Skip to main content

MyLex by LegalByte Privacy Policy

Last Updated: December 2024

Effective Date: December 2024

1. Introduction

LegalByte Sdn Bhd ("we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal and legal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use MyLex, our AI-powered legal research and document management platform.

This policy complies with the Malaysian Personal Data Protection Act 2010 (PDPA) and related regulations.

2. Information We Collect

2.1 Personal Information

  • Registration Data: Name, email address, bar council ID (for lawyers), organization details
  • Authentication Data: Passwords (encrypted), session tokens, authentication logs
  • Profile Information: Professional details, practice areas, jurisdiction preferences

2.2 Legal Documents and Content

  • Uploaded Documents: Legal documents, templates, and files you upload
  • Generated Artifacts: Legal documents, contracts, and agreements generated through our platform
  • Conversation Data: Chat messages with our AI assistant, including legal queries and responses
  • Research History: Legal queries, search history, and research activities

2.3 Usage Information

  • Activity Logs: Feature usage, document access, API calls (with sensitive data sanitized)
  • Technical Data: IP addresses, browser type, device information, access times
  • Performance Data: System performance metrics, error logs (with sensitive data redacted)

3. How We Use Your Information

3.1 Primary Uses

  • Legal Research: Process queries and provide AI-powered legal research
  • Document Management: Store, process, and generate legal documents
  • Platform Services: Deliver core functionality including templates, artifacts, and conversations
  • Security: Authenticate users, prevent fraud, and protect against unauthorized access

3.2 Secondary Uses

  • Service Improvement: Analyze usage patterns to enhance platform features
  • Support: Provide customer support and resolve technical issues
  • Compliance: Meet legal obligations under Malaysian law
  • Communications: Send service updates, security alerts, and important notices

4. Data Encryption and Security

4.1 Encryption at Rest

We encrypt sensitive client data using Fernet (AES-128) encryption:

Encrypted Content:

  • Generated legal documents (artifacts) containing client case details
  • Structured data within legal documents
  • Sensitive user-generated content

Encryption Standards:

  • AES-128 symmetric encryption
  • Unique encryption keys per environment
  • Keys managed via AWS ECS task definitions (production)
  • Encryption version tracking for key rotation

4.2 Encryption in Transit

  • All data transmission uses TLS 1.2 or higher
  • API communications encrypted via HTTPS
  • Database connections use encrypted channels

4.3 Platform Documents vs User Documents

Platform Documents (Not Encrypted):

  • Malaysian legal acts, cases, and constitutional documents
  • Public legal knowledge base and research materials
  • System templates (pre-designed document templates)

User Documents (Encrypted):

  • Generated artifacts with client case details
  • User-uploaded templates
  • Personal legal documents and conversations

4.4 Access Control

  • Multi-tenancy: Organization-based data isolation
  • User Ownership: Strict validation that users can only access their own documents
  • Template Sharing: Tenant-wide template sharing with access control
  • Share Links: Authenticated document sharing with expiration and access limits

5. Document Sharing Features

5.1 Share Links

We provide secure document sharing via authenticated share links:

Features:

  • Authentication Required: Recipients must log in to access shared documents
  • Expiration: Optional expiration dates for time-limited access
  • Access Limits: Optional maximum access count limits
  • Decryption On-the-Fly: Encrypted documents are decrypted securely when accessed
  • Audit Trail: Complete logging of who accessed shared documents and when

Audit Information Logged:

  • User ID of accessor
  • Access timestamp
  • IP address
  • User agent (browser/device)

5.2 Revoking Shares

  • Document owners can revoke share links at any time
  • Revoked links immediately become inaccessible
  • Audit trail maintained for compliance

6. Data Storage and Location

6.1 Database Infrastructure

MongoDB Atlas (Application and RAG Database):

  • Region: Singapore (ap-southeast-1) or Malaysia-compliant region
  • Encryption: Atlas encryption at rest enabled
  • Backup: Automated backups with point-in-time recovery
  • Access: IP whitelist and VPC peering for production

Neo4j AuraDB (Knowledge Graph):

  • Region: Singapore or Malaysia-compliant region
  • Encryption: AuraDB encryption at rest and in transit
  • Access: Restricted to application servers only

6.2 File Storage

  • Artifacts: Encrypted PDF and document files
  • Templates: Secure file storage with access control
  • Retention: Files retained according to user account status

7. Data Retention

7.1 Active Accounts

  • All data retained while account is active
  • Users can delete artifacts and documents at any time (soft delete with audit trail)

7.2 Account Closure

  • User data retained for 30 days after account closure for recovery
  • After 30 days, all personal data and documents permanently deleted
  • Audit logs retained for 7 years for legal compliance (with personal identifiers removed)

7.3 Legal Hold

Data may be retained longer if required by:

  • Legal proceedings or investigations
  • Regulatory requirements
  • PDPA compliance obligations

8. Data Sharing and Disclosure

8.1 We DO Share

  • With Your Consent: When you explicitly authorize sharing via share links
  • Service Providers: Cloud hosting (AWS), database providers (MongoDB, Neo4j)
  • Legal Requirements: When required by Malaysian law or court order
  • Business Transfers: In case of merger, acquisition, or sale (with notification)

8.2 We DO NOT Share

  • Third-Party Marketing: We never sell or rent your data
  • Unauthorized Access: Strict access controls prevent unauthorized disclosure
  • Cross-Border: No data transfers outside Malaysia unless required for cloud services with adequate protection

9. Your Rights Under PDPA

9.1 Right to Access

  • Request copies of your personal data
  • View all documents and artifacts you've created

9.2 Right to Correction

  • Update your profile information at any time
  • Correct inaccurate or incomplete data

9.3 Right to Deletion

  • Delete individual documents and artifacts
  • Request complete account deletion
  • Soft delete maintains audit trail for compliance

9.4 Right to Data Portability

  • Export your documents in standard formats
  • Download your legal research history

9.5 Right to Withdraw Consent

  • Revoke share links at any time
  • Opt out of non-essential communications

9.6 Right to Complain

  • File complaints with the Personal Data Protection Commissioner
  • Contact our Data Protection Officer for concerns

10. Security Measures

10.1 Technical Safeguards

  • Encryption: AES-128 for sensitive data at rest, TLS 1.2+ in transit
  • Access Control: Role-based access control (RBAC) and multi-factor authentication
  • Rate Limiting: API rate limiting to prevent abuse
  • Intrusion Detection: Monitoring and alerting for suspicious activity
  • Logging: Structured JSON logging with sensitive data sanitization

10.2 Sanitized Logging

Our logs automatically redact:

  • Passwords and API keys
  • Email addresses (partial)
  • Malaysian IC numbers
  • Phone numbers
  • Credit card numbers
  • JWT tokens

10.3 Operational Safeguards

  • Security Audits: Regular security assessments
  • Incident Response: Breach notification within 24 hours
  • Employee Training: Staff trained on data protection
  • Vendor Management: Third-party security assessments

11. Cookies and Tracking

11.1 Essential Cookies

  • Session management
  • Authentication tokens
  • Security preferences

11.2 Analytics (Optional)

  • Usage analytics (anonymized)
  • Performance monitoring
  • Error tracking

You can disable non-essential cookies in your browser settings.

12. Children's Privacy

LegalByte is not intended for users under 18 years old. We do not knowingly collect personal information from children.

13. International Data Transfers

When using cloud services (AWS, MongoDB Atlas), your data may be processed in:

  • Singapore (AWS ap-southeast-1, MongoDB Atlas Singapore)
  • Malaysia (preferred for production)

All transfers comply with PDPA requirements and use standard contractual clauses.

14. Updates to This Policy

We may update this Privacy Policy to reflect:

  • Changes in Malaysian law (PDPA amendments)
  • New features or services
  • Security enhancements

Notification: We will notify you of material changes via:

  • Email to registered address
  • In-app notification
  • Updated "Last Updated" date on this page

15. Contact Us

Data Protection Officer

Email: privacy@mylex.my Address: Malaysia Response Time: Within 14 days for PDPA requests

General Inquiries

Support Email: support@mylex.my Website: https://mylex.my

16. Consent

By using LegalByte, you consent to:

  • Collection and processing of your personal data as described
  • Storage of your data on cloud infrastructure (AWS, MongoDB, Neo4j)
  • Encryption of sensitive client documents
  • Logging of system activity with sensitive data sanitization
  • Sharing via authenticated share links when you create them

You can withdraw consent at any time by:

  • Deleting your account
  • Revoking share links
  • Contacting our Data Protection Officer

Acknowledgment: By clicking "I Accept" during registration or continuing to use LegalByte after this policy's effective date, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Malaysian Law Compliance: This policy complies with the Personal Data Protection Act 2010 (Act 709) and related regulations.