Privacy Policy

Effective date: May 21, 2026 · Last updated: May 21, 2026

This Privacy Policy describes how D.Soft LLC ("Hermesita", "we", "us") collects, uses, and shares personal data when you visit hermesita.com, use the dashboard at my.hermesita.com, or otherwise interact with our service (the "Service").

1. Data we collect

Information you provide

• Account data — name, email address, password (stored hashed with bcrypt), and phone number if you provide one.
• Billing data — your payment method is handled by Paddle.com Market Ltd, our merchant of record. We do not see or store card numbers; we receive only your billing email, country, and the metadata needed to manage your subscription (e.g. Paddle customer ID, transaction IDs, invoice numbers).
• Server configuration — names and slugs you assign to your servers, the regions and tiers you select, and the credentials we generate for your behalf (stored encrypted with AES-256-GCM).
• Support correspondence — anything you send us via email or other support channels.

Information we collect automatically

• Service logs — IP address, user-agent, timestamps, and request paths when you use the dashboard or API. Used for security, debugging, and abuse prevention.
• Provisioning metadata — DigitalOcean droplet IDs, DNS record IDs, subdomain assignments, and timing of each provisioning step.

We do not collect or read the contents of your servers — files on the disk, application data, or traffic to/from your Hermes agent. Those live entirely on DigitalOcean infrastructure and never pass through Hermesita systems.

2. How we use data

• To provide and operate the Service.
• To authenticate you and protect your account.
• To provision and manage your servers, DNS records, and TLS certificates.
• To bill you and issue invoices through Paddle.
• To send transactional emails (password resets, important account notices).
• To prevent abuse, fraud, and security incidents.
• To comply with legal obligations.

We do not use your data for advertising or sell it to third parties.

3. Legal bases (EEA / UK)

If you're in the EEA or UK, we process personal data under the following legal bases:

• Contractual necessity — to deliver the Service you signed up for.
• Legitimate interest — to secure the Service, prevent fraud, and improve the product.
• Legal obligation — to comply with tax, accounting, and law-enforcement requirements.
• Consent — where we ask for it explicitly (e.g. for non-essential cookies, if we add them later).

4. Sharing with third parties

We share personal data with the following categories of processors, strictly to operate the Service:

• DigitalOcean — to provision droplets and DNS records on your behalf.
• Paddle.com Market Ltd — to process payments and issue invoices. Paddle is the merchant of record and acts as a controller for billing data.
• Let's Encrypt (ISRG) — to issue TLS certificates for your subdomains.
• Amazon Web Services (SES) — to deliver transactional email.
• Cloud infrastructure providers — to host the Hermesita dashboard and API.

We will disclose personal data if required by law (court order, subpoena, or similar) or where necessary to prevent serious harm. We notify you where legally permitted to do so.

5. International transfers

Personal data may be transferred to and processed in countries outside your country of residence, including the United States. We rely on standard contractual clauses or equivalent safeguards where required by applicable law.

6. Retention

• Account data — kept while your account is active. Deleted (or anonymized) within 30 days after account closure, except where retention is required for tax/accounting (typically 7 years).
• Server credentials — destroyed at the time a server is deleted.
• Service logs — retained for up to 90 days for security and operational purposes, then deleted or anonymized.
• Billing records — retained as required by tax and accounting law in our jurisdiction (typically 7 years).

7. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your account and associated data ("right to be forgotten").
• Object to certain processing, or request restriction of processing.
• Receive a copy of your data in a portable format.
• Lodge a complaint with your local data protection authority.

To exercise these rights, contact us through your account dashboard or by post at the address below. We respond within 30 days.

8. Security

We use industry-standard measures to protect personal data: TLS in transit, AES-256-GCM at rest for sensitive fields (server credentials), bcrypt for password hashing, restricted access to production systems, and routine patching of base images. No system is perfectly secure; in the unlikely event of a breach affecting your data, we will notify you and the relevant authority as required by law.

9. Children

The Service is not directed to anyone under 18. We don't knowingly collect personal data from children. If you believe we have, contact us through your account dashboard and we'll delete it.

10. Cookies & analytics

We use a small number of strictly-necessary cookies to keep you signed in. We do not use third-party advertising cookies. If we add analytics or other non-essential cookies later, we'll update this section and ask for consent as required.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email and via a banner in the dashboard at least 14 days before they take effect.

12. Contact

Data protection inquiries can be submitted through your account dashboard or by post at:
D.Soft LLC, Armenia, Yerevan, Komitas avenue 17 32