1. Introduction

Sarakinov Consulting Inc. (“SCI,” “we,” “us,” or “our”) is an independent information security and privacy consulting firm committed to protecting the privacy and security of personal information entrusted to us.

As privacy professionals, we hold ourselves to the highest standards of data protection. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information in accordance with applicable privacy laws, including:

• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
• Provincial privacy legislation where applicable
• The General Data Protection Regulation (GDPR) for European data subjects
• Other applicable privacy and data protection laws

This Policy reflects our commitment to privacy by design and demonstrates our dedication to transparency in all data handling practices.

↑ Back to top

2. Scope and Application

This Privacy Policy applies to:

• Personal information collected through our website (www.sarakinovconsulting.com)
• Personal information collected during client engagements and consulting services
• Personal information collected from prospective clients, partners, and vendors
• Personal information of event attendees, newsletter subscribers, and marketing contacts
• Business contact information where it constitutes personal information under applicable law

↑ Back to top

3. Definitions

Personal Information: Any information about an identifiable individual, including but not limited to name, email address, phone number, business contact details, IP addresses, and professional credentials.

Sensitive Personal Information: Information requiring enhanced protection, such as government identifiers, financial information, health information, or information revealing security vulnerabilities.

Processing: Any operation performed on personal information, including collection, use, storage, disclosure, and deletion.

Data Subject: An individual whose personal information we process.

Controller: The entity that determines the purposes and means of processing personal information.

Processor: An entity that processes personal information on behalf of a controller.

↑ Back to top

4. Privacy Officer Contact Information

Our designated Privacy Officer oversees compliance with this Policy and applicable privacy laws.

For privacy-related inquiries, requests to exercise your rights, or complaints, please contact our Privacy Officer using the information above.

↑ Back to top

5. Personal Information We Collect

We collect only the personal information necessary to provide our services and operate our business. The types of personal information we may collect include:

5.1 Client and Prospective Client Information

• Full name and professional title
• Business and personal contact information (email, phone, address)
• Company name and business details
• Professional credentials and certifications
• Project requirements and specifications
• Communication preferences
• Payment and billing information
• Information necessary for security assessments and consulting services

5.2 Website Visitors

• IP address and device information
• Browser type and version
• Pages visited and time spent on our website
• Referring website and navigation patterns
• Cookie identifiers (with consent where required)

5.3 Newsletter and Marketing Contacts

• Name and email address
• Company and job title
• Industry sector and interests
• Communication preferences
• Engagement metrics (email opens, link clicks)

5.4 Event Participants

• Name and contact information
• Organization and professional role
• Dietary restrictions or accessibility requirements
• Registration and attendance information

5.5 Vendors and Partners

• Business contact information
• Tax identification numbers (for payment processing)
• Banking information (for vendor payments)
• Contract and agreement details
• Performance and compliance information

5.6 Sensitive Information

We may collect sensitive personal information only when necessary for specific consulting engagements, such as:

• Information about security vulnerabilities or incidents
• Access credentials for security assessments (handled with enhanced security)
• Compliance documentation containing sensitive business information

We apply enhanced security measures and obtain explicit consent before collecting sensitive personal information.

↑ Back to top

6. How We Collect Personal Information

We collect personal information through various means:

6.1 Direct Collection

• Client engagement forms and contracts
• Email, phone, and video conference communications
• In-person meetings and consultations
• Service delivery platforms and project management tools
• Event registration forms
• Newsletter subscription forms
• Contact forms on our website

6.2 Automatic Collection

• Website analytics tools
• Cookies and similar tracking technologies
• Server logs and application logs
• Email marketing platforms (tracking engagement)

6.3 Third-Party Sources

• Professional networking platforms (LinkedIn)
• Event organizers and co-hosts
• Business directories and public sources
• Referrals from existing clients or partners

We will inform you of the source of your personal information upon request.

↑ Back to top

7. Purposes for Collection, Use, and Disclosure

We collect, use, and disclose personal information only for specific, legitimate purposes:

7.1 Service Delivery

• Performing information security assessments and audits
• Providing privacy consulting and compliance services
• Conducting risk assessments and gap analyses
• Developing policies, procedures, and documentation
• Delivering training and awareness programs
• Incident response and breach management support
• Ongoing advisory and support services
• Quality assurance and service improvement

7.2 Client Relationship Management

• Responding to inquiries and providing quotes
• Negotiating and executing service agreements
• Managing client accounts and project workflows
• Communicating about projects, deliverables, and timelines
• Addressing concerns and resolving issues
• Seeking feedback and conducting satisfaction surveys

7.3 Billing and Payment Processing

• Generating invoices and processing payments
• Managing accounts receivable
• Maintaining financial records
• Tax reporting and compliance

7.4 Legal and Compliance Obligations

• Complying with applicable laws and regulations
• Responding to lawful requests from authorities
• Establishing, exercising, or defending legal claims
• Maintaining professional liability insurance
• Meeting professional regulatory requirements

7.5 Business Operations

• Managing vendor and supplier relationships
• Conducting internal audits and quality control
• Business continuity and disaster recovery planning
• Cybersecurity monitoring and incident response
• Maintaining accurate business records

7.6 Marketing and Communications

• Sending newsletters, articles, and thought leadership content
• Announcing events, webinars, and training opportunities
• Sharing industry updates and regulatory changes
• Promoting our services to prospective clients
• Building and maintaining professional relationships

7.7 Website and Technology Operations

• Operating and improving our website
• Understanding user behaviour and preferences
• Troubleshooting technical issues
• Preventing fraud and security incidents
• Optimizing user experience

We will identify the purpose for collecting personal information before or at the time of collection. If we wish to use information for a new purpose not previously identified, we will notify you and obtain consent where required.

↑ Back to top

8. Legal Basis for Processing

For individuals in jurisdictions requiring specification of legal basis (such as the GDPR), we process personal information based on:

8.1 Contractual Necessity

Processing necessary to perform our consulting services under client agreements.

8.2 Consent

Processing based on your explicit or implied consent, which you may withdraw at any time.

8.3 Legitimate Interests

Processing necessary for our legitimate business interests, such as:

• Marketing our services to business contacts
• Preventing fraud and security incidents
• Improving our services and operations
• Network and information security

We balance our legitimate interests against your rights and will not process your information where your interests override ours.

8.4 Legal Obligation

Processing necessary to comply with legal or regulatory requirements.

8.5 Vital Interests

Processing necessary to protect someone’s life or physical safety (rare circumstances).

↑ Back to top

9. Consent

9.1 Obtaining Consent

We obtain consent for the collection, use, and disclosure of personal information, except where otherwise permitted or required by law. Consent may be:

• Express Consent: Obtained through written or verbal agreement, checkboxes, or electronic acceptance
• Implied Consent: Reasonably inferred from your actions, such as providing business contact information for professional purposes

We obtain express consent for:

• Sensitive personal information
• Marketing communications
• Sharing information with third parties (except service providers)
• Uses beyond the original collection purpose

9.2 Withdrawing Consent

You may withdraw consent at any time by contacting our Privacy Officer. We will inform you of the implications of withdrawing consent, which may include our inability to provide certain services.

Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.

9.3 Website Consent

By submitting personal information through our website, you consent to its collection, use, and disclosure for the purposes identified at the time of collection and in accordance with this Policy.

↑ Back to top

10. Disclosure to Third Parties

10.1 Service Providers and Processors

We may share personal information with trusted third-party service providers who assist us in operating our business, including:

• Cloud Hosting Providers: For website hosting and data storage
• Email and Communication Platforms: For business communications and marketing
• Payment Processors: For processing client payments
• Project Management Tools: For collaboration and workflow management
• Professional Services: Accountants, lawyers, and insurers
• IT Service Providers: For technical support and cybersecurity

All service providers are contractually obligated to:

• Process personal information only for specified purposes
• Implement appropriate security measures
• Comply with applicable privacy laws
• Not use personal information for their own purposes
• Return or delete personal information when services conclude

10.2 Business Transfers

In the event of a merger, acquisition, sale of assets, or bankruptcy, personal information may be transferred to a successor organization. We will notify you and ensure the receiving organization honours this Policy.

10.3 Legal Requirements

We may disclose personal information when required or permitted by law, including:

• Responding to court orders, subpoenas, or legal processes
• Cooperating with law enforcement or regulatory authorities
• Protecting our rights, property, or safety
• Investigating fraud, security incidents, or policy violations
• Enforcing our terms and conditions

10.4 With Your Consent

We may share personal information with other third parties when you provide explicit consent for such disclosure.

We do not sell, rent, or trade personal information to third parties for their marketing purposes.

↑ Back to top

11. International Data Transfers

11.1 Data Storage and Processing Locations

Personal information may be stored and processed in Canada, the United States, and other jurisdictions where our service providers operate. When we transfer personal information outside Canada or the European Economic Area (EEA), we ensure appropriate safeguards are in place.

11.2 Safeguards for International Transfers

For transfers to countries without adequate privacy protections, we implement safeguards such as:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Data Processing Agreements with enhanced security requirements
• Adequacy decisions recognizing equivalent privacy protection
• Your explicit consent for specific transfers

11.3 U.S. Data Transfers

Some of our service providers are located in the United States. Personal information transferred to the U.S. may be accessible to U.S. authorities under lawful access provisions. We select U.S. service providers carefully and require strong contractual protections.

↑ Back to top

12. Data Retention

12.1 Retention Principles

We retain personal information only as long as necessary to fulfill the purposes for which it was collected or as required by law. Retention periods are based on:

• The nature of the information and sensitivity
• Contractual obligations and client requirements
• Legal, regulatory, and professional obligations
• Legitimate business needs
• The potential for legal claims

12.2 Specific Retention Periods

• Client Project Files: 7 years after project completion (professional liability requirements)
• Financial Records: 7 years after fiscal year-end (tax and accounting requirements)
• Contracts and Agreements: 7 years after termination or expiry
• Marketing Contacts: Until consent is withdrawn or contact becomes inactive (3+ years)
• Website Analytics: 26 months (industry standard)
• Email Communications: Duration of client relationship plus 2 years
• Security Logs: 1 year minimum (cybersecurity best practices)

12.3 Secure Disposal

When personal information is no longer required, we securely delete or destroy it using methods that prevent reconstruction or retrieval, including:

• Secure data wiping and degaussing for electronic media
• Shredding or pulverizing physical documents
• Secure deletion protocols for cloud-stored data

↑ Back to top

13. Security Safeguards

13.1 Commitment to Security

As information security professionals, we implement comprehensive safeguards to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification.

13.2 Technical Safeguards

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest (for example AES-256)
• Access Controls: Multi-factor authentication and role-based access
• Network Security: Firewalls, intrusion detection/prevention systems
• Endpoint Protection: Anti-malware, device encryption, remote wipe capabilities
• Vulnerability Management: Regular security assessments and patch management
• Backup and Recovery: Encrypted backups with tested restoration procedures
• Security Monitoring: 24/7 monitoring of systems and security events

13.3 Organizational Safeguards

• Privacy and Security Policies: Comprehensive internal policies and procedures
• Access Restrictions: Need-to-know and least privilege principles
• Background Checks: Screening for employees and contractors with access to sensitive data
• Training and Awareness: Regular privacy and security training for all personnel
• Confidentiality Agreements: Binding obligations for all staff and contractors
• Incident Response Plan: Documented procedures for security incidents
• Vendor Management: Due diligence and contractual security requirements

13.4 Physical Safeguards

• Secure Facilities: Restricted access to offices and server rooms
• Locked Storage: Secure cabinets for physical documents
• Clean Desk Policy: Removal of sensitive materials when unattended
• Visitor Controls: Sign-in procedures and supervised access
• Secure Disposal: On-site shredding and certified destruction services

13.5 Regular Security Reviews

We conduct regular security assessments, including:

• Annual privacy and security audits
• Penetration testing and vulnerability assessments
• Review and update of security controls
• Third-party security certifications and validations

↑ Back to top

14. Your Privacy Rights

14.1 Right to Access

You have the right to request confirmation of whether we hold your personal information and to access that information. We will provide:

• Confirmation of processing activities
• Categories of personal information held
• Purposes of processing
• Third parties to whom information has been disclosed
• Source of the information (if not collected directly)
• Retention period or criteria for determining retention

We will provide access within 30 days of receiving your request, subject to extensions permitted by law.

14.2 Right to Correction

You have the right to request correction of inaccurate or incomplete personal information. We will:

• Update or correct information as requested
• Notify third parties of corrections where we disclosed the information
• Provide confirmation of corrections made

Please assist us in maintaining accurate information by notifying us of changes.

14.3 Right to Deletion (Right to be Forgotten)

You may request deletion of your personal information when:

• It is no longer necessary for the purposes collected
• You withdraw consent (where processing is based on consent)
• You object to processing and there are no overriding legitimate grounds
• Personal information was unlawfully processed
• Legal obligations require deletion

We may retain information where required by law or for legitimate purposes such as establishing, exercising, or defending legal claims.

14.4 Right to Data Portability

You have the right to receive personal information you provided to us in a structured, commonly used, and machine-readable format, and to transmit that information to another organization where technically feasible.

14.5 Right to Object

You have the right to object to processing of your personal information where:

• Processing is based on legitimate interests
• Personal information is used for direct marketing
• Personal information is used for research or statistical purposes

We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

14.6 Right to Restrict Processing

You may request restriction of processing when:

• You contest the accuracy of personal information (during verification)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the information but you require it for legal claims
• You have objected to processing (pending verification of legitimate grounds)

14.7 Right to Withdraw Consent

You may withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

To withdraw consent for marketing communications, use the unsubscribe link in our emails or contact our Privacy Officer.

14.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

European Union: Contact your local data protection authority

14.9 Exercising Your Rights

To exercise any of these rights, contact our Privacy Officer using the information in Section 4. We may require verification of your identity before responding to requests.

We will respond to requests within 30 days (or as required by applicable law), with possible extensions communicated to you in advance.

There is no fee for making a request, although we may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests.

↑ Back to top

15. Cookies and Website Technologies

15.1 What Are Cookies?

Cookies are small text files placed on your device by websites you visit. They enable websites to recognize your device and remember information about your visit.

15.2 Types of Cookies We Use

Strictly Necessary Cookies

Essential for website operation and security. These cannot be disabled.

• Session management
• Security and fraud prevention
• Load balancing

Functional Cookies

Enhance website functionality and personalization (with consent).

• Language preferences
• User interface preferences
• Remember login status

Analytics Cookies

Help us understand how visitors use our website (with consent).

• Page views and navigation patterns
• Traffic sources and demographics
• Performance metrics and error tracking

15.3 Cookie Management

You can control cookies through your browser settings:

• Block all cookies
• Block third-party cookies only
• Delete cookies after each session
• Receive notifications when cookies are sent

Note: Disabling cookies may affect website functionality.

15.4 Other Tracking Technologies

Local Storage: We may use browser local storage for session management and user preferences.

Server Logs: We automatically collect IP addresses, browser types, and access times for security and analytics purposes.

Email Tracking: Our marketing emails may include tracking pixels to measure open rates and engagement (with consent).

15.5 Do Not Track and Global Privacy Control

We honour Do Not Track (DNT) signals and Global Privacy Control (GPC) preferences set in your browser. When these signals are detected, we:

• Do not use analytics cookies
• Do not track browsing behaviour
• Limit data collection to essential functions only

15.6 Cookie Consent

For website visitors in jurisdictions requiring cookie consent (such as the EU), we provide a cookie consent banner allowing you to:

• Accept or decline optional cookies
• Customize cookie preferences by category
• Withdraw consent at any time

↑ Back to top

16. Data Breach Notification

16.1 Incident Response

We maintain a comprehensive incident response plan to detect, respond to, and recover from security incidents and data breaches.

16.2 Notification to Authorities

In the event of a data breach that poses a real risk of significant harm, we will notify relevant authorities as required by law, including:

• Office of the Privacy Commissioner of Canada (within timelines specified by PIPEDA)
• EU supervisory authorities (within 72 hours under GDPR)
• Other applicable regulatory bodies

16.3 Notification to Affected Individuals

We will notify affected individuals when a breach poses a real risk of significant harm. Notifications will include:

• Description of the breach and personal information affected
• Time and circumstances of the breach
• Steps we are taking to mitigate harm and prevent future breaches
• Contact information for questions and assistance
• Steps individuals can take to protect themselves

16.4 Documentation

We maintain records of all security incidents and breaches, including:

• Facts and circumstances of the incident
• Impact assessment and affected individuals
• Remedial actions taken
• Notifications provided to authorities and individuals

↑ Back to top

17. Children’s Privacy

Our services are directed to businesses and professionals. We do not knowingly collect personal information from individuals under the age of 18.

If we become aware that we have inadvertently collected personal information from a minor, we will:

• Delete the information immediately
• Not use or disclose the information
• Notify the Privacy Officer for review

If you believe we have collected information from a minor, please contact our Privacy Officer immediately.

↑ Back to top

18. Automated Decision-Making

18.1 Limited Automated Processing

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

18.2 Analytics and Segmentation

We may use automated tools for:

• Website analytics and user behaviour analysis
• Email marketing segmentation based on engagement
• Lead scoring for business development

These activities do not result in automated decisions that significantly affect you and are conducted with appropriate safeguards.

↑ Back to top

19. Changes to This Policy

19.1 Updates and Revisions

We may update this Privacy Policy periodically to reflect:

• Changes in our practices or services
• New legal or regulatory requirements
• Technological developments
• Feedback from stakeholders

19.2 Notification of Changes

Material changes will be communicated through:

• Prominent notice on our website
• Email notification to active clients and contacts
• Updated “Last Updated” date at the top of this Policy

19.3 Version Control

We maintain a version history of this Policy. Previous versions are available upon request from our Privacy Officer.

19.4 Continued Use

Your continued use of our services after notification of changes constitutes acceptance of the updated Policy. If you do not agree with changes, please discontinue use and contact us to discuss your options.

↑ Back to top

20. Questions and Complaints

20.1 Contact Us

For questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact:

20.2 Complaint Handling Process

We take all privacy complaints seriously and will:

1. Acknowledge receipt of your complaint within 5 business days
2. Investigate the matter thoroughly and impartially
3. Provide a response within 30 days (or notify you of extension)
4. Take appropriate corrective actions if needed
5. Document the complaint and resolution

20.3 Escalation

If you are not satisfied with our response, you may escalate your complaint to:

For EU Data Subjects: Contact your local data protection authority or supervisory authority.

↑ Back to top