Hermes Platform

Prohibited Data Policy

What Hermes accepts, what needs explicit handling, and what must not be sent to the agent.

Effective 10 July 2026 · Policy 2026-07-10.v1 · Draft pending counsel review

Allowed content

Ordinary notes and supported documents may be processed for the service. Identity documents, medical information, bank statements and IBAN are supported for user-directed personal tasks. Hermes does not automatically promote such content to long-term memory and requires an explicit instruction before durable save or external forwarding.

Prohibited content

  • Full payment-card numbers, card images containing them, CVV/CVC/CID, PIN and card track data.
  • Passwords, one-time or recovery codes and session cookies.
  • API keys, OAuth or bearer tokens and webhook signing secrets.
  • Private cryptographic keys and wallet seed or recovery phrases.

Automated checks

Hermes applies narrow automated checks to supported messages and attachments. High-confidence matches are blocked without repeating the value. Detection is best-effort and does not identify every secret or every type of personal information.

When content is blocked

The platform keeps only content-free event metadata such as category, action and detector version. The original may remain with Telegram or another messaging provider; delete it there and rotate an exposed credential.

Regulated use

The current service is not offered as a dedicated payment-card vault, password manager, regulated healthcare system, financial compliance system or professional identity-verification service.