PRIVACY POLICY hermetis.io

Effective date: 31 May 2026

Version: 1.0

**Document scope.** This document applies to users accessing hermetis.io in its English, Latvian, or Lithuanian language version, and to clients served by **SIA "AGroup"** (Latvia). It is governed by **the laws of the Republic of Latvia**. Clients served by **AGroup sp. z o.o.** (Poland) operate under a separate set of documents available in the **Polish language version** of hermetis.io.

SIA "AGroup" takes the privacy of its clients seriously. We understand that when you share personal data with us in connection with Hermetis, you place trust in us — and we honour that trust at every stage of processing.

This Policy explains transparently: what personal data we collect, why we process it, with whom we share it, how long we keep it, and what rights you have.

§ 1. Introduction

  1. This Privacy Policy (hereinafter: "Policy") describes the rules of personal data processing in connection with the use of the website available at hermetis.io (hereinafter: "Website") and in connection with other activities of the Controller described in this Policy.
  2. The Policy has been prepared to fulfil the information obligations arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2026 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR").
  3. Hermetis.io is operated by SIA "AGroup". The Website and the services it describes are intended exclusively for business users (B2B). We do not offer our services to consumers within the meaning of applicable consumer protection laws.

§ 2. Data Controller

  1. The Controller of your personal data within the meaning of GDPR is:
    • SIA "AGroup"
    • registered address: Duntes iela 3, Riga, LV-1013, Latvia
    • registration No.: 40003986259
    • contact email: hello@hermetis.io
    (hereinafter: "Controller" or "AGroup").
  2. You may contact the Controller in matters related to personal data processing in any of the following ways:
    • by email: hello@hermetis.io
    • in writing: to the registered address indicated above.

§ 3. Data Protection Officer

  1. The Controller has appointed a Data Protection Officer (DPO) to handle all matters related to personal data protection.
  2. The DPO can be contacted at:
    • email: dataprotection@hermetis.io 
    • in writing: to the Controller's registered address with the note "DPO — Bartosz Kapuściński".

§ 4. AGroup's role in data processing — key distinction

AGroup acts in different roles with respect to personal data, depending on the context:

| Context | AGroup's role |
|---|---|
| Use of the Website hermetis.io (browsing, forms, cookies) | Data Controller |
| Sales and marketing communications (CRM, demo, meetings) | Data Controller |
| Newsletter (marketing and educational information) | Data Controller |
| Use of the Hermetis system (SaaS and on-premise) by an AGroup client for HR and payroll purposes | Data Processor, acting on behalf of the Client — who is the Controller of their employees' and contractors' personal data |

  1. This Policy concerns only the cases in which AGroup acts as Data Controller (Website, forms, sales communications, newsletter).
  2. The rules of personal data processing within the provision of the Hermetis system (where AGroup acts as Processor) are governed by a separate Data Processing Agreement (DPA), concluded with each Client individually together with the main service agreement. The DPA specifies in particular:
    • subject matter and duration of processing;
    • nature and purpose of processing;
    • types of personal data and categories of data subjects;
    • obligations and rights of the Controller (Client);
    • rules of sub-processing.

§ 5. Categories of data subjects

This Policy applies to the following categories of natural persons:

  1. Website visitors — persons using the Website, including by browsing its content;
  2. Persons completing forms on the Website — in particular the "Book a meeting" Form and the "Watch a demo" Form;
  3. Persons contacting AGroup — by email, phone, or other communication channels;
  4. Newsletter subscribers — persons who have given their consent to receive marketing communications by electronic means;
  5. Persons participating in product demonstrations — both in interactive demos (Storylane) and in live presentations;
  6. Persons representing AGroup's potential or existing Clients — including persons designated as contact points within commercial negotiations, contract conclusion, or contract execution.

§ 6. Purposes, legal bases, scope of data, and retention periods

6.1. Handling inquiries via the "Book a meeting" Form (Calendly widget)

| Element | Description |
|---|---|
| Purpose | Booking a meeting, handling the inquiry, conducting sales conversations |
| Data categories | First name, last name, business email, optionally: phone number, company name, message content, preferred meeting time |
| Legal basis | Art. 6(1)(b) GDPR — pre-contractual measures at the data subject's request; Art. 6(1)(f) GDPR — legitimate interests of the Controller in conducting commercial activities |
| Retention period | For the period necessary to handle the inquiry and conduct commercial correspondence, no longer than 36 months from the last contact. |

6.2. Handling inquiries via the "Watch a demo" Form

| Element | Description |
|---|---|
| Purpose | Granting access to an interactive product demo (Storylane), follow-up communication after the demo |
| Data categories | First name, last name, business email, optionally: phone number, company name, job title |
| Legal basis | Art. 6(1)(b) GDPR — pre-contractual measures; Art. 6(1)(f) GDPR — legitimate interests |
| Retention period | For the period necessary to provide the demo and conduct follow-up communications |

6.3. Conducting interactive demos (Storylane)

| Element | Description |
|---|---|
| Purpose | Presentation of the Hermetis system functionality in an interactive form |
| Data categories | Demo session interaction data (clicks, page views, time spent on individual screens) |
| Legal basis | Art. 6(1)(b) GDPR — pre-contractual measures; Art. 6(1)(f) GDPR — legitimate interests of the Controller in measuring product interest |
| Retention period | For the demo session duration and the period necessary for analysis of session data |

6.4. Newsletter

| Element | Description |
|---|---|
| Purpose | Sending marketing, educational, and product information about AGroup and the Hermetis system |
| Data categories | First name, business email; data about newsletter interactions (opens, clicks on links) |
| Legal basis | Art. 6(1)(a) GDPR — consent of the data subject; applicable e-privacy and electronic communications law of Latvia — consent to receive commercial communications by electronic means and consent to the use of electronic communications equipment for direct marketing purposes |
| Retention period | Until consent is withdrawn; after withdrawal — confirmation of withdrawal is kept for the limitation period of claims, maximum 6 years |
| Opt-out | At any time by clicking the "Unsubscribe" link in the footer of every newsletter message or by contacting the Controller at dataprotection@hermetis.io |

The newsletter is sent via the HubSpot platform (HubSpot Ireland Ltd., Dublin, Ireland), which acts as a data processor. Within the platform, message opens and link clicks are monitored in order to measure the effectiveness of communication and better tailor content. Interaction data may be used to segment recipients. We do not make decisions producing legal effects or similarly significantly affecting you in an automated way. The newsletter is sent as a rule no more than once a month; AGroup reserves the right to send less frequently or occasionally more frequently, in particular in case of significant product information or industry events.

6.5. Conducting email and phone correspondence

| Element | Description |
|---|---|
| Purpose | Handling correspondence, maintaining contact with potential and existing Clients, business partners |
| Data categories | Identification and contact data, content of correspondence |
| Legal basis | Art. 6(1)(b) GDPR — performance of a contract or pre-contractual measures; Art. 6(1)(f) GDPR — legitimate interests of the Controller |
| Retention period | For the period necessary to achieve the purpose and to defend against any claims |

6.6. CRM — managing relationships with Clients and prospects

| Element | Description |
|---|---|
| Purpose | Managing the sales process, handling commercial contacts, maintaining interaction history |
| Data categories | Identification and contact data of persons representing potential/existing Clients, interaction history, status in the sales process |
| Legal basis | Art. 6(1)(b) GDPR — pre-contractual measures / performance of a contract; Art. 6(1)(f) GDPR — legitimate interests of the Controller in conducting commercial activities |
| Retention period | For the duration of the active commercial relationship and 36 months from the last contact, or until objection is raised. |

6.7. Website analytics

| Element | Description |
|---|---|
| Purpose | Analysis of Website traffic, optimisation of the Website, measuring the effectiveness of marketing activities |
| Data categories | Anonymised IP address, cookie identifiers, session data (time spent, navigation paths, clicks), browser and device data |
| Legal basis | Art. 6(1)(a) GDPR — consent (analytical cookies require consent; details in the Cookie Policy) |
| Retention period | According to the lifetime of individual cookies (see Cookie Policy) |

6.8. Marketing purposes and firmographic data enrichment (Apollo.io)

| Element | Description |
|---|---|
| Purpose | Identification of companies visiting the Website (at firmographic level, NOT at person level), enriching CRM data with company information (industry, size, geography) |
| Data categories | IP address (for company identification), firmographic data of visiting companies |
| Note | Apollo.io identifies companies, it does not identify persons. Visitors from private/home IP addresses are not subject to enrichment. |
| Legal basis | Art. 6(1)(a) GDPR — consent (marketing cookie); Art. 6(1)(f) GDPR — legitimate interests of the Controller in conducting B2B marketing |
| Retention period | According to the lifetime of relevant cookies; firmographic data in CRM — according to section 6.6 |

6.9. Defence against and pursuit of claims

| Element | Description |
|---|---|
| Purpose | Establishment, pursuit, and defence of claims |
| Data categories | All data necessary for the pursuit or defence of claims |
| Legal basis | Art. 6(1)(f) GDPR — legitimate interests of the Controller |
| Retention period | Until the limitation of claims under applicable law, maximum 6 years from the end of the calendar year in which the claim became due |

6.10. Fulfilment of legal obligations

| Element | Description |
|---|---|
| Purpose | Fulfilment of obligations arising from law, including tax and accounting regulations |
| Data categories | Data required by legal obligations |
| Legal basis | Art. 6(1)(c) GDPR — legal obligation |
| Retention period | According to applicable regulations (e.g. accounting records — 5 years) |

§ 7. Voluntariness of providing data

  1. Provision of personal data is voluntary, however:
    • for the Contact Form, Demo Form, and Calendly widget — failure to provide data marked as mandatory makes it impossible to handle the inquiry, access the demo, or book a meeting;
    • for the newsletter — failure to provide data makes subscription impossible;
    • for the conclusion of a Hermetis service agreement — failure to provide identification and contact data of persons representing the Client makes it impossible to conclude and perform the agreement.
  2. Personal data is not used for automated decision-making producing legal effects or similarly significantly affecting the data subject, including profiling within the meaning of Art. 22 GDPR.

§ 8. Recipients of personal data

  1. Your personal data may be transferred to the following categories of recipients:
    • Processors acting on behalf of the Controller — in particular IT service providers, hosting, marketing tools, CRM, meeting and presentation tools, law firms, accounting offices, auditors;
    • Companies of the Everfield group — in the scope of operational support, including cybersecurity support (CISO collaboration), within the legitimate interest of the group;
    • Public authorities — in cases provided for by law, at the request of authorised bodies.

List of main processors processing data on behalf of AGroup within the scope covered by this Policy (i.e. in connection with the operation of hermetis.io and marketing activities):

| Function | Provider | Processing location | Provider documentation |
|---|---|---|---|
| Website hosting (CMS), CRM, form management, newsletter | HubSpot Ireland Ltd. | Dublin, Ireland (EU) | trust.hubspot.com, legal.hubspot.com/privacy-policy, legal.hubspot.com/dpa |
| CDN and bot protection | Cloudflare, Inc. | Global (EU edge nodes); USA under EU-US DPF | cloudflare.com/trust-hub, cloudflare.com/trust-hub/gdpr, cloudflare.com/cloudflare-customer-dpa |
| Meeting booking widget | Calendly LLC | USA under EU-US DPF | calendly.com/legal/data-processing-addendum, help.calendly.com/.../GDPR-FAQs |
| Fraud prevention in the Calendly widget | Stripe, Inc. | USA under EU-US DPF | stripe.com/legal/privacy-center, stripe.com/privacy, stripe.com/legal/dpa |
| Interactive product demo | Storylane Inc. | USA under SCC + TIA | trust.storylane.io, storylane.io/privacy-policy |
| Website traffic analytics | Google LLC (Google Analytics 4) | USA under EU-US DPF | support.google.com/analytics/answer/6004245, support.google.com/analytics/answer/3379636 |
| Behavioural analytics and session recordings | Microsoft Ireland Operations Limited (Clarity) | EU Data Boundary | clarity.microsoft.com/privacy, microsoft.com/en-us/trust-center/privacy/gdpr-overview |
| Identification of companies visiting the Website | Apollo.io (ZenLeads Inc.) | USA under EU-US DPF | apollo.io/company/privacy-center, apollo.io/privacy-policy, apollo.io/dpa |
| Cookie consent management | Cookiebot (Cybot A/S / Usercentrics) | EU | cookiebot.com/en/privacy-policy, support.cookiebot.com |

  2. Processing of data by the processors listed in § 8 takes place on the basis of data processing agreements (DPAs) compliant with Art. 28 GDPR, concluded:
    • in an individually negotiated form — with strategic providers, or
    • by acceptance of the publicly available DPA of the provider, incorporated into the service agreement (Terms of Service) — with SaaS service providers.

§ 9. Data transfers outside the European Economic Area

  1. AGroup endeavours to ensure that personal data is processed within the European Economic Area (EEA). However, some providers of tools used on the Website and in marketing activities process data in the United States of America.
  2. In the case of data transfer outside the EEA, AGroup ensures appropriate safeguards referred to in Art. 45 and Art. 46 GDPR as follows:

| Provider | Transfer mechanism |
|---|---|
| HubSpot Ireland Ltd. | Processing in the EU (Dublin, Ireland) — no transfer outside the EEA |
| Cloudflare, Inc. | EU-US Data Privacy Framework (DPF) — Commission adequacy decision 2023/1795 of 10 July 2023; SCC as backup mechanism |
| Calendly LLC | EU-US Data Privacy Framework (DPF); SCC as backup mechanism |
| Stripe, Inc. | EU-US Data Privacy Framework (DPF) + UK Extension + Swiss-US DPF; SCC as backup mechanism |
| Google LLC (Google Analytics) | EU-US Data Privacy Framework (DPF); SCC as backup mechanism |
| Microsoft Ireland Operations Ltd. (Clarity) | Processing within EU Data Boundary; in case of transfer to Microsoft Corp (USA) — DPF + SCC |
| Apollo.io (ZenLeads Inc.) | EU-US Data Privacy Framework (DPF); SCC as backup mechanism |
| Storylane Inc. | Standard Contractual Clauses (SCC) approved by Commission Decision 2021/914 of 4 June 2021; together with a Transfer Impact Assessment (TIA) |
| Cookiebot (Cybot A/S) | Processing in the EU — no transfer outside the EEA |

  3. In the event of revocation of the DPF adequacy decision — transfers to providers currently relying on DPF will be automatically covered by SCC, which are embedded in their DPAs as a backup mechanism.
  4. You may obtain a copy of the safeguards used by contacting the Controller or the DPO.

§ 10. Data subject rights

  1. Under GDPR, you have the right to:
    • access to personal data (Art. 15 GDPR);
    • rectification of inaccurate or incomplete data (Art. 16 GDPR);
    • erasure of data ("right to be forgotten") in the cases specified in Art. 17 GDPR;
    • restriction of processing (Art. 18 GDPR);
    • data portability (Art. 20 GDPR);
    • object to processing based on legitimate interests of the Controller, including profiling (Art. 21 GDPR);
    • withdraw consent at any time, where processing is based on consent — withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR);
    • lodge a complaint with a supervisory authority — in Latvia, this is the Data State Inspectorate (Datu valsts inspekcija), www.dvi.gov.lv. In accordance with Art. 77 GDPR, you also have the right to lodge a complaint with the supervisory authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
  2. The exercise of rights is free of charge. AGroup may refuse to fulfil a request only in cases provided for by GDPR (e.g. in the case of manifestly unfounded or excessive requests).
  3. AGroup responds to requests without undue delay, no later than within one month from receipt of the request. In the case of complex requests or a large number of requests, this period may be extended by a further two months, of which AGroup will inform the data subject.
  4. To exercise rights, please contact: dataprotection@hermetis.io.

§ 11. Cookies and similar technologies

  1. The Website uses cookies and similar technologies. Details concerning the categories of cookies used, their purposes, providers, and lifetimes are specified in a separate Cookie Policy, available at hermetis.io/cookie-policy.
  2. The configuration of cookie preferences is possible:
    • via the consent banner displayed on the first visit to the Website;
    • via the cookie management icon available in the footer of the Website;
    • via browser settings.

§ 12. Profiling and automated decision-making

  1. AGroup does not make automated decisions producing legal effects or similarly significantly affecting the data subject within the meaning of Art. 22 GDPR.
  2. AGroup uses profiling to a limited extent:
    • in CRM — for the purpose of segmentation of recipients of commercial and marketing communications (e.g. segmentation by industry, company size, geographic region);
    • in Apollo.io — for the purpose of identifying companies visiting the Website and enriching firmographic data.
  3. Profiling does not produce legal or similarly significant effects for the data subject. The data subject has the right to object to profiling carried out on the basis of the Controller's legitimate interests (Art. 21 GDPR).

§ 13. Data security

  1. AGroup applies appropriate technical and organisational measures to ensure the security of personal data, in particular:
    • encryption of data in transit (TLS 1.3) and at rest (AES-256);
    • access control based on the principle of least privilege; multi-factor authentication for administrative access;
    • monitoring of security events and detection of unauthorised access attempts;
    • regular backups with restoration testing;
    • regular reviews of access permissions;
    • employee training in data protection and information security;
    • confidentiality agreements with employees and subcontractors.
  2. Processing of data by the processors listed in § 8 takes place on the basis of data processing agreements (DPAs) compliant with Art. 28 GDPR, concluded in an individually negotiated form or by acceptance of the publicly available DPA of the provider incorporated into the service agreement. Links to security documentation and privacy policies of individual providers are in the table in § 8.
  3. AGroup holds the ISO/IEC 27001:2022 certification confirming the implementation of an Information Security Management System (ISMS) compliant with international standards.

§ 14. Changes to the Policy

  1. AGroup reserves the right to amend this Policy to reflect changes in:
    • legal regulations;
    • guidelines of supervisory authorities;
    • the scope or manner of providing services;
    • tools and providers used.
  2. The current version of the Policy, together with its effective date, is always available on the Website.
  3. AGroup will inform of material changes to the Policy through a prominent notice on the Website or — for newsletter subscribers — by email.

§ 15. Contact

In all matters related to personal data processing, including for the exercise of rights referred to in § 10, you may contact: