Privacy

What we collect.

Last updated: 2026-04-07

The short version

  • We don't see the sites you access. Your CLI and HTTP API calls go directly from your machine to the target site. We never execute requests on your behalf.
  • Telemetry is opt-in. Default is off. When enabled, we receive the schema ID, success/failure, latency, and intent category — not the payload, not the response, not your request URL.
  • We don't sell personal data. Aggregated intent data (what kinds of things agents are trying to do) may be shared with site operators as a B2B product. It is never tied to you.

What we collect

Account data

If you sign in with GitHub, we store your GitHub username, email, and user ID. That's it. We don't request repo access or any OAuth scopes beyond basic profile.

API key usage

Each API call is logged with your key ID, timestamp, endpoint, status code, and IP address (for rate limiting and abuse prevention). Request bodies and response payloads are not logged.

Telemetry (opt-in only)

If you opt in via hermai telemetry enable, your CLI batches these fields per fetch:

  • Schema ID and version hash
  • Success / failure flag
  • Latency in milliseconds
  • Coarse geo (country-level)
  • Intent category (from the schema)

Disable at any time with hermai telemetry disable.

What we don't collect

  • The specific URLs, parameters, or response bodies of your fetches
  • Credentials or session cookies for any site
  • Tracking identifiers across sessions or devices
  • Browser fingerprints

How aggregated intent data is used

Telemetry is aggregated at the schema and category level. A site operator might see “47% of agents hitting booking.com are in the travel.accommodation.search intent category, and 12% of them subsequently call trips.com.” That data is never tied to individual users or API keys.

This is our core B2B product. We're transparent about it because the data only has value if it's aggregated — there is no version of this product that requires identifying individual users.

Your rights

You can delete your account at any time, which removes your profile, API keys, and all associated usage logs. Aggregated telemetry (which contains no identifier) is retained. Email privacy@hermai.ai for access or deletion requests.

Changes to this policy

Material changes will be announced on the changelog and via email to account holders at least 30 days before taking effect.