Hermes is operated by Odra Labs (“we,” “us,” or “our”). This Privacy Policy explains how we collect, use, share, and protect your information when you use the Hermes platform at hermes.odralabs.com (the “Service”).

By using Hermes, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

Account Information

When you create an account, we collect your name and email address through our authentication provider, Clerk. We store your name, email, and a unique account identifier in our database.

Payment Information

Payments are processed entirely by Stripe. We never receive, store, or have access to your credit card number, CVV, or full payment details. We store only Stripe-issued identifiers (customer ID, subscription ID, and price ID) to manage your subscription.

Site and Issue Data

When you connect a WordPress site and submit issues, we collect:

• Your site URL, name, WordPress version, PHP version, and active plugin list
• Issue descriptions, affected page URLs, issue type, and priority
• Files from your WordPress site that are relevant to diagnosing and fixing the reported issue

AI-Generated Data

Our AI pipeline generates fix summaries, code diffs, fix artifacts, and before/after screenshots. These are stored temporarily in Amazon S3 with a 90-day lifecycle policy, after which they are automatically deleted.

Cookies and Tracking

We use only essential session cookies provided by Clerk for authentication. We do not use any analytics, advertising, or tracking cookies. We do not use Google Analytics, Facebook Pixel, or any similar tracking tools.

2. How We Use Your Information

We use your information to:

• Provide the Service — authenticate your account, manage subscriptions, diagnose and fix issues on your WordPress site
• Process AI analysis — send issue descriptions and relevant site files to our AI provider for automated diagnosis and fix generation
• Communicate with you — send transactional emails about fix status, applied changes, and rollback windows
• Apply and manage fixes — securely connect to your WordPress site to apply fixes, create backups, and enable rollbacks
• Maintain and improve the Service — monitor system performance, debug errors, and ensure reliability

We do not use your data for advertising, profiling, or any purpose unrelated to delivering the Service.

3. AI Processing and Disclosure

Hermes uses artificial intelligence to diagnose and fix technical issues on your WordPress site. This is a core part of the Service — you are interacting with an AI system, not a human technician.

What data is sent to AI

When you submit an issue, the following data is sent to our AI provider for processing:

• Your issue description and affected page URL
• Relevant files from your WordPress site (theme files, plugin files, configuration)
• Your site's WordPress version, PHP version, and active plugin list

AI provider

We use Google Gemini (via Google's AI API) as our AI sub-processor. Data sent to Google is processed according to Google Cloud's Data Processing Addendum.

No training on your data

Your data is not used to train, fine-tune, or improve any AI models. It is processed solely to generate a fix for your specific issue and is not retained by the AI provider beyond their standard API log retention for abuse prevention.

4. Who We Share Your Data With

We share your data only with the service providers necessary to operate Hermes:

We do not sell, rent, or trade your personal information to any third party. We do not share data with advertisers or data brokers.

5. How We Protect Your Data

• All data is encrypted in transit (TLS) and at rest (AES-256 via AWS)
• Communication with your WordPress site is authenticated using HMAC-signed requests with a shared secret unique to your site
• Access to your data is restricted by owner-based authorization — you can only access your own records
• AI pipeline processing runs on isolated, ephemeral compute instances that are terminated after each job
• S3 storage buckets block all public access and enforce SSL

6. Data Retention

• Account data (name, email): retained while your account is active
• Site and issue data: retained while your account is active
• Fix artifacts, diffs, and screenshots: automatically deleted after 90 days
• Pipeline execution logs: retained per AWS CloudWatch default retention
• Transactional emails: we do not retain copies of sent emails beyond AWS SES delivery logs

When you delete your account, we delete your personal data from our active systems. Some data may persist in encrypted backups for a limited period before automatic expiration.

7. Your Rights

All users

You may request to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Delete your account and associated personal data
• Export your data in a portable format

European Economic Area (GDPR)

If you are in the EEA, our legal basis for processing your data is:

• Contract performance — processing necessary to provide the Service you subscribed to
• Legitimate interest — system monitoring, security, and service improvement

You also have the right to lodge a complaint with your local data protection authority.

California (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used
• Request deletion of your personal information
• Opt out of the sale or sharing of personal information — we do not sell or share your personal information
• Non-discrimination for exercising your privacy rights

8. Children's Privacy

Hermes is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. The “Last updated” date at the top reflects the most recent revision.

10. Contact Us

For privacy-related questions or to exercise your rights, contact us at:

privacy@odralabs.com

Odra Labs