We collect almost nothing. Onyx Code is designed to keep your code on your machine.
- We never see, transmit, store, or train on your code, prompts, completions, file names, or project structure.
- The only data we receive from the Software is your license code, a hashed device ID, your app version, and (if you opt in) anonymized crash reports.
- Air-Gap Mode (network-level), .onyxnoai (file-level patterns), and a workspace AI kill switch (per-workspace) are three independent privacy layers, all available out of the box.
- Payments are processed by Stripe; license email is delivered by Resend.
- We do not use third-party tracking, advertising SDKs, session-replay tools, or telemetry by default.
- You have rights under GDPR, UK GDPR, and CCPA (see section 10). Email support@onyxcode.app to exercise them.
If anything below contradicts this summary, the longer text governs.
1. Who we are (the Data Controller)
Onyx Code is operated by Onyx Code (the “Company”, “we”, “us”), a product of LOKO Technologies Ltd. For privacy-related questions, contact support@onyxcode.app.
For purposes of GDPR and UK GDPR, we are the Data Controller for the personal data described in this policy. For the CCPA, we are a Business.
We do not have a Data Protection Officer at this time as we do not believe one is required under Article 37 GDPR; this position will be revisited if we expand into systematic large-scale processing.
2. Scope
This Policy describes how we handle personal data in connection with:
- The Onyx Code desktop application (the “Software”), Free and Pro tiers.
- The onyxcode.app marketing website, including pricing pages and the license recovery flow.
- The license activation API. We operate this directly for purchases made via onyxcode.app/buy/pro; for purchases made through our license partner codesnatch.io (the “codesnatch-member checkout” path and the codesnatch Premium bundle path), license records, device records, and activation email delivery are operated by codesnatch under a Data Processing Agreement. See section 8 for the sub-processor disclosure.
- Email communications related to license issuance, recovery, and material updates.
It does not cover:
- Stripe's payment processing (governed by Stripe's privacy policy).
- AI providers you connect via BYOK (governed by their privacy policies).
- AI models you download and run locally (no third-party privacy policy applies; the models run on your hardware).
- MCP servers you configure (governed by those servers' policies, if any).
3. What we do not collect
To make the privacy promise concrete, here is what the Software never transmits to our servers, regardless of tier or settings:
- Your code. Source files, snippets, edits, diffs, syntax-tree data, embeddings - none of it.
- Your prompts. What you type to the AI (chat messages, inline-edit instructions, voice transcripts) is not transmitted to us.
- AI completions or chat responses. Generated by your local model or your BYOK provider; we never see them.
- File or directory names.
- Project structure or metadata.
- Keystroke timings or behavioral biometrics.
- Screen contents or screenshots (multimodal image input is processed entirely locally).
- Voice audio (Whisper inference is local).
- MCP traffic between you and your configured MCP servers.
- Browser history, system files, contacts, location, or any data outside the Software.
This is a categorical commitment, not a setting. There is no telemetry pipeline in the Software that could transmit User Content. Air-Gap Mode disables even the activation refresh call.
Additional user-side controls
These complement the categorical promise above by letting you keep specific files out of the Software's local AI features:
- Air-Gap Mode - single toggle that blocks all outbound network from the Software (Settings → Privacy). When on, only localhost and your configured external server URL are reachable.
- .onyxnoai file - a gitignore-syntax file at your workspace root. Patterns there are excluded from chat context, autocomplete, RAG indexing, and any future local agent tools. Built-in defaults always cover common secrets (.env, **/secrets/**, *.pem, *.key, **/credentials*, .aws/**, .ssh/**); your file adds project-specific patterns and can negate defaults with !pattern.
- Workspace AI kill switch - one per-workspace toggle that turns every AI surface off without disabling the editor. Persists in .vscode/settings.json so it travels with the repo.
- AI Activity Log + audit PDF export - every AI interaction is recorded to ~/.onyxcode/activity-log/<YYYY-MM>.jsonl with counts and metadata only (timestamp, kind, workspace name, model identifier, token counts, latency, whether the call traversed the network). Never prompt text, completion text, or file contents. Default retention is 365 days.
4. What we do collect, and why
| Data | When | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|---|
| Email address | At Stripe checkout | License delivery, recovery, refund requests, material updates | Contract performance, Art. 6(1)(b) | Until deletion request + 7 years for tax records |
| License code | Server-generated at purchase | Activation, refresh, revocation | Contract performance | Until license revoked + 7 years |
| Hashed Machine ID | At each activation | Device-binding (3-device cap) | Contract performance | Until license revoked or device removed |
| App version | At each activation / refresh call | Compatibility, security update routing | Legitimate interest, Art. 6(1)(f) | 90 days |
| IP address (activation / refresh / deactivation) | Server log; activation / deactivation security email | Fraud prevention, rate limiting, abuse detection, device-binding "was this you?" notification | Legitimate interest | Server log: 30 days, then truncated to /24 (IPv4) or /48 (IPv6). Email: delivered once at activation / deactivation; retained per your email provider. |
| Stripe customer / payment IDs | At checkout | Payment, dispute handling | Contract performance | 7 years (tax) |
| Email-related events (delivered / bounced) | Sent by Resend | Diagnose delivery problems | Legitimate interest | 90 days |
| Crash reports (opt-in) | When the Software crashes, if enabled | Bug fixes | Consent, Art. 6(1)(a) | 12 months |
| Website analytics (Plausible) | When you visit our website | Marketing-funnel measurement, no cookies, no PII | Legitimate interest | 24 months aggregated |
| Customer support email contents | When you email us | Responding to you | Contract / Legitimate interest | 3 years |
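
The IP address row above keeps the full address for 30 days and then truncates it to /24 (IPv4) or /48 (IPv6). The following is an added example of such a retention pass, not Onyx Code's own code; the record field names, the sample log, and the handling of IPv4-mapped IPv6 addresses are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)   # full address kept this long (policy table)
PREFIX = {4: 24, 6: 48}          # /24 for IPv4, /48 for IPv6 (policy table)


def truncate_ip(raw):
    """Zero the host bits so only the /24 or /48 network remains."""
    addr = ipaddress.ip_address(raw)
    # Assumption: an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is handled as
    # IPv4; a /48 mask would otherwise collapse every such address to "::".
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{PREFIX[addr.version]}", strict=False)
    return str(net.network_address)


def apply_retention(records, now):
    """Return copies of the records, truncating addresses past RETENTION."""
    out = []
    for rec in records:
        age = now - datetime.fromisoformat(rec["ts"])
        ip = truncate_ip(rec["ip"]) if age > RETENTION else rec["ip"]
        out.append({**rec, "ip": ip})
    return out


# Constructed sample log (documentation address ranges, hypothetical fields).
SAMPLE_LOG = [
    {"ts": "2025-01-02T08:15:00+00:00", "event": "activate",
     "ip": "203.0.113.77"},
    {"ts": "2025-01-03T09:00:00+00:00", "event": "refresh",
     "ip": "2001:db8:abcd:12:3456::1"},
    {"ts": "2025-01-04T10:00:00+00:00", "event": "refresh",
     "ip": "::ffff:198.51.100.9"},
    {"ts": "2025-03-01T11:30:00+00:00", "event": "deactivate",
     "ip": "198.51.100.200"},   # 9 days old at NOW, so kept in full
]
NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rec in apply_retention(SAMPLE_LOG, NOW):
        print(rec["ts"], rec["event"], rec["ip"])
```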
4.1 What “Hashed Machine ID” means
The Machine ID is computed by hashing stable hardware identifiers (CPU model, first MAC address, OS UUID) with SHA-256. We never see your raw hardware identifiers; we only see the hash. The hash is one-way and cannot be reversed to identify your specific device.
4.2 Crash reports - what is and is not in them
If you opt in to crash reporting (off by default), a crash report contains:
- Crash type, error message, stack trace from our proprietary code.
- App version, OS version, CPU architecture.
- Anonymous installation ID (random UUID generated at first install, scoped to the app).
- Never: file paths, file names, file contents, prompts, completions, project metadata, environment variables, or user content of any kind.
Stack traces are sanitized client-side before transmission to remove any path components from the user's home directory.
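One way to implement the client-side sanitization described above, as an added example that is not Onyx Code's own code. The placeholder string, the function names, the sample trace, and the choice to redact the whole home-rooted path are assumptions.

```python
import re

PLACEHOLDER = "<redacted-path>"  # hypothetical marker, not taken from the page


def build_sanitizer(home_dirs):
    """Compile a regex matching any path rooted in a home directory."""
    # Generic home roots catch accounts other than the current user's.
    roots = [r"/home/[^/\s\"']+", r"/Users/[^/\s\"']+",
             r"[A-Za-z]:\\Users\\[^\\\s\"']+"]
    # Known home directories (for example os.path.expanduser("~")) are matched
    # literally and tried first, which covers homes in non-standard locations.
    literal = sorted((re.escape(h) for h in home_dirs if h),
                     key=len, reverse=True)
    head = "|".join(literal + roots)
    # The path runs until a quote, parenthesis, newline or ':<line number>',
    # so directory names containing spaces are consumed in full.
    tail = r"""[^"'()\n]*?(?=:\d|["'()\n]|$)"""
    return re.compile(f"(?:{head}){tail}")


def sanitize_trace(trace, home_dirs):
    """Replace every home-rooted path in a stack trace with PLACEHOLDER."""
    return build_sanitizer(home_dirs).sub(PLACEHOLDER, trace)


# Constructed sample trace mixing JavaScript-style and Python-style frames.
SAMPLE_TRACE = (
    "TypeError: cannot read properties of undefined\n"
    "    at load (/srv/homes/jane doe/.onyx/main.js:42:13)\n"
    "    at run (C:\\Users\\kim\\AppData\\Local\\Onyx\\app.js:10:3)\n"
    '  File "/home/sam/.local/share/onyx/plugin.py", line 7, in run\n'
    "    at boot (/usr/lib/onyx/core.js:5:1)\n"
)

if __name__ == "__main__":
    print(sanitize_trace(SAMPLE_TRACE, ["/srv/homes/jane doe"]))
```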
5. How we use your data
We use the data described in section 4 only for these purposes:
- Delivering the Software: issuing license codes, verifying activations, refreshing tokens.
- Customer support: responding to your emails.
- Fraud and abuse prevention: rate-limiting, detecting credential-sharing patterns, handling chargebacks.
- Service operation: diagnosing crashes, fixing bugs, routing security updates.
- Limited marketing: sending material updates about the Software (you can opt out of marketing-only emails at any time; you cannot opt out of license-related transactional emails).
- Legal compliance: tax records, responding to lawful requests.
We do not:
- Sell your data to anyone.
- Share your data with advertisers.
- Use your data to train AI models. The Software is incapable of doing so anyway, since we never receive your User Content.
- Build behavioral profiles for targeted advertising.
6. AI-specific disclosures
The Software integrates with AI models as follows:
- Local AI models you install (e.g. Qwen, DeepSeek, Codestral) run entirely on your hardware. We do not see inputs, outputs, or even the fact that you used them.
- BYOK cloud APIs (OpenAI, Anthropic, Groq, OpenRouter, others): when you configure a BYOK API key, the Software sends your prompts to that provider. We are not in the middle. That provider sees your prompts and responses subject to their privacy policy.
- Self-hosted remote inference (Pro tier): when you point the Software at your own remote inference server, traffic goes between your machine and your server. We are not in the middle.
- MCP servers: when you configure an MCP server, traffic goes between the Software and that server. We are not in the middle.
AI Output disclosure. AI-generated output may be inaccurate, may reproduce copyrighted material, and may contain biased or harmful content. We do not assume responsibility for AI Output (see the Terms of Service). The model card for each AI model typically lists known limitations.
9. International data transfers
If you are in the EU, UK, EEA, Switzerland, or another jurisdiction with restrictions on international transfers, your data may be transferred to and processed in the United States by certain sub-processors. These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Where applicable, an adequacy decision (e.g. the EU-US Data Privacy Framework, where the receiving party is certified).
- Supplementary technical measures (encryption in transit and at rest, hashed identifiers).
You may request a copy of the SCCs by emailing support@onyxcode.app.
10. Your rights
Depending on your jurisdiction, you have some or all of the following rights. To exercise any of them, email support@onyxcode.app from the email address associated with your license code. We respond within 30 days (GDPR) or 45 days (CCPA).
10.1 Rights under GDPR / UK GDPR (EU, UK, EEA users)
- Access - request a copy of the personal data we hold about you.
- Rectification - correct inaccurate data.
- Erasure (Right to be Forgotten) - request deletion, subject to legal retention obligations such as 7-year tax records.
- Restriction - ask us to limit processing in certain cases.
- Data portability - request a machine-readable copy of data you provided.
- Objection - object to processing based on legitimate interest.
- Withdraw consent - for any processing based on consent (e.g. crash reports), you may withdraw at any time.
- Lodge a complaint with your national data protection authority. EU users: EDPB members. UK users: ICO.
10.2 Rights under CCPA / CPRA (California users)
- Right to know what personal information we collect, use, and disclose.
- Right to delete, subject to retention obligations.
- Right to correct inaccurate data.
- Right to opt out of sale or sharing - we do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information - we do not collect sensitive personal information as defined under CPRA.
- Right to non-discrimination - exercising your rights does not affect your service.
10.3 Rights for other jurisdictions
If you are in Canada, Brazil, Australia, Japan, or another jurisdiction, you may have analogous rights under your local law. We honor reasonable requests under any applicable consumer-privacy law.
11. Children's privacy
The Software is not intended for use by children under the age of 16 (or under 13 in jurisdictions where 13 is the threshold, e.g. COPPA in the United States). We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, email support@onyxcode.app and we will delete it.
12. Security
We protect personal data with industry-standard measures, including:
- Encryption in transit (TLS 1.2+ for all network communication).
- Encryption at rest (database and email storage).
- License token signing with Ed25519. Keys are held only in our hosting provider's secret manager.
- Access controls - only authorized personnel can access production data, with audit logging.
- Hashed identifiers - Machine IDs are SHA-256 hashes; we never store the raw hardware data.
- Local secure storage - your activation token is stored in your operating system's secure keychain (macOS Keychain, Windows Credential Manager, libsecret on Linux), not in plain text.
No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you within 72 hours of becoming aware (as required by GDPR Art. 33-34) and notify the relevant supervisory authority where required.
13. Air-Gap Mode
The Software includes an Air-Gap Mode toggle (Settings → Privacy → Air-Gap Mode). When enabled:
- All outbound network communication from the Software is blocked at the application layer.
- License refresh calls do not occur (the cached token continues to validate Pro until expiry).
- Auto-update checks do not occur.
- Crash reports are not sent (regardless of opt-in status).
- A brand-green “AIR-GAPPED” badge appears in the title bar.
Air-Gap Mode is enforced by the Software but is not a substitute for OS or network-level firewalls. For high-assurance environments, pair it with an OS firewall rule blocking outbound traffic from the Onyx Code process.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced at least 30 days in advance via:
- A banner in the Software.
- An email to the address associated with your license code.
- A post at onyxcode.app/privacy.
We will retain prior versions on request.
15. Contact
For privacy questions, requests, or complaints:
Onyx Code, a product of LOKO Technologies Ltd.
support@onyxcode.app
For GDPR-specific requests, mark the subject line GDPR Request. For CCPA-specific requests, mark CCPA Request.
See our Terms of Service for the agreement that governs use of the Software.