At Lingaly, we are committed to protecting your privacy. This policy explains how we collect, use, and protect your personal information in accordance with the General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection (LOPD-GDD).
1. Data controller
The data controller for your personal data is Lingaly, with registered address in Madrid, Spain. You can contact us at privacy@lingaly.com for any questions regarding the protection of your data.
2. Data we collect
We collect the following personal data:
- Registration data: name, email address, and encrypted password.
- Usage data: completed exercises, scores, learning progress, and language preferences.
- Technical data: IP address, browser type, device, and access data.
- Payment data: securely processed by Stripe. We do not store card numbers.
3. Legal basis for processing
We process your data based on:
- Contract performance: to provide you with the exam preparation service you have subscribed to.
- Consent: for sending marketing communications and the use of non-essential cookies.
- Legitimate interest: to improve our service, prevent fraud, and ensure security.
- Legal obligation: to comply with tax and data retention requirements.
4. Purposes of processing
We use your data to:
- Manage your account and provide you with access to the platform.
- Personalize your learning experience through our adaptive AI engine.
- Process payments and manage your subscription.
- Send you communications about your progress and service updates.
- Improve our algorithms and the quality of educational content.
- Comply with legal obligations and prevent fraudulent activities.
5. Data recipients
We share your data only with the following service providers, under data processing agreements:
- Supabase (infrastructure and database) — EU/US, standard contractual clauses.
- Stripe (payment processing) — PCI DSS Level 1 certified.
- OpenAI and Anthropic (AI processing) — anonymized data, no retention.
- Vercel (web hosting) — global infrastructure with encryption in transit.
6. International transfers
Some of our providers operate outside the European Economic Area. In these cases, we ensure the protection of your data through standard contractual clauses approved by the European Commission or valid adequacy decisions.
7. Your rights
As a user, you have the right to:
- Access: request a copy of your personal data.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request the deletion of your data ("right to be forgotten").
- Restriction: restrict the processing of your data in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interest.
- Withdrawal of consent: withdraw your consent at any time.
You can exercise these rights by emailing privacy@lingaly.com. You can also export and delete your data from your account settings. You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).
8. Data retention
We retain your data for as long as your account is active. If you request account deletion, we will delete your personal data within 30 days, except for data we are legally required to retain (tax data: 5 years).
9. Minors
Lingaly is intended for users aged 16 and over. We do not knowingly collect data from minors under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@lingaly.com.
10. Security measures
We implement technical and organizational measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest, row-level security (RLS) policies in the database, and regular security audits.
11. Changes to this policy
We may update this policy periodically. We will notify you of any significant changes through the platform or by email. The date of the last update is shown at the top of this document.