Privacy Policy
Company: Sandboxco Sdn Bhd (1346132-K)
Registered Address: 22-1 Jalan Radin Bagus 3, Sri Petaling, 57000 Kuala Lumpur, Malaysia
Operating Locations: Bandar Sunway & Sri Petaling, Kuala Lumpur
Contact for PDPA matters: hello@sandboxco.space | +60 12-326 7533
Sandboxco Sdn Bhd (“Sandbox”, “we”, “our”, “us”) is committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) and the principles of Notice & Choice, Disclosure, Security, Retention, Data Integrity and Access. This Privacy Policy explains what we collect, how we use and share it, and your rights.
1) What we collect
Depending on how you interact with us (enquiry, tour booking, membership, event/meeting room booking, Wi-Fi login, payments), we may collect:
Identity & contact: name, NRIC/passport (when required for access control), photo (for access ID), company, job title, phone, email, address.
Transactional: plan type, booking details, invoices, payment status, deposits, refunds/credits.
Access & IT: access card/door logs, Wi-Fi device identifiers (MAC), network telemetry (security purposes), CCTV in common areas (safety & security).
Support & comms: emails, WhatsApp/social messages, support tickets, survey responses.
Website & cookies: pages viewed, referral info, session data; see Cookies below.
If you provide us others’ personal data (e.g., teammates/guests), you confirm you’re authorised to do so and have informed them of this Policy.
2) Why we collect and how we use your data (purposes)
We process personal data to:
Provide services: evaluate enquiries, onboard members, manage plans, meeting rooms, podcast & event bookings, issue access cards, operate facilities (24/7).
Billing & payments: generate invoices, process payments/FPX/card transactions, manage deposits, refunds and credits; prevent fraud and resolve disputes.
Operate & secure the space/IT: Wi-Fi access, network security, CCTV, incident response, visitor management, asset protection.
Customer support & comms: respond to requests, service notifications, operational updates.
Marketing (opt-out anytime): send event updates, promotions, newsletters relevant to Sandbox services.
Legal & compliance: record-keeping, audits, regulatory requests, enforcement of house rules and contracts.
We will not use your data for incompatible purposes without your consent, consistent with PDPA principles.
3) Whether providing data is obligatory and consequences of not providing
Where data is required for (i) access control/safety, (ii) billing/payment, or (iii) fulfilling a booking/membership, failure to supply it may mean we cannot provide the requested service or access. This disclosure forms part of PDPA “notice & choice.”
4) Disclosures to third parties
We may share personal data with:
Payment & payout processors / banks (to charge and refund payments, prevent fraud).
IT & cloud providers (hosting, email, CRM/support, booking systems, access control, Wi-Fi).
Professional advisors (accounting, legal, audit).
Event partners/service vendors only as needed to deliver a booked service.
Authorities/regulators where required by law.
We require processors to implement appropriate security measures and process data only on our instructions, as PDPA expects of data controllers engaging processors.
5) Cross-border transfers
Some providers may process data outside Malaysia. Where this occurs, we implement safeguards permitted by Section 129 PDPA—for example, obtaining your consent, using contractual protections, or ensuring the transfer is necessary to perform a contract you request (e.g., payment processing), consistent with the PDPC’s 2025 Cross-Border Transfer Guidelines.
6) Retention
We keep personal data only as long as necessary for the purposes above and legal/accounting requirements, after which we securely delete or anonymise it, in line with the PDPA Retention Principle.
7) Security
We apply appropriate technical and organisational measures (role-based access, encryption in transit where applicable, network security, logging, staff training, vendor due diligence). While no system is perfect, we work to maintain confidentiality and integrity of personal data, as emphasised by Malaysian regulators.
8) Your rights
Under the PDPA you can:
Access personal data we hold about you;
Correct inaccurate, incomplete or outdated data; and
Withdraw consent (including to direct marketing) at any time; this may affect our ability to provide some services.
To exercise these rights or to make a complaint, contact hello@sandboxco.space. We will respond in accordance with PDPA requirements.
9) Direct marketing choices
You may opt out of Sandbox promotional emails/SMS/WhatsApp at any time via unsubscribe links or by contacting us. We will still send service or transactional notices (e.g., invoices, access alerts).
10) Cookies & analytics
Our website may use cookies and similar technologies to operate the site, remember preferences, analyse traffic, and measure campaigns. You can control cookies via your browser settings. Some features may not function properly without certain cookies. A separate Cookies Notice can provide more detail if needed.
11) Updates
We may update this Policy from time to time. Material changes will be notified on our website or by email where appropriate. Please check this page for the latest version.

