Privacy Policy
Last Updated: June 15, 2026
1. Introduction
Welcome to Hivra. We are committed to protecting your personal information and your right to privacy. Because Hivra provides you with autonomous agents that interact with external services, we take data security very seriously. Hivra is the controller of the personal data described in this policy; you can reach us using the details in the Contact section below.
2. Information We Collect
We collect information necessary to provide our services:
- Account Data: Email address and authentication data when you create an account, managed securely via Clerk.
- API Keys: Keys submitted to access third-party AI models (e.g., OpenRouter, OpenAI, Anthropic). These are encrypted at rest and injected directly into your agent instances at runtime.
- Usage Metrics: Aggregated system logs, compute usage metrics, and error reports necessary to maintain service stability and infrastructure scaling.
- Diagnostic Telemetry: Runtime exception reports, incident metadata, and operator-visible troubleshooting events generated when the product fails or behaves unexpectedly.
- Fraud & Abuse Prevention: IP address, browser/device signals, FingerprintJS request identifiers, and Stripe verification metadata when a card-on-file check is required. Stripe handles card numbers directly; we only receive limited metadata such as card fingerprint and funding type for abuse prevention.
- Session Replay & Product Analytics: We use product analytics and session replay tooling to understand navigation, UI friction, and bugs. Input fields are masked by the analytics provider by default, but non-input page content may be visible in replay unless specifically masked or blocked.
- Agent Data: Data generated by your autonomous agents runs in an isolated, per-user environment. We do not read the contents of your agents' conversations for analytics or model training; automated metering reads only aggregated usage counters such as token and session counts (see Diagnostics and Internal Access).
3. How We Use Information
We use your information exclusively to operate, maintain, secure, troubleshoot, and improve Hivra infrastructure. This includes preventing fraud and free-tier abuse, investigating failures, reviewing diagnostic logs and session replays, and fixing bugs that impact user experience. We do not sell your personal data. We do not use your agent's interactions or your proprietary data to train generalized AI models.
4. Service Providers and Sub-processors
We rely on a small set of vetted providers to run Hivra. Each processes only the data needed for its function:
- Clerk: authentication and account management.
- Supabase: our application database, storing account records and the operational metadata described above (United States).
- Hetzner: hosting for the virtual machines that run your agents (European Union).
- Vercel: hosting and delivery of this dashboard (United States and global edge).
- Cloudflare: DNS, network routing, and secure tunneling.
- PostHog: product analytics and session replay (United States).
- Stripe: payment processing; Stripe handles card numbers directly and we receive only limited metadata.
- FingerprintJS: device signals used only for fraud and abuse prevention.
- Managed inference and wallet partners: if you opt into managed AI inference or token and wallet features, Venice (inference) and Bankr (wallet and on-chain payments) process the data needed for those features.
- Third-party AI model providers: when you supply your own keys (for example OpenRouter, OpenAI, or Anthropic), your agents send prompts directly to those providers under their respective privacy terms.
We do not sell your data to, or share it for advertising with, any third party.
5. Diagnostics and Internal Access
Automated systems and authorized operators may connect to the infrastructure that hosts your agent to read aggregated usage counters for billing and capacity planning, run health and recovery checks, and create backups. These systems are designed to collect operational metadata such as token and session counts, not the contents of your agents' conversations. Authorized operators may also review incident dashboards, error reports, and session-replay tooling solely to diagnose problems and improve reliability; we minimize the sensitive information exposed to these tools, but replay and debugging systems can still capture contextual application data needed for support.
6. International Data Transfers
Our providers are located in the United States and the European Union. Where personal data of UK or EU residents is transferred outside the UK or EEA (for example to United States providers such as PostHog, Vercel, or Stripe), we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with the providers' own compliance frameworks.
7. Data Retention
We keep personal data only as long as needed for the purposes above:
- Account and profile data: for the life of your account, then deleted or anonymized within 90 days of account closure, except where we must retain it to meet legal obligations.
- Agent data and instance contents: removed when you delete the instance; residual copies in encrypted operational backups are purged within approximately 35 days, and abandoned or errored instances are purged on a rolling schedule.
- Third-party API keys: deleted immediately when you remove them or tear down the instance.
- Usage and compute metrics: retained in aggregated form for up to 24 months, then deleted or kept only in further-aggregated form.
- Diagnostic logs and error telemetry: up to 90 days.
- Session replays: up to 30 days. Product-analytics events: up to 12 months.
- Fraud and abuse signals: up to 24 months.
- Billing and payment records: retained as required by financial and tax law, typically up to 7 years.
8. Your Privacy Rights
Depending on where you live (including the UK and EU), you have the right to access, correct, delete, or export your personal data, and to restrict or object to certain processing or withdraw consent. To exercise any of these rights, contact us using the details below; we will respond within the timeframe required by applicable law. You also have the right to complain to your local data-protection authority, such as the Information Commissioner's Office (ICO) in the UK.
9. Cookies, Analytics, and Session Replay
We use cookies and similar technologies for essential functionality and, with your consent where the law requires it, for product analytics and session replay. Session replay masks input fields by default and is disabled on sensitive pages, including sign-in, billing, wallet, settings, and your agent chat. You can change your choice at any time: . Strictly necessary cookies cannot be turned off. You can also control non-essential cookies through your browser settings.
10. Data Security
All sensitive data, including your Third-Party LLM API keys, is encrypted in transit and at rest. Your agent environments are isolated. While we employ rigorous security hardening to protect your data, no method of transmission over the Internet is 100% secure.
11. Changes to This Policy
We may update this policy as the product and our providers evolve. Material changes will be reflected by the 'Last Updated' date above, and where required we will provide additional notice.
12. Contact Us
If you have questions about this policy or wish to exercise your privacy rights, contact us at info@hermesos.cloud or through our Discord community. For formal data-protection requests, please include enough detail for us to verify your identity and locate your records.