Hermes Agent — Privacy Policy
Effective date: 29 May 2026 | Controller: Czerca, Spolkova 13, Brno, Czech Republic | Contact: [email protected]
1. Introduction
This Privacy Policy describes how Czerca (“we”, “us”, “our”) collects, processes, and protects personal data when you engage our Hermes Agent consultancy services. We are committed to complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Czech law.
Our services are provided exclusively to business clients (“Clients”). Where our agents access end-user data on behalf of a Client, the Client acts as data controller and we act as data processor pursuant to a separate Data Processing Agreement (“DPA”).
2. Data We Access
When a Client authorises a Hermes Agent to connect to a Google account, the agent may access the following data in read-only mode:
2.1 Gmail
Email message content, headers, metadata, and attachments; folder and label structure; sender and recipient information.
2.2 Google Drive
File names, metadata, and content of documents, spreadsheets, and other files; folder hierarchy and sharing permissions (metadata only).
2.3 Google Calendar
Event titles, descriptions, dates, times, attendees, and locations; calendar list and settings.
2.4 Google Contacts
Contact names, email addresses, phone numbers, and associated metadata.
All access is strictly read-only. We do not create, modify, or delete any data in connected Google accounts.
3. Legal Basis for Processing
We process personal data under the following GDPR legal bases:
Article 6(1)(b) — Processing necessary for performance of a contract with the Client.
Article 6(1)(c) — Compliance with legal obligations.
Article 6(1)(f) — Legitimate interests in operating, securing, and improving our services, where not overridden by data subject rights.
Where special category data is incidentally encountered in accessed content, we do not intentionally process it and apply immediate minimisation measures.
4. How We Use the Data
Data accessed through connected Google accounts is used exclusively to:
Provide the specific AI agent service contracted by the Client.
Generate outputs, summaries, or analyses as specified in the service agreement.
Diagnose technical issues and ensure service reliability.
We do not use accessed data to train AI models, conduct marketing, or share with third parties beyond those listed in Section 5.
5. Data Sharing and Sub-processors
We may share data with the following categories of sub-processors, each subject to GDPR-compliant data processing agreements:
Cloud infrastructure providers (e.g. Hetzner Cloud) — for hosting agent workloads within the EU/EEA.
AI model providers (e.g. Anthropic) — solely for inference; subject to their data processing terms.
Monitoring and logging services — for security and operational purposes, with data minimisation applied.
We do not transfer personal data outside the EU/EEA unless appropriate safeguards are in place (e.g. Standard Contractual Clauses).
6. Data Retention
We retain data accessed through Google integrations only for as long as necessary to deliver the contracted service:
Transient processing data (in-memory) — deleted immediately after task completion.
Logs containing incidental personal data — retained for a maximum of 30 days.
OAuth tokens — retained until the Client revokes access or the engagement ends.
Clients may request deletion of any retained data at any time by contacting us at the address in Section 1.
7. Security
We implement appropriate technical and organisational measures to protect personal data, including:
Encryption of OAuth tokens at rest using AES-256.
TLS 1.2+ for all data in transit.
Access controls and least-privilege principles for agent permissions.
Regular security assessments of infrastructure.
8. Data Subject Rights
Where personal data of identifiable individuals is processed, those individuals have rights under GDPR including access, rectification, erasure, restriction, portability, and objection. Requests should be directed to the Client (as data controller) in the first instance, or to us at the contact address in Section 1.
9. Google API Services
Our use of Google API Services and any data obtained therefrom is subject to Google’s API Services User Data Policy. We access Google data solely as authorised by the Client and only to the minimum extent necessary to provide the contracted service. We do not sell Google user data and do not use it for advertising purposes.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Clients will be notified of material changes with at least 30 days’ notice before changes take effect.
11. Contact and Complaints
For privacy-related enquiries, contact: [email protected]
You also have the right to lodge a complaint with the Czech supervisory authority:
Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
[email protected] — www.uoou.cz