
Last Updated: December 5, 2025
1. Introduction and Scope
SARKIS AI Global Ltd. ("SARKIS AI") is committed to data sovereignty and transparency. This Privacy Policy describes how we collect, use, process, and transfer your personal data. It is engineered to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Personal Information Protection and Electronic Documents Act (PIPEDA).
2. Information We Collect
We collect data in three distinct categories:
2.1 Administrative Data
Identity Data: Name, username, or similar identifier.
Contact Data: Billing address, email address, and telephone numbers.
Financial Data: Payment card details (processed securely via Stripe/PayPal; we do not store full card numbers).
2.2 AI Telemetry and Usage Data
Interaction Logs: Metadata regarding your usage of AI Agents, including timestamps, token counts, and feature utilization.
Feedback Loops: Corrections or ratings ("Thumbs Up/Down") you provide on Generated Output. This is used for Reinforcement Learning from Human Feedback (RLHF) to improve system performance, not necessarily to train content models.
2.3 Customer Input Data (The "Content")
Prompts: The specific text instructions entered into our AI interfaces.
Uploads: Files (PDFs, CSVs) uploaded for analysis.
API Payloads: Data transmitted via our API endpoints.
3. How We Use Your Information
We process your data for the following legal purposes:
Purpose | Data Category | Legal Basis (GDPR)
Service Delivery | Admin, Input Data | Performance of Contract: To execute the automation workflows you requested.
Billing | Financial Data | Performance of Contract: To process subscription fees.
Security & Fraud Prevention | Telemetry, Input Data | Legitimate Interest: To detect prompt injection attacks, botnets, and AUP violations.
Platform Optimization | Telemetry (Aggregated) | Legitimate Interest: To analyze system load and improve latency.
Marketing | Contact Data | Consent: To send newsletters or product updates (Opt-in required).
CRITICAL NOTE ON AI TRAINING: SARKIS AI does not use your Customer Input Data or Prompts to train our foundational Third-Party Models (e.g., OpenAI GPT-4) unless you have explicitly opted into a "Custom Model Partnership." We utilize "Zero-Retention" API settings with our upstream providers where available for enterprise clients. [9]
4. Data Sharing and Sub-Processors
To provide our Services, we chain together various third-party infrastructure and AI providers. You acknowledge and agree to the transfer of your data to the following Sub-Processors:
4.1 Core AI Infrastructure
OpenAI (USA): LLM Processing. (Transfers subject to SCCs).
Anthropic (USA): LLM Processing.
Google Vertex AI (USA): Machine Learning infrastructure.
4.2 Operational Infrastructure
Amazon Web Services (AWS) / Google Cloud: Hosting and database storage.
Pinecone / Weaviate: Vector database storage for "Memory" and RAG (Retrieval-Augmented Generation).
Stripe: Payment processing.
SARKIS AI maintains Data Processing Agreements (DPAs) with all sub-processors, ensuring they implement security measures no less protective than those set out in this Policy.
5. International Data Transfers
SARKIS AI operates globally. Your Personal Data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country.
5.1 Transfers to the United States.
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on the EU-U.S. Data Privacy Framework (DPF) where the recipient is certified. Where the recipient is not DPF certified, or for other international transfers, we implement the European Commission’s Standard Contractual Clauses (SCCs).
5.2 Transfer Impact Assessments (TIAs).
In compliance with the Schrems II ruling, SARKIS AI conducts TIAs to evaluate the risk of government surveillance in destination countries. We implement supplementary measures, including encryption at rest and in transit, to protect your data during these transfers.
5.3 Canada (PIPEDA).
For Canadian users, SARKIS AI ensures that any transfer to a third party (including outside Canada) provides a "comparable level of protection" through contractual means, consistent with Principle 1 of PIPEDA.
6. Data Retention and Deletion
6.1 Retention Policy.
Customer Input/Output: Retained for 30 days to allow for user history access and debugging, then automatically deleted from active servers.
Vector Embeddings: Retained for the duration of your active subscription (to maintain your AI Agent's "memory"). Deleted upon account termination.
Account Data: Retained for the life of the account plus 2 years for legal compliance (tax/audit).
6.2 Deletion Requests.
You may request the deletion of your account and data by emailing [email protected]. Note that we cannot delete data that has been anonymously aggregated for system metrics. If your data was used to fine-tune a model owned by a third party prior to your opt-out, it may not be technically feasible to "unlearn" that data from the model.
7. Your Rights
Under GDPR, CCPA, and PIPEDA, you have specific rights:
Right to Access: You can request a copy of your personal data.
Right to Rectification: You can correct inaccurate data.
Right to Erasure: You can ask us to delete your data ("Right to be Forgotten").
Right to Object: You can object to our processing of your data for legitimate interests.
Right to Portability: You can request your data in a structured, machine-readable format.
CCPA Specifics: California residents have the right to opt out of the "sale" or "sharing" of personal information. SARKIS AI does not sell your personal data.
8. Security Measures
We implement industry-standard technical and organizational measures to secure your data, including:
Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit.
Access Controls: Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) for all internal staff.
Vulnerability Scanning: Regular penetration testing of our API endpoints.
9. Operational Guidelines for Implementation
The legal documents drafted above are powerful tools, but their efficacy depends on proper operational implementation.
9.1 The "Clickwrap" Imperative
The research [35] indicates that simple links to Terms (Browsewrap) are often unenforceable. SARKIS AI must implement a Clickwrap agreement.
Implementation: During the sign-up flow, place a checkbox that says: "I agree to the Terms of Service and Privacy Policy." This checkbox must be unchecked by default. The user must actively click it to proceed. This affirmative action is crucial for enforcing arbitration clauses and class action waivers in US courts.
9.2 Managing the "Human-in-the-Loop" Workflow
The Terms mandate HITL for high-risk use cases. The SARKIS AI platform UI should reinforce this.
UI Suggestion: When a user activates a workflow tagged as "Financial" or "Medical," trigger a modal pop-up: "Warning: This workflow is classified as High-Risk under our Acceptable Use Policy. You certify that a human will review all outputs before action is taken. [I Agree]"
Audit Trail: Log this interaction. If a client is sued for AI negligence and tries to blame SARKIS AI, this log serves as evidence that they accepted the HITL obligation.
9.3 Insurance Strategy
Given the explicit "No Hallucination Warranty," SARKIS AI faces residual risk if a client alleges the platform failed technically rather than cognitively.
Recommendation: Obtain Technology Errors & Omissions (Tech E&O) insurance. Ensure the policy includes specific endorsements for "AI Performance" and "Cyber Liability." The liability cap in the ToS (Section 9.2) should ideally match the deductible or a fraction of the coverage limit of this insurance policy. [36]
9.4 Vendor Management: The "OpenAI Risk"
SARKIS AI is an orchestrator. If OpenAI goes down, SARKIS AI goes down.
Contractual Flow-Down: The Terms explicitly disclaim liability for Third-Party Model failures (Section 3.2). Operational teams must ensure that SARKIS AI's SLAs with clients do not promise higher uptime (e.g., 99.99%) than what OpenAI/Anthropic guarantees (often 99.9% or less). A mismatch here creates an uninsurable gap.
9.5 Handling EU "Right to Explanation"
The GDPR and the upcoming AI Act grant users a "right to explanation" for automated decisions.
Operational Response: SARKIS AI should build "Explainability" features (e.g., exposing the chain-of-thought or prompt trace) into the platform. This allows enterprise clients to fulfill their own regulatory obligations to their end-users without needing to subpoena SARKIS AI's engineering team.
10. Contact and DPO
If you have questions about this Privacy Policy or wish to exercise your rights, please contact our Data Protection Officer (DPO):
SARKIS AI Global Ltd.
Attn: Privacy Officer
Email: [email protected]
Address: 251 Sherbourne Street Unit 113, Toronto M5A3Y8, Ontario CA

From VOICE AI to WORKFLOW AI at SARKIS AI we specialize in your success.
[email protected] +1-855-338-2499
© 2025 SARKIS AI. All rights reserved.