Privacy Policy - Oxygen AI Positron for Web Author / Content Fusion

Effective Date: June 3, 2026

1. INTRODUCTION

1.1 About This Privacy Policy

This Privacy Policy describes how Syncro Soft SRL ("we," "us," or "our") processes data in connection with the Oxygen AI Positron Plugin (the "Plugin") when installed as a server-side add-on within Oxygen XML Web Author or Oxygen Content Fusion (collectively, the "Host Application").

This Privacy Policy governs the relationship between Syncro Soft SRL and your organization (the "Customer Organization" or "you") as the licensee and operator of the Plugin.

• You (Customer Organization) are the Data Controller for all data processed through the Plugin, including any personal data of your end users.
• We (Syncro Soft) provide the Plugin software that runs on your server infrastructure.
• Your end users are governed by your organization's privacy policies, not this document.

The Plugin is a server-side software component that:

• Runs entirely on your organization's server.
• Is installed and configured by your system administrators.
• Processes data locally on your infrastructure.
• We (Syncro Soft) do not have access to your server, your data, or your end users' data.

1.2 Scope of This Privacy Policy

This Privacy Policy describes:

• What data the Plugin software processes on your server.
• How the Plugin interacts with external AI services you configure.
• What data (if any) Syncro Soft receives or has access to.
• Your responsibilities as Data Controller.
• Technical capabilities and privacy features of the Plugin.

1.3 Related Privacy Policies and Services

• The Plugin does not provide AI services directly. Your organization must independently contract with external AI providers (OpenAI, Anthropic Claude, Google Gemini, etc.). Data transmission to these providers is governed by their privacy policies and your agreements with them.

1.4 Your Role as Data Controller

You (Customer Organization) are the Data Controller for all data processed through the Plugin:

• You determine what data is processed, for what purposes, and how long it is retained.
• You configure which AI services to connect to and what data to transmit to them.
• You are responsible for compliance with applicable data protection laws (GDPR, CCPA, etc.) regarding your end users.
• You must provide appropriate privacy notices to your end users.
• You must execute necessary Data Processing Agreements (DPAs) with AI providers.
• You are responsible for responding to data subject requests from your end users.

Syncro Soft's Role: We are the software provider. We do not:

• Access your server or your data.
• Control what data you process through the Plugin.
• Have any relationship with your end users.
• Process personal data on your behalf (except as described in Section 2 below).

2. DATA PROCESSING BY THE PLUGIN

This section describes what data the Plugin processes on your server infrastructure. All this data remains under your control. We (Syncro Soft) do not have access to any of this data unless you explicitly share it with us for support purposes.

2.1 Data Processed Locally on Your Server

The Plugin is designed to process the following categories of data on your server:

• Plugin Configuration Data (Stored in: Your server's configuration files)
  • Selected AI provider and models
  • Custom AI action configurations
  • RAG (Retrieval-Augmented Generation) settings
  • Feature enable/disable flags

  Your Control:

  • You configure all these settings through the Plugin's administration interface.
  • Data is stored in your server's file system or database.
  • You determine retention period (data persists until you modify or remove it).
• Authentication Credentials for External Services (Stored encrypted in the server configuration file)

  The Plugin stores credentials that you provide for connecting to external AI services (API keys, service endpoints, authentication tokens, organization IDs).

  Important:

  • These credentials are your secrets, obtained from your contracts with AI providers.
  • Stored encrypted on your server using industry-standard encryption (AES-128).
  • We (Syncro Soft) never have access to these credentials.
  • You are responsible for secure credential management and rotation.
• End User Data (Optional - Based on Your Configuration)

  The Plugin can be configured to store end user data on your server:

  • Conversation history: Chat messages, prompts, AI responses, timestamps
  • User preferences: Favorite prompts, custom actions, user settings
  • File attachments metadata: Names, types, sizes of files users attach
  • Performance caches: Recent AI responses, RAG indices, project structure caches

  Storage Details:

  • Encrypted at rest using AES-128 or equivalent.
  • Location: Your server's database or file system (as configured).
  • Backup and disaster recovery: Your responsibility.
  • Data deletion: You must implement appropriate deletion procedures.

2.2 Data Transmitted to External AI Services

When your end users use AI features, the Plugin facilitates transmission of data from your server to the AI services you have configured:

What Gets Transmitted:

• User prompts and chat messages
• Document content (partial or full, depending on action)
• Contextual information (document type, XML structure, validation errors, etc.)
• Project context via RAG (if enabled): related files, DITA maps, reusable components
• File attachments explicitly added by users

Data Flow:

• Data flows: User → Your Server → AI Provider
• The Plugin acts as a conduit running on your server.
• We (Syncro Soft) do not see, intercept, or log this data.
• You control what data is transmitted based on which AI features you enable, your .ai-ignore configurations, your RAG access restrictions and content filtering rules you configure.

2.3 Technical Support and Error Reporting. The Plugin may generate technical logs and error reports for plugin errors and exceptions.

• Your Control:
  • These logs are stored on your server.
  • You decide whether to share logs with us for support purposes.
  • You should review logs before sharing to ensure no sensitive data is included.
  • We only access this data if you explicitly send it to us (e.g., support tickets).

2.4 Privacy and Security Features of the Plugin. The Plugin provides technical capabilities for data protection. You are responsible for configuring and using these features appropriately:

• Access Controls:
  • File exclusion via .ai-ignore files
  • RAG access restrictions (limit AI to specific directories)
  • User permission management (control who can access AI features)
  • Feature-level enable/disable controls
• Content Protection:
  • Content filtering rules (auto-strip patterns like emails, phone numbers)
  • Manual review prompts (show users what will be transmitted)
  • Temporary RAG disable option
• Encryption:
  • Stored data encrypted at rest (AES-128)
  • Network communications encrypted in transit (TLS 1.2+)
  • Credential storage uses secure encryption

Your Responsibility:

• Configure these features according to your security requirements.
• Train administrators and users on proper usage.

3. THIRD-PARTY AI PROVIDERS - YOUR RESPONSIBILITY

The Plugin does not provide AI capabilities directly. You must independently contract with external AI providers (OpenAI, Anthropic Claude, Google Gemini, Microsoft Azure, etc.).

3.1 Data Processing by AI Providers. When the Plugin transmits data to AI providers on your behalf:

• AI providers process the data according to their privacy policies and your agreements with them.
• Syncro Soft is not a party to your agreements with AI providers.
• We do not control how AI providers process, retain, or use your data.

4. SECURITY FEATURES

The Plugin includes security features designed to protect data. However, since the Plugin runs on your infrastructure, you are ultimately responsible for security.

4.1 Security Features Provided by the Plugin

• Encryption:
  • At Rest: Conversation history, credentials, and caches are encrypted using AES-128.
  • In Transit: All network communications use HTTPS with TLS 1.2+ encryption.
  • Certificate Validation: SSL/TLS certificates are validated to prevent man-in-the-middle attacks.
• Access Controls:
  • Integration with Host Application's authentication and authorization system.
  • Role-based access control (RBAC) for Plugin configuration.
  • Per-user data isolation for conversation history.
• Privacy Controls:
  • File exclusion capabilities (.ai-ignore)
  • Content filtering options
  • RAG access restrictions
  • User permission management

5. YOUR OBLIGATIONS AS DATA CONTROLLER

Since you operate the Plugin on your infrastructure and control what data is processed, you are the Data Controller under GDPR, CCPA, and other data protection laws.

6. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify system administrators of significant changes by:

• Updating the "Effective Date" at the top of this document.
• Posting the updated policy at: https://www.oxygenxml.com/aipositron/webauthor_privacy.html
• For significant changes, we will notify registered organizational contacts via email (for Positron Service customers).

Your organization's continued use of the Plugin after the effective date of changes constitutes acceptance of the updated Privacy Policy. System administrators should review changes and update user-facing privacy notices accordingly.

7. CONTACT

For Privacy Questions:

• Email:
• System administrators should contact us for clarification on data processing practices.

For Security Issues:

• Email:
• Report security vulnerabilities or incidents promptly.