xHermes
Legal

Privacy Policy

UpdatedVersion1.0

We collect almost nothing. The bits we do keep — a handle or wallet address to know it's you, transaction ids so credits land in the right account, and a session cookie so you stay signed in — exist because the service literally can't work without them. No analytics. No trackers. No ads.

01

The short list

What we keep about you, in full:

IDENTITYyour X handle and/or Solana wallet address — so we know it's you
BILLINGblockchain transaction ids of credit purchases — to attribute credit
SESSIONone HTTP-only cookie that keeps you signed in
AGENTcontainer id, status, model choice, credit usage
SOUL.mdthe personality file as you wrote it
SECRETSencrypted at rest, readable only by your agent
NEVERwallet keys, seed phrases, your tokens, your contacts
02

What we collect, and why

Identity

When you sign in with X we receive your X handle and the limited OAuth profile fields you authorize. When you connect a Solana wallet we record the public address you signed with. That's how we tell one account from another. We don't pull your followers, your DMs, or your tweet history.

Billing

Credit purchases are settled on-chain. We store the transaction id (and amount) so we can credit the right account. The on-chain data itself is public; we don't add anything to it.

Session

One HTTP-only, secure session cookie keeps you signed in. It contains a random session id, not your handle or address. It is not used for analytics, retargeting, or any third-party purpose.

Agent data

Your agent's configuration (model choice, credit usage, container id, status, SOUL.md) lives on the control plane so we can run the service. Conversation content, files, and memory live inside your agent's own container under your account.

Operational logs

Servers produce short-lived operational logs (errors, request timings, agent boot events). They aren't used to build a profile of you; they exist so we can debug outages and stop abuse. They're rotated and purged on a routine schedule.

03

What we don't do

  • No analytics or tracking pixels. No Google Analytics, Segment, Mixpanel, Plausible, PostHog, or similar.
  • No ad networks. No retargeting cookies, no third-party ad scripts, no audience pixels.
  • No fingerprinting.We don't hash device, canvas, or font signals to identify returning visitors.
  • No selling or renting data.We don't sell, rent, or trade personal data, full stop.
  • No training on your content. Your prompts, files, agent memory, and outputs are not used to train models or build derivative datasets.
  • No wallet custody. We never see, hold, or move your tokens or private keys.
04

Cookies

xHermes uses exactly one cookie category: a strictly necessary session cookie. It carries a random session id, is marked HTTP-only and Secure, and is removed when you sign out or it expires.

We do not set advertising, analytics, or preference cookies. There is therefore no consent banner — under the ePrivacy Directive and GDPR, strictly necessary cookies do not require consent.

05

Security & encryption

  • In transit: all traffic to and from xHermes is served over HTTPS / TLS.
  • At rest: sensitive fields (model keys, connected service credentials) are envelope-encrypted before being written to storage. The encryption key is held outside the agent container.
  • Per-user isolation:one container per user. Your agent cannot read another user's data; no shared process, no shared state.
  • Authenticated access: the container has no public port. Every request reaches it through our authenticated front door.

No system is perfectly secure. If you suspect a vulnerability or a leak, contact us first so we can fix it before it's public.

06

Who we share with

The minimum needed to run the service:

  • Model providers(OpenAI, Anthropic, xAI, etc.) — when your agent calls a model, your prompt and the relevant context go to the chosen provider so they can return a response. We don't add data beyond what's required to fulfill the call.
  • X — if you sign in with X, OAuth identifies you to us; if you connect xurl, actions you take go through X on your behalf.
  • Infrastructure providers— cloud hosts and CDN that literally run the boxes. They're bound by their own contracts and don't use your data for their purposes.

We may disclose data when required by a valid legal process, or to protect users from imminent harm. We'll push back on overbroad requests and tell you when we lawfully can.

07

Retention

  • Account data (identity, agent config) is kept while your account exists.
  • Billing records (tx ids, amounts) are kept as long as required for tax, accounting, and dispute resolution.
  • Operational logs are kept on a short rotation, typically no more than 30 days.
  • Deleted agents — when you delete your agent, the container, its memory, and stored secrets are removed. Backups, if any, are aged out on the normal cycle.
08

Your rights

Depending on where you live (GDPR, UK GDPR, CCPA / CPRA, similar regimes), you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing.

Most of these you can exercise directly from the dashboard: your account data is visible there, and deleting your agent removes the bulk of the data we hold. For anything else, contact us — proving control of the X handle or wallet address tied to the account is enough to satisfy our verification requirement.

You can also lodge a complaint with your local data-protection authority.

09

International transfers

xHermes is operated from, and processes data in, a single jurisdiction. Where data crosses borders — for example, calls to model providers — we rely on the provider's standard contractual clauses or equivalent safeguards.

10

Children

xHermes is not directed to children under 18. We don't knowingly collect data from anyone under that age. If you believe a minor is using the service, contact us and we'll remove the account.

11

Changes to this policy

When we change this policy, the updated date at the top of this page moves and the version number bumps. If a change materially expands what we collect or how we use it, we'll surface a notice on the dashboard before it takes effect.

12

Contact

Privacy questions, deletion requests, security reports: reach us via the official xHermes X account or the contact link on the landing page.

One lineWe collect what the service needs and nothing else. Identity, billing ids, a session cookie — that's the list.