Privacy Policy

Effective Date: March 16, 2026

How Kori by EMAK Telecom Collects, Uses, and Protects Personal Information
Operated by: EMAK Telecom Inc.
10330 Côte-de-Liesse, Suite 130, Montréal, QC, H8T 1A3, Canada

IMPORTANT: These documents reflect current operational reality as of the effective date. They have been prepared to comply with applicable Quebec and Canadian law, including Law 25, PIPEDA, and CRTC telecommunications privacy regulations. They should be reviewed by qualified legal counsel before going live with any customers.

This Privacy Policy explains how EMAK Telecom Inc. collects, uses, discloses, and protects personal information in connection with the Kori Platform. It has been prepared in compliance with Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / LPRPSP), the Personal Information Protection and Electronic Documents Act (PIPEDA), and CRTC telecommunications privacy regulations.

We believe in plain language. This policy describes what we actually do — not what we aspire to do. If something changes materially, we will update this policy and notify you in advance.

This policy covers two groups: (1) Business Customers — businesses subscribing to Kori; and (2) Callers — individuals who speak with a Kori Voice Agent when calling a business. We play different roles with respect to each group, as explained below. Note on data types: call transcripts and AI-generated call summaries are produced as part of the core Kori service. Call recordings (audio files) are an optional feature requiring explicit opt-in by the Business Customer.

1. Who We Are and Our Dual Role

The Kori Platform is operated by EMAK Telecom Inc.. In connection with the Platform and the underlying telecommunications infrastructure, EMAK Telecom operates in two capacities:

  • As a telecommunications service provider, EMAK Telecom is subject to CRTC Customer Confidential Information (CCI) obligations, which impose strict confidentiality requirements on call-related customer data.
  • As an AI application layer provider, EMAK Telecom acts as a data processor on behalf of Business Customers with respect to Caller interactions handled by Kori Voice Agents.

Privacy Officer:

EMAK Telecom Inc. — Privacy Officer: Elias Makhoul, Chief Executive Officer

10330 Côte-de-Liesse, Suite 130, Montréal, QC, H8T 1A3, Canada

Email: privacy@callkori.ai | Website: https://callkori.ai

You may contact our Privacy Officer at any time to exercise your privacy rights, ask questions, or make a complaint.

2. Scope of This Policy

This policy applies to personal information EMAK Telecom collects and processes in operating the Kori Platform. It does not govern the privacy practices of Business Customers, who are independently responsible for their own privacy obligations and disclosures to their Callers.

Your existing EMAK Telecom telecommunications service — including any call recording features — is governed by your EMAK Telecom service agreement, not this policy.

3. What Personal Information We Collect

3.1 From Business Customers

When you register for and use Kori, we collect:

  • Account information: business name, address, contact name, email, phone number, and business registration details;
  • Billing and payment information: processed through a PCI-DSS compliant payment processor — we do not store full card numbers;
  • Technical and usage data: IP addresses, login records, browser and device information, API usage, dashboard activity;
  • Agent configuration data: the opening greeting, knowledge base and FAQ content, call transfer settings, and integration parameters you configure in the Platform;
  • Support communications: records of your interactions with our team.

3.2 From Callers (via Business Customer Deployments)

When a Caller interacts with a Kori Voice Agent, the following data is generated and processed on behalf of the Business Customer:

  • Call metadata: caller phone number (ANI), called number (DNIS), call timestamp, call duration, and call disposition — stored in Canada;
  • Voice audio stream: the real-time audio of the caller's speech, transmitted to third-party AI Processing Services for speech recognition and natural language processing (see Section 6);
  • Call transcripts: a text transcript of the call generated from the processed audio — stored in Canada;
  • Interaction data: intents identified, actions taken by the Agent (bookings created, information provided, transfers initiated) — stored in Canada;
  • Any personal information voluntarily provided by the Caller during the call (e.g., name, appointment details).
  • Call recordings: if the Business Customer has opted in to enable the Kori Call Recording feature, the audio of calls is recorded and stored in encrypted form in Amazon S3 cloud storage in Canada. Recording is disabled by default and requires explicit Business Customer opt-in through the Kori portal.

We collect Caller data as a service provider on behalf of the Business Customer. The Business Customer is the responsible party for Caller Personal Information. Business Customers are responsible for disclosing to their Callers that calls may be handled by AI voice technology and that calls may be recorded.

4. How We Use Personal Information

4.1 Business Customer Data

We use Business Customer personal information to:

  • Create, manage, and administer your account;
  • Provide and operate the Kori Platform;
  • Process billing and payments;
  • Send service notifications, security alerts, and administrative communications;
  • Provide customer support;
  • Monitor for and enforce compliance with our Terms of Service;
  • Comply with legal obligations;
  • Generate aggregated, de-identified analytics to improve the Platform.

4.2 Caller Data

We process Caller data on behalf of Business Customers for:

  • Real-time speech recognition and natural language processing to enable the Agent to respond (processed via AI Processing Services described in Section 6);
  • Generating call transcripts and interaction logs accessible to the Business Customer through the Kori dashboard;
  • Analyzing call transcripts using our own code and Canadian-hosted AI models to generate: sentiment analysis, call outcomes, call summaries, and business analytics reporting — all processed in Canada;
  • Detecting the language of transcripts to support customer experience features such as follow-up outreach (for example, sending requested SMS links in the appropriate language) — processed in Canada;
  • Detecting and preventing fraud, abuse, and prohibited Platform use;
  • Troubleshooting technical issues, on a limited-access, need-to-know basis by authorized EMAK Telecom personnel;
  • Playing back call recordings to authorized Business Customer users through the Kori dashboard, where the Call Recording feature has been enabled;
  • Complying with CRTC and other legal obligations.

We do not currently use Call Data — including recordings, transcripts, or interaction logs — for AI model training. If we implement an AI training program in the future, we will update this Privacy Policy, notify Business Customers with advance notice, and provide an opportunity to opt out before any such use begins.

5. Legal Basis for Processing

  • Contract performance: processing necessary to provide the Kori Platform pursuant to our Terms of Service;
  • Legitimate interests: security monitoring, fraud prevention, troubleshooting, and Platform analytics, where our interests are not overridden by your privacy interests;
  • Legal obligation: where required by Applicable Law, including CRTC regulations.

6. Third-Party AI Processing Services and Cross-Border Transfers

6.1 Why Data Leaves Canada

The AI voice processing that powers Kori Voice Agents — speech recognition and natural language understanding — requires transmission of real-time audio to AI inference endpoints. These endpoints are operated by third-party AI Processing Services whose infrastructure is in the United States. This is a technical necessity: real-time AI voice processing cannot function without transmitting the audio stream to the AI model.

Only the real-time audio stream is transmitted cross-border during an active call. All other data — transcripts, call metadata, recordings, and account data — is stored in Canada.

6.2 Current AI Processing Services

As of the effective date of this policy, we use the following AI Processing Service:

Google LLC (Google Cloud / Gemini AI services) — Real-Time Voice Inference

  • What is processed: real-time voice audio stream and in-session conversational context
  • Processing location: United States (technical necessity for real-time inference)
  • Governing agreement: Google Cloud Data Processing Addendum (CDPA)
  • Data retention by Google: audio processed in real time, held only in short-lived in-memory cache (maximum 24-hour TTL); no persistent at-rest storage of audio by Google

Google LLC (Google Cloud / Vertex AI — Canadian region) — Transcript Processing

  • What is processed: call transcripts (text only) for post-call analytics including sentiment analysis, call outcomes, summaries, and language detection
  • Processing location: Canada (Vertex AI northamerica-northeast1 region — no cross-border transfer)
  • Governing agreement: Google Cloud Data Processing Addendum (CDPA) — same instrument as above
  • Google does not use this data to train its own AI models

We maintain a current list of AI Processing Services in Schedule A of our Terms of Service and on our website. We will provide at least 30 days' advance notice before adding a new AI Processing Service that materially changes this data processing arrangement.

We may in the future use additional providers such as voice synthesis services or alternative language processing providers (for example, services such as OpenAI or ElevenLabs). Any material addition will be disclosed in advance.

6.3 Law 25 Cross-Border Transfer Compliance

We have addressed the cross-border transfer requirements under Law 25 as follows:

  • We have conducted a Privacy Impact Assessment (PIA) of the transfer to Google's US infrastructure, assessing the sensitivity of the data, the purposes of processing, the contractual safeguards in place, and the applicable legal framework in the US;
  • We have accepted Google's CDPA, which provides contractual privacy protections substantially equivalent to those required under Quebec law;
  • We apply data minimization — only the minimum data necessary for real-time inference is transferred;
  • We maintain a documented record of this transfer and review it annually.

7. Disclosure of Personal Information

7.1 Service Providers

We share personal information with trusted service providers who help us operate the Kori Platform, including AI Processing Services (as described above), Canadian-hosted cloud infrastructure providers, PCI-DSS compliant payment processors, and operational tools. All service providers are contractually bound to process personal information only on our instructions and with appropriate safeguards.

7.2 CRTC Obligations and Legal Disclosure

As a telecommunications service provider, EMAK Telecom treats all call-related customer information as Customer Confidential Information (CCI) under CRTC rules. We will not disclose CCI without express consent or lawful authority. We may disclose personal information where required by law, court order, or valid demand from a government authority with appropriate legal authority.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may transfer as part of that transaction. We will provide notice and describe the privacy commitments that apply.

7.4 No Sale of Personal Information

We do not sell personal information to third parties. We do not disclose personal information to advertisers or data brokers. The Kori Platform is not used for targeted advertising.

8. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The appropriate retention period for each category of data is determined by factors including the sensitivity of the information, the purpose of collection, applicable legal requirements, and legitimate business needs.

Call recordings (where enabled) are subject to the retention period configured in the Business Customer's account settings, subject to a default period specified in the Business Customer's Order Form or account agreement. Business Customers may request shorter retention periods. We do not retain personal information for longer than is necessary for the purposes described in this policy.

Upon account termination, we will make Account Data available to you for export for a reasonable period, after which we will securely delete or anonymize it in accordance with our data retention practices. We will provide specific retention period information to Business Customers in their Order Form or on request by contacting privacy@callkori.ai.

9. Your Privacy Rights

9.1 Rights of Business Customers

Under Law 25, you have the right to:

  • Access the personal information we hold about you;
  • Request correction of inaccurate or incomplete information;
  • Request deletion of your personal information, subject to legal retention obligations;
  • Request your information in a structured, portable format;
  • Request human review of significant automated decisions affecting you.

9.2 Rights of Callers

Callers who interacted with a Kori Voice Agent may have privacy rights under Law 25. Because the Business Customer is the responsible party for Caller data, Callers should first direct requests to the business they called. Callers may also contact us directly and we will facilitate their rights in coordination with the relevant Business Customer.

To help us locate your data, please provide: the date and approximate time of your call, the phone number you called from, and the business you called. Contact: privacy@callkori.ai

9.3 How to Submit a Request

Contact our Privacy Officer at privacy@callkori.ai. We respond within 30 days. We may need to verify your identity. If unsatisfied with our response, you may complain to:

  • Commission d'accès à l'information (CAI) du Québec: www.cai.quebec.ca | 1-888-528-7741
  • Office of the Privacy Commissioner of Canada: www.priv.gc.ca | 1-800-282-1376

10. Security

We implement appropriate technical, administrative, and organizational security measures designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our measures include:

  • SSL-encrypted connections between our application servers and database;
  • Server-side encryption (AES-256) for call recordings stored in AWS S3;
  • Encrypted transmission of data to and from our AI processing services;
  • Role-based access controls and least-privilege access principles;
  • Confidentiality obligations for all personnel who access Call Data;
  • Regular security reviews;
  • Incident response and breach notification procedures.

In the event of a privacy breach involving risk of serious injury, we will notify the CAI and affected individuals as required by Law 25, and will notify affected Business Customers of breaches involving their data.

11. Automated Decision-Making

Kori Voice Agents use AI to handle calls and perform tasks. In accordance with Law 25:

  • Kori Voice Agents are AI-powered systems performing automated processing;
  • Kori provides a default opening greeting that identifies the agent as a virtual agent. Business Customers may customize this greeting. If a Business Customer replaces the default greeting, that Business Customer is solely responsible for ensuring Callers are appropriately informed that they are interacting with an automated AI system;
  • Business Customers must not configure any Agent to deny being AI-powered when directly asked by a Caller;
  • Where an Agent action materially affects a Caller (such as a booking or denial of service), Business Customers should provide a mechanism for Callers to seek human review;
  • Callers may contact us to request information about automated processing that affected them.

12. Children's Privacy

The Kori Platform is designed for business use. We do not knowingly collect personal information from individuals under 18. Business Customers are responsible for ensuring their Agent configurations are appropriate for the audiences they serve.

13. Changes to This Policy

We will post updated versions of this policy on our website and provide Business Customers with at least 30 days' notice of material changes. Continued use of the Platform after the effective date of changes constitutes acceptance. If you do not accept a change, you may terminate your account pursuant to the Terms of Service.

14. Contact

Privacy Officer — Kori by EMAK Telecom

10330 Côte-de-Liesse, Suite 130, Montréal, QC, H8T 1A3, Canada

Email: privacy@callkori.ai | Website: https://callkori.ai

Resources
Early accessPartners
Legal
Terms of ServicePrivacy policy
© 2026 kori by emak. All rights reserved.