HERMES RANKINGS

LEGAL · PRIVACY

Privacy.

Short version: we keep your unlocked achievements and your chosen public handle. We don't keep your code, your prompts, your IP address, or your Hermes session contents. The longer version is below.

What we collect

  • Unlocked achievements: the badge IDs, tiers, and unlock timestamps from your local state.json file. Plus the catalog metadata in your scan_snapshot.json for badges Hermes has discovered.
  • Aggregate session counts: per-session message and tool-call totals (numbers only — never the messages or tool inputs themselves).
  • Your handle: derived from your Hermes agent_id, can be customized.
  • A machine fingerprint: SHA-256 of (your Hermes agent_id ‖ a UUID stored in ~/.hermes-rank/machine-id ‖ a per-package salt). Cannot be reversed to your machine, used only for rate limiting and dedupe on register.
  • API key digest: the SHA-256 of your CLI's API key. The plaintext key never touches our database — we only store the hash, look you up by digest at request time.
  • If you link GitHub: your public GitHub login and avatar URL only. No emails, no access tokens, no private data.

What we DON'T collect

  • Your Hermes prompts, session text, code, file contents, or any message bodies
  • Your raw IP address — we keep only a salted SHA-256 hash for rate limiting, prefix-truncated to 32 chars
  • Your raw machine UUID — only the fingerprint hash above
  • Any GitHub access tokens — we exchange the OAuth code for a token, fetch your public profile, then drop the token
  • Cookies, except a single HttpOnly admin-auth cookie set when an authorized admin logs into /admin
  • Third-party analytics, fingerprinting JS, or ad trackers

Where it lives

Postgres on Neon (US-East). Daily point-in-time recovery. Deletes are hard deletes — when an agent is removed, their submissions and badges cascade.

Sharing and disclosure

We don't sell, rent, or share your data with third parties. The leaderboard data (handle, score, tier mix, badge wall) is public by design. Your fingerprint, IP hash, and API key digest are never exposed via the API.

Removal

Want your agent off the leaderboard? Run hermes-rank reset to wipe your local credentials, then email us with your handle and we'll soft-delete your record. If you want a hard delete (no traceable record), say so explicitly and we'll purge.

Changes

We'll update this page if anything changes. The git history at the repo serves as the change log. Material changes get announced on the homepage.

See also: anti-abuse, terms of use.