Privacy Policy

1. Introduction

Welcome to Hermo.ai ("Hermo", "we", "our", "us"). We are committed to protecting your personal data and respecting your privacy. This privacy policy explains how we collect, use, store, and protect your information when you use the Hermo application and related services (the "Service").

Hermo is an AI-powered personal assistant for your inbox. We are a company registered in the United Kingdom. For the purposes of UK data protection law, we are the data controller of your personal data.

Your data is yours. Your data is never used to train third-party AI models. Hermo will never send an email, delete an email, or take any irreversible action without your explicit confirmation. You are always in control.

This privacy policy applies to all users of the Hermo application at app.hermo.ai and the Hermo website at hermo.ai.

2. Information We Collect

We collect and process the following categories of data:

2.1 Account Information

When you create a Hermo account, we collect your name, email address, and authentication credentials. If you sign in using Google Sign-In, we receive your name, email address, and profile picture from your Google account.

2.2 Google User Data

When you connect your Gmail account to Hermo, we access the following Google user data with your explicit consent:

Email message content — the subject, body, sender, recipients, and timestamps of your emails
Email metadata — labels, read/unread status, and threading information
Email attachments — only when required to provide the features you have enabled

We only access the Google user data that is strictly necessary to provide you with the Hermo features you have enabled. You can revoke access to your Google data at any time through your Google Account permissions or within the Hermo application settings.

2.3 Usage Data

We collect information about how you interact with the Service, including features accessed, actions taken, and frequency of use.

2.4 Technical Data

We automatically collect technical data including your IP address, browser type and version, device information, operating system, and access times.

3. Google User Data

This section specifically addresses how Hermo handles data obtained through Google APIs, including Gmail.

3.1 What Google User Data We Collect

Hermo accesses your Gmail data — including email content, metadata, headers, and attachments — solely to provide the features of our Service that you have chosen to enable. This includes analysing, categorising, summarising, and extracting actionable information from your emails.

3.2 How We Use Google User Data

We use your Google user data exclusively to provide and improve the Hermo Service. Specifically:

Analysing, categorising, and summarising your emails to help you stay organised
Extracting key information such as dates, deadlines, and action items from your emails
Creating calendar reminders and alerts based on information found in your emails
Generating suggested responses and drafts on your behalf
Enabling intelligent search across your email history

To provide these features, your email content is processed by third-party AI services (see Section 3.3). Your email content is stored in a secure vector database to enable search and intelligent features across your email history. This data is retained for the duration of your account (see Section 7 for details on retention and deletion).

3.3 How We Share Google User Data

We do not sell, rent, lease, or trade your Google user data to any third party.

To provide the Hermo Service, your email content is processed by third-party service providers acting as data processors on our behalf, under strict contractual obligations. These include AI processing providers and cloud database providers that are necessary to deliver the features of the Service. These providers process your data solely to provide user-facing features of the Hermo Service and are contractually prohibited from using your data for any other purpose.

We may also share your Google user data if required by law, regulation, legal process, or governmental request.

3.4 How We Protect Google User Data

We implement robust technical and organisational measures to protect your Google user data, including:

Encryption of data in transit using TLS/SSL and encryption of data at rest
Access controls that restrict employee and contractor access to user data on a strict need-to-know basis
Regular security reviews and monitoring of our systems
Secure cloud infrastructure with industry-standard protections
Contractual data processing agreements with all third-party service providers that process your data

Human access to your data: We do not allow humans to read your Google user data unless (a) you have given your affirmative agreement for specific messages or data, (b) it is necessary for security purposes such as investigating a bug or abuse, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymised and is used for internal operations in accordance with applicable privacy law.

Important: We do not use your Google user data for any purpose other than providing and improving the Hermo Service for you. Specifically, we do not use your Google user data for:

Serving, targeting, or personalising advertisements
Selling or providing data to third-party advertising platforms or data brokers
Training general-purpose or third-party artificial intelligence or machine learning models
Building user profiles for purposes unrelated to the Hermo Service
Determining creditworthiness or for lending purposes
Any purpose other than providing or improving user-facing features of the Hermo Service

4. Google API Services Limited Use Disclosure

Hermo's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In accordance with Google's Limited Use requirements:

We only use data obtained via Google APIs to provide or improve user-facing features that are prominent in the Hermo application's user interface.
We do not transfer Google user data to others unless it is necessary to provide or improve user-facing features, to comply with applicable laws, or as part of a merger, acquisition, or sale of assets with the user's prior consent.
We do not use or transfer Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
We do not allow humans to read your Google user data unless we have obtained your affirmative agreement for specific messages, it is necessary for security purposes such as investigating abuse, it is necessary to comply with applicable law, or the data has been aggregated and anonymised and is used for internal operations.

5. Legal Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

Contract: Processing necessary to perform our contract with you and to provide the Hermo Service.
Consent: Where you have given explicit consent for specific processing activities, such as connecting your Gmail account to Hermo.
Legitimate Interests: Where processing is necessary for our legitimate business interests, such as improving our Service, provided those interests are not overridden by your rights.
Legal Obligation: Where we need to comply with a legal requirement.

6. Data Sharing and Transfers

We do not sell your personal data. Beyond the Google-specific disclosures in Section 3, we may share your data with:

Service providers: Cloud hosting, infrastructure, and AI processing providers who assist in operating the Hermo Service, acting as data processors under contractual obligations.
Professional advisers: Lawyers, accountants, and auditors where necessary for professional advice or compliance.
Law enforcement or regulatory authorities: When required by law, regulation, or legal process.

Where we transfer data outside the UK, we ensure appropriate safeguards are in place in accordance with UK data protection law, including Standard Contractual Clauses or transfers to countries with adequate data protection frameworks.

7. Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to provide the Hermo Service to you.

Google user data (email content): Email content and metadata are stored in a secure, encrypted vector database for the duration of your active account. This storage is necessary to provide search and intelligent features across your email history. When you delete your account, all stored email content is permanently deleted within 30 days. You may also request deletion of your stored email data at any time without deleting your account by contacting us at privacy@hermo.ai.
Account information: Retained for the duration of your active Hermo account.
Usage and technical data: Retained for up to 12 months for analytics and service improvement purposes, then deleted or anonymised.

Account Deletion

When you delete your Hermo account, we will delete or anonymise all of your personal data within 30 days, except where retention is required by law. To delete your account and associated data, you can use the account deletion option in your Hermo settings or contact us at privacy@hermo.ai.

You may also request deletion of your data at any time by contacting us at the details provided in the Contact Us section below.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit (TLS/SSL) and at rest (AES-256 or equivalent)
Secure cloud infrastructure hosted by reputable providers
Strict access controls and role-based permissions for personnel
Regular security monitoring, logging, and incident response procedures
Periodic security reviews of our systems and practices

Your data is never used to train third-party AI models. The AI providers we use to deliver the Hermo Service are contractually prohibited from using your data for model training or any purpose beyond providing the Service.

9. Your Rights

Under UK data protection law, you have the following rights in relation to your personal data:

Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate or incomplete data.
Erasure: Request deletion of your personal data ("right to be forgotten").
Restriction: Request restriction of processing in certain circumstances.
Portability: Request transfer of your data to another service in a machine-readable format.
Objection: Object to processing based on legitimate interests.
Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@hermo.ai. We will respond to your request within one month.

You also have the right to revoke Hermo's access to your Google account at any time by visiting your Google Account permissions page.

10. Cookies

We use essential cookies to ensure our Service functions correctly, such as keeping you signed in. We may also use analytics cookies to understand how you use our Service and to improve it. You can control cookies through your browser settings. Our use of cookies does not involve the collection or processing of your Google user data.

11. Children's Privacy

The Hermo Service is intended for use by adults aged 18 and over. We do not knowingly allow children under 18 to create accounts or use the Service directly.

The Service may process emails that contain information relating to children, such as school communications, activity schedules, or medical appointments. This information is processed solely to provide the Service to the parent or guardian who holds the Hermo account and is subject to the same protections described throughout this policy, including encryption, access controls, and the Limited Use restrictions in Section 4.

If we become aware that a child under 18 has created an account, we will take steps to delete that account and associated data promptly.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the updated policy on this page, updating the "Last updated" date, and where appropriate, notifying you by email. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions about this privacy policy, our data practices, or wish to exercise any of your rights, please contact us at:

Hermo AI
BB International Ltd (UK Companies House number: 16030853)
Contact person: Fabian Blaicher
Email: privacy@hermo.ai

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues: https://ico.org.uk/make-a-complaint/

Sub-processors

Last updated: 19 February 2026

Hermo uses the following third-party sub-processors to provide the Service:

Sub-processor	Purpose	Data processed	Location
Anthropic	AI processing — email analysis, categorisation, and action extraction	Email content and metadata	United States
OpenAI	Text embeddings for semantic search	Email content	United States
Weaviate Cloud	Vector database for email search	Email content and embeddings	EU
Google Cloud Platform	Authentication, Gmail API, Calendar API	Account info, email access tokens	EU/US

We will update this page when sub-processors change. If you have questions, contact privacy@hermo.ai.