Privacy Policy
Privacy Policy for Sandbots
Last Updated: March 16, 2026
Plain-language summary
This isn’t legally binding — the full policy below controls — but here’s the gist:
- We collect what we need to run the Service and bill you correctly
- We don’t sell your personal information
- We don’t train AI models on your data
- We use trusted third parties (AI providers, payment processors, hosting) and they’re contractually obligated to handle data appropriately
- You have rights to access, correct, and delete your information
- We follow Canadian privacy law (PIPEDA), and offer GDPR/CCPA-equivalent rights to users in those regions
- Questions? Email privacy@sandbots.ai
1. Introduction
This Privacy Policy describes how Sandbox Media Corporation (“Sandbox Media,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information through the Sandbots™ platform and related services (the “Service”).
We are located at 10 Bronte Street South, Suite 402, Milton, Ontario, L9T 9M2, Canada.
This Policy applies to:
- Visitors to our websites (including sandbots.ai)
- Users of the Service
- Customers and prospective Customers
- Individuals who contact us
By using the Service, you agree to this Policy. If you do not agree, you must not use the Service.
2. Who we are and our role
2.1 As a service provider
When you use the Service, you (or your Organization) generally act as the data controller (or “primary handler”) of any personal information uploaded or processed within your workspace. Sandbox Media acts as a data processor (or “service provider”), processing that information on your behalf and according to your instructions.
This means:
- You are responsible for ensuring you have appropriate legal grounds to upload personal information about others (e.g., your customers, prospects)
- We process such information only as necessary to provide the Service
- We will not use that information for our own purposes (such as marketing or AI training)
2.2 As a data controller
When we collect information directly from you for our own purposes (such as billing, account management, or marketing), we act as the data controller of that information.
3. Information we collect
3.1 Information you provide directly
When you create an Account, subscribe, or interact with the Service, we may collect:
- Identity information: name, email address, phone number, job title
- Organization information: company name, billing address, organization size
- Account credentials: passwords (stored hashed), security questions, two-factor authentication settings
- Payment information: billing address, payment method details (processed by our payment processor — see Section 5)
- Communication preferences: marketing opt-ins, language preferences
- Customer support information: messages, support ticket contents, recordings of demo calls (with your consent)
3.2 Information you upload to the Service (“Customer Content”)
When you use the Service, you may upload or generate:
- Brand Blueprint information (brand voice, audience descriptions, products, positioning)
- Documents and images stored in Cloud Storage
- Content from websites you scrape using Web Scrapers
- Prompts and inputs to AI Agents
- AI-generated Outputs
We treat Customer Content as confidential and process it only as necessary to provide the Service.
3.3 Information collected automatically
When you use the Service, we automatically collect:
- Usage data: which features you use, when, how often, Credit consumption, Agent interactions
- Technical data: IP address, browser type, device type, operating system, time zone, language settings
- Performance data: error logs, latency measurements, system performance metrics
- Cookies and similar technologies: see our Cookie section (Section 9)
3.4 Information from third parties
We may receive information about you from:
- Payment processors (transaction confirmations, fraud signals)
- Authentication providers (if you sign in with Google, Microsoft, or similar — name and email only)
- Service providers (hosting providers, analytics providers, AI model providers)
- Public sources (publicly available business information)
4. How we use information
4.1 To provide the Service
- Authenticate you and manage your Account
- Process AI Agent requests and generate Outputs
- Store and retrieve Customer Content
- Run Web Scrapers and Cloud Storage features
- Track usage and enforce Subscription limits
- Provide customer support
4.2 To bill and manage your Subscription
- Process payments and renewals
- Send invoices and billing notifications
- Detect and prevent fraud
- Handle refunds and disputes
4.3 To improve the Service
- Analyze aggregated, anonymized usage patterns to improve features
- Diagnose technical issues
- Develop new features
We do not train AI models on Customer Content.
4.4 To communicate with you
- Send service notifications (billing, security, feature updates)
- Send marketing communications (only with your consent, and you can opt out anytime)
- Respond to inquiries and support requests
- Conduct customer research (with your consent)
4.5 To comply with legal obligations
- Respond to lawful requests from authorities
- Comply with tax, accounting, and corporate law requirements
- Investigate violations of our Terms of Service or Acceptable Use Policy
- Protect against fraud, abuse, or security threats
4.6 Legal bases (for users in jurisdictions requiring this disclosure)
Where applicable (e.g., for users in the European Economic Area or United Kingdom), our legal bases for processing personal information include:
- Contractual necessity: to provide the Service you’ve subscribed to
- Legitimate interests: to improve the Service, prevent fraud, secure our systems
- Consent: for optional marketing communications and certain cookies
- Legal obligation: to comply with applicable laws
5. How we share information
We do not sell personal information. We share information only in the following circumstances:
5.1 Service providers
We share information with trusted third parties who help us deliver the Service, including:
- AI model providers: OpenAI, Anthropic, Google, and similar providers process Agent inputs to generate Outputs. These providers are contractually obligated to handle data appropriately and not retain it for training (where opt-out is available).
- Hosting and infrastructure: Vercel, AWS, Google Cloud, and similar providers host the Service and store Customer Content.
- Payment processors: Stripe processes payments and stores payment information securely. Sandbox Media does not directly store full credit card numbers.
- Email and communication: SendGrid, Postmark, or similar services to send service emails.
- Analytics: Google Analytics, PostHog, or similar tools to understand Service usage in aggregate.
- Customer support: Help desk and live chat tools to respond to inquiries.
These providers act as our subprocessors and are contractually obligated to protect personal information.
5.2 Within your Organization
If you are a User of an Organization Account, your activity within that Organization may be visible to:
- Your Organization Admin and other authorized administrators
- Other Users of the same Organization (depending on permissions)
Sandbox Media is not responsible for how your Organization manages internal access to your activity.
5.3 With your consent
We may share information for other purposes with your explicit consent.
5.4 Legal requirements
We may disclose information when required by law, including in response to:
- Court orders, subpoenas, or legal process
- Government requests for national security or law enforcement purposes
- Investigations into violations of our Terms or applicable law
We will, where lawful, attempt to notify the affected Customer of such disclosure requests.
5.5 Business transfers
If Sandbox Media is involved in a merger, acquisition, or sale of assets, personal information may be transferred to the successor entity, subject to the protections of this Policy.
5.6 Aggregated and anonymized data
We may share aggregated or anonymized data that cannot reasonably be used to identify any individual.
6. AI processing and data handling
Because Sandbots is an AI platform, certain disclosures about AI data handling are important:
6.1 What happens to your inputs
When you (or your Users) interact with an Agent, the input is sent to the AI model assigned to that Agent (e.g., a Claude, GPT, or Gemini model). The AI provider processes the input and returns an Output, which we then deliver to you.
6.2 Retention by AI providers
We use AI providers that contractually agree not to retain or train on inputs sent through API access (subject to standard abuse-monitoring retention, typically 30 days or less). Specific provider terms:
- Anthropic: API data is not used to train models
- OpenAI: API data is not used to train models (with opt-out controls)
- Google: API data handling per Google Cloud Terms
6.3 Web Scrapers and personal information
When you use Web Scrapers, you are responsible for ensuring you have the right to access the scraped content. If scraped content contains personal information, you are responsible for ensuring you have a lawful basis to process that personal information.
6.4 Brand Blueprint and embeddings
To make Brand Blueprint information available to Agents, we may convert that information into vector embeddings stored in our infrastructure. These embeddings are treated as Customer Content and are subject to the same protections.
7. Data retention
We retain personal information only as long as necessary for the purposes described in this Policy, or as required by law.
7.1 Account information
Account information is retained while your Account is active. Upon Account closure, we will delete or anonymize Account information within 60 days, except as required by law.
7.2 Customer Content
Customer Content is retained while your Account is active. Upon Account closure, Customer Content is deleted within 60 days. You may request export of Customer Content within 30 days of Account closure.
7.3 Billing records
We retain billing records for at least 7 years as required by Canadian tax law.
7.4 Logs and analytics
Technical logs and aggregated analytics are typically retained for 12-24 months.
7.5 Backups
Data may persist in backups for up to 90 days after deletion from primary systems.
8. Your rights
Depending on your jurisdiction, you may have the following rights:
8.1 Access
You have the right to request a copy of personal information we hold about you.
8.2 Correction
You have the right to request correction of inaccurate or incomplete personal information.
8.3 Deletion
You have the right to request deletion of your personal information, subject to exceptions for legal obligations or legitimate business needs.
8.4 Portability
You have the right to receive a copy of personal information you provided to us in a structured, machine-readable format.
8.5 Restriction and objection
You may request that we restrict processing of your personal information or object to certain processing activities.
8.6 Withdrawing consent
Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
8.7 Marketing opt-out
You can opt out of marketing communications at any time using the unsubscribe link in our emails or by contacting us.
8.8 How to exercise your rights
To exercise these rights, contact us at privacy@sandbots.ai. We will respond within 30 days, subject to any extensions permitted by applicable law. We may need to verify your identity before processing your request.
If you are a User of an Organization Account, certain rights may need to be directed to your Organization Admin, who controls your Account.
8.9 Right to complain
You have the right to file a complaint with your local privacy regulator if you believe we have violated your rights. In Canada, this is the Office of the Privacy Commissioner of Canada (priv.gc.ca). EU residents may complain to their national data protection authority. California residents have rights under the CCPA.
9. Cookies and tracking
9.1 What we use
We use cookies and similar technologies to:
- Keep you logged in (essential)
- Remember your preferences (essential)
- Measure how the Service is used (analytics)
- Detect and prevent fraud (security)
9.2 Cookie consent
In jurisdictions requiring cookie consent (such as the EU), we present a cookie banner allowing you to manage non-essential cookies.
9.3 Do Not Track
We do not currently respond to “Do Not Track” browser signals, but you can manage cookies through your browser settings.
10. International data transfers
We are based in Canada, and our service providers operate in Canada, the United States, and other jurisdictions. By using the Service, you consent to the transfer of your information to these jurisdictions.
For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on appropriate safeguards including Standard Contractual Clauses or recognized adequacy decisions.
11. Security
We implement reasonable technical and organizational measures to protect personal information, including:
- Encryption in transit (TLS) and at rest (AES-256 or equivalent)
- Access controls and authentication requirements
- Regular security reviews and updates
- Incident response procedures
However, no system is 100% secure. You are responsible for maintaining the security of your Account credentials. If you believe your Account has been compromised, contact us immediately at security@sandbots.ai.
12. Children’s privacy
The Service is not directed to individuals under 18 years of age (or the age of majority in their jurisdiction, whichever is greater). We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, contact us at privacy@sandbots.ai and we will delete it.
13. Region-specific disclosures
13.1 Canada (PIPEDA)
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. Our designated Privacy Officer can be reached at privacy@sandbots.ai.
13.2 European Economic Area, United Kingdom, Switzerland (GDPR)
If you are in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent UK/Swiss laws. Sandbox Media is the data controller for personal information we collect directly. Contact us at privacy@sandbots.ai to exercise your rights.
13.3 California (CCPA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete, and the right to opt out of sale (we do not sell personal information). Contact us at privacy@sandbots.ai to exercise your rights.
13.4 Other regions
If you are subject to other privacy laws, similar rights may apply. Contact us with any questions.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by email or in-product notification at least 30 days before taking effect. The “Last updated” date at the top of this Policy reflects the most recent revision.
Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
15. Contact us
For privacy questions, requests, or concerns, contact us at:
Privacy Officer
Sandbox Media Corporation
10 Bronte Street South, Suite 402
Milton, Ontario, L9T 9M2, Canada
Email: privacy@sandbots.ai