Sarkis AI Inc.
    Sarkis AI Inc.

    Privacy Policy

    Effective Date: 1 July 2026
    Last Updated: 30 June 2026
    Website: sarkisaitech.com

    1. Introduction and Scope

    Sarkis AI Inc. ("Sarkis AI," "we," "us," or "our") is committed to protecting the privacy and security of personal information, including personal health information, that we collect, use, and disclose in the course of operating our business.

    This Privacy Policy applies to our website at sarkisaitech.com, our AI automation services, agents, and systems provided to healthcare clinics, medical spas, and other healthcare organizations, and all personal information we handle as a service provider to our clients.

    We operate under three primary privacy frameworks:

    • PIPEDA — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 — Canada's federal private-sector privacy law
    • PHIPA — Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A — Ontario's health privacy law
    • HIPAA — Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the HITECH Act — U.S. federal health privacy law applicable when we serve U.S.-based covered entities

    Where these frameworks overlap, we apply the standard that provides the greatest protection to individuals.

    2. About Sarkis AI Inc. and Your Privacy Officer

    Sarkis AI Inc.
    Toronto, Ontario, Canada | sarkisaitech.com

    Designated Privacy Officer

    Under PIPEDA Principle 1 (Accountability), we are required to designate an individual accountable for our compliance with privacy obligations.

    Sarkis Satjian
    Privacy Officer, Sarkis AI Inc.
    Email: privacy@sarkisaitech.com

    Our Privacy Officer is responsible for overseeing compliance with PIPEDA, PHIPA, and HIPAA; receiving and responding to privacy inquiries and complaints; ensuring staff training on privacy obligations; conducting privacy impact assessments; and coordinating breach response and regulatory notifications.

    3. What Information We Collect

    3a. Business Contact Information

    When healthcare clinics, medical spas, or other organizations engage our services, we collect names and professional titles of contact persons; business email addresses, phone numbers, and mailing addresses; business registration information; billing and payment information; and communications, contracts, and agreements.

    3b. Personal Health Information (On Behalf of Healthcare Clients)

    When our AI systems and automation tools are deployed within a healthcare client's environment, we may have incidental access to personal health information (PHI) belonging to the clinic's patients. We do not seek out, collect, or independently process PHI for our own purposes.

    Under PHIPA, personal health information means identifying information about an individual in oral or recorded form relating to: physical or mental health; provision of health care; health card number; body part or bodily substance donation; test results; health insurance plan; or payments or eligibility for health care.

    Under HIPAA, protected health information (PHI) means individually identifiable health information transmitted or maintained in any form relating to: past, present, or future physical or mental health condition; provision of health care; or payment for health care.

    See Section 6 for our full obligations with respect to PHI.

    3c. Website Usage Data and Cookies

    When you visit sarkisaitech.com, we may automatically collect IP address and general geographic location; browser type and version; pages visited and time spent; referring URLs; and device type and operating system. See Section 13 for cookie details.

    3d. AI Interaction and Usage Data

    When healthcare clients use our AI agents and automation systems, we may collect query logs and system interaction data; performance metrics and error logs; configuration settings and workflow data; and aggregated, de-identified usage statistics.

    We do not use PHI encountered through client systems to train our own AI models without explicit written authorization from the applicable health information custodian and, where required, patient consent.

    4. Legal Basis for Processing

    Under PIPEDA — 10 Fair Information Principles

    Our collection, use, and disclosure of personal information is guided by the 10 Fair Information Principles in Schedule 1 of PIPEDA:

    • Accountability — We designate a Privacy Officer (Section 2)
    • Identifying Purposes — We identify purposes at or before time of collection (Section 5)
    • Consent — We obtain meaningful consent (Section 7)
    • Limiting Collection — We collect only what is necessary
    • Limiting Use, Disclosure, and Retention — We use and disclose only for identified purposes; retain only as long as necessary (Sections 5, 8, 10)
    • Accuracy — We maintain information in accurate, complete, and up-to-date form
    • Safeguards — We protect information with appropriate security (Section 11)
    • Openness — This Privacy Policy is our public statement of practices
    • Individual Access — Individuals may request access (Section 12)
    • Challenging Compliance — Individuals may challenge our compliance through our Privacy Officer or the OPC (Section 17)

    Under PHIPA — Agent Role

    Sarkis AI Inc. acts as an agent to health information custodians under PHIPA section 17. We do not act as a health information custodian. We receive, access, and process PHI only as directed by and on behalf of our custodian clients. All consent obligations remain with the custodian.

    Before accessing any PHI, we execute a written PHIPA Agent Agreement with the custodian. This written agreement is required under PHIPA and sets out permitted purposes, security requirements, and our obligations.

    Under HIPAA — Business Associate Role

    When we provide services to U.S.-based covered entities, Sarkis AI Inc. acts as a Business Associate as defined under 45 CFR § 160.103.

    We will not access, receive, transmit, maintain, or create PHI on behalf of any U.S. covered entity without first executing a written Business Associate Agreement (BAA) that meets the requirements of 45 CFR § 164.504(e).

    5. How We Use Information

    We use personal information for business operations (delivering services, managing accounts, billing, client communications); service improvement (de-identified, aggregated usage analysis, testing, development); legal and compliance obligations; and security and fraud prevention.

    We do not sell personal information. We do not use personal information for targeted advertising. We do not use PHI for our own commercial purposes beyond the provision of services authorized by the custodian or covered entity.

    6. Personal Health Information — Dedicated Section

    Our Role

    We are a technology service provider. We do not provide health care directly. We process PHI solely as an agent on the instructions of the health information custodian (PHIPA) or the covered entity (HIPAA).

    Written Agreements Required Before Any PHI Access

    PHIPA: A written PHIPA Agent Agreement must be executed before any access to personal health information. This satisfies PHIPA s.17 requirements.

    HIPAA: A Business Associate Agreement (BAA) must be executed before any access to PHI. No PHI will be accessed absent a signed BAA.

    Minimum Necessary Standard

    We apply the minimum necessary standard to all PHI access — using, disclosing, and requesting only the minimum required to accomplish the permitted purpose. This applies under HIPAA (45 CFR § 164.502(b)) and our PHIPA policy.

    Permitted Uses and Disclosures of PHI

    We use and disclose PHI only as authorized by the custodian or covered entity, or as required by law, including: automating scheduling and intake workflows; supporting patient communications on behalf of the healthcare provider; assisting with billing and administrative tasks; and providing technical support and maintenance.

    We do not use PHI to train, refine, or improve AI models or for any purpose beyond delivering the contracted services, without express written authorization.

    Sub-Processors

    Where our services involve third-party platforms processing PHI, we conduct due diligence before engagement; require appropriate data processing agreements and BAAs; maintain a sub-processor list available upon request; and provide advance notice of material sub-processor changes.

    Consent and Circle of Care

    Consent for PHI collection and use is the responsibility of the health information custodian or covered entity. To the extent our AI systems support workflows among providers in a patient's circle of care, PHI may flow among those providers consistent with PHIPA section 38(1), as directed by the custodian.

    Retention and Secure Destruction

    We retain PHI only as long as required by our agreements and applicable law. Retention aligns with PHIPA (minimum 10 years from last entry, or until patient turns 18, whichever is later), HIPAA Security Rule (45 CFR § 164.310(d)), and BAA record retention requirements (minimum 6 years). Destruction methods include cryptographic erasure, secure deletion, physical shredding, and degaussing. All destruction is documented.

    Individual Rights Regarding PHI

    Rights to access and amend health information are exercised through the custodian (PHIPA) or covered entity (HIPAA), not Sarkis AI Inc. We will promptly refer any individual who contacts us directly to the appropriate custodian or covered entity.

    7. Consent

    How We Obtain Consent

    For personal information collected directly from individuals (website visitors or business contacts), we obtain consent at or before collection — express (written, electronic, or verbal) where sensitivity requires, or implied from actions or context for less sensitive information. We always identify purposes at or before collection.

    Withdrawing Consent

    You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting privacy@sarkisaitech.com. We will inform you of the consequences, which may include inability to continue certain services.

    PHI — Consent Managed by Custodian

    For PHI accessed as an agent under PHIPA or as a Business Associate under HIPAA, patient consent is obtained and managed by the custodian or covered entity. Our processing is governed by our agreements with those organizations.

    8. Disclosure and Sharing

    We do not sell personal information. We share it only as follows:

    • Service Providers and Sub-Processors: Trusted third parties assisting in delivering our services, bound by privacy and security obligations at least as protective as this Policy. Where PHI is involved, sub-processors execute appropriate data processing agreements and BAAs.
    • Healthcare Clients: PHI is disclosed to custodians and covered entities in accordance with our agreements, including system logs and audit records for compliance purposes.
    • Legal Requirements: Where required by law, court order, or government authority. We notify affected parties where permitted.
    • Business Transfers: In merger, acquisition, or asset sale, personal information may transfer subject to equivalent privacy protections. PHI transfers comply with applicable law and our contractual obligations.
    • With Consent: In other circumstances with your express consent.

    9. Cross-Border Data Transfers

    Sarkis AI Inc. is based in Toronto, Ontario, Canada. We may transfer personal information outside Canada, including to the United States, when using cloud hosting or software services operated by U.S.-based providers; serving U.S.-based covered entities under HIPAA; or engaging sub-processors in other jurisdictions.

    We use contractual protections to ensure personal information transferred outside Canada receives comparable protection. For PHI transferred to or processed in the United States, sub-processors comply with HIPAA and execute appropriate BAAs.

    Clients requiring Canadian-only data residency for PHI should contact compliance@sarkisaitech.com.

    10. Data Retention

    Information TypeRetention Period
    Business contact informationDuration of relationship + 7 years
    Website usage dataUp to 2 years
    AI interaction data (identifiable)Up to 12 months
    De-identified/aggregated usage dataIndefinite (service improvement)
    PHI under PHIPAPer custodian schedule; min. 10 years from last entry or age 18
    PHI under HIPAAPer BAA; BAA records min. 6 years

    When personal information is no longer required, we securely delete, destroy, or de-identify it.

    11. Security Safeguards

    We implement comprehensive administrative, physical, and technical safeguards aligned with PIPEDA Principle 7, PHIPA O. Reg. 329/04, and the HIPAA Security Rule (45 CFR Part 164, Subpart C).

    • Administrative: Designated Privacy Officer; privacy and security policies reviewed regularly; employee training at onboarding and annually; role-based access control; confidentiality agreements for all staff and contractors; privacy impact assessments; vendor due diligence; documented incident response plan; regular audits.
    • Physical: Office access controls; secure workstation policies; secure paper disposal by certified shredding; device management policies.
    • Technical: TLS 1.2+ encryption in transit; AES-256 encryption at rest; multi-factor authentication for PHI systems; access logging and audit trails; automatic session timeouts; intrusion detection; vulnerability assessments and penetration testing; patch management; data backup and disaster recovery.

    12. Your Privacy Rights

    Under PIPEDA — Canada

    Access: You may request access to your personal information; we respond within 30 days.

    Correction: You may request correction of inaccurate or incomplete information; where we disagree, we note your request in the file.

    Withdraw Consent: See Section 7.

    Complaint to OPC:
    Office of the Privacy Commissioner of Canada (OPC)
    30 Victoria Street, Gatineau, Quebec K1A 1H3
    Toll-free: 1-800-282-1376 | www.priv.gc.ca

    Submit requests to privacy@sarkisaitech.com — Subject: "Privacy Request – PIPEDA." Proof of identity may be required.

    Under PHIPA — Ontario

    Access to Health Records: Requests are directed to the health information custodian (your healthcare provider), not Sarkis AI Inc. We will refer you to the appropriate custodian.

    Correction: Requests for correction of PHI are made to the custodian.

    Complaint to IPC:
    Information and Privacy Commissioner of Ontario (IPC)
    2 Bloor Street East, Suite 1400, Toronto, Ontario M4W 1A8
    Toll-free: 1-800-387-0073 | www.ipc.on.ca

    Under HIPAA — United States

    HIPAA rights are exercised through the covered entity, not Sarkis AI Inc. directly. We assist covered entities in fulfilling these requests upon their instruction.

    Access (45 CFR § 164.524) | Amendment (45 CFR § 164.526) | Accounting of Disclosures (45 CFR § 164.528) | Request Restrictions

    Complaint to HHS:
    U.S. Department of Health and Human Services, Office for Civil Rights
    www.hhs.gov/ocr | 1-800-368-1019

    13. Cookies and Tracking

    Cookie TypePurpose
    Strictly NecessaryBasic website function (session management, security)
    AnalyticsAggregated understanding of site usage
    FunctionalPreferences (language, settings)

    We do not use cookies for advertising or cross-site tracking. You may control cookies through your browser settings. Where required by law, we obtain consent before placing non-essential cookies.

    14. Children's Privacy

    Our website and services are not directed to individuals under 18. We do not knowingly collect personal information directly from children under 18. In our role as agent or Business Associate to healthcare organizations, we may have incidental access to PHI of minor patients; this PHI is handled per Section 6 and our agreements with the custodian. If you believe we have inadvertently collected information from a person under 18, contact privacy@sarkisaitech.com.

    15. Breach Notification

    Internal Response

    Upon discovering a potential breach, we: contain it immediately; assess scope and impact; notify our Privacy Officer and activate our incident response plan; and document it in our breach register.

    Under PIPEDA

    Under the Breach of Security Safeguards Regulations (SOR/2018-64), where a breach creates a real risk of significant harm, we report to the OPC as soon as feasible and notify affected individuals directly as soon as feasible. We maintain a breach register recording all security safeguard breaches regardless of notification threshold.

    Under PHIPA

    If a breach involves PHI held on behalf of a custodian, we notify the custodian without unreasonable delay, and within 24 hours where feasible, or as required by our services agreement. The custodian determines whether notification to the IPC and affected individuals is required. We cooperate fully in investigation, remediation, and regulatory reporting.

    Under HIPAA

    If we discover a breach of unsecured PHI, we notify the affected covered entity without unreasonable delay, and no later than 60 calendar days after discovery, as required by 45 CFR § 164.410. Our notification includes: date of breach and discovery; nature of PHI involved; who used or received the PHI; description of what happened; and steps taken to investigate, mitigate, and prevent recurrence. The covered entity notifies affected individuals, HHS, and where applicable, media outlets.

    16. Changes to This Policy

    We may update this Privacy Policy to reflect changes in our services, applicable law, or privacy practices. Material changes will be posted with a new effective date, and clients will be notified by email or through our client communications channels where required by law. Where material changes affect PHI handling, we notify the applicable custodians and covered entities and update agreements as needed.

    17. How to Contact Us and How to File a Complaint

    Sarkis Satjian
    Privacy Officer, Sarkis AI Inc.
    Toronto, Ontario, Canada

    PurposeContact
    General privacy questionsprivacy@sarkisaitech.com
    PIPEDA access/correction requestsprivacy@sarkisaitech.com — "Privacy Request – PIPEDA"
    PHIPA Agent Agreement inquiriescompliance@sarkisaitech.com
    HIPAA BAA inquiriescompliance@sarkisaitech.com

    We acknowledge inquiries promptly and respond within 30 days.

    Regulatory Authorities

    Canada — Federal (PIPEDA)
    Office of the Privacy Commissioner of Canada (OPC)
    30 Victoria Street, Gatineau, QC K1A 1H3
    1-800-282-1376 | www.priv.gc.ca

    Ontario — Health Privacy (PHIPA)
    Information and Privacy Commissioner of Ontario (IPC)
    2 Bloor Street East, Suite 1400, Toronto, ON M4W 1A8
    1-800-387-0073 | www.ipc.on.ca

    United States — Federal Health Privacy (HIPAA)
    U.S. Department of Health and Human Services, Office for Civil Rights
    www.hhs.gov/ocr | 1-800-368-1019

    Sarkis AI Inc. | sarkisaitech.com | Toronto, Ontario, Canada

    This Privacy Policy was prepared for Sarkis AI Inc. and reflects the company's obligations under PIPEDA, PHIPA, and HIPAA as of the effective date above. It is a professional compliance document and does not constitute legal advice. Sarkis AI Inc. recommends that healthcare clients seek independent legal counsel regarding their own compliance obligations.

    Last updated: 30 June 2026

    Privacy Policy | Sarkis AI Inc.

    Read the Sarkis AI Inc. privacy policy covering data handling, privacy-conscious workflows, and healthcare-sensitive communication standards.

    Data Handling

    We implement privacy-conscious workflows designed with healthcare-sensitive communication standards in mind.

    Avatar
    Welcome to Sarkis AI Inc. I’m Alfredo. I help clinics respond faster, recover missed leads, and book more appointments. How can I help today?