Privacy Policy
We take your privacy seriously. This policy explains what data we collect, why, and how you can control it.
Effective date: 1 January 2026 · Last updated: 21 April 2026
1. Who We Are (Data Controller)
Controller: Lingora
Contact: vasylkolodi@gmail.com
Telegram: @VasW1nr
Jurisdiction: Czech Republic, European Union
For all data protection enquiries, please contact us at the email above. We aim to respond within 5 business days.
2. Data We Collect
2.1 Data You Provide Directly
| Data | When collected | Purpose |
|---|---|---|
| Email address | Waitlist signup / account registration | Send launch notifications, account communications, transactional emails |
| Payment information | Premium subscription checkout | Processed by Stripe — we do not store card numbers or full payment details |
| Feedback / bug reports | When you contact us voluntarily | Improving the service |
2.2 Data Collected Automatically
| Data | When collected | Purpose |
|---|---|---|
| Learning progress, streaks, XP, settings | During app usage | Stored only in your browser's localStorage — never sent to our servers |
| IP address, approximate location, browser/OS type | Every request to our servers | Security, fraud prevention, analytics — via Cloudflare (see §5) |
| Advertising cookies and identifiers | Free tier users only | Personalised advertising via Google AdSense (see §6) |
2.3 Data We Do Not Collect
- We do not collect your full name unless you voluntarily provide it.
- We do not record audio or video.
- We do not track your behaviour across other websites (other than through Google AdSense on the free tier).
- All learning progress data lives exclusively in your browser's
localStorageand is not transmitted to us.
3. Legal Basis for Processing (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Sending waitlist / launch emails | Consent (Art. 6(1)(a)) — you tick a box or submit the form voluntarily |
| Processing Premium payments | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention, server logs | Legitimate interests (Art. 6(1)(f)) |
| Personalised advertising (free tier) | Consent (Art. 6(1)(a)) — via cookie consent banner |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
We use the data we collect to:
- notify you when Lingora launches and send service-related communications;
- process and manage Premium subscriptions;
- improve the quality of our language content and application features;
- detect, investigate, and prevent fraudulent or abusive activity;
- comply with legal obligations under EU and Czech law;
- serve contextual or personalised advertisements to free-tier users (with your consent).
We do not sell your personal data to third parties. We do not use your data for automated decision-making with legal or similarly significant effects.
5. Data Sharing and Third-Party Processors
We share personal data only with processors that are necessary to operate the service, all of whom are contractually bound to handle data in compliance with GDPR:
| Processor | Purpose | Location | Privacy policy |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, DDoS protection, server-side functions | USA (EU SCCs apply) | cloudflare.com/privacypolicy |
| Stripe, Inc. | Payment processing | USA (EU SCCs apply) | stripe.com/privacy |
| Google LLC (AdSense) | Advertising (free tier users only) | USA (EU SCCs apply) | policies.google.com/privacy |
| Google LLC (Analytics) | Usage analytics — only activated after cookie consent | USA (EU SCCs apply) | policies.google.com/privacy |
| Google LLC (Fonts) | Web font delivery (Syne, DM Sans) — Google receives your IP address when fonts load | USA (EU SCCs apply) | policies.google.com/privacy |
Where processors are located outside the EEA (e.g. USA), data transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46 GDPR.
We may also disclose personal data if required by law, court order, or competent public authority.
6. Cookies and Tracking Technologies
6.1 Essential Cookies
We use browser localStorage (not cookies) to store your in-app learning progress and settings locally on your device. This data never leaves your device and does not require consent.
6.2 Advertising Cookies (Free Tier Only)
Google AdSense may set cookies to serve and personalise advertisements. These cookies may track your browsing behaviour across websites. We request your consent before enabling AdSense cookies, via a cookie consent banner displayed on your first visit.
You can opt out of personalised advertising at any time via:
- Google Ads Settings
- Your Online Choices (EU)
- Your browser's cookie settings
Premium subscribers are not shown advertisements and no advertising cookies are set for them.
7. Data Retention
| Data type | Retention period |
|---|---|
| Waitlist email addresses | Until you unsubscribe or request deletion, or 3 years from collection, whichever is sooner |
| Payment records (Stripe) | 7 years (Czech accounting law requirement) |
| Server / access logs | Up to 90 days (Cloudflare) |
| Local learning data (localStorage) | Stored on your device until you clear browser data or uninstall the app |
8. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights. To exercise any of them, contact us at vasylkolodi@gmail.com. We will respond within 30 days.
- Right of access (Art. 15) — request a copy of your personal data we hold.
- Right to rectification (Art. 16) — request correction of inaccurate data.
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data where there is no overriding legal basis to retain it.
- Right to restriction of processing (Art. 18) — request that we limit how we use your data.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests (e.g. analytics).
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting lawfulness of prior processing.
- Right to lodge a complaint — you have the right to lodge a complaint with the Czech Data Protection Authority (ÚOOÚ): uoou.cz, or with the supervisory authority in your EU member state.
Unsubscribing from marketing emails does not delete your account or all personal data. To request full deletion, please email us explicitly.
9. Children's Privacy
Lingora is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it promptly.
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- HTTPS encryption for all data in transit;
- access controls limiting who can access personal data;
- use of Cloudflare's DDoS protection and WAF;
- Stripe's PCI-DSS-compliant payment processing (we never see or store your card details).
No system is 100% secure. In the event of a personal data breach that poses a high risk to your rights, we will notify you without undue delay as required by GDPR Art. 34.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes by email (if you are on our waitlist) or via an in-app notice, at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
12. Contact and Complaints
For any privacy-related questions, requests, or complaints:
- Email: vasylkolodi@gmail.com
- Telegram: @VasW1nr
Czech Data Protection Authority (ÚOOÚ):
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Web: uoou.cz