Privacy notice
Last updated: 2026-05-30
This page explains what data this site collects, why, where it goes, and how to get it deleted. Short version first, details below.
Short version
| Question | Answer |
|---|---|
| Do you track me without asking? | No. No cookies set before you interact. No analytics until you click Start. |
| Do you store my IP address? | The hosting provider (Vercel) processes your IP for transport and security logs, with short retention. We do not store your IP in any analytics or form submission. |
| What if I submit the email form? | Your email plus a hashed session ID get stored for 90 days. Then they are deleted. |
| Can I get my data deleted anytime? | Yes. Email jed@byjed.com with "delete" and your email address. Action within 72 hours. |
| Do you share data with anyone? | Only with the email form processor and analytics. Both run in the EU. No ad networks. No data brokers. |
| Does this meet GDPR requirements? | Designed to. EU-based processors, consent recorded, deletion on request, DPAs in place. Final legal assessment is yours or your counsel's. |
What gets collected, when, and why
1. The hashed session ID
When you land on the audit tool at hermesagentguide.com/audit/, the tool generates a random identifier in your browser. That identifier is immediately hashed using SHA-256. The raw value is discarded before anything leaves the tab.
Only the hash (a 64-character string of letters and numbers) travels anywhere. The hash:
- appears in the URL when you click a CTA to consultant.com
- gets stored in your browser's local storage for 14 days so if you come back, the same session continues
- gets sent to analytics with every event
- gets sent to the email form if you submit it
Why: to measure whether audit tool visitors go on to book a consulting conversation. Without it, the funnel is invisible and KPIs are guesses.
Important: the hash cannot be reversed to the original value. The original random ID never existed outside your browser memory.
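The scheme described in this section, as an added JavaScript example that is not this site's actual code: a random value is hashed with SHA-256 through Web Crypto and only the hash is kept, with the 14-day expiry checked on every read. The storage key, function names, 32-byte ID length, stored record layout and fixed (non-sliding) expiry are assumptions.

```javascript
// Added example, not the site's code. Names, key and record layout are assumed.
// In a browser, globalThis.crypto exists; the fallback only matters on Node < 19.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const STORAGE_KEY = 'audit_session';      // hypothetical local-storage key
const TTL_MS = 14 * 24 * 60 * 60 * 1000;  // 14-day TTL stated in the notice

// Hash 32 random bytes with SHA-256; the raw bytes never leave this function.
async function newHashedId() {
  const raw = webcrypto.getRandomValues(new Uint8Array(32));
  const digest = new Uint8Array(await webcrypto.subtle.digest('SHA-256', raw));
  raw.fill(0); // best-effort wipe; the raw value is neither stored nor sent
  return Array.from(digest, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Return the stored hash if it is well-formed and unexpired, else mint a new one.
async function getSessionHash(storage, now = Date.now()) {
  try {
    const rec = JSON.parse(storage.getItem(STORAGE_KEY));
    if (rec && /^[0-9a-f]{64}$/.test(rec.hash) &&
        Number.isFinite(rec.expires) && now < rec.expires) {
      return rec.hash;
    }
  } catch { /* corrupt or tampered entry: fall through and replace it */ }
  const hash = await newHashedId();
  storage.setItem(STORAGE_KEY, JSON.stringify({ hash, expires: now + TTL_MS }));
  return hash;
}

// In-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}
```

In a page, pass `window.localStorage` as `storage`; validating the stored record before reuse keeps a malformed or edited entry from being forwarded to analytics or the form.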
2. The email form
If you fill out the form at the bottom of this site, the following gets submitted:
- Your name
- Company (optional)
- Your email
- Where you are with Hermes Agent (dropdown)
- Free-text context (optional)
- The hashed session ID (from above)
- The tier of the audit CTA you arrived from (if any)
This goes to a self-hosted form processor (n8n on EU infrastructure), then to Brevo (transactional email relay, EU region) for the operator alert. Both have GDPR DPAs in place.
The operator receives the submission by email and responds within 48 hours.
Storage: submissions retained for 90 days, then purged manually by the operator.
Your email is used to reply to your inquiry. Not for newsletters. Not for cold outreach. Not shared.
3. Analytics events
Analytics receives page-view and interaction events from this site:
- Page loaded
- Which tier section you scrolled to
- Which link you clicked
- Whether you started the form
Every event carries the hashed session ID. Analytics runs in the EU region with a GDPR DPA. Events do not include the content of free-text fields. No screen recording. No heatmap tracking that captures sensitive input.
Where the data lives
| Processor | Purpose | Region | GDPR DPA |
|---|---|---|---|
| Vercel | Website hosting | EU + global CDN | Yes |
| Operator self-hosted n8n | Form webhook + optional anonymized audit contribution (receive, validate, route) | Poland (EU) | Operator is controller + processor |
| Brevo | Outbound form alert emails (transactional) | Paris + Frankfurt (EU) | Yes |
| Umami (self-hosted, EU) | Analytics events | EU region (our infrastructure) | N/A (own controller) |
No other processors receive your data. No advertising networks. No data brokers. No affiliate tracking.
Your rights under GDPR
Under Art. 15 to 22 of the GDPR, you have the right to:
- Access (Art. 15): get a copy of everything stored about you. Email jed@byjed.com with "data access request". Legal deadline 30 days; target acknowledgment 72 hours.
- Rectify (Art. 16): correct incorrect data. Same email path.
- Erase (Art. 17): have all your data purged. Email with "delete" and the email you submitted. Legal deadline 30 days; target action 72 hours.
- Restrict processing (Art. 18): ask that we pause certain processing while a dispute or correction is open.
- Port data (Art. 20): receive your data in a machine-readable format.
- Object (Art. 21): stop processing (including analytics events). Withdrawing consent may disable the site's analytics for your visit; functionality is preserved.
- Not be subject to automated decision-making (Art. 22): this site does not use automated decision-making or profiling that produces legal or significant effects.
- Complain: lodge a complaint with your country's supervisory authority.
Legal basis for processing
| Processing activity | Lawful basis (GDPR Art. 6) |
|---|---|
| Email form submission (name, company, email, context) | Art. 6(1)(a) consent (checkbox) |
| Analytics events with hashed session ID | Art. 6(1)(f) legitimate interest |
| Optional anonymized audit contribution (opt-in) | Art. 6(1)(a) consent |
| Hosting + security logs (IP, request) | Art. 6(1)(f) legitimate interest |
Cookies
This site sets no cookies before you interact with the form. The form uses a hidden honeypot field for spam protection, which sets no cookies and collects no data.
Local storage (for the hashed session ID, 14-day TTL) is not a cookie. It stays in your browser and is never transmitted back except as an analytics event property.
Changes to this notice
Material changes post-ship are dated at the top and logged in git. Minor typo fixes do not trigger a date update.
Data controller and contact
Data controller: byJed (Jędrzej Tabaczyński). The operating entity is being established as byJed LLC (United States); see the imprint for operator details.
Jędrzej Tabaczyński
jed@byjed.com
For formal GDPR requests, the email path above is the fastest route.