Legal
Privacy Policy
This policy describes how Zync (the open-source desktop SSH client) and https://zync.thesudoer.in (this marketing site) handle information. The Zync project does not operate application servers: there is no Zync cloud backend that receives SSH sessions, vault secrets, or terminal data.
Last updated: June 15, 2026
Summary
- SSH hosts, keys, passwords, vault data, and terminal content stay on your computer unless you connect to a remote server or turn on an optional cloud feature.
- No Zync-operated servers: the desktop app talks to your machines, public update hosts (GitHub), and third-party APIs you configure, not to Zync-owned infrastructure.
- We do not sell your data. Zync has no advertising or user-tracking telemetry in the desktop app.
- Optional features (Google Drive backup/sync, cloud AI APIs) send data only to the third-party services you configure or approve.
- This website is a static marketing/docs site with basic analytics. It never receives app credentials.
No Zync-operated servers
Zync is a local desktop application. The project does not run servers that store your SSH credentials, vault files, terminal history, or sync payloads.
- Vault, connections, and settings are stored on your device in the data directory you choose.
- Google OAuth and Drive sync connect directly between your computer and Google, not through a Zync proxy.
- Cloud AI (if enabled) connects directly from your computer to the provider you configure (Ollama locally, or your API key provider).
- Updates and marketplace metadata are fetched from public hosts such as GitHub when you use those features.
https://zync.thesudoer.in is a separate static website for downloads and documentation. It is not a Zync application backend and does not process vault or SSH data from the desktop app.
Zync desktop application
Zync stores data in a local data directory you choose at setup (or the default app data folder). Typical files include:
- connections.json: saved hosts, folders, tunnel definitions, and auth configuration
- settings.json: UI preferences, AI provider settings, and API keys you enter
- vault.redb: encrypted vault database (when vault is enabled)
- Snippet files, session/tab restore state, and sync metadata
No Zync-operated telemetry: the app does not send usage analytics, crash reports, or credential payloads to any Zync-operated server, because none exist for application data.
OS credential store: when you opt in, Zync may store device-bound unlock material in your operating system secure store (Windows Credential Manager, macOS Keychain, or Linux secret service) for vault session restore and Google sync token storage. This stays on your device.
Vault & credentials
The optional local vault encrypts SSH passwords and private keys at rest using Argon2id key derivation and authenticated encryption. Your vault passphrase is never uploaded anywhere.
- Recovery key: you may generate a recovery key; store it offline. Losing both passphrase and recovery key means local vault data cannot be recovered.
- Remember unlock on this device: optional convenience feature that caches unlock material in the OS credential store. Use "Forget device" on shared machines.
- Legacy plaintext: hosts not yet migrated to the vault may still store secrets in local connection files until you secure them via the vault migration flow.
See the vault documentation for architecture details.
Google sign-in & Drive sync (optional)
Google integration is opt-in. If you connect Google Drive for encrypted backup or sync, Zync opens Google's OAuth screen in your system browser. After you approve, OAuth tokens are stored locally (including refresh tokens in the OS credential store where supported).
OAuth scopes requested by Zync:
- https://www.googleapis.com/auth/drive.appdata: read/write a hidden app-specific folder in Google Drive (not your normal visible Drive files)
- email: identify which Google account is connected
What is uploaded: encrypted backup blobs you explicitly upload (vault snapshots, sync collections for hosts/tunnels/snippets/settings). Zync does not scan or index your personal Drive files outside the app data folder.
What is not uploaded: your vault passphrase, recovery key, or raw SSH private keys in plaintext.
You can disconnect inside Zync or revoke access in Google Account → Third-party access. OAuth traffic is between your device and Google; Zync does not operate an OAuth proxy server.
AI features (optional)
AI features are disabled until you configure them. All requests go directly from your machine to the provider you choose, never through Zync-operated servers. API keys live in local settings.json.
AI Command Bar (command suggestions):
- Sends limited context, such as a short excerpt of recent terminal output and basic session metadata, not full scrollback.
- Providers: Ollama (localhost), Google Gemini, OpenAI, Anthropic, Groq, or Mistral with your API key.
- Ollama: prompts stay on your machine when using a local instance.
AI Agent (autonomous tool-use over SSH): experimental / not fully optimized
- The agent can run shell commands, read files, and list directories on connected servers using tools. It is under active development and may behave unpredictably.
- May send more context to your chosen AI provider than the Command Bar, including your goal, prior agent messages, command output, file listings, and tool results from the current run.
- Destructive or high-risk actions can prompt for approval, but safeguards are not complete. Review carefully before enabling on production systems.
- Not recommended for sensitive environments until you have reviewed provider policies and tested on non-production hosts.
Cloud AI providers have their own privacy policies. You are responsible for what you send to them. See AI Command Bar documentation for redaction and safety behavior on command suggestions.
SSH sessions & remote servers
When you connect to a host, Zync establishes an SSH connection from your device to that server. Authentication material (password, key, or vault-resolved secret) is used locally to complete the handshake.
Remote operators (server admins, network paths, jump hosts) may log connection metadata or session activity according to their own policies. Zync does not control remote server logging.
SFTP file transfers move data between your machine and servers you connect to.
Plugins & extensions (optional)
Zync supports installable plugins and themes from the community marketplace (hosted on GitHub). When you install an extension:
- Plugin code runs inside Zync's plugin sandbox with declared permissions.
- Third-party extensions are not authored by the Zync core team unless marked official. Review extension source before installing.
- Vault raw secrets are not exposed to plugins by default; plugins receive only data you explicitly grant through supported APIs.
Installing a plugin may cause network requests to servers that plugin defines (outside Zync's control).
Updates & other network requests from the app
Even without using sync or AI, the desktop app may contact these public endpoints for product functionality:
- Auto-update check: github.com/zync-sh/zync/releases/... to compare your installed version with the latest release manifest.
- Release notes / About screen: GitHub's public API for version and contributor information when you open those views.
- Extension marketplace: raw.githubusercontent.com/zync-sh/zync-extensions/... when you browse or install marketplace items.
- Icon assets: optional remote icon URLs for connection display (e.g. public icon CDNs).
These requests do not include your SSH credentials or vault contents.
This website (zync.thesudoer.in)
This site is a static marketing and documentation website. It is not part of the Zync application backend. The Zync project does not run servers that store or process your SSH, vault, or terminal data.
When you browse this site, the following may occur:
- Microsoft Clarity: anonymous session analytics (heatmaps/recordings) to improve the website. See Microsoft's privacy statement.
- GitHub public API: the site may fetch the public star count for display (via a small cached request on the hosting platform).
- Third-party static hosting: the site is deployed on a standard static/edge hosting platform, which may keep routine access logs (IP, browser, pages requested) for security and operations. Those logs are not linked to Zync app data.
The website does not receive vault passphrases, SSH keys, or terminal output from the desktop application. The landing-page source repository is private; privacy questions should go through the public Zync app repository linked below.
Your choices
- Do not enable Google sync or AI features if you want zero third-party cloud use.
- Avoid the experimental AI Agent on production servers until you accept its limitations.
- Disconnect Google and revoke tokens anytime from Zync or Google Account settings.
- Delete local data by removing Zync's data directory or using in-app reset tools.
- Block website analytics with browser extensions or Do Not Track settings (site may still log server requests).
Because Zync stores data locally, export and deletion are primarily under your control on your device. Uninstalling Zync does not automatically erase your data directory unless you delete it manually.
Security responsibilities
You are responsible for protecting your device, OS account, vault passphrase, recovery key, and SSH private keys. Recommendations:
- Use strong, unique vault passphrases (12+ characters).
- Do not enable "Remember unlock" on shared or untrusted machines.
- Keep offline backups of recovery keys before relying on vault encryption.
- Review third-party AI and plugin permissions before use.
- Treat the AI Agent as experimental: verify commands and outputs on non-critical hosts first.
Children's privacy
Zync is a developer tool not directed at children under 13 (or 16 in certain jurisdictions). We do not knowingly collect personal information from children.
Changes to this policy
We may update this policy when features or legal requirements change. The "Last updated" date at the top shows the current version. Material changes will be reflected on this page; continued use of the website or app after updates constitutes acceptance of the revised policy.
Contact
Zync is an open-source desktop application. The Zync project does not operate application servers. For privacy questions or corrections to this policy, contact the maintainers via the public app repository:
For Google OAuth support email in Cloud Console, use the maintainer address you monitor for project support (e.g. your Gmail listed on the OAuth consent screen).