Version

France / EEA 1.0

Legal

/

Privacy Policy

This Privacy Policy explains how THE BORING AI LTD, PROFILE WEST, SUITE 2 FIRST, 950 GREAT WEST ROAD, BRENTFORD, TW8 9ES, United Kingdom, trading as Centurion (Centurion, we, us, our), processes personal data in connection with the websites, mobile applications, support channels, subscriptions, AI features, account functions and related services that link to or reference this Privacy Policy (together, the Services).

Contact: hello@centurionos.com

This Privacy Policy is written for a France / EEA launch of a self-use, local-first AI assistant. It is intended to work together with our Terms of Service and, where relevant, our Authorization for Use of Medical Information and Explicit Consent to Health-Data Processing.

1. Important architecture note

Centurion is designed as a local-first product.

That means:

  1. many core features can operate locally on your device; and

  2. your imported health content does not need to be sent to Centurion merely for you to store, organise or analyse it locally.

This Privacy Policy therefore distinguishes between:

  1. personal data that Centurion actually processes as controller or processor; and

  2. content that stays entirely on your device and is never sent to Centurion or its service providers.

If your health content stays only on your device and is never transmitted to Centurion or a Centurion-connected service provider, we generally do not have access to that content and do not process it on our systems. However, we may still process separate data such as your account, subscription, support, consent, security and app-operation data.

If you turn on an optional remote feature, your data may leave the device. For example, that may happen if you:

  1. use an external AI feature;

  2. send files or screenshots to support;

  3. export or share content with another service or person;

  4. activate a sync method that routes content via a third party or, if introduced in future, via Centurion infrastructure; or

  5. otherwise trigger a feature that clearly tells you your content will be processed remotely.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data we process in connection with:

  1. creating and operating Centurion accounts;

  2. subscriptions, billing and customer support;

  3. optional remote AI processing you choose to use;

  4. security, anti-abuse and fraud-prevention measures;

  5. website and application operation, including essential analytics, logs and permissions;

  6. communications with you; and

  7. any other service flow in which data is collected by or sent to Centurion.

This Privacy Policy does not govern:

  1. personal data processed solely by your device operating system, app store, browser, email provider, cloud account provider, payment card issuer or other independent third party under its own privacy terms;

  2. information that remains only on your device and is never transmitted to Centurion or its providers;

  3. third-party services, products or websites that are not operated by Centurion, even if you can access them through or alongside the Services; or

  4. healthcare services provided by independent clinicians, laboratories, hospitals or pharmacies that have their own privacy and secrecy obligations.

3. Who decides why and how data is processed

In most cases described in this Privacy Policy, THE BORING AI LTD acts as the controller because we decide why and how the relevant personal data is processed.

In some cases:

  1. a service provider acts as our processor or subprocessor on our instructions;

  2. a third party you choose to use acts as an independent controller for its own purposes; or

  3. roles may vary depending on the feature, the provider, and the technical architecture disclosed to you in-product.

Where required, we will provide additional feature-specific notices.

4. Categories of personal data we process

Depending on how you use Centurion, we may process the following categories of personal data.

4.1 Contact and account data

  • name or display name;

  • email address;

  • login credentials or authentication tokens;

  • password hashes or passkey-related metadata where applicable;

  • account identifiers;

  • country and language preferences; and

  • customer-support identifiers.

4.2 Subscription, billing and transaction data

  • subscription plan;

  • purchase status;

  • order and invoice references;

  • payment status;

  • billing country and tax-related information;

  • app-store purchase information;

  • fraud-screening signals; and

  • limited payment-related metadata.

We generally do not store full payment-card numbers ourselves. Payments are typically handled by the relevant payment processor or app-store operator.

4.3 Device, application and technical data

  • device type, operating system, app version and language;

  • IP address and approximate location inferred from IP where relevant;

  • crash logs;

  • performance logs;

  • security events;

  • authentication events;

  • error reports;

  • feature flags;

  • session timestamps; and

  • app configuration information.

4.4 Communications and support data

  • messages you send us;

  • support tickets;

  • email correspondence;

  • attachments you provide;

  • screenshots, if you send them;

  • feedback;

  • bug reports; and

  • complaint-handling records.

4.5 Health-related and other sensitive data that reaches us only in certain cases

Centurion is a self-use assistant and does not require server-side submission of health data for local-only use. However, if you intentionally trigger a remote feature or send us health content, we may process data such as:

  • symptoms, conditions, diagnoses, medications and allergies;

  • laboratory results and other medical records;

  • doctor letters, referrals and discharge summaries;

  • imaging reports and related documents;

  • wellness or lifestyle information entered in a health context;

  • genetic information if contained in a file you import or send;

  • biometrics or measurements in a health context; and

  • AI-generated summaries, tags, action points or other derived outputs relating to that material.

This category may constitute special category personal data, including data concerning health, under GDPR.

4.6 AI interaction data

If you use an optional remote AI feature, we may process:

  • prompts and questions;

  • attachments you send with prompts;

  • relevant surrounding context needed to answer the prompt;

  • generated outputs;

  • quality and safety signals;

  • model-routing and token-usage data; and

  • limited logs needed for abuse prevention, troubleshooting, reliability or legal compliance.

4.7 Consent and preference data

  • records of your privacy choices;

  • records of health-data consents;

  • marketing preferences;

  • cookie or tracker choices, where applicable; and

  • settings showing which features you have enabled or disabled.

4.8 Data we do not ordinarily receive in local-only mode

If you import medical files, notes or health information and keep them only in local-only mode, Centurion may not receive that content at all. In that case, the content is not held on our systems unless and until you later choose a remote feature that transmits it.

5. Where we get personal data from

We may obtain personal data:

  1. directly from you, for example when you create an account, subscribe, contact support, send prompts, upload content to a remote feature or configure settings;

  2. from your device or browser, for example through app-operation logs, crash reports, security events or site/app trackers;

  3. from payment processors or app stores, for example purchase confirmations, subscription status, fraud or refund signals;

  4. from external AI providers, for example outputs, moderation signals or processing metadata generated in response to a prompt you sent through a remote AI feature;

  5. from operating-system, cloud or identity providers, to the extent a feature you enable relies on them;

  6. from other recipients you choose, for example where you import a file from another app or service; and

  7. from legal, regulatory or anti-fraud sources, where necessary to comply with law or protect the Services.

6. How we use personal data and our legal bases

The table below summarises the main purposes for which we process personal data.

Purpose

Categories involved

GDPR Article 6 legal basis

Article 9 condition where health data is involved

Create and manage your account, authenticate you, provide the Services, and make local-first features available

account data, device data, consent data

Performance of a contract; pre-contract steps

Not usually applicable unless health data is remotely processed

Process subscriptions, billing, refunds and accounting

account data, transaction data, fraud signals

Performance of a contract; legal obligation; legitimate interests in payment security and revenue protection

Not usually applicable

Provide customer support and respond to complaints or technical issues

account data, communications data, technical data, attachments you send us

Performance of a contract; legitimate interests in support and service reliability; legal obligation where applicable

Explicit consent where you choose to send health data to support; legal claims where necessary

Operate optional remote AI features at your request

prompts, attachments, AI interaction data, technical data

Performance of a contract or provision of the requested feature; legitimate interests in safety and abuse prevention

Explicit consent for one or more specified purposes where special-category health data is transmitted

Keep security logs, detect misuse, investigate incidents, prevent fraud and enforce our Terms

device data, account data, technical logs, selected communications

Legitimate interests in securing the Services and protecting users; legal obligation where applicable

Where special-category data appears incidentally, processing is limited to what is necessary for security, legal claims or compliance

Maintain records of consent, objections, withdrawals and other compliance steps

consent data, account data

Legal obligation; legitimate interests in demonstrating compliance

Where relevant, explicit consent records and compliance records

Send service communications such as verification messages, billing notices, security alerts and important feature notices

contact data, account data, subscription data

Performance of a contract; legal obligation; legitimate interests in operating the Services

Not usually applicable

Send marketing communications where allowed

contact data, preference data, limited usage data

Consent where required; otherwise legitimate interests where the law allows

We do not use health data for marketing without a separate explicit consent and a lawful basis

Improve reliability, diagnose bugs, understand service usage and maintain product performance

technical data, device data, support data, limited usage data

Legitimate interests in improving and securing the Services; consent where required under tracker rules

We do not use identifiable health data for general product improvement or model training unless separately disclosed and separately authorised

Comply with legal obligations, respond to lawful requests, and establish, exercise or defend legal claims

any data relevant to the issue

Legal obligation; legitimate interests in legal defence

Article 9(2)(f) where necessary for legal claims; other Article 9 conditions where required by law

Handle mergers, acquisitions, financing, due diligence or restructuring

account data, transaction data, selected business records

Legitimate interests in business continuity and corporate transactions

Special-category data is minimised and protected; if a transaction materially changes processing, we will update this Policy or notify you as required

7. Local-only mode and what it means in practice

7.1 Health content kept only on your device

If you use Centurion in a way that keeps your imported health content only on your device and does not transmit it to Centurion or Centurion-connected providers:

  1. we generally do not collect or store that content on our systems;

  2. we cannot usually read, correct, delete or export that content for you from our servers because we do not have it; and

  3. you remain responsible for managing that content on your device, including deletion, backup and device security.

7.2 Device-cloud sync, including iCloud or similar platform sync

If you activate a sync or backup mechanism offered by your device operating system or cloud account provider, such as iCloud or an equivalent platform sync service:

  1. copies of your local content may be processed by that provider under its own terms and privacy information;

  2. other devices linked to the same account may be able to restore or access that content;

  3. Centurion may not have access to that synced content if it is not routed through Centurion-controlled infrastructure; and

  4. where a particular sync method does route content through Centurion or our processors, we will tell you in-product and this Privacy Policy will apply to that processing.

7.3 No general promise of zero externalisation

Local-first does not mean zero risk and does not mean that nothing can ever leave the device. For example:

  • the operating system may create backups;

  • screenshots, clipboard data or notifications may expose content;

  • you may export or share content; and

  • support or remote AI features may transmit selected content if you choose to use them.

8. Optional remote features and when data leaves the device

We may process your data remotely when you intentionally use an optional remote feature.

8.1 External AI processing

If you choose a feature that uses an external model or API, we may send the necessary prompt, selected attachment, surrounding context and technical metadata to the relevant provider to generate the requested output.

Depending on the architecture, we and/or the external provider may retain limited logs or output copies for:

  1. delivering the feature;

  2. security and abuse prevention;

  3. debugging and reliability;

  4. legal compliance; and

  5. support if you report an issue.

8.2 Support uploads and troubleshooting

If you send us a medical file, screenshot, prompt history or other sensitive material in connection with a support request, we will process it to investigate and respond to your issue.

8.3 Export or sharing at your direction

If you instruct the Service to export or share content, the selected data will be disclosed to the recipient or service you designate. That recipient may then process the data under its own rules.

8.4 Future hosted features

If Centurion later introduces a feature that creates a Centurion-hosted health-data store or other externally hosted health-data workflow, we may provide a feature-specific notice, update this Policy, or ask for additional consent or agreement as appropriate.

9. When we share personal data

We may share personal data with the following categories of recipients.

9.1 Service providers and processors

These may include providers of:

  • cloud infrastructure and hosting for non-local account or support data;

  • authentication and account security;

  • customer support tooling;

  • email or notification delivery;

  • payment processing;

  • fraud detection;

  • crash reporting and performance monitoring;

  • analytics;

  • document or file-processing services; and

  • legal, audit or compliance support.

9.2 External AI providers

If you use a remote AI feature, we may share the necessary prompts, attachments, context and metadata with external AI or model providers that help us generate the requested output.

Depending on the provider and feature, the provider may act as:

  1. our processor or subprocessor;

  2. a separate controller for limited abuse-prevention, safety or legal-compliance functions; or

  3. another role disclosed in the feature notice or provider documentation.

9.3 Payment processors, app stores and platform providers

We may share data with the relevant payment processor, app-store operator or platform provider to process purchases, manage subscriptions, detect fraud, process refunds or enable the technical operation of the Services.

9.4 Operating-system or cloud-account providers you choose to use

If you enable iCloud or another platform-level sync or backup service, the relevant provider may process your data in accordance with its own terms and privacy information.

9.5 Recipients you direct

We may disclose data to the people, apps, services or storage locations that you choose when you export or share content.

9.6 Authorities, legal recipients and dispute-resolution bodies

We may disclose personal data where necessary to:

  • comply with law or lawful requests;

  • protect rights, safety or property;

  • detect or prevent fraud, abuse or security incidents;

  • establish, exercise or defend legal claims; or

  • respond to regulators, courts or supervisory authorities.

9.7 Corporate transaction recipients

If we are involved in a merger, acquisition, financing, reorganisation or sale of assets, personal data may be disclosed to counterparties and advisers subject to confidentiality, security and legal constraints.

10. What we do not do as part of the current privacy position

Unless we clearly tell you otherwise and obtain any required consent or other legal basis:

  1. we do not sell your health data;

  2. we do not use your identifiable health data for targeted advertising;

  3. we do not use your identifiable health data for general model training;

  4. we do not use your identifiable health data for unrelated secondary research or publication; and

  5. we do not require you to upload health records to Centurion merely to use local-only features.

11. Cookies, SDKs, trackers and app permissions

11.1 Websites, cookies and similar technologies

If we operate a website or web portal, we and our service providers may use cookies, pixels, local storage, SDKs or similar technologies.

We use them for purposes such as:

  1. keeping the site secure and functioning;

  2. remembering session or language settings;

  3. measuring audience and performance;

  4. diagnosing faults; and

  5. where applicable and with consent where required, improving product and marketing effectiveness.

Where applicable law requires consent for non-essential cookies, trackers or SDKs, we will ask for it before placing or reading them. Where analytics can lawfully operate under an exemption or opt-out framework, we will explain that in the relevant cookie or tracker notice.

11.2 Mobile-app permissions

If you use our mobile app, we may ask for device permissions such as:

  • files/photos/camera, so you can import or scan documents;

  • microphone, if you use dictation or audio capture;

  • notifications, if you want reminders, alerts or service messages; and

  • any other permission clearly explained at the time of request.

You can usually manage those permissions in your device settings.

11.3 Advertising

We do not use your health data for targeted advertising. If we ever introduce advertising or cross-context tracking that requires consent under applicable law, we will ask first.

12. International transfers

Centurion is a UK company and may use providers located in the UK, EEA, United States and other jurisdictions.

When personal data is transferred outside the EEA, we will rely on an appropriate transfer mechanism as required by applicable law, such as:

  1. an adequacy decision;

  2. standard contractual clauses or another approved safeguard; or

  3. a derogation that applies to the specific transfer.

Because optional remote AI features may rely on providers outside your country, using those features can involve cross-border transfers of prompts, attachments, outputs and logs.

You may contact us to request more information about the transfer safeguards relevant to data we process.

13. Data retention

We keep personal data for no longer than necessary for the purposes described in this Privacy Policy, taking into account legal, contractual, security and operational needs.

In general:

  1. account data is kept while your account remains active and thereafter for as long as needed for service continuity, disputes, fraud prevention, security and applicable limitation periods;

  2. billing, tax and transaction records are kept for the period required by applicable accounting, tax and audit obligations;

  3. support and complaint records are kept for as long as reasonably necessary to handle the issue, maintain continuity and defend legal claims;

  4. security logs and technical diagnostics are typically kept for a limited period, unless longer retention is needed for an incident, abuse investigation, legal hold or compliance reason;

  5. consent and withdrawal records are kept for as long as needed to demonstrate compliance;

  6. remote AI inputs and outputs are kept only for the period necessary for the selected feature and the related security, support and compliance needs disclosed for that feature; and

  7. local-only content on your device remains under your control until you delete it, overwrite it, remove the app, or your own backup or cloud provider deletes it under its own retention settings.

Deleting content inside the app may not automatically delete:

  • operating-system backups;

  • cloud-synced copies outside Centurion's systems;

  • exports you created;

  • data held by recipients you selected; or

  • logs retained for legal, security or compliance reasons.

14. Your rights

Subject to applicable law and depending on the context, you may have the right to:

  1. obtain confirmation whether we process your personal data;

  2. access your personal data;

  3. rectify inaccurate personal data;

  4. erase personal data;

  5. restrict processing;

  6. object to processing based on legitimate interests;

  7. withdraw consent at any time where processing relies on consent;

  8. receive data portability for data processed by automated means on the basis of consent or contract;

  9. lodge a complaint with a supervisory authority; and

  10. seek a judicial remedy where your rights have been infringed.

To exercise your rights, contact us at hello@centurionos.com.

We may need to verify your identity before responding. We may also ask you to clarify the scope of your request.

14.1 Response timing

We aim to respond without undue delay and normally within one month, subject to lawful extensions where requests are complex or numerous.

14.2 Limits where data is only local

If the relevant content has never been sent to us and remains only on your device, we may not be able to access, export, correct or delete it for you because we do not control it. In that case, you may need to act directly on your device, through your cloud provider, or through the third party to whom you sent the content.

14.3 Complaints

If you are in France, you may complain to the CNIL. If you are elsewhere in the EEA, you may complain to your local supervisory authority. You may also complain to the authority of the Member State where you live, work, or where the alleged infringement occurred.

15. Automated processing and AI

Centurion uses automated systems and AI-related processing in certain features.

15.1 AI outputs

If you choose a remote AI feature, your prompts and selected data may be processed automatically to generate outputs, summaries, classifications or other responses.

15.2 No solely automated decision with legal or similarly significant effect in the core service

Centurion's core self-use assistant is not intended to make solely automated decisions producing legal or similarly significant effects on you within the meaning of Article 22 GDPR. AI outputs are informational and support-oriented. You remain responsible for how you use them.

15.3 Safety and abuse detection

We may use automated tools to detect spam, abuse, security threats, fraud or policy violations, and in some cases this may lead to rate limits, temporary blocks or manual review.

15.4 Human review

Where necessary for support, safety, abuse prevention, legal compliance or system integrity, authorised personnel may review limited prompts, outputs, logs or attachments.

16. Security

We implement technical and organisational measures designed to protect the personal data we process, taking into account the sensitivity of the data and the risks involved. Depending on the context, these measures may include:

  • encryption in transit;

  • encryption at rest for server-side data where applicable;

  • role-based access controls;

  • logging and monitoring;

  • vendor due diligence;

  • least-privilege access;

  • environment separation; and

  • incident-response procedures.

No method of storage or transmission is completely secure. You also play an important role in protecting your data by:

  1. using strong device and account credentials;

  2. protecting your email and cloud accounts;

  3. disabling sync or backup if you do not want local content copied externally;

  4. reviewing what you export or share; and

  5. avoiding the use of shared or unmanaged devices for sensitive information.

17. Third-party services and linked platforms

The Services may interoperate with or sit alongside third-party services such as:

  • Apple iCloud or similar sync/back-up services;

  • app stores;

  • payment processors;

  • email providers;

  • recipient apps you choose for export or sharing; and

  • external AI providers.

Those third parties may process your personal data under their own privacy notices and legal terms. We encourage you to review them carefully.

18. Children

The Services are not intended for children under 18. We do not knowingly offer the Services to minors in this launch configuration. If you believe a minor has provided personal data to us in breach of this policy, contact us so we can investigate and take appropriate action.

19. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If we make a material change, we will notify you by appropriate means, such as an in-app notice, website notice or email, where required or appropriate. The updated version will be identified by its effective date.

20. Contact us

If you have questions about this Privacy Policy or want to exercise your rights, contact:

THE BORING AI LTD
PROFILE WEST, SUITE 2 FIRST
950 GREAT WEST ROAD
BRENTFORD
TW8 9ES
United Kingdom
Email: hello@centurionos.com