HERMÉSZ • Gateway
Auth · organizations · snapshot transport

Privacy Policy

Last updated: June 2026

HERMÉSZ is a workforce scheduling and operational coordination platform designed for healthcare and organizational environments.

This public notice explains the categories of information that may be processed by HERMÉSZ. Before onboarding users, each deploying organization must provide any deployment-specific privacy information required by applicable law and its internal policies.

1. Scope and responsibility

HERMÉSZ supports workforce scheduling, operational coordination, organizational planning, and related administrative functions.

For organization-local workforce and operational data, the deploying organization determines authorized users, purposes, retention periods, and the information entered into the system. Gateway account and security data are processed as necessary to operate authenticated access to the pilot service.

2. Data categories

HERMÉSZ is not intended for unnecessary sensitive personal information or clinical patient records.

  • user account information, including name, email address, and role
  • scheduling, assignment, department, and organizational membership data
  • operational requests and approvals
  • authentication and session information
  • system, security, and audit logs
  • transactional email metadata

3. Purpose and lawful handling

Information is processed to provide authenticated access, scheduling and coordination functions, operational integrity, security monitoring, troubleshooting, backup, and recovery.

The deploying organization is responsible for identifying the legal basis applicable to its workforce and operational processing.

4. Security

  • password hashing and session validation
  • role-based access restrictions
  • audit logging and rate limiting
  • signed request validation and controlled mutation boundaries
  • encrypted transport, firewall controls, and protected service communication

5. Email communication

HERMÉSZ sends transactional and operational emails only, such as invitations, password resets, account lifecycle notices, and organization-related notifications.

HERMÉSZ does not use purchased mailing lists or unsolicited marketing campaigns.

6. Retention and service providers

Retention periods for organization-local records are determined by the deploying organization according to operational and legal requirements. Security and audit information may be retained for integrity, troubleshooting, and incident review.

Trusted hosting, security, email delivery, and backup providers may process information only as necessary to operate the service.

7. Requests and contact

Users should normally direct data-access, correction, deletion, restriction, or retention questions to their deploying organization. For gateway-account, privacy, or operational inquiries, contact [email protected].