RunHermesHK
繁體中文
Legal

Privacy Policy

Effective date: 2026-04-17 · Operator: RunHermes (operated by Joseph Cheung), Hong Kong SAR

This Privacy Policy explains how RunHermes (“RunHermes”, “we”, “our”) collects, uses, stores, and shares personal data when you use the RunHermes managed Hermes agent service available at https://runhermes.work. RunHermes is operated as a sole proprietorship by Joseph Cheung in Hong Kong SAR. Questions or requests can be sent to joseph@deptai.work.

1. Data we collect

1.1 Account identity

We use Clerk to handle authentication. When you sign up or sign in we receive your email address, your display name, and the OAuth identifiers for the social login provider you chose (e.g. Google). We never see your social-login password.

1.2 Billing data

We use Stripe to process payments. Stripe stores your full payment-card data on its own infrastructure under PCI DSS Level 1. We only receive your Stripe customer ID, subscription ID, plan code, the last four digits of your card, and the billing email you supplied at checkout.

1.3 Service data

To run the agent service we store your tenant configuration, channel pairing data (Telegram bot tokens or chat IDs you authorise, WhatsApp channel identifiers), and an audit log of significant lifecycle events (subscription created, runtime provisioned, channel connected).

1.4 Operational logs

Standard server logs (timestamps, IP addresses, user-agent strings, request paths) are retained for security, abuse prevention, and debugging.

2. Why we use this data

  • To create and operate your account.
  • To bill you and to support refunds and cancellations.
  • To provision and run your Hermes agent and connected channels.
  • To detect and respond to fraud, abuse, and security incidents.
  • To comply with applicable law and to enforce our Terms of Service.

3. Where data is stored

  • Application database: PostgreSQL hosted on a DigitalOcean droplet in Singapore (geographically close to Hong Kong).
  • Authentication: Clerk (United States).
  • Payments: Stripe (United States and European Union).
  • DNS and edge proxy: Cloudflare (global).
  • Model inference (when the agent calls a language model on your behalf): OpenRouter (United States), routed to the upstream provider you have configured.

4. Sub-processors

We rely on the following sub-processors. Each operates under its own published data-processing terms:

  • Clerk Inc. — authentication.
  • Stripe Inc. — payments and billing.
  • DigitalOcean LLC — application hosting.
  • Cloudflare Inc. — DNS and edge.
  • OpenRouter — model routing for agent responses.
  • Telegram FZ-LLC — messaging channel (if connected).
  • Meta Platforms Inc. — WhatsApp messaging channel (if connected).

5. Retention

  • Account and billing records: retained for the lifetime of your account plus a 90-day backup window after deletion.
  • Audit logs: retained for 12 months.
  • Operational server logs: retained for up to 30 days, then aggregated or discarded.

6. Your rights

Under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486), you may request access to your personal data, correction of inaccurate data, and deletion of your account. Email joseph@deptai.work and we will respond within 30 days. Account deletion removes your records from the application database within 7 days, and from backups within the 90-day backup window described above.

7. Cookies

We set only the cookies required for the service to function: a Clerk session cookie that keeps you signed in, and a short-lived Stripe checkout cookie used during payment. We do not set marketing or tracking cookies.

8. Changes

If we make material changes to this Privacy Policy we will notify active subscribers by email at least 30 days before the change takes effect, and we will update the effective date at the top of this page.

9. Contact

RunHermes (operated by Joseph Cheung), Hong Kong SAR — joseph@deptai.work.

Privacy Policy — RunHermes