Legal
Privacy notice
Last updated: 2026-05-30
This page explains what data the Hermes Agent Guide collects, why, where it goes, and how to get it deleted. The self-check at /audit/ is the primary surface that generates data; the rest of the guide site is read-only content.
Short version
| Question | Answer |
|---|---|
| Do my self-check answers leave my browser? | No. Scoring runs on your device. Your scenario answers never travel. |
| What about the consultant CTA at the end? | The link carries the matched offer route, your dominant risk gap, your exposure level (low / medium / high), your migration status, and a SHA-256 hash of a random session id. That is everything. |
| Do you set cookies? | No cookies, and nothing stored on your device. The raw random id is generated in memory and disappears when you close the tab; only its hash is sent, and only in the events and submissions described here. |
| Do you track me with analytics? | Page-view and interaction events go to our self-hosted cookieless Umami (EU region, hosted on roboty.pokokar.de under our control). No screen recording. No heatmap of sensitive input. No content of free-text fields. |
| If I submit my email on consultant.com, where does that go? | See the consultant.com privacy notice for the form-submission flow. The data path leaves this guide site at the CTA click. |
| What if I opt in to contribute my audit result? | Only your five category scores, your dominant gap, your exposure level, your migration status, a hashed session id, and your email if you provide one are sent to our self-hosted form processor. Never your individual answers. Opt-in only. |
| Can I get my data deleted? | Yes. Email jed@byjed.com with "delete" and any identifier you remember. Action within 72 hours. |
Self-check data flow
1. The hashed session ID
When you reach your result, the page generates a random identifier in your browser and hashes it with SHA-256 before anything leaves the tab. The raw value is discarded.
Only the hash (a 64-character string) travels anywhere. The hash:
- appears in the URL when you click a CTA to consultant.com
- gets sent to analytics with the named funnel events
Important: the hash cannot be reversed to the original value. The original random ID never existed outside your browser memory.
2. Your scenario answers
Your scenario answers stay in your browser. Scoring runs on your device and produces a dominant risk gap and an exposure level (low / medium / high). Those, your migration status, and the matched offer route are encoded in the consultant CTA link, alongside a hashed session id. Your individual scenario choices are never transmitted.
3. Analytics events
Our self-hosted cookieless Umami (EU region) receives events:
- Page loaded (auto-pageview, traffic baseline)
- Self-check started (first answer registered)
- Result viewed (with your dominant gap, exposure level, migration status, and a hashed session id)
- Consultant CTA clicked
The named funnel events carry a short SHA-256 hash slice as a join key (not an identity; we do not call any identify() function). Umami runs cookieless in our EU region on infrastructure we control. No screen recording. No heatmap tracking that captures sensitive input. The join key is currently unmatched on the consultant site; future work will close the cross-domain loop.
4. The optional benchmark contribution
On the self-check result you can opt in to contribute your anonymized result to a public failure benchmark. The following is sent to our self-hosted form processor (n8n, EU) only if you check that box and submit: your five category scores, your dominant gap, your exposure level, your migration status, the hashed session id, your opt-in and consent flags, and your email if you provide one. Your individual scenario choices (the raw answers) are never sent. Legal basis: consent (Art. 6(1)(a)). Withdraw or request deletion any time via jed@byjed.com.
Where the data lives
| Processor | Purpose | Region | GDPR DPA |
|---|---|---|---|
| Vercel | Website hosting | EU + global CDN | Yes |
| Umami (self-hosted, EU) | Analytics events | EU region (our infrastructure) | N/A (own controller) |
| Operator self-hosted n8n | Optional anonymized self-check contribution (opt-in only) | Poland (EU) | Operator is controller + processor |
If you click a CTA to consultant.com and submit the form there, additional processors apply per the consultant.com privacy notice.
Your rights under GDPR
- Access (Art. 15): email jed@byjed.com with "data access request". Legal deadline 30 days; target 72 hours.
- Erase (Art. 17): email jed@byjed.com with "delete" and any identifier you remember. Target 72 hours.
- Object (Art. 21): stop analytics processing for your visit. Functionality is preserved.
- Port data (Art. 20): receive your data in a machine-readable format.
- Complain: lodge a complaint with your country's supervisory authority.
Legal basis
| Activity | Lawful basis (GDPR Art. 6) |
|---|---|
| Analytics events with hashed session ID | Art. 6(1)(f) legitimate interest |
| Optional anonymized audit contribution (opt-in) | Art. 6(1)(a) consent |
| Hosting + security logs | Art. 6(1)(f) legitimate interest |
The only consent-based collection on this site is the optional audit-result contribution above. Everything else is anonymous analytics. The consultant site has its own contact-form consent flow.
Cookies
This site sets no cookies and no local storage. The raw random id exists only in memory; only its hash leaves your device, in the events and submissions described above.
Changes to this notice
Material changes are dated at the top and logged in git. Minor typo fixes do not trigger a date update.
Data controller and contact
Data controller: byJed (Jędrzej Tabaczyński). The operating entity is being established as byJed LLC (United States).
Jędrzej Tabaczyński
jed@byjed.com
Operator details are on the consultant.com imprint page.