Privacy

How we handle your data.

This policy applies to lygge.com, our Maya voice agent product, and any data we process on your behalf. Last updated 2026-04-22.

Lygge ("we", "us") builds Maya, a voice agent that answers phone calls for businesses. We act as a data processor for the personal data of callers processed through Maya, and as a data controller for the account and marketing data of our direct customers.

1. What we collect

  • Caller data (processor): audio recordings, transcripts, phone numbers, conversation metadata, and any information the caller shares with Maya during a call. We process this on behalf of our customer (the business who deployed Maya), under their instructions.
  • Customer data (controller): the name, work email, phone number, and company of people who sign up for Maya or request a demo. Billing data is handled by our payment processor — we do not store full card numbers.
  • Site analytics: with your consent, we collect anonymous usage data (page views, session recordings for UX improvement) via Microsoft Clarity.
  • Marketing attribution:when you arrive from an ad, search result, or referral, we capture standard UTM parameters (source, medium, campaign, term, content), the click identifier from your platform of origin (Google, Meta, TikTok, Microsoft, X, LinkedIn), the referring page, and the landing path. This lets us measure which channels send the people we end up working with. The data lives in your browser's storage until you submit the form, at which point it is sent with your demo request and stored against your record only. We do not share it with the originating ad platforms beyond what their pixel already collects on its own.

2. Lawful basis

  • Contract — processing required to deliver the Maya service to you.
  • Legitimate interest — improving the product, spam detection, fraud prevention, and B2B outreach with an easy opt-out.
  • Consent — analytics and session recording tools. You can withdraw consent at any time via the cookie banner.
  • Legal obligation — record retention where a regulator requires it.

3. How long we keep data

  • Call transcripts and recordings: per your tier — 30, 90, or 365 days — then deleted. Customers on Enterprise can request shorter retention.
  • Customer account data — three-stage retention after account deletion:
    • Day 0 — 30 days (recovery window): when you click "Delete account", your subscription is cancelled and your assistant is disabled immediately, but your personal data is retained intact. If you change your mind, signing up again with the same email within 30 days restores your account with full history.
    • Day 30 — Year 7 (tax retention): operational data (phone numbers, IP addresses) is permanently erased. Tax-relevant data (legal name, business name, email used for invoicing) is retained as required by UAE / EU / UK business-tax law for the seven-year statutory period.
    • Year 7+: all personal data is permanently erased. Only non-personal billing identifiers (Stripe customer IDs, subscription event log) are retained beyond this point.
  • Demo requests without a resulting account: deleted after 24 months.
  • Site analytics: aggregated after 90 days, session recordings deleted after 30 days.
  • Marketing attribution data: follows the lifetime of the demo request or customer record it is attached to (24 months for non-converted demo requests, account lifetime + 7 years for customers). Browser-side storage is cleared on each new session for last-touch and persists until you clear cookies for first-touch.

4. Where data lives

Primary storage is in the European Union. We use sub-processors for telephony, transcription, synthesis, and language modelling — all under data processing agreements with Standard Contractual Clauses where relevant. The full sub-processor list is available on request for enterprise due diligence.

5. Your rights

Depending on where you are, you have the right to:

  • Access a copy of the data we hold about you.
  • Correct or update inaccurate data.
  • Erase your data (subject to retention obligations).
  • Restrict or object to processing.
  • Portable export of your data.
  • Withdraw consent for analytics.
  • Lodge a complaint with your national data protection authority.

To exercise any of these, use the form at lygge.com/demowith subject "DPO / legal". We respond within 30 days and do not require proof of identity beyond confirmation via the email on file.

6. Regional specifics

GDPR (EU / UK): We rely on Article 6(1)(b) and 6(1)(f). DPO correspondence is handled via our form. Cross-border transfers use SCCs.

CCPA (California): We do not sell personal data. Californian residents can submit Do Not Sell and Deletion requests via our form.

PDPL (UAE / KSA): DPO correspondence via our form; 72-hour breach notification; data-access and rectification rights honoured.

LGPD / POPIA / PIPEDA: equivalent rights handled via the same channel.

7. Security

TLS 1.3 in transit, AES-256 at rest. PII redacted from transcripts before storage. Audit logs on privileged actions. We work toward SOC 2 Type I in H2 2026.

8. Contact

Questions about this policy or your data? Use the formwith subject "DPO / legal". We do not currently publish an email inbox because we want every request to land in a tracked queue with a response SLA.

9. Changes

When we change this policy materially, we will update the date at the top and notify customers of record. Minor edits for clarity will not trigger a notification.