Trust posture
Publisher, not actor.
Hermai publishes factual metadata about publicly observable website endpoints. We do not execute requests, run scraping infrastructure, or hold users' credentials. This page explains exactly where our legal responsibility begins and ends — and where yours does.
The publisher / actor split
Hermai hosts a catalog of schemas — structured descriptions of what public websites return. A schema might say “Booking.com has a hotel search endpoint that takes destination, check-in, check-out, and guests, and returns name, price, and review score.” That is a factual description, not an instruction.
When you run hermai fetch or call our HTTP API with your key, the full technical package is delivered to your machine. Your machine — not ours — then sends the request to the site. You choose when, how often, with what identity, and whether the request is consistent with the site's terms. You are the actor.
We deliberately avoid hosted execution in Phase 1 so that there is no ambiguity about who is making the request.
What we publish
The public catalog shows taxonomy-level facts. Every entry includes:
- Schema name and one-line purpose
- Intent category (e.g. travel.accommodation.search)
- Parameter names (e.g. city, check_in, guests)
- Response field names (e.g. price, rating)
- Health metrics and last-verified time
- Site protection level (factual observation of what we detect)
- Contributor attribution
What stays private
The technical recipe lives only in pulled packages, on contributor and user machines. It never touches our public catalog:
- Endpoint URL, path, method
- Request headers and payloads
- Parameter types, validation, nested shapes
- Response type definitions
- Authentication flow
- Selectors and parsing instructions
Execution methods — TLS fingerprinting, browser automation, cookie handling — live in the open-source CLI, not in schemas. Schemas describe site facts; the CLI provides general-purpose HTTP tooling.
Legal anchors
Our posture is grounded in these cases. They are not legal advice; they are the decisions that shape how we think about publishing interoperability information.
- Sega Enterprises v. Accolade (1992, 977 F.2d 1510, 9th Cir.)
  Reverse engineering for interoperability is fair use when no other way exists to access functional elements of a program.
- Lexmark v. Static Control (2004, 387 F.3d 522, 6th Cir.)
  Publishing technical interoperability information about another company's product is protected; lock-out codes are not copyrightable.
- hiQ Labs v. LinkedIn (2022, 31 F.4th 1180, 9th Cir.)
  Accessing publicly available data is not “unauthorized access” under the CFAA. The ruling does not override platform-level terms.
Related pages
- Hostile platform exclusion list — sites we reject from the catalog proactively.
- Takedown process — how site operators can request removal.
- Privacy policy — what we collect, what we don't.
Contact
Takedown requests, partnership questions, security disclosures, or anything else a lawyer might call “compliance” — email trust@hermai.ai. Every message is read by a person, usually replied to within 72 hours.