Privacy Policy

This Privacy Policy describes how Sarakinov Consulting Inc. ("Sarakinov Consulting," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with our professional services and website at sarakinovconsulting.com.

This policy applies to all personal information we handle, whether collected online, in person, by telephone, or through written correspondence. By engaging our services or using our website, you acknowledge that you have read and understood this policy.

This policy is written to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and is designed to be compatible with forthcoming requirements under the Consumer Privacy Protection Act (CPPA) and, where applicable, the EU/UK General Data Protection Regulation (GDPR).

Sarakinov Consulting Inc. is an independent information security and privacy advisory firm incorporated in Ontario, Canada. We provide Fractional CISO Advisory, Enterprise Security Architecture, and Privacy & Risk Advisory services to organizations across North America and internationally.

For purposes of applicable privacy legislation, Sarakinov Consulting Inc. is the organization responsible for the personal information under its control.

4.1 Information You Provide Directly

We collect personal information that you voluntarily provide when you:

• Submit a contact form on our website (name, email address, organization, enquiry details)
• Book a strategy session via our scheduling tool (name, email address, calendar availability)
• Engage us for advisory services (contact details, professional role, organizational information)
• Correspond with us by email, telephone, or video conference
• Sign contracts or service agreements

4.2 Information Generated During Service Delivery

In the course of providing advisory services, we may handle information that includes:

• Security assessment findings and recommendations
• Architectural documentation and risk registers
• Meeting notes, deliverables, and project correspondence
• Contact details of client personnel involved in engagements

Where client engagements involve personal information about the client's own customers or employees, that information is handled in accordance with our data processing agreements and the client's instructions.

4.3 Information Collected Automatically — Website Visitors

Our website does not use cookies or client-side tracking technologies. When you visit sarakinovconsulting.com, our web host's server logs may automatically record standard technical information including your IP address, browser type, referring URL, and pages visited. This information is retained for security monitoring purposes only and is not used for marketing or profiling.

We use personal information only for the purposes for which it was collected, including:

• Responding to enquiries — to reply to messages submitted via our website or sent directly by email
• Scheduling — to confirm and manage advisory sessions booked through our scheduling tool
• Service delivery — to provide contracted advisory services, produce deliverables, and manage client relationships
• Contracting and billing — to execute agreements, issue invoices, and maintain financial records as required by law
• Communications — to send relevant updates or follow-up information where you have requested or consented to receive them
• Legal and regulatory compliance — to meet obligations under applicable law, including responding to lawful requests from authorities
• Security monitoring — to protect our systems and detect or investigate unauthorized access

We do not use personal information for automated decision-making, profiling, or targeted advertising.

Under Canadian privacy law, we rely on the following bases for collecting and using personal information:

• Consent — where you have provided express or implied consent, such as when you submit a contact form or book a session
• Contractual necessity — where processing is necessary to fulfill a service agreement you have entered into with us
• Legal obligation — where we are required to retain or disclose information by applicable law
• Legitimate interests — for security monitoring and maintaining the integrity of our systems, where those interests are not overridden by your privacy rights

For individuals in the European Economic Area or United Kingdom, these same bases align with GDPR Articles 6(1)(a), (b), (c), and (f) respectively.

We do not sell, rent, or trade personal information. We may share information in the following limited circumstances:

7.1 Service Providers

We use a small number of trusted service providers to support our operations. These include:

• Cloud storage and productivity tools — for document management and project collaboration
• Email and communications platforms — for client correspondence
• Scheduling tools — for managing advisory session bookings (currently Calendly)
• Form processing — for handling website contact form submissions (currently Formspree)
• Web hosting — for serving sarakinovconsulting.com

All service providers are engaged under terms that restrict their use of personal information to the specific purposes for which it is shared and require them to maintain appropriate security safeguards.

7.2 Legal Requirements

We may disclose personal information where required or permitted by law, including in response to a court order, regulatory requirement, or lawful request from a law enforcement or government authority.

7.3 Business Transactions

In the event of a business transaction such as a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice before any such transfer and will ensure appropriate protections are in place.

Some of our service providers store or process data in jurisdictions outside Canada, including the United States. When personal information is transferred internationally, we take steps to ensure that it receives a level of protection consistent with Canadian privacy law, including through contractual safeguards.

By providing your personal information to us, you acknowledge that it may be transferred to, stored in, or processed in countries outside your country of residence, where privacy laws may differ from those in your jurisdiction.

We retain personal information only as long as necessary for the purposes for which it was collected, or as required by law. Our general retention guidelines are:

• Website enquiries (not resulting in an engagement): 12 months from last contact
• Client engagement records: 7 years from completion of the engagement, in accordance with applicable legal and tax requirements
• Contracts and financial records: 7 years as required by Canadian tax law
• Server logs (web hosting): 1 year minimum, for security monitoring purposes
• Scheduling records (Calendly): Governed by Calendly's data retention policies

When personal information is no longer required, we securely delete or anonymize it.

As an information security advisory firm, we apply the same principles to our own data handling that we recommend to clients. Our security practices include:

• Encryption of data in transit (TLS) and at rest where applicable
• Access controls and authentication requirements for systems holding personal information
• Principle of least privilege applied to internal access
• Secure disposal of physical and digital records containing personal information
• Vendor security review for service providers handling personal information on our behalf

No method of electronic transmission or storage is completely secure. While we take all reasonable precautions, we cannot guarantee absolute security. In the event of a privacy breach that poses a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA.

11.1 Our Website Does Not Use Cookies

sarakinovconsulting.com does not use cookies of any kind — no session cookies, analytics cookies, advertising cookies, or any other client-side tracking technologies. No cookies are set on your device when you visit our website.

We do not use Google Analytics, social media pixels, remarketing tags, or any other tracking or profiling tools. Do Not Track (DNT) and Global Privacy Control (GPC) signals are therefore honoured by default — there is nothing to opt out of.

11.2 Third-Party Services

Two third-party services linked from our website may collect information independently when you interact with them directly:

• Calendly — our booking link opens on calendly.com. Calendly's own privacy policy applies when you visit their site. Calendly does not embed on our pages and does not set cookies on sarakinovconsulting.com.
• Formspree — our contact form submits data to Formspree's servers for processing and delivery. Formspree processes only the information you enter in the form and does not set cookies on sarakinovconsulting.com.

We encourage you to review the privacy policies of these services if you wish to understand how they handle your information.

Subject to applicable law, you have the following rights with respect to your personal information:

• Access — to request a copy of the personal information we hold about you
• Correction — to request that inaccurate or incomplete information be corrected
• Withdrawal of consent — to withdraw consent for processing at any time, where consent is the basis for processing, subject to legal or contractual restrictions
• Erasure — to request deletion of your personal information where it is no longer necessary for the purpose for which it was collected and no legal obligation requires its retention
• Complaint — to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your applicable supervisory authority

For individuals in the EU or UK, additional rights under GDPR apply, including the right to data portability and the right to object to processing based on legitimate interests.

To exercise any of these rights, please contact us using the information in Section 16. We will respond within 30 days.

Our services are directed exclusively at business professionals and organizations. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently received personal information from a minor, we will delete it promptly.

Our website may contain links to external websites, including Calendly and professional resources. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

We may update this policy from time to time to reflect changes in our practices, legal requirements, or the services we use. When we make material changes, we will update the version number and effective date at the top of this page.

We encourage you to review this policy periodically. Continued use of our website or services after a policy update constitutes acceptance of the revised terms.

For questions, concerns, or requests related to this policy or your personal information, please contact our Privacy Officer: