Privacy Policy - Oxygen AI Positron for Desktop

Effective Date: June 3, 2026

1. INTRODUCTION

1.1 About This Privacy Policy

This Privacy Policy describes how Syncro Soft SRL ("we," "us," or "our") collects, uses, processes, and protects your personal information when you use the Oxygen AI Positron for Desktop Plugin (the "Plugin") as an add-on within Oxygen XML Editor, Oxygen XML Author, Oxygen XML Developer, or Oxygen JSON Editor (collectively, the "Host Application").

Important: The Host Application is a standalone desktop application that runs entirely on your computer (on-premise). It is not a SaaS (Software-as-a-Service) or cloud-based application. The Plugin is an add-on installed locally within this desktop application that enables AI-powered features by connecting to external AI services that you configure.

1.2 Scope of This Privacy Policy

This Privacy Policy applies specifically to the Oxygen AI Positron for Desktop Plugin and describes:

• Data collected and processed locally by the Plugin.
• Interactions with external AI services via the Oxygen AI Positron Service or direct connections.
• Your rights and data protection.
• Privacy controls for protecting sensitive information.

1.3 Relationship with Other Privacy Policies

This Plugin operates as part of a larger ecosystem with distinct privacy policies:

• This Privacy Policy (Plugin): Governs data processing by the Plugin within your Host Application, including what document content and user inputs the Plugin sends to AI services.
• Oxygen AI Positron Service Privacy Policy: Governs account creation, authentication, billing, and API request routing through our service hub. Available at: https://www.oxygenxml.com/aipositron/privacy.html
• Host Application Privacy Policy: The Oxygen XML Editor/Author/Developer application has its own privacy policy governing the main application's data processing. Available at: https://www.oxygenxml.com/privacy_policy.html
• Third-Party AI Provider Privacy Policies: When you select an external AI provider (OpenAI, Anthropic Claude, Google Gemini, etc.), that provider's privacy policy governs how they process your AI requests.

The Plugin does not provide AI services directly. Instead, it connects to external AI services that you have independently contracted with:

• For Oxygen AI Positron Service: You must create an account at https://aipositron.oxygenxml.com/ and purchase a subscription before configuring the Plugin. In this mode, the Plugin connects to AI providers through our secure routing service. We act as a "pass-through" and we do not store or log the content of your AI requests or responses.
• For Direct AI Provider Connection: You must have an existing account with the AI provider (OpenAI, Anthropic Claude, Google Gemini, etc.) and possess valid API credentials before configuring the Plugin. Your data travels directly from your computer to the AI provider. Syncro Soft never sees, handles, or routes this data.

2. DATA WE COLLECT AND PROCESS

2.1 Categories of Data. The Plugin processes different categories of data with different characteristics:

• Plugin Configuration and Preferences (Stored Locally)
  • What We Collect:
    • Connection settings and AI provider selection
    • Custom AI action configurations and favorite prompts
    • Excluded files/folders (via .ai-ignore configuration)
    • RAG (Retrieval-Augmented Generation) settings
  • Where It's Stored: Locally on your computer in the local user preferences directory.
  • How Long: Stored indefinitely (this data persist even after uninstalling the Plugin or Host Application and must be manually deleted from preferences for complete removal).
• Authentication Credentials (Stored Locally, Encrypted).

  Note: The Plugin does not create these credentials. You must obtain them from your external AI service provider before configuring the Plugin.

  • What We Store Locally:
    • For Oxygen AI Positron Service: Auth refresh token that we obtained when you logged into your Positron Service account.
    • For Direct Connections: API keys that you obtained from your AI provider, Service endpoint URLs, Deployment names or model identifiers, Authentication tokens or client credentials (for enterprise services), Organization IDs or project IDs (if required by the provider).
  • Where It's Stored: Locally on your computer in encrypted format in the local user preferences directory.
  • How Long: Until you disconnect the service, remove credentials, or manually remove them (otherwise credentials persist in your encrypted preferences even after Plugin or Host Application uninstall).
• Conversation History and Local Caches (Stored Locally, Encrypted)

  Important: All user-specific content is stored encrypted locally and cannot be used by others without your authorization.

  • What We Store Locally:
    • Your chat messages and prompts
    • Timestamps of interactions
    • Attached files/images metadata (file names, types, sizes)
    • Tool calls and action invocations
    • Context information (document type, selection, etc.)
    • Favorite prompts and custom actions
    • Recent AI responses for quick re-access
    • RAG (Retrieval-Augmented Generation) index data from your project
    • Project structure analysis cache
  • Where It's Stored: Locally on your computer in encrypted format in the local user preferences directory. They are never transmitted to Syncro Soft servers or synchronized across devices. If you use the Plugin on a different computer, your conversation history and favorite prompts will not be available unless you manually export and import them.
  • How Long:
    • Conversation History: Stored indefinitely until manually deleted (configurable for auto-deletion).
    • Favorites: Stored indefinitely until manually deleted.
    • Caches: Subject to size limits and automatic cleanup (configurable).
    • All Data: Persists on disk even after Plugin or Host Application uninstallation. Must be manually deleted for complete removal.
• Document Content and Context (Transmitted, Not Stored by Plugin)

  When you use AI features, the Plugin may transmit the following to AI providers:

  • User Input:
    • Chat messages, prompts, and instructions
    • Voice recordings (converted to text)
    • Instructions for specific AI actions you invoke
  • Selected Text and Document Content:
    • Selected text or current paragraph
    • Full document content (when an action requires it or variables like ${document} are used)
    • Original or final versions of tracked changes
  • Contextual Information automatically included:
    • Document type (XML, DITA, DocBook, XSLT, XSD, Schematron, etc.)
    • Current cursor position, selection range and validation errors
    • Schema information and Document framework if relevant to the action
  • Project Context via RAG (when enabled):
    • Relevant project files: Content from other documents in your project
    • DITA map structure: Hierarchy and organization of DITA topics in the current map
    • Reusable components: Content from the DITA Reusable Components index
    • Related links: Content from topics referenced in the current document's relationship table or related-links
    • Indexed content: Text extracted from project files indexed by the Host Application's search functionality
  • File Attachments: Files you explicitly add to the conversation (encoded for transmission).

2.2 Privacy Controls and Content Exclusion.

The Plugin provides several mechanisms to protect sensitive information from being transmitted to AI services:

• File Exclusion via .ai-ignore. The Plugin reads .ai-ignore files from your project to determine which files and folders should be excluded from AI processing (including RAG indexing and context inclusion).
• Manual Content Review Before Transmission. The Plugin provides visual indicators and confirmation dialogs to help you understand what content will be transmitted.
• Automatic Content Filtering: Configure rules to automatically strip certain patterns (e.g., email addresses, phone numbers) before transmission.
• RAG Access Controls: Limit AI read/write access to specific directories.

2.3 Special Categories of Personal Data. The Plugin is not designed for processing Special Categories of Personal Data as defined in GDPR Article 9.

2.4 Separation of Concerns. The Plugin only processes data when:

• You have actively configured and enabled connection to an external AI service.
• AI features are invoked—either manually (chat, actions) or automatically (autocomplete, if enabled).

Otherwise, the Plugin is dormant and does not collect, transmit, or process any data.

3. THIRD-PARTY AI PROVIDERS

When you use AI features, your data will be processed by the AI provider you select (OpenAI, Microsoft Azure, Anthropic, etc.) according to their privacy policies, not this Privacy Policy. Your responsibility is to:

• Review AI provider privacy policies before using their services.
• Understand each provider's data retention and usage practices.
• Assess whether each provider is appropriate for your data types.
• Ensure you have lawful basis to send personal data to each provider.

4. DATA PROTECTION AND SECURITY

Local Data Security:

• Encryption at Rest: Conversation history, credentials, and caches are encrypted using industry-standard encryption (AES-128).
• Access Controls: Data is protected by your operating system's user account permissions.
• No Cloud Sync: Plugin data is never synchronized to cloud services by Syncro Soft.

Data in Transit:

• HTTPS/TLS Encryption: All network communications use HTTPS with TLS 1.2+ encryption.
• Certificate Validation: The Plugin validates SSL/TLS certificates to prevent man-in-the-middle attacks.
• No Intermediate Storage: Data passes directly from your computer to the configured AI service (or through Positron Service as a pass-through).

5. YOUR RIGHTS (GDPR/CCPA Compliance)

Since the Plugin is a desktop tool, you are the primary "Data Controller" for the information you process. Under GDPR and other laws, you have the right to access, delete, or limit the processing of your data. Since most data is local, you can exercise these rights by:

• Clearing your local chat history.
• Deleting your API keys/credentials from the settings.
• Managing your account at https://aipositron.oxygenxml.com/ (if you are using the plugin with Positron Service).

6. CONTACT

• Privacy Questions:
• Security Issues: