Central AI LLC ("Central," "Central AI," "we," "our," or "us"), a subsidiary of Wing AI Technologies, Inc., operates an AI-powered platform of business tools including the AI Receptionist, AI Chat Agent, AI Executive Assistant, Sales CRM, Scheduler, Outbound Caller, and related services (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with the Services.

This Privacy Policy applies to personal information processed in the United States and Canada. The Services are operated from and intended for use within the United States and Canada. If you access the Services from outside these jurisdictions, you do so at your own risk and acknowledge that your information will be transferred to and processed in the United States.

By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Services. Capitalized terms not defined in this Policy have the meanings given in our Terms of Service.

1. Scope and Our Role

This Policy applies to personal information processed through the Services and through our website, mobile, desktop, and integration interfaces.

Central operates in two distinct capacities depending on context:

• As a controller (or "business" under California law), with respect to information about our direct customers (account holders, billing contacts, prospects, and website visitors).

• As a service provider, processor, or business associate, with respect to information about our customers' end-users — the customers, leads, patients, clients, or contacts of a business using Central. In that capacity, our processing is governed by our agreement with the customer (the controller), and end-users should generally direct privacy requests to that customer in the first instance.

2. Information We Collect

We may collect the following categories of personal information:

2.1 Information You Provide Directly

• Account and contact information (name, business name, email, phone number, role/title)

• Authentication credentials

• Billing information (payment cards are processed by third-party payment processors; we do not store full card numbers)

• Content you submit through the Services, including chat messages, AI prompts, documents, configuration settings, customer lists, contact records, and integration credentials

2.2 Information Collected Automatically

• Device and connection data (device type, browser, operating system, IP address, approximate location derived from IP)

• Usage data (access times, features used, click and interaction data, error logs)

• Cookies and similar technologies (see Section 9)

2.3 Information from Voice and Messaging Channels

When you, your team, or your end-users interact with the AI voice receptionist or other voice-enabled features, we record, transcribe, and process the audio of the call. When interactions occur via chat, SMS, or other messaging channels, we store the content and metadata of those messages.

Voice and messaging features include an AI disclosure consistent with applicable law. By continuing the interaction after disclosure, the speaker is deemed to consent to the recording and processing described in this Policy.

2.4 Information from Third Parties and Integrations

• Information received from integrations our customers enable (e.g., Tekmetric, Dentrix, Google Workspace, Microsoft 365, calendar and CRM systems, payment processors)

• Analytics and advertising service providers

• Publicly available sources and data enrichment providers

• Information from referral or partnership programs

Information received through an integration is governed both by this Policy and by the source platform's terms and the customer's instructions to us.

3. How We Use Information

We use personal information to:

• Provide, operate, maintain, secure, and improve the Services

• Authenticate users and protect accounts

• Process transactions, subscriptions, and billing

• Personalize user experience and surface relevant features

• Train, fine-tune, and improve our own AI models and prompts, subject to the limitations in Section 5

• Generate aggregated, de-identified, or anonymized analytics

• Respond to inquiries and provide customer support

• Send service-related communications and, where permitted, marketing communications (which you may opt out of at any time)

• Detect, prevent, and address fraud, security incidents, abuse, and technical problems

• Comply with legal obligations and enforce our agreements

4. Legal Bases (Where Applicable)

Where required by applicable law (including Canadian provincial privacy laws), we rely on one or more of the following bases to process personal information: performance of a contract, our legitimate business interests in operating and securing the Services, your consent, and compliance with legal obligations. For Canadian users, we rely on the consent and limited-use principles set out in PIPEDA and applicable provincial private-sector privacy legislation.

5. AI Training and Model Use

Our approach to using personal information for AI training mirrors the framework set out in our Terms of Service:

• We may use Customer Data, Input, and Output to train, fine-tune, and improve our own AI models, except where the data is categorically excluded or where the customer has opted out.

• We do not use the following categories of data to train AI models:

  • Data flowing through third-party integrations (including but not limited to Tekmetric, Dentrix, athenahealth, Jane App, Google Workspace, Microsoft 365, and other CRM, EHR, shop management, calendar, email, and similar platforms)

  • The substantive content of voice calls, chat messages, and other communications between our customers' end-users and customer-facing AI features (including the AI Receptionist and AI Chat Agent)

  • Sensitive Data (as defined in Section 7)

  • Data of customers subject to a BAA, DPA, MSA, or other written agreement that excludes training use

  • Data of customers established in jurisdictions whose laws restrict the use of personal data for AI training without specific consent

• We do not share personal information with third-party AI model providers for the purpose of training those providers' general-purpose foundation models. Where we use third-party AI infrastructure to provide the Services (for example, to perform inference), our agreements with those providers prohibit them from using your information to train their own models.

• We may use personal information to create and refine customer-specific personalization — embeddings, retrieval indices, prompt templates, configuration profiles, and similar artifacts scoped to a single customer account or tenant — to improve the Services as delivered to that customer. Personalization artifacts are not used to train shared models that serve other customers.

• We may use aggregated, de-identified, or anonymized data derived from the Services for any lawful business purpose.

Customers may opt out of any AI training use of their data at any time through account settings or by emailing support@trycentral.com. Opt-out becomes effective on a going-forward basis within thirty (30) days and does not require us to retrain or unwind models that lawfully incorporated data before the opt-out.

6. How We Disclose Information

We may disclose personal information to:

• Service providers and sub-processors who perform services on our behalf, including cloud hosting, telephony, AI model inference, analytics, payments, customer support, and infrastructure providers. These parties are bound by written agreements limiting their use of personal information to providing services to us. A current list of material sub-processors is available at https://trust.trycentral.com.

• Integration partners that a customer has chosen to enable, where disclosure is necessary to provide the integrated functionality.

• Affiliates and successors, including our parent Wing AI Technologies, Inc. and any successor in connection with a merger, acquisition, financing, reorganization, or sale of assets.

• Legal and safety recipients, including when we believe in good faith that disclosure is necessary to comply with law, legal process, court order, subpoena, or governmental request; to enforce our agreements; or to protect the rights, property, or safety of Central, our users, or others.

• Other parties with your consent or at your direction.

We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act.

7. Sensitive Data

Consistent with our Terms of Service, "Sensitive Data" refers to data subject to heightened legal protection, including protected health information (PHI), financial account numbers, Social Security numbers and other government-issued identification numbers, biometric identifiers, authentication credentials, attorney-client privileged communications, precise geolocation, and other categories classified as sensitive or special category data under applicable law.

Routine business contact information — including names, business email addresses, business phone numbers, and business addresses — is not Sensitive Data.

Customers are not permitted to transmit Sensitive Data through the Services without first executing a separate written agreement (such as a BAA or DPA). Customers who transmit Sensitive Data without such an agreement do so at their own risk, and we may suspend the account.

8. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including:

• Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)

• Role-based access controls and least-privilege principles

• Multi-factor authentication on administrative accounts

• Audit logging, monitoring, and incident response procedures

• Regular vulnerability scanning and penetration testing

• Vendor security review and contractual data protection requirements

Central maintains a security program aligned with SOC 2 Type II, ISO/IEC 27001, and (where applicable to specific customer engagements under a BAA) HIPAA. Despite these measures, no system can be guaranteed to be fully secure, and we do not warrant that personal information will be free from unauthorized access.

Customer responsibility for credentials, sensitive data transmission, and account security is set out in our Terms of Service.

9. Cookies and Tracking Technologies

We and our service providers use cookies, pixels, local storage, and similar technologies to authenticate sessions, remember preferences, measure usage, and improve the Services. You can control cookies through your browser settings; disabling certain cookies may affect functionality.

We do not currently respond to "Do Not Track" browser signals, but we will honor recognized opt-out preference signals (such as the Global Privacy Control) where required by law.

10. Data Retention

We retain personal information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.

• For active accounts, we retain customer and end-user data for the duration of the subscription.

• Upon termination of an account or disconnection of an integration, we will delete or de-identify personal information sourced through the Services within thirty (30) days, except where retention is required for legal, audit, tax, fraud prevention, security, or backup purposes.

• Encrypted backups are purged on our standard backup rotation cycle.

• Customers may request earlier deletion of specific records to honor end-user privacy requests, subject to identity verification and our standard procedures.

• AI model weights and artifacts derived from data lawfully incorporated before deletion may be retained, as described in Section 5.

11. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• The right to know what personal information we have collected and how we use it

• The right to access or obtain a copy

• The right to correct inaccurate information

• The right to deletion

• The right to restrict or object to certain processing

• The right to data portability

• The right to withdraw consent where processing is based on consent

• The right to opt out of the sale or sharing of personal information, or of profiling that produces legal or similarly significant effects

To exercise any of these rights, email support@trycentral.com with a clear description of your request. We will respond within the time required by applicable law. We may need to verify your identity before fulfilling a request and may decline where permitted by law.

If we act as a service provider, processor, or business associate, please direct your request to the customer that controls the data; we will assist that customer as required by our agreement.

You will not be discriminated against for exercising your privacy rights.

12. California Residents (CCPA / CPRA)

If you are a California resident, you have the rights described in Section 11, and the following additional disclosures apply.

Categories of personal information we have collected in the past twelve (12) months: identifiers (name, email, phone, IP address); commercial information (transaction and subscription data); internet or network activity; approximate geolocation; audio information (call recordings on voice channels); professional or employment-related information; and inferences drawn from the foregoing. We do not knowingly collect sensitive personal information for the purpose of inferring characteristics about a consumer.

Sources: directly from you, automatically through your use of the Services, from integrations you or your business has enabled, and from service providers.

Business purposes: as described in Section 3.

Categories of recipients: as described in Section 6.

Sale or sharing: We have not sold personal information or shared it for cross-context behavioral advertising in the preceding twelve (12) months, and we do not do so.

Retention: as described in Section 10.

How to exercise rights: Email support@trycentral.com with "California Privacy Request" in the subject line. You may designate an authorized agent to submit requests on your behalf; we will require verification of identity and authority.

Shine the Light: California residents may also request information about disclosure of personal information to third parties for those third parties' direct marketing purposes. We do not make such disclosures.

13. Other U.S. State Privacy Rights

Residents of other U.S. states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, New Hampshire, New Jersey, Delaware, Minnesota, Maryland, Rhode Island, and others as such laws come into effect) may have rights substantively similar to those described above. To exercise these rights, email support@trycentral.com. If we deny a request, you may have the right to appeal by replying to our denial; we will respond within the time required by applicable law.

14. Canadian Residents (PIPEDA and Provincial Laws)

If you are a Canadian resident, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial private-sector privacy legislation (including Quebec's Law 25, British Columbia's PIPA, and Alberta's PIPA) may apply.

You may have the rights described in Section 11, and additionally:

• The right to know whether we hold personal information about you and to access that information

• The right to request correction of inaccurate or incomplete personal information

• The right to withdraw consent, subject to legal or contractual restrictions

• The right to know how your personal information is being used and to whom it has been disclosed

• For Quebec residents, additional rights under Law 25 including the right to data portability and the right to be informed of automated decision-making that produces legal or similarly significant effect.

Your information may be transferred to, stored, and processed in the United States and other jurisdictions. United States privacy laws may differ from those in Canada and may permit access by law enforcement and other authorities under different conditions than would apply in Canada.

To exercise rights or make a complaint, email support@trycentral.com with "Canadian Privacy Request" in the subject line. You also have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.

15. Voice, Messaging, and AI Disclosure Notices

The Services include features that record voice calls, send SMS and other text messages, and conduct conversations using artificial intelligence agents. By placing or receiving a call processed by the Services, or by sending or receiving a message through the Services, you and any other participants consent to the recording, transcription, processing, and storage of those communications as described in this Policy. If you do not consent, do not continue the communication.

Customers using the Services to place outbound calls or send messages are responsible for obtaining all consents required under applicable law, including the Telephone Consumer Protection Act (TCPA) and state mini-TCPA statutes in the United States, Canada's Anti-Spam Legislation (CASL), and state and provincial recording and two-party consent laws (including California, Florida, Illinois, Maryland, Massachusetts, Pennsylvania, Washington, and similar Canadian provincial laws).

Where required by applicable law (including California Business and Professions Code § 17940 et seq.), the AI Features will disclose to the end-user that they are interacting with an artificial intelligence agent rather than a human.

16. Children's Privacy

The Services are not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or under 16 in jurisdictions where that higher threshold applies). If we learn that we have collected such information without verified parental consent, we will delete it.

17. Third-Party Services

The Services may contain links to, or integrate with, third-party websites, services, or platforms. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. Review the privacy policies of any third party before providing personal information to it.

18. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will provide notice through the Services, by email, or by other reasonable means. Your continued use of the Services after the effective date of an updated Policy constitutes acceptance of the changes.

19. Contact

If you have questions about this Policy or our privacy practices, contact us at:

Central AI LLC, a subsidiary of Wing AI Technologies, Inc.

Email: support@trycentral.com

Mailing address: 251 Little Falls Drive, Wilmington, DE 19808

Trust documentation: https://trust.trycentral.com

For legal notices and Cure Notices under our Terms of Service: legal@trycentral.com