JURNITI°← Back to site
Legal

Privacy Policy

Effective date: May 10, 2026

This Privacy Policy describes how OranAI LLC, a Wyoming limited liability company doing business as “jurniti” (“jurniti,” “we,” “us,” or “our”), collects, uses, shares, and protects information about you when you use the managed Hermes Agent service available at jurniti.com, app.jurniti.com, and Customer-tenant subdomains (collectively, the “Service”).

This Policy is incorporated by reference into the Terms of Service and uses the capitalized terms defined there.

1. Who We Are

The data controller for personal data processed in connection with the Service is OranAI LLC, with principal office at 1007 N Orange St., 4th Floor, 2817, Wilmington, DE 19801, United States. For privacy questions, contact us at privacy@jurniti.com.

2. Information We Collect

2.1 Account Information

When you create an account we collect:

  • your email address and (optionally) name;
  • authentication tokens (we use magic-link sign-in; the link is hashed before storage and rotates after use);
  • a session cookie used to keep you signed in;
  • your selected plan, billing region, and Subscription preferences.

2.2 Billing Information

Payments are processed by Stripe, Inc. We do not store payment-card numbers, security codes, or full account details. We retain only the Stripe customer identifier, Subscription status, invoice IDs, the last four digits of your payment method (as Stripe returns them), and billing history necessary to operate the Service and to comply with tax and accounting obligations.

2.3 Service Usage Data

To operate the Service we record:

  • microVM identifiers, plan tier, the physical-host region (for example, Frankfurt), host assignment, start and stop timestamps;
  • aggregate network ingress/egress totals for billing and abuse prevention;
  • the IP address from which you access the dashboard or API (used for security and rate-limiting; not used for advertising);
  • browser, operating system, and approximate geographic location derived from IP, used to detect compromised sessions;
  • events that the platform flags as potentially abusive (sustained CPU at the plan limit, traffic patterns matching scanning, etc.).

2.4 Audit Logs

We maintain an audit log of administrative actions performed on your account through the control plane (account creation, plan changes, microVM provisioning, refunds, support intervention). Audit-log entries automatically redact fields whose names match secret-shaped patterns (for example, anything matching *key*, *token*, *secret*) before persistence.

2.5 Communications

If you contact us by email or through any support channel we provide, we retain the content of those messages, the email addresses involved, and any attachments, for the purpose of responding to and reviewing the support request.

2.6 Cookies and Similar Technologies

We use one essential first-party session cookie to keep you signed in. We do not use third-party analytics SDKs, advertising cookies, marketing pixels, fingerprinting, or behavioral tracking. See Section 12 for details.

3. What We Do Not Collect

Because the Service is designed around per-tenant Firecracker microVMs with hardware-enforced isolation, the following categories of data live only inside your microVM and are not visible to, transmitted to, stored by, or accessible to jurniti:

  • Your model API keys (BYOK Keys). Keys you paste into the Hermes Agent inside your microVM (for OpenRouter, OpenAI, Anthropic, Nous Portal, or any other model provider) reside only on your microVM’s persistent volume. We do not proxy your model traffic.
  • The content of agent messages, prompts, and model outputs. Conversations between you (or your end-users) and the Hermes Agent stay inside your microVM.
  • The contents of your persistent volume. Files, configuration, code, and data you store on the mounted persistent volume in your microVM are not read by us.
  • Third-party model provider request and response bodies. Your microVM calls model providers directly over the public internet using your BYOK Keys; we do not sit in the path.

Aggregate metadata (microVM CPU/RAM/disk/bandwidth usage totals, billing-relevant counters) is visible at the host level and is collected for abuse detection and capacity planning; this metadata does not include the contents listed above.

4. How We Use Information

We use the information described in Section 2 to:

  • provide, maintain, and operate the Service for you;
  • process payments, send invoices, and provide refunds;
  • communicate with you about your account, the Service, and changes to these policies;
  • respond to support requests and customer inquiries;
  • detect, prevent, and address fraud, abuse, security incidents, and Acceptable Use violations;
  • comply with legal obligations and respond to lawful requests from law-enforcement and regulatory authorities;
  • improve the Service in aggregate, non-identifying ways (for example, understanding which plan tiers are used most).

5. Legal Bases for Processing (EEA, UK, Switzerland)

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR (or the UK GDPR / Swiss FADP, as applicable):

  • Performance of a contract (Article 6(1)(b)) for account, billing, and Service-operation processing;
  • Compliance with legal obligations (Article 6(1)(c)) for tax, accounting, and lawful-request processing;
  • Legitimate interests (Article 6(1)(f)) for security, fraud prevention, abuse detection, and aggregate Service improvement, balanced against your rights and freedoms;
  • Consent (Article 6(1)(a)) where we ask for it expressly, for example before enrolling you in a non-essential mailing list (we do not currently operate any such list).

6. How We Share Information; Sub-Processors

We do not sell or rent personal data. We share information only with the following categories of recipients and only as necessary to operate the Service:

6.1 Sub-Processors

The current list of sub-processors that may process personal data on our behalf:

  • Stripe, Inc. (United States) — payment processing, subscription management, invoicing.
  • Resend, Inc. (United States) — transactional email delivery (sign-in links, billing receipts, account notices).
  • Hetzner Online GmbH (Germany) — bare-metal hosting in Frankfurt for the Firecracker microVMs that run Customer workloads.
  • Equinix, Inc. (United States and Germany) — fallback bare-metal hosting for the Firecracker microVMs (used only for capacity overflow).
  • Amazon Web Services, Inc. (United States) — control-plane infrastructure for the dashboard and APIs (Postgres, application server, secrets storage).
  • Cloudflare, Inc. (United States) — DNS, TLS termination at the edge, content delivery network for the marketing site, basic DDoS mitigation.

Each sub-processor is contractually required to process personal data only on our documented instructions and with appropriate technical and organizational safeguards. Material changes to this list will be communicated to active Customers by email at least thirty (30) days before the change takes effect; if you object, you may terminate the affected Subscription for a pro-rated refund of any prepaid unused Subscription Fees.

6.2 Legal Disclosures

We may disclose information if required to do so by law, regulation, court order, subpoena, or governmental request, or if we believe in good faith that disclosure is reasonably necessary to (a) comply with legal process, (b) protect the safety of any person, (c) address fraud or security issues, or (d) protect our rights or property. Where legally permitted, we will notify the affected Customer in advance.

6.3 Business Transfers

If we are involved in a merger, acquisition, financing, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity. We will notify you by email and through the dashboard before any such transfer becomes effective and before your information becomes subject to a different privacy policy.

6.4 With Your Direction

We share information with third parties when you direct us to do so (for example, by configuring the Hermes Agent inside your microVM to call a particular model provider with your BYOK Keys; that call leaves your microVM directly, without passing through us).

7. International Data Transfers

Personal data may be transferred to, and processed in, countries other than the country in which you are resident. Specifically, microVM hosting takes place in Germany while our control plane operates in the United States, so account and billing data crosses the EU–US border.

Where personal data of EEA, UK, or Swiss data subjects is transferred to a country that the European Commission has not deemed to provide an adequate level of protection, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914) and the UK Addendum or the Swiss FADP equivalent, as applicable, together with supplementary technical and organizational measures.

8. Data Retention

We retain personal data only as long as necessary for the purposes set out in this Policy:

  • Account data — for as long as your account is active, plus thirty (30) days after termination, after which we delete or anonymize it (subject to longer retention required for tax, accounting, or other legal obligations).
  • Persistent volume contents — preserved for seven (7) days after Subscription termination so you can request restoration, then permanently deleted.
  • Snapshots (Pro and Max plans) — the same seven-day window post-termination, then permanently deleted.
  • Audit logs — ninety (90) days, then permanently deleted, unless retained longer for an open security investigation or legal hold.
  • Billing records — up to seven (7) years to comply with U.S. federal and state tax-record-retention requirements.
  • Support communications — two (2) years from the last interaction.

9. Your Rights

Depending on where you live, you may have the following rights with respect to personal data we hold about you:

9.1 Rights for EEA, UK, and Swiss Data Subjects

  • Access a copy of your personal data (GDPR Art. 15);
  • Rectification of inaccurate or incomplete data (Art. 16);
  • Erasure in certain circumstances (Art. 17);
  • Restriction of processing in certain circumstances (Art. 18);
  • Data portability — receive your data in a structured, machine-readable format (Art. 20);
  • Object to processing based on legitimate interests (Art. 21);
  • Withdraw consent where processing is based on consent (Art. 7), without affecting the lawfulness of processing before withdrawal;
  • Lodge a complaint with a supervisory authority (Art. 77).

9.2 Rights for California Residents (CCPA / CPRA)

  • Right to know what categories and specific pieces of personal information we have collected about you, the purposes, the categories of sources, and the categories of third parties with whom we share it;
  • Right to delete personal information we have collected from you, subject to exceptions;
  • Right to correct inaccurate personal information;
  • Right to opt out of sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising;
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose beyond providing the Service;
  • Right to non-discrimination for exercising any of the above rights.

9.3 How to Exercise Your Rights

To exercise any of these rights, email privacy@jurniti.com from the email address associated with your account. We will respond within thirty (30) days (or, where required by law, within forty-five (45) days, with one possible extension as permitted). We may need to verify your identity by asking you to confirm details associated with your account before fulfilling certain requests.

10. Children

The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from anyone under 18. If you believe that a person under 18 has provided us with personal data, please email privacy@jurniti.com and we will take steps to delete that information.

11. Security

We implement reasonable technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:

  • TLS encryption for all data in transit between you and the Service;
  • encryption at rest for the persistent volumes attached to your microVM and for Postgres-resident control-plane data;
  • hardware-enforced KVM isolation between tenant microVMs running on the same physical host;
  • egress rate limiting and per-tenant network namespaces to contain abuse;
  • access-controlled audit logs of administrative actions;
  • least-privilege scoping of operator and contractor access;
  • periodic credential rotation and second-factor protection on operator accounts.

No system is completely secure. In the event we become aware of a personal-data breach affecting your information, we will notify the relevant supervisory authorities and affected Customers without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach (consistent with GDPR Art. 33), and as required by applicable U.S. state breach-notification laws.

12. Cookies

We use a single first-party session cookie to keep you signed in to the dashboard. This cookie is strictly necessary for the operation of the Service and is exempt from consent requirements under EU ePrivacy rules. We do not use:

  • third-party analytics or tag managers (no Google Analytics, no Segment, no Mixpanel);
  • advertising or marketing cookies;
  • retargeting pixels (no Meta Pixel, no LinkedIn Insight Tag, no TikTok Pixel);
  • cross-site tracking technologies or fingerprinting libraries;
  • session-replay tooling (no FullStory, no Hotjar).

If we ever introduce optional cookies (for example, for opt-in product analytics), we will update this Policy and request your consent before setting them.

13. Data Processing Addendum

For Customers acting as data controllers under the GDPR (or equivalent UK or Swiss law) and using the Service to process their end-users’ personal data, we make a Data Processing Addendum (DPA) available on request. Email legal@jurniti.com from the address associated with your account.

14. Changes to This Policy

We may update this Policy from time to time. When we do, we will post the updated Policy at jurniti.com/privacy and update the “Effective date” at the top. For material changes (including new categories of data collected or new purposes of processing), we will provide at least thirty (30) days’ advance notice by email or through the dashboard. Continued use of the Service after the updated Policy takes effect constitutes acceptance of the update.

15. Contact Us

For privacy questions, requests to exercise your rights, or to report a privacy concern, contact us at:

  • Email: privacy@jurniti.com
  • Legal notices: legal@jurniti.com
  • Mail: OranAI LLC, 1007 N Orange St., 4th Floor, 2817, Wilmington, DE 19801, United States