Privacy Policy

Last updated: April 2026

1. Who We Are

This Privacy Policy applies to Hermes Spawn, a service provided by Bepitic (the "Data Controller"). We are committed to protecting your privacy and handling your personal data transparently and securely.

This policy describes what data we collect, how we use it, who we share it with, and your rights under the General Data Protection Regulation (GDPR) and applicable data protection laws.

2. Data We Collect

2.1 Account Data

Data: Name, email address, hashed password, account creation date.
Legal Basis: Contract performance (GDPR Art. 6(1)(b)).
Purpose: To create and manage your account and authenticate your identity.

2.2 Usage & Security Data

Data: IP address, user agent string, session identifiers, login/logout times, activity logs (e.g., server creation, settings changes, configuration updates).
Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)) — security monitoring, abuse prevention, and service improvement.
Purpose: To maintain a security audit trail, detect unauthorized access, and troubleshoot issues.

2.3 Billing Data

Data: Paddle customer ID, subscription ID, subscription status, billing dates, plan details. We do NOT collect or store credit card details.
Legal Basis: Contract performance (GDPR Art. 6(1)(b)).
Purpose: To manage your subscription and provisioning rights.

2.4 Infrastructure Data

Data: VPS names, Hetzner server IDs, IPv4/IPv6 addresses, SSH public keys, server plans, configuration files, agent profiles and settings.
Legal Basis: Contract performance (GDPR Art. 6(1)(b)).
Purpose: To provision and manage your VPS instances.

2.5 Communications

Data: Content of support requests or emails you send us.
Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)).
Purpose: To provide customer support and address inquiries.

3. How We Use Your Data

We use your personal data to:

  • Create and manage your account.
  • Provision and manage VPS instances on your behalf.
  • Process payments (handled by Paddle as Merchant of Record).
  • Maintain a security audit trail and monitor for unauthorized access.
  • Send transactional notifications (account confirmations, billing events, security alerts).
  • Provide customer support.
  • Comply with legal obligations.

4. Data Sharing & Third Parties

We do not sell, rent, or share your personal data with advertisers or data brokers. We only share data with the following third-party services that are essential to operating the Service:

4.1 Hetzner Cloud

Role: VPS infrastructure provider.
Data Shared: Server names, SSH public keys, cloud-init scripts, server specs.
Location: Nuremberg, Germany (EU).
Policy: Hetzner Privacy Policy

4.2 Paddle (Merchant of Record)

Role: Payment processing, tax calculation, and compliance.
Data Shared: Email, name, billing address (handled directly by Paddle). We receive only subscription IDs, status, and customer references — not your payment details.
Policy: Paddle Privacy Policy

4.3 Resend (Transactional Email)

Role: Email delivery for account confirmations, notifications, and password resets.
Data Shared: Email address, email content (if configured).
Location: United States.
Safeguards: Covered by the EU-US Data Privacy Framework or Standard Contractual Clauses.

5. Data Retention

We retain your data for the following periods:

  • Account data: Retained while your account is active and for 30 days after account deletion (recovery window).
  • Activity logs: Retained for 12 months for security audit purposes.
  • Billing records: Retained for 5 years in accordance with Spanish tax law (Ley General Tributaria Art. 66).
  • Session data: Deleted upon logout or after 2 hours of inactivity.
  • Password reset tokens: Deleted immediately after use or after 1 hour of expiry.

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights:

  1. Right of Access: Request a copy of all personal data we hold about you.
  2. Right to Rectification: Request correction of inaccurate or incomplete data.
  3. Right to Erasure: Request deletion of your personal data ("right to be forgotten"). You can delete your account directly from the settings dashboard or by contacting us.
  4. Right to Data Portability: Request your data in a structured, machine-readable format.
  5. Right to Object: Object to processing based on legitimate interest.
  6. Right to Withdraw Consent: Withdraw any previously given consent at any time.
  7. Right to Complain: Lodge a complaint with your local data protection supervisory authority (in Spain, AEPD).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR.

7. Data Security

  • Passwords are hashed using the bcrypt algorithm.
  • VPS access uses SSH public key authentication only; root passwords are disabled.
  • All data in transit is encrypted via HTTPS/TLS.
  • Database access is restricted to authorized application processes only.
  • Activity logs track all administrative actions for auditing and incident response.

8. International Data Transfers

Your primary data is stored within the European Union (Hetzner Cloud, Nuremberg, Germany). Some third-party services may process data outside the EEA (e.g., Resend in the US). Where this occurs, we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by the European Commission.
  • EU Standard Contractual Clauses (SCCs).
  • Participation in the EU-US Data Privacy Framework.

9. Cookies

Hermes Spawn uses only strictly necessary session cookies for authentication and security purposes. We do not use:

  • Analytics or tracking cookies (no Google Analytics or similar).
  • Marketing or advertising cookies.
  • Third-party tracking pixels.

Because we only use essential cookies, a cookie consent banner is not required. You can manage or delete cookies through your browser settings.

10. Children's Privacy

The Service is not intended for persons under the age of 14 (the minimum age for digital consent in Spain under the LOPDGDD). We do not knowingly collect personal data from children. If we become aware that a child under this age has provided us with personal data, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service dashboard at least 30 days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised.

12. Data Controller & Contact

Data Controller: Bepitic
Email: [email protected]
Website: hermesspawn.com

If you have questions or requests regarding your personal data, please contact us using the information above. We aim to respond to all legitimate requests within 30 days.

Disclaimer: This document is provided as a template and does not constitute legal advice. You should consult a qualified legal professional to ensure compliance with applicable laws and regulations, especially regarding GDPR and data processing agreements with third-party services.