sell, rent, license, or transfer Google data under any circumstance.
12.5 How to revoke access
You can disconnect the Google account at any time from Workspace Settings → Integrations → Google → Disconnect. Disconnecting deletes the stored refresh token from our database immediately and prevents any further calls to Google APIs from Hermes. You can additionally revoke Hermes’s access from your Google Account permissions page.
12.6 Limited Use compliance
Hermes’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Hermes does not transfer Google user data to any third party except as necessary to provide or improve user-facing features that are prominent in the application’s user interface; does not use Google user data for serving advertisements; does not allow humans to read Google user data unless we have the user’s affirmative consent for specific messages, the data is required for security purposes, or the use is to comply with applicable law.
13. Changes to this policy
We may update this policy as our practices evolve or as required by law. Material changes will be communicated by email to all account holders at least 30 days before the new policy takes effect. The current version is always available at /privacy with the effective date noted at the top.
14. Contact
For privacy questions, requests to exercise your rights, or to report a concern, contact us at hello@buildwithhermes.com. You may also reach the founding team via Discord.
