Policies
Transparency and trust are at the core of Herm.io. Below you'll find all our legal and compliance policies. Last updated: March 24, 2026.
Privacy Policy
Effective date: March 24, 2026 · Last updated: March 24, 2026
1. Introduction
This Privacy Policy explains how Hermio LTD ("Herm," "we," "us," or "our") collects, uses, stores, and protects your personal data when you use our mobile app, web application, Chrome browser extension, email connection features, and the herm.io website.
We believe in transparency. This policy is written in plain language so you can understand exactly what data we collect, why we collect it, and what control you have over it.
By using any of our services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis, we will ask for it explicitly — and you can withdraw it at any time.
This policy applies to all Herm product surfaces: the iOS and Android mobile apps, the web application, the Chrome browser extension, the Gmail connection and MBOX upload features, and the public website at herm.io.
This Privacy Policy is part of a broader set of policies that govern your use of Herm. Please also review our Terms of Service, Cookie Policy, Acceptable Use Policy, GDPR Compliance Policy, CCPA Compliance Notice, and KVKK Compliance Notice.
2. Who We Are
Hermio LTD is a company incorporated in England and Wales, United Kingdom.
- Companies House registration: 16805736
- Registered address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- Website: https://www.herm.io
- Data Protection Officer (DPO): Mert Can Elkaya — mert@herm.io
Hermio LTD is the data controller for all personal data processed through our services.
3. What Herm Does
Herm is a personalized shopping offers platform. We use AI matching to connect you with relevant deals from brands based on your profile, interests, location, and shopping preferences.
Here is how it works:
- You sign up with an email and password (or via Google or Apple Sign-In) and verify your email address.
- You see a curated dashboard of AI-matched offers from brands.
- You can optionally complete your profile (name, birthday, location, interests, social media links) to improve how well offers match your preferences.
- You redeem offers by clicking through to the brand's own website — no transaction happens within Herm.
- You can follow brands to prioritize their offers, and refer friends via our referral system.
Important: Herm does not process any payments. There are no subscriptions, in-app purchases, or payment processing of any kind. All offers are free to claim. When you redeem an offer, you are redirected to the brand's external website, where any transaction happens entirely between you and that brand.
4. Eligibility
You must be at least 18 years old to use Herm. The app enforces a minimum age check during registration: you must be at least 18 years of age at the time you create your account. Users who do not meet this requirement cannot register.
Herm is available globally, with initial target markets in the United Kingdom, the Netherlands, Turkey, and the United States. The platform is available in English, Turkish, and Dutch.
5. Data We Collect
5.1 Data You Provide Directly
When you create an account and use Herm, you may provide the following:
| Data | Required? | Purpose |
|---|---|---|
| Email address | Yes (at signup) | Account creation, authentication, transactional emails, and marketing emails (with your consent) |
| Password | Yes (at signup) | Authentication — stored as a cryptographic hash, never in plaintext |
| First name | Optional | Personalization and display within the app |
| Last name | Optional | Personalization |
| Date of birth | Optional | Age verification (18+) and age-appropriate offer matching. Once set, this cannot be changed. |
| Country | Optional | Location-based offer matching |
| City | Optional | Location-based offer matching |
| Interest categories | Optional | Offer personalization and AI matching |
| Social media profile links | Optional | Instagram, Twitter/X, TikTok, LinkedIn, YouTube, Facebook, Threads, Twitch, Discord, GitHub, and personal website — used for exclusive creator and influencer offers |
| Referral invitations | Optional | Email addresses of friends you invite, used solely to send the invitation |
5.2 Data Collected by the Chrome Extension
If you install the Herm Chrome Extension and grant permission, the extension captures structured order data from supported e-commerce sites. For full details on how consent and data capture work, see Section 8.
The following data fields are captured from each approved order page:
| Data | Purpose |
|---|---|
| Order numbers | Purchase history tracking and deduplication |
| Order dates | Purchase timeline and offer relevance |
| Order total amounts | Spending pattern analysis for offer matching |
| Currency codes | Regional offer matching |
| Order status text | Distinguishing completed from cancelled orders |
| Item names | Product interest profiling for offer matching |
| Item quantities | Purchase behavior analysis |
| Item prices (when available) | Spending pattern analysis |
| Product thumbnail URLs (when available) | Display in your purchase history |
| Retailer / site identifier | Source attribution |
| Source page URL | Identifies which order page was captured |
| Page type | Distinguishes order history from order confirmation captures |
| Processing confidence score | Data quality assessment (0.0–1.0) |
| Source hash | Deterministic deduplication key to prevent duplicate storage |
| Capture timestamp | Audit trail |
5.3 Data Extracted from Email Connections
If you choose to connect your Gmail account or upload an MBOX file, Herm extracts only structured transaction data from purchase-related emails. For full details, see Section 9.
| Data | Purpose |
|---|---|
| Retailer / store name | Source attribution for purchases |
| Items purchased | Product interest profiling |
| Purchase amounts | Spending pattern analysis |
| Coupon / discount codes used | Deal usage patterns |
| Order numbers | Deduplication with extension captures |
| Order / purchase dates | Purchase timeline |
Only the structured transaction data listed above is retained. Raw email content — including subject lines, body text, sender addresses, HTML, and attachments — is never stored. Emails are deleted immediately after transaction data extraction. MBOX files are deleted after processing.
5.4 Data Collected Automatically
When you use our services, we automatically collect certain technical and usage data:
| Data | Method | Purpose |
|---|---|---|
| Device information | Expo Device API | App diagnostics and crash reporting |
| App version and build number | Expo Application API | Debugging and version tracking |
| Language / locale | Expo Localization API | Content localization |
| IP address | Server logs | Security, fraud prevention, and approximate geolocation |
| App usage events | PostHog | Product analytics — screens viewed, buttons pressed, offers viewed and redeemed, onboarding progress |
| Crash reports and errors | Sentry | Bug fixing and app stability |
| Browser cookies (web app and website only) | Google Analytics, Facebook Pixel, PostHog, Ahrefs | Web analytics, marketing attribution, and SEO analysis |
5.5 Data We Do Not Collect
We want to be clear about what Herm does not collect:
- Precise GPS or device location — we do not request location permissions
- Contacts or address book
- Photos, camera, or microphone access
- Financial or payment information — no credit cards, bank accounts, or payment methods
- E-commerce login credentials — the Chrome Extension reads order pages you are already logged into; it never accesses, stores, or transmits your passwords
- Health data
- Biometric data
- Search queries on the herm.io website — our site search (Pagefind) runs entirely in your browser; no search queries are sent to any server
- General browsing history — the Chrome Extension only activates on specific supported e-commerce order pages
- Email content — subject lines, body text, sender addresses, and attachments are deleted immediately after transaction data extraction and are never stored
- Screenshots of order pages β the extension does not take or store screenshots
6. How We Use Your Data
We use your personal data for the following purposes:
- Providing the service: Creating and maintaining your account, authenticating you, and delivering the core Herm experience.
- Personalizing offers: Using your profile information, interests, location, and purchase history to match you with relevant brand offers through our AI matching system.
- Improving the product: Analyzing usage patterns (in aggregate and pseudonymized form) to improve app performance, fix bugs, and develop new features.
- Communicating with you: Sending transactional emails (account verification, password resets) and, with your consent, marketing emails about new offers and features.
- Security and fraud prevention: Monitoring for suspicious activity, enforcing rate limits, and maintaining the integrity of our platform.
- Legal compliance: Verifying your age, responding to legal requests, and complying with applicable laws and regulations.
7. Legal Bases for Processing (UK GDPR / EU GDPR)
Under the UK GDPR and EU GDPR, we rely on the following legal bases for processing your personal data:
| Processing Activity | Legal Basis | Notes |
|---|---|---|
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) | Necessary to provide the service |
| Offer personalization and AI matching | Legitimate interest (Art. 6(1)(f)) | Core product functionality; you can control this by editing your profile |
| Transactional emails (verification, password reset) | Performance of contract (Art. 6(1)(b)) | Necessary for account security |
| Marketing emails (new offers, newsletters) | Consent (Art. 6(1)(a)) | Opt-in required; you can unsubscribe at any time |
| Push notifications | Consent (Art. 6(1)(a)) | Device-level permission required |
| Chrome Extension — purchase data capture | Consent (Art. 6(1)(a)) | Explicit per-page permission banner or opt-in auto-capture setting |
| Chrome Extension — scraper configuration delivery | Performance of contract (Art. 6(1)(b)) | Necessary for extension functionality |
| Gmail OAuth email access and transaction extraction | Consent (Art. 6(1)(a)) | You initiate the connection via Google's OAuth consent screen; you can disconnect at any time |
| MBOX file processing and transaction extraction | Consent (Art. 6(1)(a)) | You voluntarily upload the file; only transaction data is extracted; the file is deleted after processing |
| Purchase history — offer matching enrichment | Legitimate interest (Art. 6(1)(f)) | Data collected via extension or email improves offer relevance; you control your data sources |
| Analytics (PostHog, Google Analytics) | Legitimate interest (Art. 6(1)(f)) | Product improvement; data is anonymized or pseudonymized |
| Crash reporting (Sentry) | Legitimate interest (Art. 6(1)(f)) | App stability and bug fixing |
| Advertising cookies (Facebook Pixel) | Consent (Art. 6(1)(a)) | Web app only; cookie consent required |
| Age verification | Legal obligation (Art. 6(1)(c)) | Compliance with platform policies and local laws |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) | IP logging, rate limiting, JWT validation |
| Referral system | Consent (Art. 6(1)(a)) | You voluntarily provide a friend's email address |
Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interest at any time by contacting privacy@herm.io.
For additional detail on our GDPR compliance framework, including data breach notification procedures and Data Protection Impact Assessments, see our GDPR Compliance Policy.
8. Chrome Extension — Data Collection & Consent
The Herm Chrome Extension helps you track your e-commerce purchase history by capturing order data from supported Turkish retail sites (including Trendyol, Hepsiburada, Amazon TR, N11, and others). This data enriches your profile and improves how well offers match your preferences.
How the Extension Works
- You install the extension from the Chrome Web Store and log in with your existing Herm account.
- When you visit a supported e-commerce site's order history page or complete a purchase (order confirmation page), the extension detects it using URL pattern matching against a server-provided configuration.
- Before any data is captured, the extension displays a permission banner asking you to approve data capture for that page. You must click "Allow" to proceed. No data is captured without your approval.
- You can optionally enable "auto-capture" in the extension settings, which grants standing permission for all future captures on supported sites. This is opt-in, disabled by default, and you can revoke it at any time.
- Once approved, the extension reads the order page's structure (DOM) to extract structured order data: order numbers, dates, totals, item names, quantities, and product thumbnail URLs.
- The captured data is sent to Herm's backend over HTTPS, validated, and queued for processing.
- The extension fetches its scraper configuration from Herm's backend, which allows new sites to be supported without requiring an extension update.
What the Extension Does Not Do
- It does not run in the background or monitor your general browsing activity β it only activates on specific e-commerce order pages that match supported URL patterns.
- It does not capture login credentials, payment information, or credit card numbers.
- It does not access your browser history, bookmarks, or data from non-supported sites.
- It does not capture any data without your explicit permission (per-page approval or opt-in auto-capture).
- It does not take or store screenshots of order pages.
How to Withdraw Consent
You can withdraw your consent for Chrome Extension data capture at any time by:
- Disabling auto-capture in the extension settings (if you previously enabled it).
- Declining individual capture requests by dismissing the permission banner.
- Uninstalling the extension entirely.
Withdrawing consent does not affect the lawfulness of data captured before you withdrew consent.
9. Email Features — Gmail Connection & MBOX Upload
Herm offers two optional email-based features that allow us to extract purchase-related transaction data to improve your offer matching.
Gmail Connection
- You initiate the Gmail connection through the Herm app via Google OAuth 2.0.
- You are redirected to Google's consent screen, where you explicitly grant Herm read-only access to your Gmail.
- Herm's backend receives an OAuth token (encrypted at rest using AWS KMS with automatic key rotation) and uses it to fetch only purchase-related emails — order confirmations, shipping notifications, and receipts.
- From each matching email, Herm extracts only structured transaction data: retailer name, items purchased, amounts, coupon codes used, order numbers, and dates.
- The email itself is immediately deleted after extraction. Herm never stores email content, subject lines, sender addresses, or any part of the raw email. Only the structured transaction data is retained.
- You can disconnect your Gmail at any time in the app settings, which immediately revokes the OAuth token and stops all email access.
MBOX File Upload
- You export your email archive as an MBOX file from your email provider.
- You upload the MBOX file through the Herm app.
- The file is uploaded to secure cloud storage (AWS S3, encrypted) and processed to extract purchase-related transaction data.
- After processing, the raw MBOX file is permanently deleted. Only the extracted transaction data is retained — no email content, subject lines, or sender information is stored.
Privacy Safeguards for Email Features
- Herm only processes emails that match purchase-related patterns (order confirmations, shipping notifications, receipts). Personal emails, conversations, and non-purchase content are never read or stored.
- From matching emails, only structured transaction data is extracted. The email itself — including subject line, body text, sender address, and any other content — is deleted immediately after extraction.
- Gmail OAuth tokens are encrypted at rest using AWS KMS (Key Management Service) with automatic key rotation.
- You can disconnect email access at any time, which revokes the OAuth token immediately.
How to Withdraw Consent
- Gmail: Disconnect your Gmail in the Herm app settings. The OAuth token is revoked immediately and all email access stops.
- MBOX: Since MBOX is a one-time upload, the raw file is deleted automatically after processing. To delete the extracted transaction data, you can delete your account or contact privacy@herm.io.
10. The Herm.io Website
Herm operates a public website at herm.io featuring a brand directory (browsable by category, letter, and search), a blog, and shopping tips content.
The website is a static site built with Astro and served via AWS S3 and Cloudflare CDN. It supports three languages: English, Turkish, and Dutch.
The website does not require you to log in and does not collect any user-submitted data. It uses only analytics cookies, which are covered in our Cookie Policy.
Client-side search on the website is powered by Pagefind, which runs entirely in your browser. No search queries are sent to any server.
11. Offer Redemption & Brands
When you redeem an offer on Herm, you are redirected to the brand's own external website. The transaction (if any) happens entirely between you and that brand, governed by the brand's own terms and privacy policy.
Herm does not share any of your data with brands. This includes:
- No personal information (name, email, profile details)
- No anonymized or pseudonymized user identifiers
- No purchase history data (whether collected via the Chrome Extension, Gmail, or MBOX upload)
- No browsing or usage data
Brands have zero visibility into who claims their offers through Herm. Your purchase history data is used solely to improve your offer matching within Herm. It is never shared with, sold to, or made visible to any brand, advertiser, or third party.
12. Data Sharing & Third-Party Services
We do not sell your personal data. We do not share your personal data with brands or advertisers. We work with a limited number of third-party service providers ("sub-processors") that process data on our behalf, strictly for the purposes described below:
| Service | Provider | Purpose | Data Processed | Server Location |
|---|---|---|---|---|
| AWS (EC2, RDS, SES) | Amazon Web Services | Backend hosting, database, transactional email delivery | All user data | EU-Central-1 (Frankfurt, Germany) |
| AWS SQS | Amazon Web Services | Message queuing for asynchronous processing (extension captures, email sync, MBOX processing) | Purchase data payloads (encrypted in transit) | EU-Central-1 (Frankfurt, Germany) |
| AWS KMS | Amazon Web Services | Encryption key management for OAuth token storage | Encryption keys (not user data directly) | EU-Central-1 (Frankfurt, Germany) |
| AWS S3 | Amazon Web Services | Temporary storage for MBOX uploads; static website hosting | MBOX files (deleted after processing), static website assets | EU-Central-1 (Frankfurt, Germany) |
| PostHog | PostHog Inc. | Product analytics and event tracking | Usage events, device info, user ID | EU (Frankfurt, Germany) |
| Sentry | Functional Software Inc. | Crash reporting and error tracking | Error logs, device info, user ID | EU (Frankfurt, Germany) |
| Google Analytics / GA4 | Google LLC | Web app and website analytics | Browsing behavior, IP (anonymized), cookies | US (with EU data processing) |
| Facebook / Meta Pixel | Meta Platforms Inc. | Web app marketing attribution | Page views, conversion events, cookies | US (with EU data processing) |
| Ahrefs | Ahrefs Pte. Ltd. | SEO tracking | Web browsing behavior | Singapore / EU |
| Google OAuth (Gmail API) | Google LLC | Gmail read-only access for purchase email extraction | OAuth tokens, purchase email content (deleted after extraction) | US (with EU data processing) |
| Postmark (planned) | Wildbit LLC / ActiveCampaign | Marketing email delivery | Email addresses, email content | US |
| Apple Sign-In | Apple Inc. | Social authentication | Email (may be relay), name | US |
| Google Sign-In | Google LLC | Social authentication | Email, name, profile photo | US |
| Expo / EAS | Expo Inc. | App builds and over-the-air updates | App binary and source maps | US |
| Cloudflare | Cloudflare Inc. | CDN, caching, and DDoS protection for herm.io | IP addresses, request metadata | Global (edge network) |
| Pagefind | Embedded (client-side) | In-browser search for herm.io | None — runs entirely in your browser | N/A (client-side only) |
All sub-processors are bound by data processing agreements that require them to protect your data in accordance with applicable privacy laws.
13. International Data Transfers
Hermio LTD is based in the United Kingdom. Our primary data storage is in AWS EU-Central-1 (Frankfurt, Germany).
Some of our sub-processors are based outside the UK and EEA, which means your data may be transferred internationally. We ensure all such transfers are protected by appropriate safeguards:
| Service | Transfer Destination | Safeguard |
|---|---|---|
| Google Analytics, Facebook Pixel | United States | EU-US Data Privacy Framework / UK Extension |
| Google OAuth (Gmail API) | United States | OAuth tokens stored encrypted in EU; API calls to Google in US |
| Postmark (planned) | United States | Standard Contractual Clauses / Data Privacy Framework |
| Apple Sign-In, Google Sign-In | United States | Minimal data (authentication tokens only) |
| Expo / EAS | United States | Build infrastructure only; no user data |
| Cloudflare | Global edge network | IP addresses pass through nearest edge; no user data stored persistently |
| Ahrefs | Singapore | Standard Contractual Clauses |
All international transfers rely on appropriate safeguards: UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses (SCCs), or adequacy decisions, as applicable.
14. Data Retention
We retain your data only for as long as necessary to provide our services and fulfill the purposes described in this policy.
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| User account and profile data | Until account deletion | User-initiated or policy violation |
| Purchase history (extension captures) | Until account deletion | User-initiated deletion |
| Purchase history (email-extracted transaction data) | Until account deletion | User-initiated deletion |
| Raw emails (Gmail sync) | Deleted immediately after transaction data extraction | Automatic — never stored |
| Raw MBOX files | Deleted after processing completes | Automatic — never retained |
| Gmail OAuth tokens | Until you disconnect or delete your account | User-initiated; token revoked immediately |
| Analytics data (PostHog, Sentry) | Per provider retention policies (12–24 months) | Automatic |
| Server logs (IP addresses) | 90 days | Automatic rotation |
| Referral invitation emails | 30 days after sent | Automatic |
When you delete your account, all your personal data — including profile data, purchase history (from both the extension and email features), Gmail OAuth tokens, and analytics identifiers — is permanently erased within 72 hours.
You can delete your account at any time through the app or by emailing privacy@herm.io. You can also use our dedicated data deletion request pages:
- English: herm.io/data-deletion-request/
- Turkish: herm.io/tr/veri-silme-talebi/
- Dutch: herm.io/nl/gegevens-verwijderen/
15. Data Security
We take the security of your data seriously and implement the following measures:
- Passwords are hashed using industry-standard algorithms and are never stored in plaintext.
- All API communication is encrypted in transit using HTTPS / TLS 1.2 or higher.
- Authentication tokens are stored in device-secure storage (iOS Keychain and Android Keystore). Access tokens are kept in memory only; refresh tokens are stored in encrypted secure storage with rotation.
- Rate limiting is enforced on authentication endpoints to prevent brute-force attacks.
- JWT validation ensures the user ID in the token payload matches the token's subject claim.
- CORS protection is applied to all API endpoints.
- Data at rest is encrypted using AWS RDS encryption.
- Gmail OAuth tokens are encrypted at rest via AWS KMS with automatic key rotation.
- MBOX files are stored in encrypted S3 buckets and deleted after processing.
- Chrome Extension communicates exclusively over HTTPS. Scraper configurations require authentication and cannot be tampered with. The extension never accesses, stores, or transmits e-commerce login credentials.
- SQS messages are encrypted in transit.
No system is perfectly secure. If you discover a security vulnerability, please contact us at legal@herm.io.
16. Cookies & Tracking Technologies
Web App and Website
Our web application and the herm.io website use the following cookies and tracking technologies:
| Cookie / Tracker | Type | Purpose | Duration | Requires Consent? |
|---|---|---|---|---|
| Session / auth token | Strictly necessary | Keeping you logged in | Session / 30 days | No |
| CSRF token | Strictly necessary | Security | Session | No |
| Cloudflare (__cf_bm, cf_clearance) | Strictly necessary | Bot management and DDoS protection | 30 minutes / session | No |
| PostHog analytics | Performance / Analytics | Product analytics | 1 year | Yes |
| Google Analytics (_ga, _gid) | Performance / Analytics | Web traffic analysis | 2 years / 24 hours | Yes |
| Facebook Pixel (_fbp, _fbc) | Marketing / Advertising | Ad conversion tracking | 90 days | Yes |
| Ahrefs | Analytics | SEO analysis | Varies | Yes |
Non-essential cookies (analytics, marketing) are only set with your consent. You can manage your cookie preferences at any time through our cookie consent banner.
Mobile App
The mobile app does not use browser cookies. Analytics and crash reporting in the app are handled through PostHog and Sentry SDKs, as described in Section 5.4.
Chrome Extension
The Chrome Extension does not use cookies. It authenticates via a JWT stored in Chrome extension storage.
Pagefind (Website Search)
Pagefind, the search feature on herm.io, runs entirely in your browser and sets no cookies.
For full details on our cookie practices, see our Cookie Policy.
17. Your Rights
Depending on your location, you have the following rights regarding your personal data:
| Right | How to Exercise It | Response Time |
|---|---|---|
| Access your data | View your profile in the app, or email privacy@herm.io | 30 days |
| Rectify (correct) your data | Edit your profile in the app | Immediate |
| Delete your account and data | Delete your account in the app, use our data deletion request page, or email privacy@herm.io | Account deleted immediately; all data permanently erased within 72 hours |
| Data portability | Email privacy@herm.io | 30 days |
| Withdraw consent (marketing emails) | Unsubscribe link in emails or in-app settings | Immediate |
| Withdraw consent (Chrome Extension) | Disable auto-capture in extension settings, or uninstall the extension | Immediate |
| Withdraw consent (Gmail connection) | Disconnect Gmail in app settings | Immediate — OAuth token revoked |
| Object to processing | Email privacy@herm.io | 30 days |
| Restrict processing | Email privacy@herm.io | 30 days |
| Lodge a complaint | Contact your local supervisory authority (see below) | N/A |
Supervisory Authorities
If you believe we have not handled your data correctly, you have the right to lodge a complaint with a supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- Netherlands: Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
- Turkey: Personal Data Protection Authority (KVKK) — kvkk.gov.tr
The ICO is our lead supervisory authority.
18. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights.
Right to know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business purposes for which it is used, and the categories of third parties with whom it is shared.
Right to delete. You have the right to request that we delete your personal information, subject to certain exceptions.
Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights. We will not deny you our services, charge you different prices, or provide a different level of service because you exercised a privacy right.
No sale of personal information. Herm does not sell your personal information. We have never sold personal information and have no plans to do so.
No sharing for cross-context behavioral advertising. Herm does not share your personal information for cross-context behavioral advertising purposes.
To exercise your CCPA rights, contact us at privacy@herm.io. We will verify your identity before fulfilling your request.
For complete details, including CCPA data categories, authorized agent procedures, and verification processes, see our CCPA Compliance Notice.
19. Turkey Residents (KVKK)
If you reside in Turkey, your personal data is also protected under the Turkish Personal Data Protection Law No. 6698 (KVKK).
Under KVKK, you have the right to: learn whether your personal data is processed; request information about the purposes of processing and whether data is used in accordance with those purposes; know the third parties to whom your data is transferred; request rectification if your data is incomplete or inaccurate; request deletion or destruction of your data under the conditions set out in the law; object to automated processing that produces results against you; and claim compensation for damage caused by unlawful processing.
To exercise your KVKK rights, contact our Data Protection Officer at mert@herm.io or email privacy@herm.io. You may also file a complaint with the Personal Data Protection Authority (KVKK) at kvkk.gov.tr.
Our data deletion request page is also available in Turkish at herm.io/tr/veri-silme-talebi/.
For complete details, including Turkish-language data categories, transfer mechanisms under KVKK Article 9, and the full Article 11 rights table, see our KVKK Compliance Notice.
20. Children's Privacy
Herm is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. Our registration process enforces a minimum age check — you must be at least 18 years of age at the time of registration to create an account.
If we discover that we have collected personal data from a person under 18, we will delete that data promptly. If you believe a child under 18 has created a Herm account, please contact us at privacy@herm.io.
21. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or business practices. When we make material changes, we will notify you by email or through an in-app notification and update the "Last updated" date at the top of this page.
We encourage you to review this policy periodically. Your continued use of Herm after any changes constitutes your acknowledgment of the updated policy.
Previous versions of this policy are available upon request by emailing legal@herm.io.
22. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, you can reach us at:
General inquiries: contact@herm.io
Legal inquiries: legal@herm.io
Privacy inquiries: privacy@herm.io
Data Protection Officer: Mert Can Elkaya — mert@herm.io
Hermio LTD
71-75 Shelton Street, Covent Garden
London, United Kingdom, WC2H 9JQ
This policy and all other Herm policies are available at herm.io/policies/.
Terms of Service
Effective date: March 24, 2026 · Last updated: March 24, 2026
1. Introduction
These Terms of Service ("Terms") govern your access to and use of the services provided by Hermio LTD ("Herm," "we," "us," or "our"), including the Herm mobile app (iOS and Android), the Herm web application, the Herm Chrome Extension, the email connection and MBOX upload features, and the herm.io website (collectively, the "Service").
By creating an account, installing the Chrome Extension, or using any part of the Service, you agree to be bound by these Terms. If you do not agree to these Terms, do not use the Service.
These Terms should be read alongside our Privacy Policy, Cookie Policy, and Acceptable Use Policy, which are incorporated into these Terms by reference.
2. Eligibility
To use Herm, you must be at least 18 years of age at the time you create your account. Our registration process enforces a minimum age check. If you do not meet this requirement, you may not create an account or use the Service.
By creating an account, you represent and warrant that you are at least 18 years old and that you have the legal capacity to enter into these Terms.
Herm is available globally, with initial target markets in the United Kingdom, the Netherlands, Turkey, and the United States. The platform is available in English, Turkish, and Dutch. Availability of specific features may vary by region.
3. Account Registration
To access most features of the Service, you must create an account. When you register, you agree to the following:
Accurate information. You must provide accurate and complete information during registration and keep your account information up to date. You may not use a false identity or provide misleading information.
One account per person. You may only create and maintain one Herm account. Creating multiple accounts (including for the purpose of exploiting the referral system) is prohibited.
Account security. You are responsible for maintaining the confidentiality of your login credentials and for all activity that occurs under your account. You must notify us immediately at legal@herm.io if you suspect unauthorized access to your account.
Authentication methods. You may sign up using an email address and password, or through Google Sign-In or Apple Sign-In. If you use a third-party authentication provider, you authorize us to access the limited account information made available by that provider (such as your name and email address), as described in our Privacy Policy.
Account deletion. You may delete your account at any time through the app or by contacting privacy@herm.io. Upon deletion, your account is deactivated immediately and all personal data is permanently erased within 72 hours, as described in our Privacy Policy.
4. The Herm Platform
Herm is a personalized shopping offers platform. We use AI matching to connect you with relevant deals from brands based on your profile, interests, location, and shopping preferences.
How the platform works:
- After registration and email verification, you see a curated dashboard of AI-matched offers from brands.
- You can optionally complete your profile — including your name, birthday, location, interests, and social media links — to improve the quality of your offer matches.
- You can follow brands to prioritize their offers in your dashboard.
- You redeem offers by clicking through to the brand's own external website.
What Herm is not:
- Herm is not a retailer, marketplace, or e-commerce platform. We do not sell products or services.
- Herm does not process payments of any kind. There are no subscriptions, in-app purchases, or payment processing. All offers are free to claim.
- Herm is not a party to any transaction between you and a brand. When you redeem an offer and interact with a brand's website, that interaction is governed entirely by the brand's own terms and policies.
5. Offers & Brand Interactions
Nature of offers. Offers displayed on Herm are provided by third-party brands. Herm acts solely as a discovery and matching platform — we present offers that we believe are relevant to you, but we do not guarantee the accuracy, availability, quality, or terms of any offer.
Redeeming offers. When you redeem an offer, you are redirected to the brand's own external website. Any transaction that occurs after that redirect happens entirely between you and the brand. Herm has no involvement in, and accepts no responsibility for, the transaction.
Brand liability. Herm is not responsible for:
- The quality, safety, legality, or availability of any product or service offered by a brand
- The accuracy or completeness of any offer description, pricing, or terms
- Any dispute, claim, or complaint arising from your interaction with a brand
- Any changes to or withdrawal of offers by brands, with or without notice
No endorsement. The presence of a brand or offer on Herm does not constitute an endorsement, recommendation, or guarantee by Herm.
Your data is not shared with brands. Herm does not share any of your personal data with brands — not your name, email, profile details, purchase history, or even anonymized identifiers. Brands have zero visibility into who claims their offers through Herm.
6. Chrome Extension
The Herm Chrome Extension is an optional feature that captures purchase history data from supported e-commerce sites to improve your offer matching. By installing and using the extension, you agree to the following terms in addition to these general Terms.
6.1 Installation & Account Requirement
The extension is available through the Chrome Web Store and requires you to log in with your existing Herm account. The extension requires the Chrome browser permissions declared in its Chrome Web Store listing.
6.2 How Data Capture Works
The extension detects when you visit a supported e-commerce site's order history page or order confirmation page using URL pattern matching against a server-provided configuration. It reads the page structure (DOM) to extract structured order data: order numbers, dates, totals, item names, quantities, and product thumbnail URLs. Captured data is sent to Herm's backend over HTTPS.
6.3 Consent & Permission
Before any data is captured, the extension displays a permission banner asking you to approve data capture for that specific page. You must click "Allow" to proceed. No data is captured without your explicit approval.
You may optionally enable "auto-capture" in the extension settings, which grants standing permission for all future captures on supported sites. Auto-capture is opt-in, disabled by default, and you can revoke it at any time by disabling the setting.
6.4 Your Own Accounts Only
You must only use the extension with e-commerce accounts that belong to you. Capturing purchase data from someone else's account is strictly prohibited and may result in immediate account termination.
6.5 Remote Configuration Updates
Herm may update the extension's scraper configuration remotely to add support for new e-commerce sites or to fix broken data extraction patterns. The extension will automatically use updated configurations. These configuration updates do not change the extension's permissions or the data fields it captures — they only adjust which sites are supported and how data is extracted from those sites.
6.6 Limitations
Herm is not responsible for changes to third-party e-commerce sites that may cause data capture to fail, produce incomplete results, or extract inaccurate data. We make reasonable efforts to keep scraper configurations current, but we cannot guarantee uninterrupted or error-free data capture from any third-party site.
6.7 What the Extension Does Not Do
The extension does not monitor general browsing activity, capture login credentials or payment information, access browser history or bookmarks, capture data from non-supported sites, or take screenshots. For full details, see our Privacy Policy.
7. Email Features — Gmail Connection & MBOX Upload
Herm offers two optional email-based features that extract purchase-related transaction data to improve your offer matching. By using either feature, you agree to the following terms.
7.1 Gmail Connection
When you connect your Gmail account, you are redirected to Google's OAuth 2.0 consent screen, where you explicitly grant Herm read-only access to your Gmail. Herm uses this access to fetch purchase-related emails only (order confirmations, shipping notifications, receipts).
From each matching email, Herm extracts only structured transaction data: retailer name, items purchased, amounts, coupon codes used, order numbers, and dates. The raw email content is immediately deleted after extraction. Herm never stores email content, subject lines, sender addresses, or any part of the original email.
You may disconnect your Gmail at any time through the Herm app settings or through your Google account settings. Disconnecting immediately revokes the OAuth token and stops all email access.
7.2 MBOX Upload
You may upload an email archive file in MBOX format for processing. The file is uploaded to secure cloud storage, processed to extract purchase-related transaction data, and permanently deleted after processing. Only the extracted transaction data is retained.
MBOX files are user-provided and processed at your request. You are responsible for ensuring that you have the right to upload the file and that it contains data from your own email account. You must not upload files containing email data from accounts that do not belong to you.
Herm is not responsible for the contents of uploaded MBOX files or for any data quality issues resulting from the file's contents.
7.3 Your Own Email Only
You must only connect Gmail accounts or upload MBOX files that belong to you. Using email features with someone else's email data is strictly prohibited.
8. Herm.io Website
Herm operates a public website at herm.io featuring a brand directory, blog, and shopping tips. The website does not require registration or login and does not collect user-submitted data beyond analytics cookies, as described in our Cookie Policy.
The website content is provided for informational purposes. While we make reasonable efforts to keep the brand directory and content accurate, we do not guarantee completeness or timeliness. Client-side search on the website is powered by Pagefind, which runs entirely in your browser β no search queries are sent to any server.
9. Referral System
Herm offers a referral system that allows you to invite friends to join the platform. When using the referral system, you agree to the following:
Genuine invitations only. You may only send referral invitations to people you personally know who you reasonably believe would be interested in Herm. Mass messaging, spamming, or sending unsolicited invitations to people you do not know is prohibited.
No manipulation. You may not create multiple accounts, use fake email addresses, or otherwise manipulate the referral system. Self-referrals are prohibited.
Offer sharing. Brands may provide enhanced offers or benefits to users who share their offers with others. The availability, terms, and value of any such brand-provided benefits are determined solely by the brand and may change or be withdrawn at any time. Herm does not guarantee that any particular benefit will be available through the referral or offer-sharing mechanism.
Enforcement. Herm reserves the right to void referrals, revoke any associated benefits, and suspend or terminate accounts that abuse the referral system.
10. Acceptable Use
Your use of the Service is subject to our Acceptable Use Policy, which is incorporated into these Terms by reference. The Acceptable Use Policy sets out the specific rules and prohibited activities for using the Herm platform, Chrome Extension, and email features.
In general, you agree not to:
- Create fake accounts or impersonate others
- Use automated tools, bots, or scripts to access or interact with the Service (distinct from the extension's authorized data capture on your behalf)
- Attempt to access other users' data or accounts
- Use the Service for any illegal purpose
- Reverse engineer, decompile, or disassemble the Herm app, backend services, or Chrome Extension (except where permitted by applicable law)
- Circumvent or attempt to bypass age verification, consent mechanisms, or security measures
- Harass other users or brands
For the complete list of rules, including Chrome Extension and email feature-specific prohibitions, please review the full Acceptable Use Policy.
11. Intellectual Property
Herm's intellectual property. The Service — including the Herm app, web application, Chrome Extension, website, brand directory, AI matching algorithms, user interface, design, logos, trademarks, and all underlying software and content — is owned by Hermio LTD or its licensors. All rights are reserved. These Terms do not grant you any ownership interest in the Service.
Your license to use Herm. Subject to your compliance with these Terms, we grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Service for your personal, non-commercial purposes.
Your content. You retain ownership of any content you provide to the Service, such as your profile information and social media links. By providing this content, you grant Herm a non-exclusive, worldwide, royalty-free license to use, store, and process it solely for the purpose of providing and improving the Service. This license ends when you delete your account or remove the content.
Brand content. Brand names, logos, and offer descriptions displayed on Herm are the property of their respective owners. Their presence on the platform does not grant you any rights to use them beyond viewing and interacting with them through the Service.
Feedback. If you provide feedback, suggestions, or ideas about the Service, we may use them without obligation to you.
12. Privacy & Data
Your privacy is important to us. Our collection, use, and protection of your personal data is governed by our Privacy Policy, which is incorporated into these Terms by reference.
Key points:
- Herm does not share your data with brands.
- Herm does not sell your personal data.
- Herm does not process payments or collect financial information.
- You can delete your account and all associated data at any time.
For region-specific data protection information, please also review our GDPR Compliance Policy, CCPA Compliance Notice, and KVKK Compliance Notice.
13. Service Modifications & Availability
Modifications. Herm is an evolving product. We may modify, update, or discontinue any part of the Service — including specific features, the Chrome Extension, email connection features, or the herm.io website — at any time. For material changes that significantly affect your use of the Service (such as removing a major feature or changing how data is collected), we will provide you with at least 30 days' prior notice via email or in-app notification before the change takes effect.
Minor updates. Routine updates, bug fixes, performance improvements, and updates to the Chrome Extension's scraper configuration (adding new supported sites or fixing data extraction patterns) do not constitute material changes and may be made without prior notice.
Availability. We make reasonable efforts to keep the Service available and reliable, but we do not guarantee uninterrupted access. The Service may be temporarily unavailable due to maintenance, updates, technical issues, or circumstances beyond our control.
Third-party dependencies. Parts of the Service depend on third-party platforms and services (including the Chrome Web Store, Google OAuth, Apple Sign-In, and supported e-commerce sites). Changes to these third-party services may affect the availability or functionality of Herm features, and Herm is not responsible for such changes.
14. Disclaimer of Warranties
The Service is provided "as is" and "as available," without warranties of any kind, whether express, implied, or statutory.
To the maximum extent permitted by applicable law, Herm disclaims all warranties, including but not limited to implied warranties of merchantability, fitness for a particular purpose, non-infringement, and any warranties arising from course of dealing or usage of trade.
Without limiting the above, Herm does not warrant that:
- The Service will be uninterrupted, error-free, or secure
- Any offers, data, or content available through the Service will be accurate, complete, or current
- The Chrome Extension will successfully capture data from all supported sites at all times
- The email features will successfully extract transaction data from all purchase-related emails
- Any particular offer will be available, honored by the brand, or suitable for your needs
Nothing in these Terms excludes or limits any warranties that cannot be excluded or limited under applicable law, including consumer protection rights under UK, EU, or other applicable law.
15. Limitation of Liability
To the maximum extent permitted by applicable law:
Herm's total aggregate liability to you for all claims arising out of or relating to these Terms or the Service shall not exceed the greater of (a) the amount you have paid to Herm in the 12 months preceding the claim, or (b) £100 GBP. Since Herm is currently a free service with no payment processing, this effectively limits our liability to £100 GBP.
Herm shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenue, data, goodwill, or business opportunity, regardless of the cause of action or the theory of liability, even if Herm has been advised of the possibility of such damages.
Herm is not liable for any loss or damage arising from:
- Your interactions with or purchases from brands whose offers are displayed on Herm
- Changes to third-party e-commerce sites that affect the Chrome Extension's data capture
- The accuracy or completeness of data captured by the Chrome Extension or extracted from email features
- Your failure to maintain the security of your account credentials
- Any action taken by us in accordance with these Terms, including account suspension or termination
Nothing in these Terms excludes or limits liability for (a) death or personal injury caused by negligence, (b) fraud or fraudulent misrepresentation, or (c) any liability that cannot be excluded or limited under applicable law, including under the Consumer Rights Act 2015 (UK) or equivalent legislation.
16. Indemnification
You agree to indemnify, defend, and hold harmless Hermio LTD, its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of or in connection with:
- Your violation of these Terms or the Acceptable Use Policy
- Your use of the Chrome Extension with e-commerce accounts that do not belong to you
- Your upload of MBOX files or connection of Gmail accounts that do not belong to you
- Your misuse of the referral system
- Your interactions with brands, including any disputes arising from transactions with brands
This indemnification obligation does not apply to the extent that a claim arises from Herm's own negligence or willful misconduct, or where it would be unenforceable under applicable consumer protection law.
17. Account Suspension & Termination
By Herm
Herm may suspend or terminate your account if:
- You violate these Terms or the Acceptable Use Policy
- We reasonably believe your account is being used for fraudulent or illegal activity
- We are required to do so by law or by a court order
- Your account has been inactive for an extended period (we will notify you before taking action in this case)
For most violations, we will issue a warning before taking action. However, Herm reserves the right to take immediate action — including suspension or termination without prior warning — in cases of severe abuse, fraud, or activity that threatens the security or integrity of the platform or other users.
If your account is terminated, you will lose access to the Service and all associated data. Data deletion follows the timeline described in our Privacy Policy (within 72 hours).
By You
You may delete your account at any time through the app, via our data deletion request page, or by emailing privacy@herm.io. Account deletion takes effect immediately, and all your personal data is permanently erased within 72 hours.
Survival
The following sections survive termination of your account: Section 11 (Intellectual Property), Section 14 (Disclaimer of Warranties), Section 15 (Limitation of Liability), Section 16 (Indemnification), Section 18 (Dispute Resolution), and Section 19 (Governing Law & Jurisdiction).
18. Dispute Resolution
We want to resolve disputes fairly and efficiently. If a dispute arises between you and Herm in connection with these Terms or the Service, the following process applies.
18.1 Informal Resolution
Before initiating any formal proceedings, both parties agree to attempt to resolve the dispute informally. Either party may start this process by sending a written notice describing the dispute to the other party (you to legal@herm.io; Herm to the email address on your account).
Both parties will engage in good-faith negotiations for a period of 30 days from the date of the notice. During this period, neither party shall commence formal arbitration or court proceedings (except for applications for urgent injunctive relief).
18.2 Arbitration
If the dispute is not resolved through informal negotiation within the 30-day period, either party may refer the dispute to binding arbitration administered under the rules of the London Court of International Arbitration (LCIA).
- Seat of arbitration: London, England
- Language: English
- Number of arbitrators: One, appointed in accordance with LCIA rules
- Governing law of the arbitration agreement: The laws of England and Wales
The arbitrator's decision shall be final and binding on both parties. Judgment on the award may be entered in any court of competent jurisdiction.
18.3 Exceptions
The following are not subject to the arbitration requirement:
- Claims for injunctive or other equitable relief to prevent or stop unauthorized use of the Service or infringement of intellectual property rights
- Small claims that fall within the jurisdiction of a small claims court or equivalent tribunal
- Any dispute where mandatory consumer protection laws in your jurisdiction require access to a court or prohibit mandatory arbitration
18.4 Class Action Waiver
To the extent permitted by applicable law, you agree that any dispute resolution proceedings will be conducted on an individual basis only, and not as part of a class, consolidated, or representative action. If this waiver is found to be unenforceable in your jurisdiction, it shall not apply to you.
19. Governing Law & Jurisdiction
These Terms and any dispute arising out of or in connection with them shall be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of law principles.
Subject to the dispute resolution process in Section 18, the courts of England and Wales shall have exclusive jurisdiction over any proceedings arising out of or in connection with these Terms.
Consumer rights. If you are a consumer, nothing in these Terms affects your statutory rights under the consumer protection laws of your country of residence. If there is a conflict between these Terms and mandatory consumer protection laws that apply to you, the consumer protection laws shall prevail.
20. General Provisions
Entire agreement. These Terms, together with the Privacy Policy, Cookie Policy, and Acceptable Use Policy, constitute the entire agreement between you and Herm regarding the Service and supersede all prior agreements and understandings.
Severability. If any provision of these Terms is found to be invalid or unenforceable by a court of competent jurisdiction, that provision shall be enforced to the maximum extent permissible, and the remaining provisions shall remain in full force and effect.
Waiver. The failure of Herm to enforce any right or provision of these Terms shall not constitute a waiver of that right or provision. A waiver of any term shall only be effective if in writing and signed by Herm.
Assignment. You may not assign or transfer these Terms or your rights under them without our prior written consent. Herm may assign these Terms in connection with a merger, acquisition, reorganization, or sale of all or substantially all of its assets, provided the assignee agrees to honor these Terms.
Force majeure. Herm shall not be liable for any failure or delay in performing its obligations under these Terms where such failure or delay results from circumstances beyond its reasonable control, including natural disasters, pandemic, war, terrorism, government actions, power failures, internet disruptions, or failures of third-party services.
No third-party beneficiaries. These Terms do not create any third-party beneficiary rights. Brands whose offers are displayed on Herm are not parties to these Terms and have no rights under them.
Notices. Notices to you will be sent to the email address on your account or displayed within the app. Notices to Herm should be sent to legal@herm.io or by post to our registered address.
21. Changes to These Terms
We may update these Terms from time to time to reflect changes in our services, legal requirements, or business practices. When we make material changes, we will notify you at least 30 days before the changes take effect, by email or through an in-app notification.
If you continue to use the Service after the updated Terms take effect, you agree to the revised Terms. If you do not agree to the changes, you may delete your account before the changes take effect.
We will update the "Last updated" date at the top of this page whenever we revise these Terms. Previous versions are available upon request by emailing legal@herm.io.
22. Contact Us
If you have any questions about these Terms, you can reach us at:
- General inquiries: contact@herm.io
- Legal inquiries: legal@herm.io
- Privacy inquiries: privacy@herm.io

Hermio LTD
71-75 Shelton Street, Covent Garden
London, United Kingdom, WC2H 9JQ
All Herm policies are available at herm.io/policies/.
GDPR Compliance
Effective date: March 24, 2026 · Last updated: March 24, 2026
1. Introduction
Hermio LTD ("Herm," "we," "us," or "our") is committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (UK), and the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679).
This GDPR Compliance Policy describes how we fulfill our obligations as a data controller under these regulations. It covers all personal data processed across our services: the Herm mobile app (iOS and Android), the Herm web application, the Herm Chrome Extension, the email connection and MBOX upload features, and the herm.io website.
This policy should be read alongside our Privacy Policy, which provides full details on the data we collect, how we use it, and your choices. This GDPR Compliance Policy focuses specifically on our legal framework, compliance mechanisms, and your rights under GDPR.
2. Data Controller
- Controller: Hermio LTD
- Companies House registration: 16805736
- Registered address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- Data Protection Officer (DPO): Mert Can Elkaya
- DPO email: mert@herm.io
Our DPO is responsible for overseeing our data protection strategy and ensuring compliance with GDPR. You may contact the DPO directly with any questions or concerns about how we handle personal data.
3. Scope
This policy applies to the processing of personal data of individuals located in the United Kingdom and the European Economic Area (EEA), in connection with Herm's services:
- Mobile App & Web App — personalized shopping offers matched via AI. Users redeem offers by clicking through to brand websites. No payments are processed within Herm.
- Chrome Extension — captures purchase history from supported Turkish e-commerce sites (Trendyol, Hepsiburada, Amazon TR, N11) with explicit user consent. Enriches the user's profile for better offer matching.
- Email Connection & MBOX Upload — optional Gmail OAuth (read-only) or MBOX file upload to extract purchase transaction data. Raw email content is deleted immediately after extraction and never stored. MBOX files are deleted after processing.
- herm.io Website — public brand directory, blog, and shopping tips. Static site, no login required.
Key principles: Herm does not share any user data with brands. Herm does not process payments. Purchase history collected via the extension or email features is used solely within Herm for offer matching.
4. Data Protection Principles
We process personal data in accordance with the core principles of UK GDPR and EU GDPR (Article 5):
Lawfulness, fairness, and transparency. We process personal data only where we have a valid legal basis, and we are open about what data we collect and why. Our Privacy Policy explains this in plain language.
Purpose limitation. We collect personal data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes. Purchase history is used for offer matching — not shared with brands or sold to third parties.
Data minimisation. We collect only the data we need. Most profile fields are optional. From email features, we extract only structured transaction data and immediately delete the raw email content. The Chrome Extension captures only order-related data from supported pages.
Accuracy. We provide in-app tools so you can review and update your profile information at any time. You can also request corrections by contacting us.
Storage limitation. We retain data only for as long as necessary. When you delete your account, all personal data is permanently erased within 72 hours. Raw emails and MBOX files are never retained beyond processing.
Integrity and confidentiality. We implement appropriate technical and organisational measures to protect personal data, including encryption at rest and in transit, secure authentication, and access controls. See Section 11.
Accountability. We maintain records of our processing activities, conduct Data Protection Impact Assessments where required, and appoint a Data Protection Officer to oversee compliance.
5. Legal Bases for Processing
Under UK GDPR and EU GDPR Article 6, we process personal data only where we have a valid legal basis. The table below maps each processing activity to its legal basis.
| Processing Activity | Legal Basis | Notes |
|---|---|---|
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) | Necessary to provide the service |
| Offer personalization and AI matching | Legitimate interest (Art. 6(1)(f)) | Core product functionality; users can control this by editing their profile |
| Transactional emails (verification, password reset) | Performance of contract (Art. 6(1)(b)) | Necessary for account security |
| Marketing emails (new offers, newsletters) | Consent (Art. 6(1)(a)) | Opt-in required; users can unsubscribe at any time |
| Push notifications | Consent (Art. 6(1)(a)) | Device-level permission required |
| Chrome Extension β purchase data capture | Consent (Art. 6(1)(a)) | Per-page permission banner or opt-in auto-capture; voluntary installation |
| Chrome Extension β scraper configuration delivery | Performance of contract (Art. 6(1)(b)) | Necessary for extension functionality |
| Gmail OAuth β email access and transaction extraction | Consent (Art. 6(1)(a)) | User initiates via Google OAuth consent screen; can disconnect at any time |
| MBOX file processing and transaction extraction | Consent (Art. 6(1)(a)) | User voluntarily uploads; transaction data extracted; file deleted after processing |
| Purchase history: offer matching enrichment | Legitimate interest (Art. 6(1)(f)) | Improves offer relevance; users control which data sources are connected |
| Analytics (PostHog, Google Analytics) | Legitimate interest (Art. 6(1)(f)) | Product improvement; data is anonymized or pseudonymized |
| Crash reporting (Sentry) | Legitimate interest (Art. 6(1)(f)) | App stability and bug fixing |
| Advertising cookies (Facebook Pixel) | Consent (Art. 6(1)(a)) | Web properties only; cookie consent banner required |
| Age verification | Legal obligation (Art. 6(1)(c)) | Compliance with local laws and platform policies |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) | IP logging, rate limiting, JWT validation |
| Referral system | Consent (Art. 6(1)(a)) | User voluntarily provides a friend's email address |
Legitimate Interest Assessments
Where we rely on legitimate interest (Art. 6(1)(f)), we have conducted balancing assessments to ensure that our interests do not override the rights and freedoms of data subjects. Key considerations include:
- Offer personalization: This is the core value proposition of the Service. Users retain full control; all enrichment data (profile, extension captures, email-extracted data) is optional and can be removed at any time.
- Analytics: We use anonymized and pseudonymized data for product improvement. Users can opt out of analytics cookies via the cookie consent banner.
- Security: IP logging, rate limiting, and fraud prevention are essential to protect both Herm and our users from abuse.
You have the right to object to processing based on legitimate interest at any time. See Section 9.
6. Categories of Personal Data
Data provided directly by the user
Email address, password (stored as a cryptographic hash), first name, last name, date of birth, country, city, interest categories, social media profile links, referral invitations, Gmail OAuth connection (optional), and MBOX file upload (optional).
Data collected by the Chrome Extension (with consent)
Order numbers, order dates, order totals, currency codes, order status, item names, item quantities, item prices, product thumbnail URLs, retailer identifier, source page URL, page type, processing confidence score, source hash, and capture timestamp.
Data extracted from email features (with consent)
Retailer name, items purchased, purchase amounts, coupon/discount codes used, order numbers, and order dates. Raw email content is deleted immediately after extraction and never stored. Only the structured transaction data listed above is retained.
Data collected automatically
Device information, app version and build number, language/locale, IP address, app usage events (PostHog), crash reports and errors (Sentry), and browser cookies on web properties only (Google Analytics, Facebook Pixel, Ahrefs).
For the complete data inventory, including data we do not collect, see our Privacy Policy.
7. Sub-Processors
We use the following third-party sub-processors to deliver our services. All sub-processors are bound by data processing agreements that require them to process personal data only on our instructions and in compliance with applicable data protection law.
| Service | Provider | Data Processed | Server Location |
|---|---|---|---|
| AWS (EC2, RDS, SES, SQS, KMS, S3) | Amazon Web Services | All user data, message queuing, encryption keys, MBOX files (temporary) | EU-Central-1 (Frankfurt, Germany) |
| PostHog | PostHog Inc. | Usage events, device info | EU (Frankfurt, Germany) |
| Sentry | Functional Software Inc. | Error logs, device info | EU (Frankfurt, Germany) |
| Google Analytics / GA4 | Google LLC | Browsing behavior, cookies | US (with EU data processing) |
| Facebook / Meta Pixel | Meta Platforms Inc. | Page views, conversion events, cookies | US (with EU data processing) |
| Ahrefs | Ahrefs Pte. Ltd. | Web browsing behavior | Singapore / EU |
| Google OAuth (Gmail API) | Google LLC | OAuth tokens, purchase emails (deleted after extraction) | US (with EU data processing) |
| Postmark (planned) | Wildbit LLC / ActiveCampaign | Email addresses, email content | US |
| Apple Sign-In | Apple Inc. | Email (may be relay), name | US |
| Google Sign-In | Google LLC | Email, name, profile photo | US |
| Expo / EAS | Expo Inc. | App binary, source maps | US |
| Cloudflare | Cloudflare Inc. | IP addresses, request metadata | Global (edge network) |
We maintain an up-to-date register of sub-processors. If we add new sub-processors that handle personal data, we will update this policy and, where the change is material, notify users in advance.
8. International Data Transfers
Our primary data storage is in AWS EU-Central-1 (Frankfurt, Germany), within the EEA.
Some sub-processors are based outside the UK and EEA, requiring international data transfers. We ensure all such transfers are protected by appropriate safeguards as required by UK GDPR Chapter V and EU GDPR Chapter V:
| Service | Transfer Destination | Safeguard |
|---|---|---|
| Google (Analytics, OAuth, Sign-In), Meta (Pixel) | United States | EU-US Data Privacy Framework / UK Extension |
| Postmark (planned) | United States | Standard Contractual Clauses (SCCs) / Data Privacy Framework |
| Apple Sign-In | United States | Minimal data (authentication tokens only); SCCs |
| Expo / EAS | United States | Build infrastructure only; no user data processed |
| Cloudflare | Global edge network | IP addresses pass through nearest edge; no persistent user data storage |
| Ahrefs | Singapore | Standard Contractual Clauses (SCCs) |
Transfer mechanisms we use:
- UK International Data Transfer Agreement (IDTA): for transfers from the UK to countries without an adequacy decision.
- EU Standard Contractual Clauses (SCCs): for transfers from the EEA to countries without an adequacy decision.
- Adequacy decisions: where the European Commission or UK government has determined that a country provides an adequate level of data protection.
- EU-US Data Privacy Framework (DPF) / UK Extension: for transfers to US entities certified under the DPF.
We regularly review our international transfer mechanisms to ensure they remain valid and appropriate.
9. Data Subject Rights
If you are located in the UK or EEA, you have the following rights under UK GDPR / EU GDPR. We are committed to facilitating these rights in a timely and transparent manner.
| Right | How to Exercise | Response Time |
|---|---|---|
| Right of access (Art. 15) | View your data in the app or email privacy@herm.io | 30 days |
| Right to rectification (Art. 16) | Edit your profile in the app, or email privacy@herm.io | Immediate (in-app) or 30 days (email) |
| Right to erasure (Art. 17) | Delete your account in the app, use a data deletion request page, or email privacy@herm.io | Account deactivated immediately; all data permanently erased within 72 hours |
| Right to data portability (Art. 20) | Email privacy@herm.io | 30 days |
| Right to withdraw consent: marketing | Unsubscribe link in emails or in-app settings | Immediate |
| Right to withdraw consent: Chrome Extension | Disable auto-capture in extension settings, or uninstall the extension | Immediate |
| Right to withdraw consent: Gmail | Disconnect Gmail in app settings | Immediate; OAuth token revoked |
| Right to object (Art. 21) | Email privacy@herm.io | 30 days |
| Right to restrict processing (Art. 18) | Email privacy@herm.io | 30 days |
| Right to lodge a complaint | Contact your local supervisory authority (see Section 15) | N/A |
Self-Service Data Deletion
We provide dedicated data deletion request pages for self-service account and data deletion:
- English: herm.io/data-deletion-request/
- Turkish: herm.io/tr/veri-silme-talebi/
- Dutch: herm.io/nl/gegevens-verwijderen/
How We Handle Requests
When you submit a data subject request, we will verify your identity by matching the request to the email address on your account. For requests submitted via email, we may ask for additional verification for sensitive requests (such as access to data or data portability).
We respond to all valid requests within 30 days. If a request is particularly complex, we may extend this by up to two additional months, and we will inform you of the reason for the delay within the initial 30-day period.
We will not charge a fee for handling your request, unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request, providing you with an explanation.
Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
| Data Type | Retention Period | Notes |
|---|---|---|
| Account and profile data | Until account deletion | Permanently erased within 72 hours of deletion request |
| Purchase history (Chrome Extension) | Until account deletion | Permanently erased within 72 hours |
| Purchase history (email-extracted) | Until account deletion | Permanently erased within 72 hours |
| Raw emails (Gmail sync) | Deleted immediately after transaction data extraction | Never stored; only structured transaction data is retained |
| Raw MBOX files | Deleted after processing completes | Never retained |
| Gmail OAuth tokens | Until user disconnects or deletes account | Token revoked immediately upon disconnect |
| Analytics data (PostHog, Sentry) | Per provider retention policies (12-24 months) | Automatic |
| Server logs (IP addresses) | 90 days | Automatic rotation |
When you delete your account, we permanently erase all personal data within 72 hours, including profile data, purchase history from all sources, Gmail OAuth tokens, and analytics identifiers. This process is irreversible.
11. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, as required by UK GDPR Article 32:
Technical measures:
- All passwords are hashed using industry-standard algorithms and never stored in plaintext.
- All API communication is encrypted in transit using HTTPS / TLS 1.2 or higher.
- Data is encrypted at rest using AWS RDS encryption.
- Gmail OAuth tokens are encrypted at rest via AWS KMS with automatic key rotation.
- MBOX files are stored in encrypted S3 buckets and permanently deleted after processing.
- Authentication tokens are stored in device-secure storage (iOS Keychain, Android Keystore). Access tokens are kept in memory only; refresh tokens are stored in encrypted secure storage with rotation.
- JWT-based authentication with user_id validation ensures payload integrity.
- CORS protection is enforced on all API endpoints.
- SQS messages are encrypted in transit.
- The Chrome Extension communicates exclusively over HTTPS. Scraper configurations require authentication and cannot be tampered with. The extension never accesses, stores, or transmits e-commerce login credentials.
Organisational measures:
- Access to personal data is limited to personnel who require it for their role.
- All team members are required to follow data protection policies and procedures.
- We conduct regular security reviews and update our measures as threats evolve.
- Third-party sub-processors are bound by data processing agreements with security obligations.
12. Data Protection Impact Assessments
Under UK GDPR Article 35, a Data Protection Impact Assessment (DPIA) is required when processing is likely to result in a high risk to the rights and freedoms of individuals.
Herm commits to conducting DPIAs for processing activities that present elevated privacy risk. In particular, we have identified the following features as warranting assessment:
- Chrome Extension purchase data capture: The extension collects detailed purchase history from e-commerce sites, which constitutes a systematic and extensive evaluation of personal shopping behavior.
- Email features (Gmail OAuth and MBOX upload): These features access email inboxes (even if read-only and limited to purchase-related emails) and process email content to extract transaction data.
Our DPIAs evaluate the necessity and proportionality of the processing, assess the risks to data subjects, and identify measures to mitigate those risks. Key mitigations already in place include explicit consent mechanisms (per-page permission for the extension, Google OAuth consent screen for Gmail), immediate deletion of raw email content, minimal data extraction (only structured transaction data is retained), and the ability for users to disconnect or uninstall at any time.
We will conduct additional DPIAs whenever we introduce new processing activities that are likely to result in a high risk to individuals, and we will review existing DPIAs periodically as our services evolve.
13. Data Breach Notification
In the event of a personal data breach, we will act in accordance with UK GDPR Articles 33 and 34 and EU GDPR Articles 33 and 34:
Notification to the supervisory authority. If a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify our lead supervisory authority, the UK Information Commissioner's Office (ICO), within 72 hours of becoming aware of the breach. Where notification is not made within 72 hours, we will provide reasons for the delay.
Notification to affected individuals. If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify the affected data subjects without undue delay. The notification will describe the nature of the breach, the likely consequences, the measures we have taken or propose to take, and the contact details of our Data Protection Officer.
Internal procedures. We maintain internal breach detection, investigation, and reporting procedures. All suspected breaches are escalated to the Data Protection Officer immediately. We document all personal data breaches, including the facts, effects, and remedial action taken, regardless of whether notification to the supervisory authority is required.
14. ICO Registration
Hermio LTD is currently in the process of registering with the UK Information Commissioner's Office (ICO) as a data controller, as required under the Data Protection Act 2018. We will update this section with our ICO registration number once registration is complete.
15. Supervisory Authorities
Our lead supervisory authority is the UK Information Commissioner's Office (ICO).
Depending on your location, you may also contact the following authorities:
| Authority | Jurisdiction | Website |
|---|---|---|
| Information Commissioner's Office (ICO) | United Kingdom | ico.org.uk |
| Autoriteit Persoonsgegevens (AP) | Netherlands | autoriteitpersoonsgegevens.nl |
| Kişisel Verileri Koruma Kurumu (KVKK) | Turkey | kvkk.gov.tr |
If you are located in the Netherlands, the Autoriteit Persoonsgegevens (AP) is your local supervisory authority under EU GDPR and you may direct complaints or inquiries to them.
For Turkey-specific data protection rights and compliance information, see our KVKK Compliance Notice.
16. Changes to This Policy
We may update this GDPR Compliance Policy from time to time to reflect changes in our processing activities, changes in the law, or guidance from supervisory authorities. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will notify you via email or in-app notification.
Previous versions are available upon request by emailing legal@herm.io.
17. Contact Us
If you have any questions about this GDPR Compliance Policy, your rights, or how we handle your personal data, you can reach us at:
Data Protection Officer: Mert Can Elkaya, mert@herm.io
Privacy inquiries: privacy@herm.io
Legal inquiries: legal@herm.io
Hermio LTD
71-75 Shelton Street, Covent Garden
London, United Kingdom, WC2H 9JQ
For the full details of our data practices, see our Privacy Policy. All Herm policies are available at herm.io/policies/.
Acceptable Use Policy
Effective date: March 24, 2026 · Last updated: March 24, 2026
1. Introduction
This Acceptable Use Policy ("AUP") sets out the rules for using the Herm platform, including the mobile app, web application, Chrome Extension, email features, and the herm.io website (collectively, the "Service").
This AUP is part of our Terms of Service. By using the Service, you agree to comply with this policy. If you violate it, we may take action up to and including permanent account termination.
We want Herm to be a safe, fair, and useful platform for everyone. These rules exist to protect you, other users, and the integrity of the Service.
2. General Platform Rules
When using any part of the Herm platform, you agree not to:
Account integrity
- Create fake accounts, use false identities, or provide misleading information during registration.
- Create or maintain more than one Herm account.
- Impersonate any person or entity, or falsely represent your affiliation with any person or entity.
- Attempt to circumvent or bypass the age verification requirement. You must be at least 18 years old to use Herm.
Unauthorized access
- Attempt to access another user's account, data, or personal information.
- Attempt to gain unauthorized access to Herm's systems, servers, networks, or databases.
- Probe, scan, or test the vulnerability of the Service or any related system without authorization.
Automated abuse
- Use bots, scripts, crawlers, scrapers, or other automated tools to access or interact with the Service, unless you are using the Herm Chrome Extension in its intended manner, which performs authorized data capture on your behalf.
- Scrape, harvest, or collect data from the Herm platform, including the brand directory on herm.io, through automated means.
- Overload the Service with excessive requests or conduct any activity that degrades the performance or availability of the platform for others.
Misuse
- Use the Service for any illegal, fraudulent, or unauthorized purpose.
- Harass, threaten, abuse, or intimidate other users or brands.
- Upload, transmit, or distribute any content that is harmful, defamatory, obscene, or otherwise objectionable.
- Use the Service to send spam, unsolicited messages, or bulk communications (except through the referral system as permitted under Section 5).
- Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Herm app, backend services, Chrome Extension, or any part of the Service, except where such activity is expressly permitted by applicable law (for example, under the Computer Programs Directive or equivalent legislation).
3. Chrome Extension Rules
The Herm Chrome Extension captures purchase data from supported e-commerce sites to improve your offer matching. By installing and using the extension, you agree to the following rules in addition to the general rules above.
Your own accounts only. You must only use the extension with e-commerce accounts that belong to you. Capturing order data from someone else's account, whether a family member, friend, colleague, or any other person, is strictly prohibited.
No tampering. You must not modify, reverse-engineer, decompile, disassemble, or tamper with the extension, its code, or its scraper configurations. The scraper configurations are delivered by Herm's backend and must not be altered, intercepted, or replicated.
Personal use only. The extension is provided for your personal use within the Herm platform. You must not use it to systematically extract data for any purpose outside of Herm, including research, competitive analysis, or data aggregation.
No commercial exploitation. You must not distribute, resell, license, or commercially exploit any data captured by the extension.
No consent bypass. You must not attempt to bypass, disable, or circumvent the per-page permission mechanism or the consent banner. The extension's consent flow is a core privacy safeguard and must not be interfered with.
No automated abuse. You must not use scripts, bots, browser automation tools, or other automated means to trigger the extension, simulate captures, or interact with the extension programmatically.
4. Email Features Rules
Herm offers optional email connection (Gmail OAuth) and MBOX file upload features to extract purchase transaction data. By using these features, you agree to the following rules.
Your own email accounts only. You must only connect Gmail accounts that belong to you. Connecting someone else's Gmail account, even with their knowledge, is prohibited.
Your own MBOX files only. You must only upload MBOX files containing email data from accounts that belong to you. Uploading files from someone else's email account is prohibited.
Personal use only. You must not use the email features to extract data for any purpose outside of the Herm platform.
5. Referral System Rules
Herm's referral system allows you to invite friends to join the platform. When using the referral system, you agree to the following rules.
Genuine invitations only. You may only send referral invitations to people you personally know and who you reasonably believe would be interested in Herm. Sending invitations to strangers, purchased email lists, or large groups of people is prohibited.
No spam. You must not use the referral system to send bulk, unsolicited, or repeated invitations. Sending multiple invitations to the same person after they have not responded or have declined is considered spam.
No manipulation. You must not manipulate the referral system in any way, including:
- Creating multiple Herm accounts to generate referrals
- Referring yourself using alternate email addresses or accounts
- Using fake or temporary email addresses to generate referrals
- Using automated tools to send referral invitations
No misrepresentation. You must not misrepresent the nature of Herm or make false claims about the platform when inviting others.
6. Consequences of Violations
We take violations of this policy seriously. The action we take depends on the severity and nature of the violation.
Warning. For first-time or minor violations, we will send you a warning via email describing the violation and what you need to do to comply. You will be given a reasonable opportunity to correct the behavior.
Temporary suspension. For repeated violations or more serious breaches, we may temporarily suspend your account. During suspension, you will not be able to access the Service. We will notify you of the reason for the suspension and its expected duration.
Permanent termination. For severe or deliberate violations, including fraud, illegal activity, persistent abuse after warnings, or activity that threatens the security or integrity of the platform or other users, we may permanently terminate your account and delete all associated data.
Immediate action. Herm reserves the right to take immediate action, including suspension or termination without prior warning, in cases of severe abuse, fraud, security threats, or activity that poses an imminent risk to the platform or other users.
Reporting to authorities. Herm reserves the right to report illegal activity to relevant law enforcement or regulatory authorities.
Consequences are not necessarily applied in sequence. We may skip warnings and proceed directly to suspension or termination based on the severity of the violation.
7. Reporting Violations
If you suspect that another user is violating this Acceptable Use Policy, please report it to us at legal@herm.io. Include as much detail as possible about the suspected violation and we will investigate.
We will treat reports confidentially and will not disclose the identity of the reporter to the accused user, except where required by law.
8. Changes to This Policy
We may update this Acceptable Use Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will notify you via email or in-app notification at least 30 days before the changes take effect.
Previous versions are available upon request by emailing legal@herm.io.
9. Contact Us
If you have questions about this Acceptable Use Policy, contact us at:
Legal inquiries: legal@herm.io
General inquiries: contact@herm.io
Hermio LTD
71-75 Shelton Street, Covent Garden
London, United Kingdom, WC2H 9JQ
For full terms governing your use of Herm, see our Terms of Service. All Herm policies are available at herm.io/policies/.
CCPA Compliance
Effective date: March 24, 2026 · Last updated: March 24, 2026
1. Introduction
This CCPA Compliance Notice supplements our Privacy Policy and applies specifically to California residents whose personal information is collected by Hermio LTD ("Herm," "we," "us," or "our").
This notice is provided in accordance with the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), collectively referred to in this notice as "CCPA."
Herm is a personalized shopping offers platform. We use AI matching to connect you with relevant brand deals. We do not process payments, and we do not share your data with brands. For a full description of our services, see our Privacy Policy.
2. Categories of Personal Information Collected
The following table maps the personal information we collect to the categories defined by the CCPA (Cal. Civ. Code §1798.140):
| CCPA Category | Personal Information Collected | Collected? |
|---|---|---|
| A. Identifiers | Email address, name, user ID, IP address, device identifiers | Yes |
| B. Personal information (Cal. Civ. Code §1798.80(e)) | Name, email address, date of birth, country, city | Yes |
| C. Protected classification characteristics | Age (date of birth for 18+ verification only) | Limited |
| D. Commercial information | Purchase history: order numbers, order amounts, items purchased, retailer names, coupon codes used, order dates, currency codes, order status | Yes |
| F. Internet or other electronic network activity | App usage events, pages and screens viewed, offers viewed and redeemed, browser cookies, crash reports | Yes |
| G. Geolocation data | Country and city (user-provided); approximate location derived from IP address | Yes |
| K. Inferences | Interest categories, offer relevance scores derived from profile and purchase history | Yes |
Categories we do NOT collect:
| CCPA Category | Collected? |
|---|---|
| C. Protected classification characteristics (beyond age) | No |
| E. Biometric information | No |
| H. Sensory data (audio, visual, thermal, olfactory, similar) | No |
| I. Professional or employment-related information | No |
| J. Non-public education information | No |
| L. Sensitive personal information (as defined by CPRA) | No (beyond login credentials, which are used solely for authentication) |
We do not collect financial or payment information (credit cards, bank accounts, payment methods), precise GPS geolocation, contacts or address book data, health or biometric data, or e-commerce login credentials.
3. Sources of Personal Information
We collect personal information from the following categories of sources:
Directly from you. Account registration information (email, password, name), profile information (date of birth, location, interests, social media links), referral invitations, Gmail OAuth connection, and MBOX file uploads.
From the Herm Chrome Extension (with your consent). Purchase history data captured from supported e-commerce order pages, including order numbers, dates, amounts, items, and retailer information.
From email features (with your consent). Structured transaction data extracted from purchase-related emails via Gmail OAuth or MBOX upload, including retailer names, items purchased, amounts, coupon codes, and dates. Raw email content is deleted immediately after extraction and never stored.
Automatically from your devices. Device information, app version, language/locale, IP address, app usage events (via PostHog), crash reports (via Sentry), and browser cookies on web properties (via Google Analytics, Facebook Pixel).
4. Business Purposes for Collection
We collect and use personal information for the following business purposes:
| Business Purpose | CCPA Categories Used |
|---|---|
| Providing the service: account creation, authentication, delivering personalized offers | A, B |
| Offer personalization and AI matching: using your profile, purchase history, and interests to match you with relevant brand offers | A, B, D, G, K |
| Purchase history tracking: enriching your profile with purchase data from the Chrome Extension or email features to improve offer matching | D |
| Analytics and product improvement: understanding how users interact with the Service to improve features and fix issues | F |
| Security and fraud prevention: monitoring for unauthorized access, enforcing rate limits, and protecting the integrity of the platform | A, F |
| Marketing communications (with consent): sending you emails about new offers and features, and measuring the effectiveness of our own advertising campaigns | A, F |
| Legal compliance: verifying your age (18+) and complying with applicable laws | B, C |
5. Categories of Third Parties
We disclose personal information to the following categories of third parties, strictly for the business purposes described above:
| Category of Third Party | Personal Information Disclosed | Purpose |
|---|---|---|
| Cloud infrastructure providers (AWS) | All categories | Hosting, database, email delivery, message queuing, encryption, temporary file storage |
| Analytics providers (PostHog, Google Analytics) | Category F (usage events, browsing behavior) | Product analytics and web traffic analysis |
| Error tracking providers (Sentry) | Category F (crash reports, device info) | Bug fixing and app stability |
| Advertising measurement providers (Facebook / Meta Pixel) | Category F (page views, conversion events) | Measuring effectiveness of Herm's own advertising campaigns (see Section 6 for detailed analysis) |
| Authentication providers (Google Sign-In, Apple Sign-In) | Category A (email, name) | Account authentication |
| Email service providers (Postmark, planned) | Category A (email addresses) | Marketing email delivery |
| CDN / security providers (Cloudflare) | Category A (IP addresses) | Content delivery, caching, DDoS protection |
| Email access providers (Google Gmail API) | Category D (purchase emails, deleted after extraction) | Transaction data extraction from Gmail |
We do not disclose personal information to brands. Brands whose offers appear on Herm have zero visibility into who claims their offers. No personal information, including purchase history from the Chrome Extension or email features, is ever disclosed to brands.
6. Sale and Sharing of Personal Information
We Do Not Sell Personal Information
Herm does not sell your personal information as defined by CCPA §1798.140(ad). We have never sold personal information and have no plans to do so.
We do not receive monetary or other valuable consideration in exchange for your personal information. Your data is not disclosed to third parties for their own commercial benefit.
Facebook Pixel and "Sharing" Under CPRA
The CPRA introduced a distinct concept of "sharing," defined as making personal information available to a third party for cross-context behavioral advertising purposes (CCPA §1798.140(ah)), whether or not for monetary consideration.
We want to be transparent about how the Facebook / Meta Pixel works on our web properties and why we believe it does not constitute "sharing" under CPRA:
How we use the Meta Pixel. The Meta Pixel is installed on the Herm web application and website to measure the effectiveness of Herm's own advertising campaigns on Meta platforms (Facebook, Instagram). It allows us to understand whether people who see our ads on Meta's platforms subsequently visit Herm, a standard practice known as conversion measurement or first-party advertising attribution.
Why this is not "sharing" under CPRA. We configure and use the Meta Pixel strictly for Herm's own first-party advertising measurement. The data sent to Meta through the Pixel (page views and conversion events) is used to measure and optimize Herm's own ad campaigns, not to enable Meta to build behavioral profiles of Herm users for targeting across other websites and apps. Specifically:
- The Pixel is used to measure conversions from Herm's own ad campaigns, not to enable Meta to serve third-party ads to Herm users based on their activity on Herm.
- We do not configure the Pixel to create custom audiences for third-party advertisers or to enable cross-context behavioral advertising by Meta on behalf of other businesses.
- The Pixel operates as a measurement tool for Herm's own marketing spend — functionally equivalent to asking "did our ad work?" rather than "help other advertisers target our users."
Additional safeguards. Regardless of our position, we apply the following safeguards:
- The Meta Pixel is only activated with your consent via our cookie consent banner. It is not loaded until you affirmatively opt in to marketing cookies.
- California residents may opt out of all marketing and advertising cookies by declining them in the consent banner. If you decline, the Pixel is never loaded and no data is sent to Meta.
- You can withdraw consent at any time by clearing your cookies and declining marketing cookies when the consent banner reappears.
If future guidance from the California Privacy Protection Agency clarifies that first-party conversion measurement via the Meta Pixel constitutes "sharing" under CPRA, we will update this notice and our practices accordingly, including providing a "Do Not Share" mechanism.
7. Your Rights Under CCPA / CPRA
As a California resident, you have the following rights regarding your personal information:
Right to know (§1798.100, §1798.110). You have the right to request that we disclose:
- The categories of personal information we have collected about you
- The specific pieces of personal information we have collected about you
- The categories of sources from which we collected it
- The business purposes for which we use it
- The categories of third parties with whom we disclose it
Right to delete (§1798.105). You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions (for example, where we need to retain the data to complete a transaction, detect security incidents, or comply with a legal obligation).
Right to correct (§1798.106). You have the right to request that we correct inaccurate personal information we maintain about you. You can correct most information directly by editing your profile in the app.
Right to opt out of sale or sharing (§1798.120). You have the right to direct us not to sell or share your personal information. As described in Section 6, Herm does not sell your personal information and does not share it for cross-context behavioral advertising. However, you can opt out of all marketing and advertising cookies (including the Meta Pixel) at any time through the cookie consent banner.
Right to limit use of sensitive personal information (§1798.121). We do not use or disclose sensitive personal information for purposes beyond those permitted under CCPA §1798.121(a). This right is not applicable to Herm's current data practices.
Right to non-discrimination (§1798.125). We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, provide a different level of quality, or suggest that you will receive a different level of service because you exercised a privacy right.
8. How to Exercise Your Rights
You can exercise your CCPA rights through any of the following methods:
Email: Send your request to privacy@herm.io. Please include "CCPA Request" in the subject line and describe the right you wish to exercise.
In-app account deletion: You can delete your account and all associated data directly through the Herm app at any time.
Data deletion request page: You can submit a deletion request at herm.io/data-deletion-request/.
We will acknowledge your request within 10 business days and provide a substantive response within 45 days of receiving a verifiable request. If we need additional time (up to 45 additional days), we will inform you of the reason and the expected timeframe.
9. Verification Process
To protect your personal information, we verify the identity of all individuals who submit CCPA requests before fulfilling them.
For requests submitted via email to privacy@herm.io: We will verify your identity by matching the email address used to submit the request with the email address associated with your Herm account. If the email addresses match, we will proceed with the request. If they do not match, or if additional verification is needed for sensitive requests (such as access to specific pieces of personal information), we may ask you to verify your identity through your Herm account or provide additional information.
For requests to delete: We may ask you to confirm your deletion request separately before processing it.
For requests for specific pieces of personal information: Given the sensitivity of this type of disclosure, we may apply heightened verification by requesting additional identifying information to confirm your identity.
We will not fulfill a request if we cannot verify the identity of the requestor to a reasonable degree of certainty.
10. Authorized Agents
California residents may designate an authorized agent to make CCPA requests on their behalf. To use an authorized agent:
- The agent must provide written authorization signed by you, or a power of attorney valid under California law (Probate Code §4000-4465).
- We may still require you to verify your own identity directly with us, unless the agent provides a valid power of attorney.
- Authorized agent requests should be submitted to privacy@herm.io with the written authorization attached.
11. Financial Incentives
Herm does not offer financial incentives, price or service differences, or other benefits in exchange for the collection, retention, sale, or deletion of personal information. We do not operate a loyalty or rewards program that uses personal information as a condition of participation.
12. Data Retention
We retain personal information only for as long as necessary to fulfill the business purposes described in this notice. When you delete your account, all personal information is permanently erased within 72 hours.
For complete data retention details, including retention periods for specific data types, see the Data Retention section of our Privacy Policy.
13. Changes to This Notice
We may update this CCPA Compliance Notice from time to time to reflect changes in our data practices or in applicable California privacy law. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will notify affected users via email.
Previous versions are available upon request by emailing legal@herm.io.
14. Contact Us
If you have questions about this notice or your rights under the CCPA, contact us at:
Privacy inquiries: privacy@herm.io
Data Protection Officer: Mert Can Elkaya — mert@herm.io
Hermio LTD
71-75 Shelton Street, Covent Garden
London, United Kingdom, WC2H 9JQ
For the full details of our data practices, see our Privacy Policy. All Herm policies are available at herm.io/policies/.