Does your website use third-party services? Get GDPR compliant in minutes.

SalesCandy

What does SalesCandy do?

SalesCandy is a Malaysian lead distribution and CRM platform that pushes new leads instantly to the right sales agent via a mobile application. It collects leads from Facebook Lead Ads, Google Forms, TikTok, web forms and call tracking numbers, and tracks contact attempts, responses and conversions. Because SalesCandy hosts data in Malaysia and APAC, and uses third party cookies, GDPR compliance requires explicit consent and a documented data transfer chain.

What is SalesCandy

SalesCandy is a lead distribution and CRM platform built in Malaysia and used by real estate developers, insurance providers, banks, education and B2B service firms across South East Asia. It pushes new leads from advertising channels (Facebook Lead Ads, TikTok Lead Generation Ads, Google Forms, landing pages, web forms) instantly to the right sales agent through a mobile application, tracks every contact attempt and measures conversion in real time.

What data does SalesCandy collect

SalesCandy collects lead contact details (name, phone, email, address, custom fields), the source channel and creative, contact attempt logs (time, duration, outcome), call recordings when enabled, agent geolocation when the mobile app is active, behavioural data such as ad clicks and form completion, and conversion or sale data.

GDPR and ePrivacy implications

SalesCandy is a third party processor. Its tracking cookies are not strictly necessary and require consent under Art. 5(3) ePrivacy. Behavioural scoring and marketing automation rely on consent under Art. 6(1)(a) GDPR. Call recordings require explicit notice to both parties and a defined retention rule. Agent geolocation may trigger employee monitoring obligations under national labour law and Art. 88 GDPR.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Consent requirements

Block SalesCandy trackers behind a CMP, present a clear privacy notice on the lead forms, deliver a call recording disclosure before phone conversations, and configure granular consent for marketing follow up versus transactional updates.

Data transfers outside the EU

SalesCandy processes data in Malaysia and other APAC regions. None of these countries currently benefits from an EU adequacy decision. Operators must rely on Standard Contractual Clauses and document a Transfer Impact Assessment evaluating Malaysian and Singaporean surveillance laws.

Practical compliance steps

Sign the SalesCandy DPA and SCCs, complete a Transfer Impact Assessment, gate marketing tags behind a CMP, deploy call recording disclosure, restrict agent geolocation to working hours and the strict minimum, define retention rules for leads and recordings, and document SalesCandy in your Article 30 register.

GDPR consent category

Marketing

Websites using SalesCandy must obtain user consent under GDPR regulations.

Legal basisConsent (Art. 6(1)(a) GDPR) is required for the tracking cookies and the behavioural follow up. Performance of a contract (Art. 6(1)(b)) applies once a lead is converted into a customer. Legitimate interest (Art. 6(1)(f)) is constrained for marketing automation.

Risk levelhigh

Applicable regulationsGDPR, ePrivacy Directive, TDDDG, LSSI CE, Malaysian Personal Data Protection Act 2010, Schrems II, Standard Contractual Clauses

DPIA considerations

A DPIA is recommended when SalesCandy is used at scale, when it is combined with Facebook Lead Ads or TikTok Lead Generation Ads, or when call recordings and sensitive financial data are stored alongside the lead profile.

Sample consent text

We use SalesCandy, a Malaysian lead distribution and CRM platform, to allocate your enquiry to the right sales representative, follow up on your interest and measure conversion. This involves transferring your personal data outside the European Union under Standard Contractual Clauses.

Technical details

Tracking methodClient side JavaScript snippet for lead capture, third party tracking cookies, server side API for lead distribution to agents, mobile applications for sales reps, and integrations with Facebook Lead Ads, Google Forms, TikTok and other lead sources.

Server locationMalaysia. SalesCandy is operated by SalesCandy Sdn Bhd from Kuala Lumpur with cloud infrastructure on AWS regions in Asia Pacific (Singapore, Mumbai), with optional US regions for global accounts.

Data transferred outside the EUPersonal data is transferred to Malaysia and other APAC regions, none of which currently benefits from an EU adequacy decision. Operators must rely on Standard Contractual Clauses and document a Transfer Impact Assessment that addresses Malaysian and Singaporean surveillance laws.

Third-party domains contacted

salescandy.comapp.salescandy.comapi.salescandy.com

Cookies placed

Name	Type	Duration	Purpose
sc_uid	Marketing	1 year	SalesCandy visitor identifier used for lead attribution and journey tracking.
sc_session	Strictly Necessary	Session	Maintains the admin and agent session in the SalesCandy back office.
sc_form	Marketing	30 days	Stores partial form submissions and UTM parameters for incoming campaigns.

SalesCandy places tracking cookies for advertising — comply with GDPR using FlowConsent.

Get started free Scan your site

Frequently asked questions

Which cookies does SalesCandy set?

SalesCandy sets a marketing visitor identifier for lead attribution, a strictly necessary session cookie for the admin and agent back office, and a marketing cookie that stores partial form submissions and UTM parameters. The marketing cookies require prior consent.

Is consent required to deploy SalesCandy on a European website?

Yes for marketing tracking, advertising integrations and behavioural follow up. The strictly necessary session cookie is exempt. Call recording requires explicit notice to both parties before the call.

What is the legal basis for processing through SalesCandy?

Consent (Art. 6(1)(a) GDPR) for marketing tracking and behavioural follow up. Performance of a contract (Art. 6(1)(b)) once a lead becomes a customer. Legitimate interest (Art. 6(1)(f)) for fraud prevention with a balancing test. Agent geolocation often falls under Art. 88 GDPR with national specifics.

Does SalesCandy transfer data outside the European Union?

Yes. SalesCandy is operated from Malaysia and uses AWS APAC regions. Operators must rely on Standard Contractual Clauses and document a Transfer Impact Assessment evaluating Malaysian and Singaporean surveillance laws.

Is a DPIA required when integrating SalesCandy?

A DPIA is recommended when SalesCandy is combined with Facebook Lead Ads or TikTok Lead Generation Ads, when call recordings and financial data are stored, or when behavioural scoring drives automated agent allocation.

How do I implement SalesCandy in a GDPR compliant way?

Sign the SalesCandy DPA and SCCs, document a Transfer Impact Assessment, gate marketing tags through a CMP, configure call recording disclosures, restrict agent geolocation to working hours, define retention rules, and document SalesCandy in your Article 30 register.

Are there European alternatives to SalesCandy?

Yes. Salesforce Sales Cloud (in EU regions), Pipedrive (Estonia), HubSpot (with EU data residency), Zoho CRM (with EU servers) and Sellsy (France) offer comparable lead distribution and CRM features with EU data residency.

How do I update my cookie policy after enabling SalesCandy?

List sc_uid and sc_form as marketing cookies and sc_session as strictly necessary. Disclose SalesCandy Sdn Bhd as a sub processor in Malaysia, mention the APAC infrastructure and re trigger the consent banner so existing visitors can review the updated processing chain.

Get compliant — Try FlowConsent free

Free plan · 10-min setup