Privacy Policy
Last updated: April 2026
This Privacy Policy governs the processing of users' personal data through the website Omicron Knowledge Base, available at https://omicron.javocsoft.com.
For users located in the European Union or Spain, the processing of personal data is carried out in accordance with Regulation (EU) 2016/679 (GDPR) and the Spanish Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD), as well as Law 34/2002 on Information Society Services and Electronic Commerce (LSSI‑CE). For users located outside the EU, Omicron still applies privacy by design principles and provides tools to manage and delete personal data.
1. Data Controller
In accordance with Regulation (EU) 2016/679 (GDPR) and applicable data protection laws, we inform you that the controller of your data is:
Controller: Javier González Serrano (JavocSoft)
Address: Barcelona, Spain
Email: admin@javocsoft.com
2. Data we process
Through the Website we may process the following categories of personal data, which can be contained in the files you upload to the platform:
- Account and access data (for example, email address, username, hashed password).
- Technical usage data (IP address, session identifiers, access logs, etc.).
- Content of documents uploaded by the user in the following formats: pdf, doc, docx, xls, xlsx, txt and md. Such content may include personal data of third parties (names, email addresses, professional information, etc.).
- Content of rich text notes and knowledge capsules (question‑answer pairs) created by the user, which may also contain personal data.
- Data derived from processing the uploaded documents, such as text fragments and embedding vectors stored in a vector database, used to enable semantic search and AI‑based queries.
- Data stored by the user in the Secure Vault: credential name, folder, username, password, authentication keys (TOTP secrets, API keys), notes, tags and website URLs. All fields are encrypted with AES‑256‑GCM at rest using a per‑user key. Passwords, usernames and authentication keys are never indexed for AI search, never sent to any external AI provider, and are only accessible to the owning user. Only the credential name, folder and notes fields are indexed for semantic search (they may be included as context fragments in calls to AI services solely to answer questions about the user's stored credentials).
- Text notes created by the user may contain references to stored credentials in the form of @sc;XXXXXXXXXXXX tokens. These tokens are plain‑text identifiers that are indexed as part of the note content; they do not expose any credential secret.
The controller does not access the content of the documents, notes or knowledge capsules in clear text: files are stored encrypted both in the database and on disk. Users cannot access other users' content, and the administrator cannot view document content, titles, note content, capsule answers, download the files in clear text, or see the generated text fragments.
3. Purposes of the processing
Your data will be processed for the following purposes:
- To create and manage your user account in Omicron Knowledge Base.
- To allow you to upload, store (in encrypted form) and manage the documents, notes and knowledge capsules you provide to the service.
- To process your documents, notes and knowledge capsules in order to extract text fragments, send those fragments to an external AI service to generate embedding vectors, and store the resulting vectors in a vector database (Qdrant running on servers hosted in Spain), so that advanced semantic search and query features can be provided.
- To send relevant text fragments from your documents, notes and knowledge capsules as context to an external AI service in order to generate answers to your conversational queries.
- To allow you to store private credentials (passwords, API keys, TOTP secrets, etc.) in an encrypted personal vault, and to enable the AI assistant to reference those credentials by name in its responses, without ever accessing or transmitting secret values (passwords, usernames, authentication keys).
- To maintain the security of the service, prevent misuse or unlawful use, and manage technical incidents.
- To send you service‑related communications (technical notices, changes to terms, etc.), where necessary.
4. Legal basis for processing
The legal bases for processing your personal data are:
- Performance of a contract (Art. 6.1.b GDPR): providing the Omicron Knowledge Base service under the terms accepted by the user.
- Legitimate interest (Art. 6.1.f GDPR) of the controller in maintaining the security of the Website, preventing fraud and improving the quality of the service.
- Where applicable, consent (Art. 6.1.a GDPR) for additional specific purposes (for example, analytics cookies).
5. Recipients and processors
As a general rule, your data will not be disclosed to third parties, unless required by law. However, certain providers need access to personal data as processors:
- Infrastructure hosting provider: Linode / Akamai, which hosts the servers running the Website and the vector database in data centers located in Spain or within the European Union.
- AI service providers that receive text fragments of your uploaded content for two purposes: (a) generating embedding vectors during document, note and capsule processing, in order to enable semantic search; and (b) as context to generate answers to your conversational queries. Depending on the platform configuration, one or more external AI service providers located outside the EEA (in the United States) may be used. Appropriate safeguards apply as described in section 6 below. Credential secrets (passwords, usernames and authentication keys) are never transmitted to any AI provider.
- Analytics provider: Google LLC (Google Analytics 4), which receives anonymised usage data only when the user has given explicit consent through the cookie consent banner.
Appropriate data processing agreements have been entered into with all such providers, in accordance with Article 28 GDPR.
6. International data transfers
The controller aims to ensure that personal data is processed within the European Economic Area (EEA). If any AI or infrastructure provider carries out data transfers outside the EEA, such transfers will be based on an adequacy decision by the European Commission or on appropriate safeguards such as standard contractual clauses, in accordance with Articles 44 et seq. GDPR.
7. Data retention
Personal data will be kept for as long as the user maintains an active account and does not request deletion, and for the periods required to comply with legal obligations or for the exercise or defence of legal claims.
Uploaded documents, notes, knowledge capsules and their associated embeddings may be deleted when the user deletes their account or content, or after a reasonable period of inactivity as indicated in the Terms of Use. Encrypted backups are retained for a maximum of 14 days solely for disaster recovery purposes.
8. Users' rights
In accordance with the GDPR and the LOPDGDD, you may exercise your rights of access, rectification, erasure, restriction of processing, data portability and objection at any time, as well as withdraw your consent where applicable.
Omicron provides self‑service tools that allow you to manage your account settings, download your data and permanently delete your account along with all associated data directly from the application interface.
To exercise these rights by other means, please send a written request to: admin@javocsoft.com.
You also have the right to lodge a complaint with the competent supervisory authority. Within Spain, this is the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es).
9. Data security
The controller applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of information stored in databases and on disk.
- Logical separation of each user's data, so users cannot access other users' documents, notes or capsules.
- Access restrictions: the system administrator cannot view document content, note content or capsule answers in clear text, cannot download files in clear text, and cannot access the generated text fragments.
- Credential secrets (passwords, usernames, authentication keys) stored in the Secure Vault are never sent to any AI service, never indexed in the vector database, and are never accessible to the administrator in clear text.
- Daily automated backups of all system data, stored locally and on a geographically separate off‑site server. All external copies are encrypted before transfer and are subject to a 14‑copy retention policy.
- Defined procedures for detecting, reporting and managing security incidents.
10. Cookies and storage technologies
This Website uses cookies set by Google Analytics 4 to collect anonymous, aggregated usage statistics. These analytics cookies are only loaded after you give your explicit consent through the cookie consent banner shown on your first visit.
The Website also uses browser local storage (localStorage) to store strictly necessary technical preferences, such as interface theme, language selection and your cookie consent choice. This information is not shared with third parties.
11. Changes to this Privacy Policy
The controller reserves the right to amend this Privacy Policy to adapt it to legal or case‑law developments, as well as to changes in the provision of the service. In the event of material changes, users will be informed through the Website or by other appropriate means.