Hermes Platform

Privacy Notice

How Hermes Platform processes account data and accepted agent content during beta.

Effective 10 July 2026 · Policy 2026-07-10.v1 · Draft pending counsel review

Controller

The proposed controller is Links Academy EOOD / Линкс Академи ЕООД, UIC 208651214, registered at България, област Добрич, община Генерал Тошево, с. Чернооково 9532, ул. Шеста № 8, Bulgaria. Privacy requests: privacy@links.academy.

Who may use the service

The service is for users aged 18 or older. Signup records the Terms version, Privacy Notice version, age confirmation and acceptance timestamp.

Data and purposes

We process account identity, legal acceptance evidence, configuration, encrypted credentials, masked connection metadata, accepted conversations, memory, workspace files, beta-access state and content-free audit/security events to provide, secure, support and comply with obligations for the managed agent service.

Tenant content

Accepted content is used only to provide, secure and support the service. It is not sold, used for advertising or used to train platform-owned models. Human access is denied by default and requires an authorized, time-limited and audited support or incident procedure.

Automated checks

Supported messages and attachments may be checked for narrow prohibited categories, malware, active content, resource limits and prompt injection. This is automated processing, not routine human reading or general profiling, and no detector guarantees perfect identification.

Recipients and transfers

Hetzner hosts the service in Nuremberg, Germany. Accepted content may be sent to the messaging, model and integration providers selected by the user. Those providers may process data outside the EEA; each supported configuration requires an applicable transfer safeguard and provider review.

Retention

Ended sessions and runtime/cron output target 30 days, active sessions rotate after 90 days, quarantine normally deletes immediately and no later than 24 hours, security events target 180 days, and backups no more than 30 days. Targets are binding only where the corresponding implementation is verified.

Your rights

Depending on applicable law, you may request access, correction, deletion, restriction, objection or portability and complain to the Bulgarian Commission for Personal Data Protection or another competent authority. Send requests to privacy@links.academy.

Security and changes

We use tenant isolation, encrypted platform secrets, bounded quarantine, mandatory guard health checks and incident procedures. Material Notice changes receive a new version and notice where required. DPO, lawful-basis and transfer decisions remain pending counsel approval.