This Privacy Policy explains how Polygon Technology Solutions ("Lega", "we", "us", or "our") collects, uses, stores, and shares information when you use the Lega platform (the "Service") at lega.my and any associated subdomains, mobile interfaces, and APIs.
By using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.
1. Who We Are
Lega is a multi-channel customer relationship management (CRM) platform operated by Polygon Technology Solutions, a subsidiary of Polygon Synergy, registered in Malaysia. Our registered place of business is Kuala Lumpur, Malaysia. We are a data controller for personal data processed about our account holders, and a data processor for personal data of end customers that account holders process through the Service.
2. Information We Collect
2.1 Account Information
When you sign up for an account, we collect your name, email address, password (stored as a salted hash, never in plain text), organisation name, and any optional profile information you provide.
2.2 Service Data
Through normal use of the Service, we store:
- WhatsApp messages, contacts, and media exchanged through devices you have paired to the Service
- Email messages sent and received through inboxes you connect
- Lead and contact records, tags, notes, and pipeline stage assignments you create
- Knowledge base documents you upload for AI auto-reply
- Conversation history, including AI-generated replies
2.3 End Customer Data (Important)
Because the Service relays and stores messages from your customers (third parties who chat with your business), we process personal data about those end customers, including their phone numbers, names where shared, message content, and any media they send. You warrant that you have a lawful basis to collect, store, and process this data through the Service, and that you will provide your end customers with appropriate notice and choice as required by the Personal Data Protection Act 2010 (Malaysia) or any other applicable law.
2.4 Payment Information
Subscription payments are processed by our payment partner CHIP. We do not store or have access to your full card or bank details. We retain only a billing reference and the metadata needed to issue receipts and renewals.
2.5 Technical Data
We log IP addresses, browser type and version, device identifiers, pages viewed, and timestamps for the purposes of security, fraud prevention, and service improvement. These records are retained for up to twelve (12) months unless retention for a longer period is required to investigate an incident.
3. How We Use Information
- To provide, maintain, and improve the Service
- To authenticate users, prevent fraud, and protect platform security
- To process subscription payments and issue receipts and tax invoices
- To send transactional notifications (e.g. password reset, billing receipts, service alerts)
- To provide customer support when you contact us
- To comply with legal obligations and respond to lawful requests from public authorities
- With your consent, to send you product updates and marketing communications (you may opt out at any time)
4. Artificial Intelligence Processing
Lega offers AI auto-reply, knowledge base assistant, and related AI features under two models: Managed AI (default) and Bring Your Own Key (BYOK).
Under Managed AI, message content is transmitted from our servers to Anthropic via Lega's own API account on your behalf. We meter usage per AI reply against your plan allowance plus any top-up purchases. Anthropic does not train models on API data by default; their data handling is governed by their commercial API terms.
Under BYOK, you supply your own API key for one or more AI providers (currently Anthropic, OpenAI, or Google Gemini). Message content is transmitted directly from our servers to the AI provider you have selected, using your key. BYOK is required for advanced features such as the knowledge base wizard and lead enrichment.
This means:
- Your BYOK API key is encrypted at rest using AES-256-GCM and is never logged in plain text
- Message content sent to any AI provider is subject to that provider's privacy policy and data retention rules, which we do not control
- You should review the privacy practices of the AI provider you choose, or the default Managed AI provider (Anthropic), before sending sensitive content
- If you revoke or rotate your BYOK key, BYOK AI features will stop until you supply a new one; Managed AI continues to work as long as your plan or top-up balance has replies remaining
5. WhatsApp Connectivity Disclosure
Lega connects to WhatsApp via Baileys, an open-source library that uses WhatsApp's unofficial multi-device protocol. Baileys is not endorsed, licensed, or supported by Meta Platforms, Inc. (the operator of WhatsApp).
You acknowledge and accept that:
- WhatsApp's Terms of Service prohibit certain automated and bulk-messaging behaviours, and Meta may temporarily or permanently ban any WhatsApp number that violates those terms
- Lega applies conservative throttling, randomised pacing, and warning systems to reduce ban risk, but cannot guarantee that your number will not be banned
- You should pair a dedicated business number, not your personal WhatsApp number, with the Service
- You are responsible for ensuring your use of WhatsApp through the Service complies with WhatsApp's Business Policy and all applicable laws
6. How We Share Information
We do not sell your personal data. We share information only in the following circumstances:
6.1 Service Providers (Sub-Processors)
- Supabase — managed PostgreSQL hosting and authentication
- CHIP — subscription billing and payment processing
- Cloud infrastructure providers — virtual private server hosting, content delivery, and email delivery
- Anthropic — AI model provider, used either via Lega's Managed AI account or via your own API key (BYOK)
- OpenAI, Google — AI model providers, only when you have supplied your own API key (BYOK)
6.2 Legal Requirements
We may disclose information if required by law, court order, regulatory authority, or to protect the rights, property, or safety of Lega, our users, or others.
6.3 Business Transfers
If Lega is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.
7. Data Retention
- Account data is retained while your account is active
- If you cancel your subscription, account and message data is retained for ninety (90) days to allow reactivation, then permanently deleted
- You may request earlier deletion at any time by emailing hi@lega.my
- Backups are retained for up to thirty (30) additional days before being overwritten in the rotation
- Audit logs and security records are retained for up to twelve (12) months
8. Data Security
We apply industry-standard security measures to protect your information, including:
- TLS 1.2+ encryption for all data in transit
- AES-256-GCM encryption at rest for sensitive credentials, including BYOK API keys
- Tenant-isolated database access with row-level security
- Hashed and salted password storage
- Restricted administrative access with audit logging
- Regular dependency security scans and patching
No system can be guaranteed to be 100% secure. If we become aware of a security incident affecting your data, we will notify you without undue delay, in accordance with applicable Malaysian law.
9. Your Rights Under PDPA
Under the Personal Data Protection Act 2010 (Malaysia), you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Withdraw consent for processing where consent is the lawful basis
- Limit how we process your data in certain circumstances
- Request deletion of your account and associated data
To exercise any of these rights, email hi@lega.my. We will respond within twenty-one (21) days.
10. International Data Transfers
Some of our service providers (e.g. AI providers) operate servers outside Malaysia, primarily in the United States and the European Union. By using the Service, you consent to the transfer of your information to these jurisdictions for the purpose of providing the Service. We rely on standard contractual protections with our providers to ensure adequate data protection.
11. Cookies and Analytics
We use a small number of essential cookies to maintain your session, remember your preferences (language, theme), and measure aggregate usage of the Service. We do not use third-party advertising trackers. You can disable cookies in your browser, but some features may not work correctly.
12. Children's Privacy
The Service is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to This Policy
We may update this Policy from time to time. We will post the updated version on this page with a revised "Last Updated" date. For material changes, we will notify account holders by email at least fourteen (14) days before the change takes effect.
14. Contact
Questions about this Policy or how we handle your data?
Polygon Technology Solutions
Kuala Lumpur, Malaysia
Email: hi@lega.my