Privacy Policy

Last updated: 28 April 2026

1. Introduction

Welcome to Hermo.ai ("Hermo", "we", "our", "us"). We are committed to protecting your personal data and respecting your privacy. This privacy policy explains how we collect, use, store, and protect your information when you use the Hermo application and related services (the "Service").

Hermo is an AI-powered personal assistant for your inbox. We are a company registered in the United Kingdom. For the purposes of UK data protection law, we are the data controller of your personal data.

Your data is yours. Your data is never used to train third-party AI models. Hermo will never send an email, delete an email, or take any irreversible action without your explicit confirmation. You are always in control.

This privacy policy applies to all users of the Hermo application at app.hermo.ai and the Hermo website at hermo.ai.

2. Information We Collect

We collect and process the following categories of data:

2.1 Account Information

When you create a Hermo account, we collect your name, email address, and authentication credentials. If you sign in using Google Sign-In, we receive your name, email address, and profile picture from your Google account.

2.2 Google User Data

When you connect your Gmail account to Hermo, we access the following Google user data with your explicit consent:

  • Email message content - the subject, body, sender, recipients, and timestamps of your emails
  • Email metadata - labels, read/unread status, and threading information
  • Email attachments - only when required to provide the features you have enabled

We only access the Google user data that is strictly necessary to provide you with the Hermo features you have enabled. You can revoke access to your Google data at any time through your Google Account permissions or within the Hermo application settings.

2.3 Usage Data

We collect information about how you interact with the Service, including features accessed, actions taken, and frequency of use.

2.4 Technical Data

We automatically collect technical data including your IP address, browser type and version, device information, operating system, and access times.

WhatsApp and messaging

If you enable optional features that send or receive messages via WhatsApp, we process the phone number(s) you provide or confirm (for example your mobile number and the numbers of recipients you designate) to configure delivery, send notifications or assistant-generated messages you have approved, and to manage consent, rate limits, and delivery status.

Message content that you send through this channel is transmitted to our messaging infrastructure provider (WasenderAPI) and, where required for delivery, to WhatsApp’s operator (Meta). That processing generates delivery metadata (such as delivery status and timestamps). Phone numbers, message content, and delivery metadata are used only to provide the messaging features you use, in line with this policy and our sub-processors list.

You can stop using WhatsApp-linked features through in-product settings where available, or contact privacy@hermo.ai. Retention follows the same principles as your account data (see Data Retention and Deletion).

Knowledge base and profiling

To power features such as household coordination, reminders, and context-aware assistance, Hermo may extract and store structured personal facts inferred from analysis of your connected email (and, where you enable related features, from other content we process for the Service). Examples include names of family members or dependents, health or care contacts (such as doctors or clinics), insurance or policy references, financial or banking details mentioned in correspondence, pets, and similar information that appears in your messages. These examples are illustrative; the actual categories depend on what appears in your email.

This information is stored as part of your account’s knowledge base in encrypted cloud object storage, linked to your account, and used only to provide and improve the Service for you (for example contextual recognition, drafting, and answering). It is not sold and is not used to train third-party AI models, consistent with the rest of this policy.

Under applicable data protection law (including the UK GDPR and, where it applies, the EU GDPR), evaluating aspects of your personal situation based on automated analysis of your data in this way may constitute profiling. Hermo does not make decisions based solely on automated processing that produce legal or similarly significant effects concerning you without your involvement. Suggestions and drafts require your confirmation before we send, delete, or otherwise take irreversible action on your email or connected accounts (see the Introduction above).

Knowledge-base data is deleted or anonymised when you delete your account or when you ask us to delete it, in line with Data Retention and Deletion. You may contact privacy@hermo.ai to request deletion or correction of stored facts without closing your account, where the product supports it.

3. Google User Data

This section specifically addresses how Hermo handles data obtained through Google APIs, including Gmail.

3.1 What Google User Data We Collect

Hermo accesses your Gmail data - including email content, metadata, headers, and attachments - solely to provide the features of our Service that you have chosen to enable. This includes analysing, categorising, summarising, and extracting actionable information from your emails.

3.2 How We Use Google User Data

We use your Google user data exclusively to provide and improve the Hermo Service. Specifically:

  • Analysing, categorising, and summarising your emails to help you stay organised
  • Extracting key information such as dates, deadlines, and action items from your emails
  • Creating calendar reminders and alerts based on information found in your emails
  • Generating suggested responses and drafts on your behalf
  • Enabling intelligent search across your email history

To provide these features, your email content is processed by third-party AI services (see Section 3.3). Your email content is stored in a secure vector database to enable search and intelligent features across your email history. This data is retained for the duration of your account (see Section 7 for details on retention and deletion).

3.3 How We Share Google User Data

We do not sell, rent, lease, or trade your Google user data to any third party.

To provide the Hermo Service, your email content is processed by third-party service providers acting as data processors on our behalf, under strict contractual obligations. These include AI processing providers and cloud database providers that are necessary to deliver the features of the Service. These providers process your data solely to provide user-facing features of the Hermo Service and are contractually prohibited from using your data for any other purpose.

We may also share your Google user data if required by law, regulation, legal process, or governmental request.

3.4 How We Protect Google User Data

We implement robust technical and organisational measures to protect your Google user data, including:

  • Encryption of data in transit using TLS/SSL and encryption of data at rest
  • Access controls that restrict employee and contractor access to user data on a strict need-to-know basis
  • Regular security reviews and monitoring of our systems
  • Secure cloud infrastructure with industry-standard protections
  • Contractual data processing agreements with all third-party service providers that process your data

Human access to your data: We do not allow humans to read your Google user data unless (a) you have given your affirmative agreement for specific messages or data, (b) it is necessary for security purposes such as investigating a bug or abuse, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymised and is used for internal operations in accordance with applicable privacy law.

Important: We do not use your Google user data for any purpose other than providing and improving the Hermo Service for you. Specifically, we do not use your Google user data for:

  • Serving, targeting, or personalising advertisements
  • Selling or providing data to third-party advertising platforms or data brokers
  • Training general-purpose or third-party artificial intelligence or machine learning models
  • Building user profiles for purposes unrelated to the Hermo Service
  • Determining creditworthiness or for lending purposes
  • Any purpose other than providing or improving user-facing features of the Hermo Service

4. Google API Services Limited Use Disclosure

Hermo's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In accordance with Google's Limited Use requirements:

  • We only use data obtained via Google APIs to provide or improve user-facing features that are prominent in the Hermo application's user interface.
  • We do not transfer Google user data to others unless it is necessary to provide or improve user-facing features, to comply with applicable laws, or as part of a merger, acquisition, or sale of assets with the user's prior consent.
  • We do not use or transfer Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
  • We do not allow humans to read your Google user data unless we have obtained your affirmative agreement for specific messages, it is necessary for security purposes such as investigating abuse, it is necessary to comply with applicable law, or the data has been aggregated and anonymised and is used for internal operations.

6. Data Sharing and Transfers

We do not sell your personal data. Beyond the Google-specific disclosures in Section 3, we may share your data with:

  • Service providers: Cloud hosting, infrastructure, and AI processing providers who assist in operating the Hermo Service, acting as data processors under contractual obligations.
  • Professional advisers: Lawyers, accountants, and auditors where necessary for professional advice or compliance.
  • Law enforcement or regulatory authorities: When required by law, regulation, or legal process.

Some service providers process personal data in countries outside the United Kingdom and, where the EU GDPR applies to you, outside the European Economic Area (EEA). Where we transfer personal data to such recipients, we implement appropriate safeguards as required by applicable data protection law (including the UK GDPR and, where applicable, the EU GDPR). Depending on the transfer, these safeguards may include adequacy regulations or decisions, Standard Contractual Clauses (including the UK International Data Transfer Addendum or Agreement where relevant), or another transfer tool recognised under applicable law. You may request further information about the mechanisms we rely on by contacting privacy@hermo.ai.

In practice, this means international transfers may rely on one or more of the following mechanisms: adequacy decisions, EU Standard Contractual Clauses (SCCs), and (for UK-restricted transfers) the UK International Data Transfer Addendum or the UK International Data Transfer Agreement (IDTA). We assess the destination country and recipient safeguards before transferring data.

7. Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to provide the Hermo Service to you.

  • Google user data (email content): Email content and metadata are stored in a secure, encrypted vector database for the duration of your active account. This storage is necessary to provide search and intelligent features across your email history. When you delete your account, all stored email content is permanently deleted within 30 days. You may also request deletion of your stored email data at any time without deleting your account by contacting us at privacy@hermo.ai.
  • Knowledge base (extracted facts): Facts inferred from your email and stored for contextual features are kept in encrypted cloud object storage for the duration of your active account. They are deleted or anonymised on the same schedule as your other personal data when you delete your account, or sooner where you request deletion and we can fulfil the request.
  • Account information: Retained for the duration of your active Hermo account.
  • Usage and technical data: Retained for up to 12 months for analytics and service improvement purposes, then deleted or anonymised.

Account Deletion

When you delete your Hermo account, we will delete or anonymise all of your personal data within 30 days, except where retention is required by law. To delete your account and associated data, you can use the account deletion option in your Hermo settings or contact us at privacy@hermo.ai.

You may also request deletion of your data at any time by contacting us at the details provided in the Contact Us section below.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256 or equivalent)
  • Secure cloud infrastructure hosted by reputable providers
  • Strict access controls and role-based permissions for personnel
  • Regular security monitoring, logging, and incident response procedures
  • Periodic security reviews of our systems and practices

Your data is never used to train third-party AI models. The AI providers we use to deliver the Hermo Service are contractually prohibited from using your data for model training or any purpose beyond providing the Service.

9. Your Rights

Under UK data protection law, you have the following rights in relation to your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Restriction: Request restriction of processing in certain circumstances.
  • Portability: Request transfer of your data to another service in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

Where processing involves profiling (see Knowledge base and profiling), you may also have the right to object to such processing or to obtain human intervention, depending on applicable law and the nature of the processing. Contact us at privacy@hermo.ai if you wish to discuss this.

Hermo does not make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects without your involvement. If you believe such processing has occurred, you can request human review, express your point of view, and challenge the outcome by contacting privacy@hermo.ai.

To exercise any of these rights, please contact us at privacy@hermo.ai. We will respond to your request within one month.

You also have the right to revoke Hermo's access to your Google account at any time by visiting your Google Account permissions page.

10. Cookies

We use essential cookies to ensure our Service functions correctly, such as keeping you signed in. We may also use analytics cookies to understand how you use our Service and to improve it. You can control cookies through your browser settings. Our use of cookies does not involve the collection or processing of your Google user data.

11. Children's Privacy

The Hermo Service is intended for use by adults aged 18 and over. We do not knowingly allow children under 18 to create accounts or use the Service directly.

The Service may process emails that contain information relating to children, such as school communications, activity schedules, or medical appointments. This information is processed solely to provide the Service to the parent or guardian who holds the Hermo account and is subject to the same protections described throughout this policy, including encryption, access controls, and the Limited Use restrictions in Section 4.

If we become aware that a child under 18 has created an account, we will take steps to delete that account and associated data promptly.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the updated policy on this page, updating the "Last updated" date, and where appropriate, notifying you by email. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions about this privacy policy, our data practices, or wish to exercise any of your rights, please contact us at:

Hermo AI
BB International Ltd (UK Companies House number: 16030853)
Contact person: Fabian Blaicher
Email: privacy@hermo.ai

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues: https://ico.org.uk/make-a-complaint/

Sub-processors

Last updated: 28 April 2026

Hermo uses the following third-party sub-processors to provide the Service:

In line with GDPR Article 13(1)(e), the recipients of personal data we use to deliver the Service include the providers listed below. Where required to provide AI features you enable, full email content (including subject lines, bodies, sender/recipient details, and timestamps) may be sent to Anthropic and OpenAI for processing on our behalf. Where you use optional WhatsApp messaging features, phone numbers, message content you send through that channel, and related delivery metadata are processed as described in WhatsApp and messaging.

Where we use service providers as data processors, we engage them under each provider’s standard data processing terms (or equivalent), which require the processor to meet obligations consistent with UK GDPR Article 28 (and, where applicable, the EU GDPR). Official information from each provider:

Sub-processor | Purpose | Data processed | Location
Anthropic | AI processing - email analysis, categorisation, and action extraction | Email content and metadata | United States
OpenAI | AI processing for semantic search and response generation | Full email content and metadata | United States
Weaviate | Vector database for email search | Email content and embeddings | EU
Langfuse | LLM observability and tracing for service quality and debugging | Model inputs/outputs and related metadata | EU
PostHog | Product and website analytics | Usage events, device/browser metadata, and cookie/local storage identifiers | EU
Stripe | Payments, subscriptions, and billing operations | Billing identifiers, subscription details, and limited payment-related metadata | EU/US
WasenderAPI | WhatsApp message delivery infrastructure | Phone numbers, message content, and delivery metadata | EU/US
Google Cloud Platform | Authentication, Gmail API, Calendar API | Account info, email access tokens | EU/US

We will update this page when sub-processors change. If you have questions, contact privacy@hermo.ai.