Privacy Policy

Effective Date: April 14, 2026 · Last Updated: April 14, 2026

1. Introduction

SandboxOps ("we," "us," or "our") operates the website sandboxops.co and provides marketing automation, lead generation, and AI-powered client operations services to small and mid-sized businesses in Canada. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit our website, interact with our services, or interact with clients we serve.

We are committed to protecting the privacy of our clients, their customers, and website visitors across Canada and comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL).

2. Information We Collect

2.1 Directly from you

When you contact us, book a call, or use our services, we collect:

  • Full name
  • Email address
  • Phone number
  • Business name, industry, role
  • Website and social handles
  • Any information you provide in forms or correspondence

2.2 From our clients' end customers (lead data)

As part of our marketing services to clients, we process personal data of leads and customers on behalf of our clients. This data is submitted voluntarily by leads through:

  • Meta (Facebook and Instagram) instant lead forms
  • WhatsApp Business conversations
  • Website forms
  • SMS and email responses

This may include name, email, phone number, property address, budget, timeline, intent, and consent preferences. We act as a service provider to our clients for this data; clients are the data controllers for their leads.

2.3 Automatically collected

When you visit sandboxops.co, we collect:

  • IP address, browser type, device identifiers
  • Pages visited, time on site, referring URL
  • Cookie identifiers
  • Performance and crash data

2.4 Integrations with third-party platforms

With explicit authorization from our clients, we connect to third-party platforms on their behalf. These connections may access data described below.

3. How We Use Your Information

We use information we collect to:

  • Respond to inquiries and deliver requested services
  • Provide lead generation, messaging automation, CRM, and marketing consulting to clients
  • Run and optimize advertising campaigns on behalf of clients
  • Qualify and route leads to our clients for follow-up
  • Communicate with you about services, updates, and promotions (with opt-in)
  • Improve our website, service offerings, and AI models used internally
  • Analyze traffic and usage patterns
  • Comply with legal obligations, enforce our terms, and prevent fraud

4. Third-Party Platforms and Integrations

We use and connect to the following platforms. Each has its own privacy policy governing its use of data:

4.1 Meta Platforms (Facebook, Instagram, WhatsApp, Messenger)

We connect to Meta Platforms via the Meta Business SDK and Graph API under app ID SandboxOps Media (2327431934411947) to:

  • Create, manage, and measure advertising campaigns on clients' ad accounts
  • Read and respond to Messenger and Instagram Direct messages on client Pages
  • Retrieve leads from Meta lead forms
  • Send and receive messages via the WhatsApp Business Platform on behalf of clients
  • Publish content to Pages and Instagram accounts with client authorization
  • Access insights on Pages, Posts, and ads

Data we access via Meta may include Page messages, Instagram messages, WhatsApp messages, ad performance metrics, audience insights, lead form submissions (name, email, phone, custom form answers), Page and Instagram profile information.

We store this data only as long as needed to deliver services and comply with applicable retention requirements. We do not transfer Meta Platform data to any party outside SandboxOps or the authorizing client without explicit consent, except to sub-processors strictly necessary for service delivery (hosting, database, AI inference).

You can request deletion of your Meta Platform data at any time by emailing privacy@sandboxops.co.

4.2 Intuit QuickBooks Online

With client authorization, we connect to QuickBooks Online under Intuit app SandboxOps Paperclip to:

  • Read invoices, estimates, customers, and payments for client accounting workflows
  • Push confirmed orders and customer records from CRM to QuickBooks
  • Reconcile payments and generate financial reports

Data we access via Intuit may include customer names, billing and shipping addresses, invoice and estimate details, payment records, tax identifiers, and company financial summaries.

We do not share QuickBooks data with parties outside SandboxOps or the authorizing client. Data is encrypted in transit and at rest. You can revoke QuickBooks access at any time through your QuickBooks Online "Apps" settings.

4.3 Other integrations

With client authorization, we may connect to:

  • Google Ads and Google Analytics for advertising and analytics
  • Google Sheets and Google Drive for workflow storage
  • Telegram for operational alerts
  • GoHighLevel (GHL) for CRM and voice automation
  • Twilio and Telnyx for SMS and voice
  • Apollo.io for sales intelligence
  • Webflow, Cloudflare, and similar hosting platforms
  • Anthropic (Claude API) for AI qualification and content generation
  • ElevenLabs for voice synthesis
  • OpenAI for select AI features
  • Hetzner and cloud infrastructure providers for hosting

Each provider has its own privacy policy governing the handling of data we pass to them.

5. Cookies and Tracking Technologies

Our website and client-facing landing pages use cookies and similar technologies to:

  • Support site functionality
  • Analyze traffic and usage
  • Attribute conversions from advertising campaigns

You can control cookies through your browser settings. Disabling cookies may affect certain site functionality.

6. Data Retention

  • Contact form submissions: retained for up to 3 years after last interaction
  • Client lead data (processed on behalf of clients): retained per client agreement, typically 2 years active, then archived or deleted
  • WhatsApp and messaging conversation history: retained 2 years active, then archived
  • Financial data from Intuit QuickBooks: retained per client's retention agreement, typically 7 years to meet CRA requirements
  • Meta Platform data: retained per the scope of the active authorization; deleted on revocation request
  • Automatic site analytics: retained for 26 months

We delete or anonymize data when it is no longer needed for the purposes collected or required by law.

7. Data Security

We implement administrative, technical, and physical safeguards including:

  • Encryption in transit (TLS 1.2 or higher)
  • Encryption at rest for sensitive fields
  • Role-based access control with audit logging
  • Regular security reviews and dependency updates
  • Principle of least privilege for client data access

No method of transmission or storage is 100 percent secure. We do our best and promptly notify affected parties in the event of a confirmed data incident in accordance with applicable law.

8. Your Rights

Under PIPEDA and applicable provincial law, you have the right to:

  • Access personal information we hold about you
  • Request correction of inaccurate or incomplete information
  • Request deletion of your personal information, subject to legal retention requirements
  • Withdraw consent for future communications at any time
  • Request a copy of your data in a portable format
  • File a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated

To exercise any of these rights, contact privacy@sandboxops.co. We respond within 30 days.

9. Data Location and International Transfers

SandboxOps operates primarily in Canada. Some of our service providers (for example, Meta, Google, Anthropic, OpenAI, ElevenLabs) may process data in the United States or other jurisdictions. Where data is transferred outside Canada, we require service providers to maintain privacy protections substantially similar to those required under Canadian law.

10. Children

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically. Continued use of our services after an update constitutes acceptance of the changes.

12. Contact Us

SandboxOps

Email: privacy@sandboxops.co Website: https://sandboxops.co

For privacy-specific requests, data deletion, or questions about this policy, email privacy@sandboxops.co. For account or service questions, use the Contact form on sandboxops.co.

This policy is designed to meet PIPEDA, CASL, Meta Platform Terms, Intuit Developer Terms, and standard marketing industry best practices. It is reviewed annually or when integrations change.