The short list
What we keep about you, in full:
What we collect, and why
Identity
When you sign in with X we receive your X handle and the limited OAuth profile fields you authorize. When you connect a Solana wallet we record the public address you signed with. That's how we tell one account from another. We don't pull your followers, your DMs, or your tweet history.
Billing
Credit purchases are settled on-chain. We store the transaction id (and amount) so we can credit the right account. The on-chain data itself is public; we don't add anything to it.
Session
One HTTP-only, secure session cookie keeps you signed in. It contains a random session id, not your handle or address. It is not used for analytics, retargeting, or any third-party purpose.
Agent data
Your agent's configuration (model choice, credit usage, container id, status, SOUL.md) lives on the control plane so we can run the service. Conversation content, files, and memory live inside your agent's own container under your account.
Operational logs
Servers produce short-lived operational logs (errors, request timings, agent boot events). They aren't used to build a profile of you; they exist so we can debug outages and stop abuse. They're rotated and purged on a routine schedule.
What we don't do
- No analytics or tracking pixels. No Google Analytics, Segment, Mixpanel, Plausible, PostHog, or similar.
- No ad networks. No retargeting cookies, no third-party ad scripts, no audience pixels.
- No fingerprinting.We don't hash device, canvas, or font signals to identify returning visitors.
- No selling or renting data.We don't sell, rent, or trade personal data, full stop.
- No training on your content. Your prompts, files, agent memory, and outputs are not used to train models or build derivative datasets.
- No wallet custody. We never see, hold, or move your tokens or private keys.
Security & encryption
- In transit: all traffic to and from xHermes is served over HTTPS / TLS.
- At rest: sensitive fields (model keys, connected service credentials) are envelope-encrypted before being written to storage. The encryption key is held outside the agent container.
- Per-user isolation:one container per user. Your agent cannot read another user's data; no shared process, no shared state.
- Authenticated access: the container has no public port. Every request reaches it through our authenticated front door.
No system is perfectly secure. If you suspect a vulnerability or a leak, contact us first so we can fix it before it's public.
Retention
- Account data (identity, agent config) is kept while your account exists.
- Billing records (tx ids, amounts) are kept as long as required for tax, accounting, and dispute resolution.
- Operational logs are kept on a short rotation, typically no more than 30 days.
- Deleted agents — when you delete your agent, the container, its memory, and stored secrets are removed. Backups, if any, are aged out on the normal cycle.
Your rights
Depending on where you live (GDPR, UK GDPR, CCPA / CPRA, similar regimes), you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing.
Most of these you can exercise directly from the dashboard: your account data is visible there, and deleting your agent removes the bulk of the data we hold. For anything else, contact us — proving control of the X handle or wallet address tied to the account is enough to satisfy our verification requirement.
You can also lodge a complaint with your local data-protection authority.
International transfers
xHermes is operated from, and processes data in, a single jurisdiction. Where data crosses borders — for example, calls to model providers — we rely on the provider's standard contractual clauses or equivalent safeguards.
Children
xHermes is not directed to children under 18. We don't knowingly collect data from anyone under that age. If you believe a minor is using the service, contact us and we'll remove the account.
Changes to this policy
When we change this policy, the updated date at the top of this page moves and the version number bumps. If a change materially expands what we collect or how we use it, we'll surface a notice on the dashboard before it takes effect.
Contact
Privacy questions, deletion requests, security reports: reach us via the official xHermes X account or the contact link on the landing page.