Privacy Policy

1. Who We Are

Central-Intel LLC ("we," "us," or "our") operates the Central-Intel desktop application (available for macOS, Windows, and Linux), the Central-Intel mobile application (available on iOS and Android), and the associated web service at central-intel.ai. We provide a multi-provider AI assistant platform that lets you connect your own AI API keys, run local AI models, build personal knowledge bases, and run automated AI workflows.

For questions about this policy, contact us at [email protected].

2. Information We Collect

Account information

When you sign in using a social login provider (Google, GitHub, or others supported by our authentication system), we receive your email address from that provider. This is the only piece of personally identifiable information stored on our servers. We do not receive your name, profile picture, or any other profile data from the OAuth provider unless you explicitly grant additional permissions.

Device name

When you first authenticate on a device, your device's name (e.g. "Kevin's iPhone") is sent to our server along with your authentication token. This is used to identify authorized devices in your account settings. You can revoke device access at any time.

Billing information

If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store only a Stripe customer ID on our servers — no card numbers, no billing addresses, no payment details of any kind.

Usage metadata (billing transparency)

When you use Central-Intel Cloud credits to make AI requests through our relay, we log the following metadata: the model name used, the request type (chat or extraction), prompt and completion token counts, estimated and actual cost, and a timestamp. This data powers the transaction history visible in your account settings. We never log the content of your messages, prompts, or AI responses — only the billing metadata described above.

Billing cost calculation

To calculate token costs accurately, we use LiteLLM, an open-source library (MIT license) that maintains a community-updated pricing database for AI models. LiteLLM runs entirely within our server process — it performs token counting and cost lookups locally and does not send your messages, tokens, or any user data to external servers. Its pricing database is a static JSON file bundled with the library.

Session cookie

When you sign in to the Central-Intel web portal, we set a single authentication cookie called ci_session. This cookie is httpOnly, secure, and strict same-site, with a maximum age of 7 days. It contains an opaque session identifier — no personal data. We do not use any tracking, analytics, or advertising cookies.

Device identity keys

Each device you use with Central-Intel generates a unique cryptographic keypair (X25519 for encryption, Ed25519 for signing). The public keys are registered on our server so your devices can discover and verify each other during the pairing process. Private keys never leave your device — they are encrypted at rest and are not transmitted to us or any third party.

What we do NOT collect

• Your chat messages or conversation history
• Documents or files you upload to your knowledge base
• The plaintext content of your memory items (encrypted copies may transit our server for cross-device sync — see Section 4)
• Your AI provider API keys (OpenAI, Anthropic, etc.)
• Crash reports, behavioral telemetry, or advertising analytics (we do offer opt-in anonymous usage analytics — see below)
• Location data of any kind
• Contacts, photos, or other device content

Health data (Android — Health Connect)

If you grant permission, the Android app can read data from Health Connect: steps, heart rate, resting heart rate, heart rate variability (HRV), VO2 max, sleep sessions, nutrition, weight, body fat percentage, lean body mass, basal metabolic rate (BMR), active and total calories burned, exercise sessions, and floors climbed. This data is pulled at the time of your request only — it is injected into the AI prompt context so your assistant can provide personalized health insights. It is never stored on our servers, never written to any database, and never transmitted outside of the AI request you initiated. You can revoke health permissions at any time in the app settings.

Calendar data (Google Calendar)

If you connect Google Calendar, the app syncs your calendar events (read-only) into your local knowledge base for contextual responses. Calendar OAuth tokens are encrypted using Fernet symmetric encryption and stored on our server — the tokens allow the app to fetch your events, but your calendar data itself stays on your device. You control which calendars are connected, and you can disconnect at any time.

Email data

You can add emails to your local knowledge base for contextual AI responses. Email content is processed and stored entirely on your device — it is not transmitted to our servers.

Anonymous usage analytics (opt-in)

If you opt in (default: off), we collect anonymous usage data to understand feature adoption and improve the app experience. This includes: which screens are visited, how often, session duration, experience level selected, onboarding progress, feature usage patterns, and model selection. This data uses a random device UUID (not your hardware ID, IMEI, or any personal identifier), is not linked to your identity, and is auto-deleted after 90 days. We never collect message content, file content, personal information, or API keys through analytics. You can opt out at any time in Settings, which immediately clears any pending analytics events.

Anonymous benchmark results (opt-in, desktop only)

When you run a local model benchmark on the desktop app and analytics opt-in is enabled, we also collect: hardware class (e.g. "NVIDIA 24 GB"), model name, quantization format, tokens/sec, time-to-first-token, accuracy score, and app version. These fields are aggregated across devices, kept in a bounded recent-sample window, and auto-deleted after 90 days. No device identifier, no account, no message content, no personal information is included. This data is used solely to improve the model-compatibility predictions shown to all users.

3. How We Use Your Information

We use the limited information we collect for the following purposes:

• Authentication: Your email address identifies your account and allows you to sign in across devices.
• Device authorization: Your device name lets you see and manage which devices are connected to your account.
• Billing: Your Stripe customer ID enables subscription management, usage-based billing for Central-Intel cloud model credits, and account balance checks.
• Service communications: We may use your email to send transactional messages (password reset, billing receipts, service outage notices). We do not send marketing emails without your explicit opt-in.
• Billing transparency: Usage metadata (model name, token counts, cost) lets you review your transaction history and verify charges.

We do not use your information to train AI models, build advertising profiles, or sell data to any third party for any purpose.

4. Data Stored on Your Device

The vast majority of Central-Intel data never leaves your device. The following is stored locally using iOS Core Data (on iPhone), Android Room (on Android), or SQLite and the local filesystem (on the desktop application), and is not synced to our servers unless you opt into cross-device memory sync (see below):

• Chat history: All conversations with AI models are stored locally only.
• Profiles: Your custom system prompts, model preferences, and temperature settings.
• Pipelines: Automation workflows you create.
• Knowledge base (RAG): PDFs and documents you upload, including their full text content and vector embeddings computed for semantic search.
• Memory items: Facts extracted from conversations and stored for future context.
• API keys: Your AI provider API keys (OpenAI, Anthropic, Gemini, etc.) are stored in the OS-level encrypted keychain and are only accessed locally to make API calls on your behalf.
• Local AI models: Central-Intel uses llama.cpp as the default local inference engine. Model weights (Llama, Gemma, Qwen, and others) are downloaded to your device and run entirely locally — prompts sent to local models never leave your device. You can also connect to Ollama instances on your local network. These models are provided under their respective licenses: Meta Llama Community License, Google Gemma Terms, and Qwen (Apache 2.0).
• Preferences: Theme, experience level, and app goals.

Important: Because this data is local-only, it is permanently lost if you uninstall the app. We cannot restore it for you. We recommend exporting any important data before uninstalling.

Cross-device memory sync

If you enable memory sync, your memory items are encrypted on your device using AES-256-GCM with a vault key that only your devices possess, then transmitted to our relay server as opaque encrypted blobs. Our server cannot decrypt these items — it stores them temporarily in RAM (with a 24-hour time-to-live) to facilitate delivery to your other devices. The server holds only the encrypted ciphertext, a random nonce, and a timestamp — never the plaintext. Encrypted sync data does not survive a server restart and is purged automatically when the TTL expires.

5. Third-Party AI Providers

Central-Intel connects to AI providers that you explicitly configure. When you send a message, that message — along with any relevant context from your knowledge base or memory — is transmitted directly to the provider you selected. We do not intercept, log, or retain that content.

The providers you may connect, and links to their privacy policies, are:

Provider	Privacy Policy
Central-Intel Cloud (default)	This document
OpenAI	openai.com/policies/privacy-policy
Anthropic	anthropic.com/privacy
Google Gemini	policies.google.com/privacy
Groq	groq.com/privacy-policy
Mistral AI	mistral.ai/privacy
Together AI	together.ai/privacy
Cohere	cohere.com/privacy
DeepSeek	deepseek.com/privacy_policy
xAI (Grok)	x.ai/legal/privacy-policy
OpenRouter	openrouter.ai/privacy
Azure OpenAI	Microsoft Privacy Statement
Ollama (optional, LAN/local)	Fully local inference — prompts stay on-device or your LAN. See ollama.com/privacy.
llama.cpp (default local engine)	Fully local inference — prompts never leave your device. See github.com/ggerganov/llama.cpp.

Subscription authentication ("Sign in with Claude" / "Sign in with ChatGPT")

Some providers — currently Anthropic (Claude Pro / Max), OpenAI (ChatGPT Plus / Pro), and xAI (SuperGrok / X Premium+) — let you sign in to a personal AI subscription and route requests against that subscription instead of an API key. We support this so users with an existing subscription don't have to pay twice. This mode is intentionally different from the rest of the app, and you should understand the trade-off before turning it on.

• Authentication is non-anonymous to the provider. You sign in to the provider with your own account credentials via their OAuth flow. The provider sees that you are signed in and processes your subsequent inference requests under your account — exactly as if you were using their first-party app. This is unavoidable: subscription- based inference fundamentally requires the provider to know which subscriber to bill.
• We use OAuth client identifiers that the providers have allowlisted. None of Anthropic, OpenAI, or xAI currently offers a way for third-party apps to register their own OAuth client for subscription inference. To make subscription mode work today, the desktop app announces itself to the provider's OAuth server using a public OAuth client identifier that the provider has allowlisted: for Anthropic and OpenAI, the identifier published by the provider's own first-party CLI (Claude Code CLI / Codex CLI); for xAI, the identifier allowlisted by xAI for the open-source hermes-agent project. For Anthropic and OpenAI, chat requests are then executed by invoking the installed first-party CLI binary as a subprocess on your device, so the actual call that reaches the provider is structurally indistinguishable from running the CLI manually in a terminal. For xAI, chat requests are made via direct HTTPS to api.x.ai/v1 with the OAuth Bearer token — no CLI subprocess. This is the same approach used by other open-source community projects that integrate with these subscriptions. If a provider publishes a dedicated third-party-client program in the future, we will switch to it. Central-Intel does not bundle, distribute, or modify the first-party CLIs — you install them directly from the provider (xAI has no CLI prerequisite).
• Your access tokens are encrypted on your device. The tokens issued by the provider's OAuth server are stored in a local encrypted SQLite database (Fernet symmetric encryption) on the desktop. They are never transmitted to our relay server. Signing out of the provider, or signing out of Central-Intel entirely, wipes the tokens immediately.
• Subscription mode is fully optional and off by default. Subscription authentication is not enabled until you click "Sign in with Claude", "Sign in with ChatGPT", or "Sign in with SuperGrok" on the relevant provider card. API-key mode and local-model mode remain anonymous-by-default and continue to behave exactly as they did before subscription auth existed.
• Personal, single-user use only. Subscription mode is intended for use of your own subscription, on devices you control. Section 7a of our Terms of Service prohibits using subscription mode to provide access to other people — including via the desktop tunnel feature, paired device sharing, or any other mechanism that would route other people's requests through your subscription. Multi-tenant or resale use violates both these Terms and the provider's Terms of Service.
• Your usage on a subscription plan is governed by the provider's terms. Once you sign in, the provider's usage policy, rate limits, and acceptable-use rules apply to your activity through Central-Intel just as they would in the provider's own client. See the provider's privacy policy in the table above and Section 7a of our Terms for the full user-responsibility breakdown.
• The feature may be disabled at any time. Because subscription mode operates in territory the providers have not formally blessed, we reserve the right to disable it for any provider at any time (e.g. if the provider requests we do so, rotates the OAuth client identifier, or changes its terms in a way that makes the integration non-viable). Disablement is not a breach and you are owed no refund or credit for an optional, off-by-default feature being turned off. See Section 7a of our Terms of Service.

Embeddings: When you add documents to your knowledge base, their text is sent to OpenAI's Embeddings API to generate vector representations for semantic search. This occurs only if you have connected an OpenAI API key. The text is sent under your API key, subject to OpenAI's privacy policy linked above.

Local network discovery (desktop)

The desktop application can scan your local network (the /24 subnet your device is connected to) for other Ollama instances running on your LAN. This scan sends TCP connection probes to port 11434 on addresses within your local network, followed by HTTP requests to any responding hosts to confirm they are running Ollama. This traffic stays entirely within your local network and is not routed through our servers. No information about discovered devices is sent to us.

Important: Central-Intel acts as a relay — we route your requests to the AI provider you choose, but we cannot guarantee how each provider handles your data, particularly international providers which may be subject to different data protection laws. We minimize the data we send (only the messages and context necessary for your request), but once data reaches a provider, their privacy policies govern its handling.

You are responsible for reviewing the privacy policies of the providers you choose to connect. You can use Central-Intel in a fully local mode by using llama.cpp or Ollama (which run on your own machine) and skipping all cloud provider integrations.

6. Data Sharing

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

• Supabase: Our authentication and database provider. Your email address and account metadata are stored on Supabase infrastructure. Supabase's privacy policy is available at supabase.com/privacy.
• Stripe: Payment processing for paid plans. Stripe's privacy policy is available at stripe.com/privacy.
• AI providers: As described in Section 5, your messages are sent to the AI provider(s) you configure. This is a core function of the app, not incidental data sharing.
• LiteLLM: We use the open-source LiteLLM library (MIT license, maintained by BerriAI) for billing cost calculations and token counting. LiteLLM runs entirely on our server as a local Python library — no user data is sent to BerriAI or any LiteLLM-operated service. It accesses a bundled pricing database to compute per-request costs. We include this disclosure for full transparency, consistent with our commitment to letting you know every piece of software that touches your account data.
• Cloudflare: All web traffic to central-intel.ai passes through Cloudflare's network, which acts as our CDN, DNS provider, and DDoS protection layer. Cloudflare may process your IP address and standard HTTP metadata (user agent, request headers) in its role as a reverse proxy. Additionally, our contact form uses Cloudflare Turnstile (a CAPTCHA alternative) to prevent spam — when you submit the contact form, Turnstile collects browser interaction signals and sends them to Cloudflare for verification. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.
• HuggingFace: When you search for or download a local AI model, your search query and your device's IP address go directly to HuggingFace (huggingface.co) — this traffic does not pass through our relay and is not anonymized, because you connect to HuggingFace yourself. We never send your prompts, files, memories, or identity. Adding a HuggingFace token is optional (only needed for gated models or higher rate limits); if you add one, it is stored encrypted on your device, used only to authenticate your own requests, and removed when you sign out — we never transmit it anywhere but HuggingFace. HuggingFace's privacy policy is available at huggingface.co/privacy.
• Google Play Developer API: If you purchased credits or a subscription via Google Play, we verify purchase tokens with Google's Android Publisher API to confirm validity. Google's privacy policy is available at policies.google.com/privacy.
• Legal requirements: We may disclose information if required by law, court order, or to protect the rights and safety of our users or the public.

7. Data Retention and Deletion

On our servers: We retain your email address, account record, device public keys, and usage metadata (transaction history) for as long as your account is active. Encrypted memory sync data is held in server RAM only, with a maximum 24-hour time-to-live — it is not written to permanent storage and does not survive a server restart. If you request account deletion, we will permanently delete your account and all associated server-side data (including usage logs, device identities, and any in-memory sync data) within 30 days.

On your device: Local data (chat history, knowledge base, memory items, pipelines) persists until you manually delete it within the app, or until you uninstall the app. Signing out clears your authentication credentials and API keys from the keychain but does not automatically delete conversation history or knowledge base content — that is in your control.

To request account deletion, email [email protected] with the subject line "Account Deletion Request."

8. Security

We take reasonable measures to protect your information:

• All communication between the app and our servers uses HTTPS/TLS encryption.
• API keys and credentials are stored in the OS-level encrypted keychain (iOS Keychain / Android Keystore) or Fernet-encrypted files (desktop), not in plain-text storage.
• Authentication uses industry-standard OAuth 2.0 with PKCE — we never handle your social login passwords.
• Our servers do not store your chat messages, documents, or AI provider API keys.
• End-to-end encryption: Memory items synced between devices are encrypted with AES-256-GCM using a vault key that is generated on your first device, shared to additional devices via an authenticated pairing protocol (X25519 ECDH key agreement), and never transmitted to our server in plaintext.
• Device identity verification: Each device generates a permanent cryptographic keypair. Devices authenticate each other during pairing and sync, preventing unauthorized devices from accessing your data.
• Zero-knowledge relay: Our relay server handles encrypted sync data but possesses no decryption keys. It cannot read your memory items, vault key, or any content that passes through it during sync.
• Encrypted at rest: Device private keys and vault keys are encrypted at rest on your local filesystem and protected by your device's security mechanisms.

No method of transmission over the internet is 100% secure. While we work to protect your information, we cannot guarantee absolute security.

9. Children's Privacy

Central-Intel is not directed at children under the age of 13 (or 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it promptly.

10. Your Rights

Depending on where you live, you may have rights including:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your account and associated data.
• Portability: Request your data in a machine-readable format.
• Opt-out: Opt out of any marketing communications (note: we currently send none).

To exercise any of these rights, email [email protected]. We will respond within 30 days.

11. Changes to This Policy

We may update this policy from time to time. When we do, we'll update the effective date at the top of this page. For material changes, we'll notify you via email or in-app notice. Continued use of Central-Intel after a policy change constitutes your acceptance of the updated policy.

We will never make a "gotcha" change — if we ever decide to start collecting more data, we'll tell you clearly, in advance, and give you the option to opt out or close your account.

12. Contact

Questions, concerns, or requests about this privacy policy:

Email: [email protected]
Web: central-intel.ai/contact