Privacy Policy

Effective date: May 24, 2026

Last updated: May 24, 2026

Plain-language summary (non-binding). We collect the information you give us when you use Hermes, plus technical data needed to run, secure, and improve the Service. We don't sell your personal data. You can request access, correction, or deletion at any time. The full policy below is the binding version.

1. About This Policy

This Privacy Policy describes how Hermes ("Hermes", "we", "us", or "our") collects, uses, discloses, and protects personal data when you visit our marketing site (designwithhermes.com), sign up for an Account, use the Hermes website-builder platform (the "Service"), or otherwise interact with us. It also explains your rights and how to exercise them.

This Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.

2. Who We Are; Data Controller

Hermes operates the Service. For the purposes of GDPR, UK GDPR, and similar laws, Hermes is the controller of personal data we collect about visitors to our marketing site, prospective customers, Customers (as account holders), and our own employees and contractors.

Where you use the Service to operate websites or manage End Users (including your clients in white-label scenarios), you are the controller of personal data of those End Users, and we act as your processor. The processing of End User data on your behalf is governed by Section 13 (Customers as Controllers) and any Data Processing Addendum we make available.

You can contact us at hi@designwithhermes.com.

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Information You Provide

Account information — name, email, password (hashed), business or agency name, country, time zone, language preference.
Profile information — avatar, brand assets uploaded for white-label, contact details for invoicing.
Billing information — billing name and address, tax/VAT identifiers, and last four digits of your payment instrument. Full card numbers are processed by our payment processor (Stripe) and not stored by us.
Customer Content — anything you upload to or generate within the Service (text, images, files, custom code, settings, AI prompts and outputs).
Communications — messages you send us (email, support tickets, chat, surveys), and information you provide on calls or webinars we host.

3.2 Information Collected Automatically

Device and connection — IP address, browser type and version, operating system, device model, language, referrer URL.
Usage — pages viewed, features used, clicks, session duration, error logs, and similar telemetry.
Cookies and similar technologies — see our Cookie Policy.

3.3 Information from Third Parties

Payment processors (e.g., Stripe) confirm transactions, fraud-screening signals, and chargeback data.
Authentication providers (if you sign in via OAuth) provide your name and email per your authorization.
Marketing partners and resellers may pass us a referral identifier for attribution and commission tracking.
Public sources — for security and abuse prevention, we may consult public deny-lists or threat-intelligence feeds.

4. How We Use Personal Data

We use personal data for the following purposes:

Purpose	Examples	Legal basis (GDPR/UK GDPR)
Provide the Service	Create your Account, host your sites, deliver requested features, render AI Output	Performance of a contract
Billing and accounting	Process payments, issue invoices, calculate tax, prevent fraud	Performance of a contract; legal obligation; legitimate interest in fraud prevention
Service operations	Backups, monitoring, debugging, customer support	Performance of a contract; legitimate interest
Security	Detect and prevent attacks, abuse, account takeover	Legitimate interest; legal obligation
Product improvement	Usage analytics, feature performance, A/B testing on de-identified data	Legitimate interest
Communications	Service messages, security alerts, policy updates	Performance of a contract; legitimate interest
Marketing	Newsletters, product announcements, promotional offers	Consent; legitimate interest (existing customers, with opt-out)
Compliance	Tax reporting, responding to lawful requests, exercising legal claims	Legal obligation; legitimate interest

Where we rely on legitimate interests, you may object as described in Section 9. Where we rely on consent (e.g., marketing emails, optional cookies), you may withdraw consent at any time without affecting prior processing.

5. AI Features

The Service includes AI tools for content generation. Prompts you submit and outputs we return are processed in order to deliver the feature, log requests for security and abuse prevention, and improve quality. We do not use Customer Content to train third-party foundation models without your instruction. Some AI features depend on third-party model providers; we contractually require those providers not to use Customer Content to train their general models, where the provider supports such terms.

6. Cookies and Local Storage

We and our partners use cookies, pixels, SDKs, and similar technologies. See our Cookie Policy for details and how to manage them.

7. How We Share Personal Data

We do not sell personal data. We share it only as described in this Policy:

Service providers (sub-processors). Cloud hosting (Amazon Web Services), payment processing (Stripe), email delivery, customer support tooling, analytics, error tracking, and AI model providers — all bound by contractual confidentiality and data-protection terms.
Affiliates. With current and future affiliates of Hermes that adhere to this Policy.
Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality and continuing privacy protections.
Legal and safety. When required to comply with law, respond to a valid legal process, enforce our Terms, or protect rights, property, or safety.
With your direction. When you instruct us to share data (e.g., publishing a website, embedding a third-party widget, or connecting an integration).

A current list of significant sub-processors is available on request at hi@designwithhermes.com.

8. International Transfers

We are based in the United States, and our infrastructure and providers may be located in or accessed from countries other than yours. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (with the UK Addendum where applicable), supplementary measures where appropriate, or other lawful transfer mechanisms. You can request a copy of the transfer mechanism we rely on by contacting us.

9. Your Rights

Depending on where you live, you may have the following rights with respect to your personal data:

Access — obtain confirmation of, and a copy of, the personal data we hold about you.
Correction — ask us to correct inaccurate or incomplete data.
Deletion — ask us to delete your data, subject to legal retention.
Restriction — ask us to limit certain processing activities.
Objection — object to processing based on legitimate interests, including direct marketing.
Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
Withdraw consent — withdraw any consent you previously gave (without affecting prior processing).
Lodge a complaint — with the data-protection authority of your country of residence or place of work.
Automated decisions — we do not make decisions producing legal or similarly significant effects on you based solely on automated processing without human review.

To exercise any of these rights, email hi@designwithhermes.com. We may need to verify your identity before responding. We will respond within the time required by applicable law (typically 30 days, extendable in complex cases).

10. California Residents (CCPA/CPRA)

If you are a California resident, you have the rights to know, delete, correct, and limit the use and disclosure of sensitive personal information, and to opt out of "sale" or "sharing" of personal information. We do not sell personal information and we do not share it for cross-context behavioral advertising. You may exercise rights by emailing hi@designwithhermes.com. We will not discriminate against you for exercising these rights.

Categories of personal information we have collected in the past 12 months align with Section 3 above. Categories of recipients are described in Section 7. We retain personal information for the periods described in Section 12.

11. Other U.S. State Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws may have rights similar to those described in Section 9. To exercise them, contact us at hi@designwithhermes.com. You may have a right to appeal a refusal of a request; the appeal contact is the same email.

12. Data Retention

We keep personal data for as long as needed for the purposes described in this Policy, or longer where required by law. Typical retention periods:

Account data — for the life of your Account, plus up to 12 months after closure for fraud prevention, dispute resolution, and tax/accounting (longer where required by law).
Customer Content — until you delete it or close your Account, then up to 30 days in soft-deleted state for recovery, plus residual back-ups that expire on a rolling basis (typically within 90 days).
Billing records — up to seven (7) years for tax and accounting compliance.
Support communications — up to three (3) years from the last interaction.
Marketing data — until you unsubscribe or object, then suppression-list only.
Server and security logs — typically up to 12 months, with longer retention for incident-related logs.

13. Customers as Controllers (DPA Terms)

When you use the Service to manage personal data of End Users (your visitors, contacts, or clients), you are the controller and we are the processor. We will:

process End User data only on your documented instructions;
ensure persons authorized to process the data are bound by confidentiality;
implement appropriate technical and organizational security measures;
engage sub-processors only under written contracts with materially equivalent data-protection obligations;
assist you, taking into account the nature of processing, with data-subject requests, security incidents, DPIAs, and consultations with supervisory authorities;
delete or return End User data after the end of the Service (subject to legal retention); and
make available information necessary to demonstrate compliance and submit to audits, on reasonable terms.

If you require a signed Data Processing Addendum (DPA), email hi@designwithhermes.com and we will provide one.

14. Security

We implement administrative, technical, and physical safeguards to protect personal data, including encryption in transit (TLS) and at rest, hardened cloud infrastructure on AWS, role-based access controls, audit logging, secret management, periodic vulnerability scanning, and incident-response procedures. No system is perfectly secure; we cannot guarantee absolute security and you provide data at your own risk.

If we become aware of a personal data breach, we will notify affected Customers without undue delay and, where required, the relevant supervisory authority within the timelines mandated by law.

15. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

16. Do-Not-Track and Global Privacy Control

We honor opt-out preference signals (such as Global Privacy Control / GPC) where required by law. Browser "Do Not Track" signals are not consistently defined; we treat GPC as a CCPA opt-out signal for the browser session in which it is detected.

17. Marketing Communications

If you opt in (or where allowed by law for existing customers), we may send you product updates and offers. You can unsubscribe at any time using the link in our emails or by emailing hi@designwithhermes.com. We will continue to send transactional and security messages.

18. Changes to This Policy

We may update this Policy from time to time. We will post the updated Policy with a new "Last updated" date and, for material changes, give reasonable notice (e.g., email or in-app notice) before they take effect.

19. Contact

If you have questions about this Policy, want to exercise rights, or wish to file a complaint, contact us at hi@designwithhermes.com.