Prohibited Data Policy
What Hermes accepts, what needs explicit handling, and what must not be sent to the agent.
Effective 10 July 2026 · Policy 2026-07-10.v1 · Draft pending counsel review
Allowed content
Ordinary notes and supported documents may be processed for the service. Identity documents, medical information, bank statements and IBAN are supported for user-directed personal tasks. Hermes does not automatically promote such content to long-term memory and requires an explicit instruction before durable save or external forwarding.
Prohibited content
- Full payment-card numbers, card images containing them, CVV/CVC/CID, PIN and card track data.
- Passwords, one-time or recovery codes and session cookies.
- API keys, OAuth or bearer tokens and webhook signing secrets.
- Private cryptographic keys and wallet seed or recovery phrases.
Automated checks
Hermes applies narrow automated checks to supported messages and attachments. High-confidence matches are blocked without repeating the value. Detection is best-effort and does not identify every secret or every type of personal information.
When content is blocked
The platform keeps only content-free event metadata such as category, action and detector version. The original may remain with Telegram or another messaging provider; delete it there and rotate an exposed credential.
Regulated use
The current service is not offered as a dedicated payment-card vault, password manager, regulated healthcare system, financial compliance system or professional identity-verification service.