Skip to content
Back to home

Privacy Policy

Last updated: 2026-03-28

At lingaly, we are committed to protecting your privacy. This policy explains how we collect, use, and protect your personal information in accordance with the General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection (LOPD-GDD).

1. Data controller

The data controller for your personal data is lingaly (Tax ID pending sole trader registration), with registered address in Madrid, Spain. You can contact us at privacy@lingaly.com for any questions regarding the protection of your data.

2. Data we collect

We collect the following personal data:

  • Registration data: name, email address, and encrypted password.
  • Usage data: completed exercises, scores, learning progress, and language preferences.
  • Technical data: IP address, browser type, device, and access data.
  • Payment data: securely processed by Stripe. We do not store card numbers.

3. Legal basis for processing

We process your data based on:

  • Contract performance: to provide you with the exam preparation service you have subscribed to.
  • Consent: for sending marketing communications and the use of non-essential cookies.
  • Legitimate interest: to improve our service, prevent fraud, and ensure security.
  • Legal obligation: to comply with tax and data retention requirements.

4. Purposes of processing

We use your data to:

  • Manage your account and provide you with access to the platform.
  • Personalize your learning experience through our adaptive AI engine.
  • Process payments and manage your subscription.
  • Send you communications about your progress and service updates.
  • Improve our algorithms and the quality of educational content.
  • Comply with legal obligations and prevent fraudulent activities.

5. Data recipients

We share your data only with the following service providers, under data processing agreements:

  • Supabase (infrastructure and database) — EU/US, standard contractual clauses.
  • Stripe (payment processing) — PCI DSS Level 1 certified.
  • OpenAI and Anthropic (AI processing) — pseudonymized data, no retention.
  • Vercel (web hosting) — global infrastructure with encryption in transit.
  • Sentry (error monitoring) — EU, pseudonymized technical data for error diagnostics.
  • PostHog (analytics) — only with explicit user consent. Pseudonymized usage data.
  • Better Stack (log aggregation) — server-side technical logs, no personally identifiable data.
  • LangSmith (AI observability) — language model performance traces, no user content.
  • Resend (email delivery) — transactional and notification email processing.
  • Upstash (rate limiting) — Redis service for abuse protection, no personal data stored.
Writing exercise processing: When you complete writing exercises, your text is sent to AI services (OpenAI) for correction and evaluation. This processing is necessary for the provision of the contracted service. Texts are not stored by the AI provider and are not used for model training.

6. International transfers

Some of our providers operate outside the European Economic Area. In these cases, we ensure the protection of your data through standard contractual clauses approved by the European Commission or valid adequacy decisions.

7. Automated decisions

lingaly uses artificial intelligence algorithms to personalize your learning experience. Specifically:

  • Adaptive engine (BKT + IRT + Monte Carlo): selects exercises and estimates your preparation level based on your response history. It does not produce legal effects; it only determines which exercise you practice next.
  • Automatic writing correction: evaluates your texts according to predefined Cambridge rubrics. The score is indicative and does not constitute an official grade.
  • Result prediction: statistically estimates your probability of reaching your goal. It is an estimate, not a guarantee.

These automated decisions do not produce legal effects or similarly significantly affect you. You may request human review of any automated decision by contacting privacy@lingaly.com.

8. Your rights

As a user, you have the right to:

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request the deletion of your data ("right to be forgotten").
  • Restriction: restrict the processing of your data in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Withdrawal of consent: withdraw your consent at any time.

You can exercise these rights by emailing privacy@lingaly.com. You can also export and delete your data from your account settings. You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

9. Data retention

We retain your data for as long as your account is active. If you request account deletion, we will delete your personal data within 30 days, except for data we are legally required to retain (tax data: 5 years).

When you delete your account, we also request deletion of your data from third-party services that process it (Sentry, PostHog). Data in these services is deleted according to their retention policies, typically within 30 to 90 days.

10. Minors

lingaly is intended for users aged 16 and over. We do not knowingly collect data from minors under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@lingaly.com.

11. Security measures

We implement technical and organizational measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest, row-level security (RLS) policies in the database, and regular security audits.

12. Changes to this policy

We may update this policy periodically. We will notify you of any significant changes through the platform or by email. The date of the last update is shown at the top of this document.