Hermes — Privacy Policy

Effective: May 18, 2026 · Last Updated: May 18, 2026

1. Introduction

Hermes ("the App") is an open-source fitness activity tracking application licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). It is developed and maintained by an individual developer ("I," "me," or "my"). The source code is publicly available at github.com/CAEDVX/hermes.

This Privacy Policy explains how information is collected, used, stored, and protected when you use official distributed builds of Hermes. By using the App, you agree to the practices described in this policy. If you do not agree, please do not use the App.

2. Information Collected

2.1 Information You Provide

• Account information: email address and password, processed through Supabase Authentication when you register or sign in.
• Profile information: display name or profile photo, if you choose to provide one.

2.2 Information Collected Automatically

• Precise GPS location data: collected only while you actively record an activity session (foreground use). Used to track routes and generate personal heatmaps.
• Activity data: routes, distance, duration, pace, elevation, and timestamps associated with your recorded activities.
• Device information: device type, operating system version, and app version, collected automatically by the Expo/EAS update framework.

2.3 Information Not Collected

Hermes does not collect:

• Payment or financial information
• Contacts or address book data
• Photos or media beyond what you explicitly upload as a profile image
• Background location data when you are not actively recording an activity
• Advertising identifiers or cross-app tracking data

3. How Information Is Used

Collected information is used solely to:

• Provide core App functionality: activity recording, route display, heatmap generation, and activity history
• Authenticate your account and sync your data across devices
• Deliver over-the-air updates via Expo/EAS
• Respond to support requests
• Comply with applicable legal obligations

Your information is not used for advertising, profiling, or automated decision-making. It is not sold, rented, or shared with third parties for their own marketing purposes.

4. Data Storage and Architecture

Hermes uses a combination of on-device and server-side storage:

Supabase's infrastructure is hosted on Amazon Web Services (AWS). Data may be stored and processed in data centres located outside your country of residence, including in the United States. Where data is transferred outside the European Economic Area (EEA) or United Kingdom, it is protected by the service provider's data processing agreements and, where applicable, Standard Contractual Clauses (SCCs) or equivalent safeguards recognised under GDPR.

5. Legal Basis for Processing (GDPR)

If you are located in the EEA or United Kingdom, the legal bases for processing your personal data are:

• Performance of a contract (Art. 6(1)(b)): processing necessary to provide the App's features you have requested, including account creation and activity tracking.
• Consent (Art. 6(1)(a)): for precise location data collection, granted through your device's operating system permission prompt. You may withdraw consent at any time by revoking location permissions in your device Settings.
• Legitimate interests (Art. 6(1)(f)): improving the App's performance and ensuring its security, where these interests are not overridden by your fundamental rights and freedoms.

6. Location Data

Location data is central to Hermes's functionality and receives heightened protection:

• Location access is requested through your device's standard OS permission system.
• Precise GPS data is collected only while you actively record an activity (foreground use). Hermes does not collect background location data.
• Location data is used exclusively to record routes and generate personal heatmaps.
• You may revoke location permissions at any time via your device Settings. This will disable activity recording but will not affect previously saved data.
• Recorded location data is transmitted to and stored in Supabase as described in Section 4.

7. Third-Party Services

Hermes integrates the following third-party services, each governed by its own privacy practices:

Hermes does not integrate advertising networks, behavioural analytics platforms, social media SDKs, or any service that shares your data with third parties for their own purposes.

8. Data Security

I implement reasonable technical and organisational measures to protect your information, including:

• Authentication tokens stored in the device's secure enclave via Expo SecureStore
• Encrypted connections (HTTPS/TLS) for all data transmitted to Supabase
• Supabase's built-in Row Level Security (RLS) to ensure users can only access their own data

No method of electronic transmission or storage is completely secure. While I take commercially reasonable steps to protect your data, absolute security cannot be guaranteed. In the event of a data breach that is likely to result in a risk to your rights and freedoms, I will notify affected users within 72 hours of becoming aware of it, in accordance with GDPR Article 33.

9. Data Retention

• Your activity and location data is retained for as long as you maintain an active account.
• You may request deletion of your data at any time (see Section 11).
• Upon account deletion or a verified deletion request, your personal data will be deleted or irreversibly anonymised within 30 days, except where retention is required by applicable law.
• If you uninstall the App without requesting account deletion, your data will remain stored in Supabase. To have it removed, contact me at caedvx@proton.me.

10. Children's Privacy

Hermes is not directed at children under the age of 13 (or under 16 in jurisdictions where GDPR sets a higher threshold). I do not knowingly collect personal information from children. If you believe a child has provided personal information through the App, please contact me immediately at caedvx@proton.me and I will promptly delete it.

11. Your Rights

All Users

• Access: request a copy of the personal data held about you.
• Deletion: request deletion of your personal data.
• Correction: request correction of inaccurate or incomplete data.
• Portability: request your data in a portable, machine-readable format (e.g., JSON or CSV).
• Withdraw consent: revoke location permissions at any time via your device Settings.

EEA / UK Residents (GDPR)

In addition to the rights above, you have the right to:

• Object to processing based on legitimate interests (Art. 21).
• Restrict processing of your data in certain circumstances (Art. 18).
• Lodge a complaint with your local data protection supervisory authority at any time.

California Residents (CCPA/CPRA)

• You have the right to know what personal information is collected, used, and shared.
• You have the right to request deletion of your personal information.
• You have the right to opt out of the sale or sharing of personal information — Hermes does not sell or share personal information.
• You have the right to non-discrimination for exercising your privacy rights.
• If you are under 16, your personal information will not be sold without affirmative authorisation.

To exercise any of these rights, contact me at caedvx@proton.me. I will respond to verified requests within 30 days. If additional time is needed (up to 60 additional days), I will notify you of the extension and the reason.

12. International Data Transfers

If you access Hermes from outside the United States, your data may be transferred to and processed in the United States or other countries where Supabase and its infrastructure providers operate. These transfers are safeguarded by Standard Contractual Clauses or equivalent mechanisms recognised under applicable data protection law.

13. Do Not Track

Hermes is a mobile application and does not respond to browser Do Not Track (DNT) signals, as DNT is a browser-based mechanism not applicable to native mobile apps. Hermes does not engage in cross-site or cross-app tracking regardless.

14. Open Source and AGPL-3.0 Disclosure

Hermes is free and open-source software, released under the GNU Affero General Public License v3.0. The complete source code is available at github.com/CAEDVX/hermes.

This Privacy Policy applies exclusively to official builds distributed by the project maintainer. If you fork, modify, or self-host Hermes — as the AGPL-3.0 license permits — your deployment constitutes a separate service. You become the data controller for any data processed by your instance and are solely responsible for your own privacy practices and compliance with applicable law. The AGPL-3.0 license requires that modified versions of Hermes that are made available over a network also make their source code available.

15. Changes to This Privacy Policy

This policy may be updated from time to time. Material changes will be communicated by:

• Updating the "Effective" and "Last Updated" dates at the top of this page.
• Posting a notice within the App for changes that materially affect how your data is processed.
• Where required by law, obtaining your renewed consent before applying changes to the processing of your data.

Continued use of the App after the updated policy takes effect constitutes acceptance of the changes. If you do not agree with any update, you may stop using the App and request deletion of your data.

16. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:

• Email: caedvx@proton.me
• GitHub: github.com/CAEDVX/hermes

Hermes is an independent open-source project licensed under AGPL-3.0. This Privacy Policy was last updated on May 18, 2026.