Privacy Policy
Effective Date: 1 July 2026
Last Updated: 30 June 2026
Website: sarkisaitech.com
1. Introduction and Scope
Sarkis AI Inc. ("Sarkis AI," "we," "us," or "our") is committed to protecting the privacy and security of personal information, including personal health information, that we collect, use, and disclose in the course of operating our business.
This Privacy Policy applies to our website at sarkisaitech.com, our AI automation services, agents, and systems provided to healthcare clinics, medical spas, and other healthcare organizations, and all personal information we handle as a service provider to our clients.
We operate under three primary privacy frameworks:
- PIPEDA — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 — Canada's federal private-sector privacy law
- PHIPA — Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A — Ontario's health privacy law
- HIPAA — Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the HITECH Act — U.S. federal health privacy law applicable when we serve U.S.-based covered entities
Where these frameworks overlap, we apply the standard that provides the greatest protection to individuals.
2. About Sarkis AI Inc. and Your Privacy Officer
Sarkis AI Inc.
Toronto, Ontario, Canada | sarkisaitech.com
Designated Privacy Officer
Under PIPEDA Principle 1 (Accountability), we are required to designate an individual accountable for our compliance with privacy obligations.
Sarkis Satjian
Privacy Officer, Sarkis AI Inc.
Email: privacy@sarkisaitech.com
Our Privacy Officer is responsible for overseeing compliance with PIPEDA, PHIPA, and HIPAA; receiving and responding to privacy inquiries and complaints; ensuring staff training on privacy obligations; conducting privacy impact assessments; and coordinating breach response and regulatory notifications.
3. What Information We Collect
3a. Business Contact Information
When healthcare clinics, medical spas, or other organizations engage our services, we collect names and professional titles of contact persons; business email addresses, phone numbers, and mailing addresses; business registration information; billing and payment information; and communications, contracts, and agreements.
3b. Personal Health Information (On Behalf of Healthcare Clients)
When our AI systems and automation tools are deployed within a healthcare client's environment, we may have incidental access to personal health information (PHI) belonging to the clinic's patients. We do not seek out, collect, or independently process PHI for our own purposes.
Under PHIPA, personal health information means identifying information about an individual in oral or recorded form relating to: physical or mental health; provision of health care; health card number; body part or bodily substance donation; test results; health insurance plan; or payments or eligibility for health care.
Under HIPAA, protected health information (PHI) means individually identifiable health information transmitted or maintained in any form relating to: past, present, or future physical or mental health condition; provision of health care; or payment for health care.
See Section 6 for our full obligations with respect to PHI.
3c. Website Usage Data and Cookies
When you visit sarkisaitech.com, we may automatically collect IP address and general geographic location; browser type and version; pages visited and time spent; referring URLs; and device type and operating system. See Section 13 for cookie details.
3d. AI Interaction and Usage Data
When healthcare clients use our AI agents and automation systems, we may collect query logs and system interaction data; performance metrics and error logs; configuration settings and workflow data; and aggregated, de-identified usage statistics.
We do not use PHI encountered through client systems to train our own AI models without explicit written authorization from the applicable health information custodian and, where required, patient consent.
4. Legal Basis for Processing
Under PIPEDA — 10 Fair Information Principles
Our collection, use, and disclosure of personal information is guided by the 10 Fair Information Principles in Schedule 1 of PIPEDA:
- Accountability — We designate a Privacy Officer (Section 2)
- Identifying Purposes — We identify purposes at or before time of collection (Section 5)
- Consent — We obtain meaningful consent (Section 7)
- Limiting Collection — We collect only what is necessary
- Limiting Use, Disclosure, and Retention — We use and disclose only for identified purposes; retain only as long as necessary (Sections 5, 8, 10)
- Accuracy — We maintain information in accurate, complete, and up-to-date form
- Safeguards — We protect information with appropriate security (Section 11)
- Openness — This Privacy Policy is our public statement of practices
- Individual Access — Individuals may request access (Section 12)
- Challenging Compliance — Individuals may challenge our compliance through our Privacy Officer or the OPC (Section 17)
Under PHIPA — Agent Role
Sarkis AI Inc. acts as an agent to health information custodians under PHIPA section 17. We do not act as a health information custodian. We receive, access, and process PHI only as directed by and on behalf of our custodian clients. All consent obligations remain with the custodian.
Before accessing any PHI, we execute a written PHIPA Agent Agreement with the custodian. This written agreement is required under PHIPA and sets out permitted purposes, security requirements, and our obligations.
Under HIPAA — Business Associate Role
When we provide services to U.S.-based covered entities, Sarkis AI Inc. acts as a Business Associate as defined under 45 CFR § 160.103.
We will not access, receive, transmit, maintain, or create PHI on behalf of any U.S. covered entity without first executing a written Business Associate Agreement (BAA) that meets the requirements of 45 CFR § 164.504(e).
5. How We Use Information
We use personal information for business operations (delivering services, managing accounts, billing, client communications); service improvement (de-identified, aggregated usage analysis, testing, development); legal and compliance obligations; and security and fraud prevention.
We do not sell personal information. We do not use personal information for targeted advertising. We do not use PHI for our own commercial purposes beyond the provision of services authorized by the custodian or covered entity.
6. Personal Health Information — Dedicated Section
Our Role
We are a technology service provider. We do not provide health care directly. We process PHI solely as an agent on the instructions of the health information custodian (PHIPA) or the covered entity (HIPAA).
Written Agreements Required Before Any PHI Access
PHIPA: A written PHIPA Agent Agreement must be executed before any access to personal health information. This satisfies PHIPA s.17 requirements.
HIPAA: A Business Associate Agreement (BAA) must be executed before any access to PHI. No PHI will be accessed absent a signed BAA.
Minimum Necessary Standard
We apply the minimum necessary standard to all PHI access — using, disclosing, and requesting only the minimum required to accomplish the permitted purpose. This applies under HIPAA (45 CFR § 164.502(b)) and our PHIPA policy.
Permitted Uses and Disclosures of PHI
We use and disclose PHI only as authorized by the custodian or covered entity, or as required by law, including: automating scheduling and intake workflows; supporting patient communications on behalf of the healthcare provider; assisting with billing and administrative tasks; and providing technical support and maintenance.
We do not use PHI to train, refine, or improve AI models or for any purpose beyond delivering the contracted services, without express written authorization.
Sub-Processors
Where our services involve third-party platforms processing PHI, we conduct due diligence before engagement; require appropriate data processing agreements and BAAs; maintain a sub-processor list available upon request; and provide advance notice of material sub-processor changes.
Consent and Circle of Care
Consent for PHI collection and use is the responsibility of the health information custodian or covered entity. To the extent our AI systems support workflows among providers in a patient's circle of care, PHI may flow among those providers consistent with PHIPA section 38(1), as directed by the custodian.
Retention and Secure Destruction
We retain PHI only as long as required by our agreements and applicable law. Retention aligns with PHIPA (minimum 10 years from last entry, or until patient turns 18, whichever is later), HIPAA Security Rule (45 CFR § 164.310(d)), and BAA record retention requirements (minimum 6 years). Destruction methods include cryptographic erasure, secure deletion, physical shredding, and degaussing. All destruction is documented.
Individual Rights Regarding PHI
Rights to access and amend health information are exercised through the custodian (PHIPA) or covered entity (HIPAA), not Sarkis AI Inc. We will promptly refer any individual who contacts us directly to the appropriate custodian or covered entity.
7. Consent
How We Obtain Consent
For personal information collected directly from individuals (website visitors or business contacts), we obtain consent at or before collection — express (written, electronic, or verbal) where sensitivity requires, or implied from actions or context for less sensitive information. We always identify purposes at or before collection.
Withdrawing Consent
You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting privacy@sarkisaitech.com. We will inform you of the consequences, which may include inability to continue certain services.
PHI — Consent Managed by Custodian
For PHI accessed as an agent under PHIPA or as a Business Associate under HIPAA, patient consent is obtained and managed by the custodian or covered entity. Our processing is governed by our agreements with those organizations.
8. Disclosure and Sharing
We do not sell personal information. We share it only as follows:
- Service Providers and Sub-Processors: Trusted third parties assisting in delivering our services, bound by privacy and security obligations at least as protective as this Policy. Where PHI is involved, sub-processors execute appropriate data processing agreements and BAAs.
- Healthcare Clients: PHI is disclosed to custodians and covered entities in accordance with our agreements, including system logs and audit records for compliance purposes.
- Legal Requirements: Where required by law, court order, or government authority. We notify affected parties where permitted.
- Business Transfers: In merger, acquisition, or asset sale, personal information may transfer subject to equivalent privacy protections. PHI transfers comply with applicable law and our contractual obligations.
- With Consent: In other circumstances with your express consent.
9. Cross-Border Data Transfers
Sarkis AI Inc. is based in Toronto, Ontario, Canada. We may transfer personal information outside Canada, including to the United States, when using cloud hosting or software services operated by U.S.-based providers; serving U.S.-based covered entities under HIPAA; or engaging sub-processors in other jurisdictions.
We use contractual protections to ensure personal information transferred outside Canada receives comparable protection. For PHI transferred to or processed in the United States, sub-processors comply with HIPAA and execute appropriate BAAs.
Clients requiring Canadian-only data residency for PHI should contact compliance@sarkisaitech.com.
10. Data Retention
| Information Type | Retention Period |
|---|---|
| Business contact information | Duration of relationship + 7 years |
| Website usage data | Up to 2 years |
| AI interaction data (identifiable) | Up to 12 months |
| De-identified/aggregated usage data | Indefinite (service improvement) |
| PHI under PHIPA | Per custodian schedule; min. 10 years from last entry or age 18 |
| PHI under HIPAA | Per BAA; BAA records min. 6 years |
When personal information is no longer required, we securely delete, destroy, or de-identify it.
11. Security Safeguards
We implement comprehensive administrative, physical, and technical safeguards aligned with PIPEDA Principle 7, PHIPA O. Reg. 329/04, and the HIPAA Security Rule (45 CFR Part 164, Subpart C).
- Administrative: Designated Privacy Officer; privacy and security policies reviewed regularly; employee training at onboarding and annually; role-based access control; confidentiality agreements for all staff and contractors; privacy impact assessments; vendor due diligence; documented incident response plan; regular audits.
- Physical: Office access controls; secure workstation policies; secure paper disposal by certified shredding; device management policies.
- Technical: TLS 1.2+ encryption in transit; AES-256 encryption at rest; multi-factor authentication for PHI systems; access logging and audit trails; automatic session timeouts; intrusion detection; vulnerability assessments and penetration testing; patch management; data backup and disaster recovery.
12. Your Privacy Rights
Under PIPEDA — Canada
Access: You may request access to your personal information; we respond within 30 days.
Correction: You may request correction of inaccurate or incomplete information; where we disagree, we note your request in the file.
Withdraw Consent: See Section 7.
Complaint to OPC:
Office of the Privacy Commissioner of Canada (OPC)
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376 | www.priv.gc.ca
Submit requests to privacy@sarkisaitech.com — Subject: "Privacy Request – PIPEDA." Proof of identity may be required.
Under PHIPA — Ontario
Access to Health Records: Requests are directed to the health information custodian (your healthcare provider), not Sarkis AI Inc. We will refer you to the appropriate custodian.
Correction: Requests for correction of PHI are made to the custodian.
Complaint to IPC:
Information and Privacy Commissioner of Ontario (IPC)
2 Bloor Street East, Suite 1400, Toronto, Ontario M4W 1A8
Toll-free: 1-800-387-0073 | www.ipc.on.ca
Under HIPAA — United States
HIPAA rights are exercised through the covered entity, not Sarkis AI Inc. directly. We assist covered entities in fulfilling these requests upon their instruction.
Access (45 CFR § 164.524) | Amendment (45 CFR § 164.526) | Accounting of Disclosures (45 CFR § 164.528) | Request Restrictions
Complaint to HHS:
U.S. Department of Health and Human Services, Office for Civil Rights
www.hhs.gov/ocr | 1-800-368-1019
13. Cookies and Tracking
| Cookie Type | Purpose |
|---|---|
| Strictly Necessary | Basic website function (session management, security) |
| Analytics | Aggregated understanding of site usage |
| Functional | Preferences (language, settings) |
We do not use cookies for advertising or cross-site tracking. You may control cookies through your browser settings. Where required by law, we obtain consent before placing non-essential cookies.
14. Children's Privacy
Our website and services are not directed to individuals under 18. We do not knowingly collect personal information directly from children under 18. In our role as agent or Business Associate to healthcare organizations, we may have incidental access to PHI of minor patients; this PHI is handled per Section 6 and our agreements with the custodian. If you believe we have inadvertently collected information from a person under 18, contact privacy@sarkisaitech.com.
15. Breach Notification
Internal Response
Upon discovering a potential breach, we: contain it immediately; assess scope and impact; notify our Privacy Officer and activate our incident response plan; and document it in our breach register.
Under PIPEDA
Under the Breach of Security Safeguards Regulations (SOR/2018-64), where a breach creates a real risk of significant harm, we report to the OPC as soon as feasible and notify affected individuals directly as soon as feasible. We maintain a breach register recording all security safeguard breaches regardless of notification threshold.
Under PHIPA
If a breach involves PHI held on behalf of a custodian, we notify the custodian without unreasonable delay, and within 24 hours where feasible, or as required by our services agreement. The custodian determines whether notification to the IPC and affected individuals is required. We cooperate fully in investigation, remediation, and regulatory reporting.
Under HIPAA
If we discover a breach of unsecured PHI, we notify the affected covered entity without unreasonable delay, and no later than 60 calendar days after discovery, as required by 45 CFR § 164.410. Our notification includes: date of breach and discovery; nature of PHI involved; who used or received the PHI; description of what happened; and steps taken to investigate, mitigate, and prevent recurrence. The covered entity notifies affected individuals, HHS, and where applicable, media outlets.
16. Changes to This Policy
We may update this Privacy Policy to reflect changes in our services, applicable law, or privacy practices. Material changes will be posted with a new effective date, and clients will be notified by email or through our client communications channels where required by law. Where material changes affect PHI handling, we notify the applicable custodians and covered entities and update agreements as needed.
17. How to Contact Us and How to File a Complaint
Sarkis Satjian
Privacy Officer, Sarkis AI Inc.
Toronto, Ontario, Canada
| Purpose | Contact |
|---|---|
| General privacy questions | privacy@sarkisaitech.com |
| PIPEDA access/correction requests | privacy@sarkisaitech.com — "Privacy Request – PIPEDA" |
| PHIPA Agent Agreement inquiries | compliance@sarkisaitech.com |
| HIPAA BAA inquiries | compliance@sarkisaitech.com |
We acknowledge inquiries promptly and respond within 30 days.
Regulatory Authorities
Canada — Federal (PIPEDA)
Office of the Privacy Commissioner of Canada (OPC)
30 Victoria Street, Gatineau, QC K1A 1H3
1-800-282-1376 | www.priv.gc.ca
Ontario — Health Privacy (PHIPA)
Information and Privacy Commissioner of Ontario (IPC)
2 Bloor Street East, Suite 1400, Toronto, ON M4W 1A8
1-800-387-0073 | www.ipc.on.ca
United States — Federal Health Privacy (HIPAA)
U.S. Department of Health and Human Services, Office for Civil Rights
www.hhs.gov/ocr | 1-800-368-1019
Sarkis AI Inc. | sarkisaitech.com | Toronto, Ontario, Canada
This Privacy Policy was prepared for Sarkis AI Inc. and reflects the company's obligations under PIPEDA, PHIPA, and HIPAA as of the effective date above. It is a professional compliance document and does not constitute legal advice. Sarkis AI Inc. recommends that healthcare clients seek independent legal counsel regarding their own compliance obligations.
Last updated: 30 June 2026
Privacy Policy | Sarkis AI Inc.
Read the Sarkis AI Inc. privacy policy covering data handling, privacy-conscious workflows, and healthcare-sensitive communication standards.
Data Handling
We implement privacy-conscious workflows designed with healthcare-sensitive communication standards in mind.
