Privacy Policy

Last Updated: May 2026
Version: 1.2

This Privacy Policy explains how Eyal Lapid (“we”, “us”, or “our”) collects, uses, and protects your personal information when you use LingoPlace.

Who We Are

Eyal Lapid is the data controller responsible for your personal information.

We are committed to protecting your privacy in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

Information We Collect

Information You Provide

  • Account information: Email address, name, and password (stored securely hashed)
  • Learning data: Your exercise responses, lesson progress, and interactions with our AI tutor
  • Communications: Messages you send to our support team

Information Collected Automatically

  • Usage data: Pages visited, features used, and learning session activity
  • Device information: Browser type, operating system, and device identifiers
  • Log data: IP address and access times in server access logs (retained 90 days for security; see Data Retention). Referring URL is also captured by our visitor analytics — see the Visitor Analytics section for full details.
  • Observability data: Error reports, performance telemetry, request metadata, and
    stack traces used to operate and secure the service. These reports may include limited
    request context needed to diagnose failures. We do not use observability tools to
    intentionally collect lesson, conversation, or practice content.
  • Cookies: Essential cookies for authentication and session management (see Cookies section)

Visitor Analytics

We use Umami — an open-source, privacy-focused analytics tool — to understand how
visitors use LingoPlace. Umami runs on our own EU infrastructure (analytics.joinwith.com);
no third-party analytics provider processes this data. Our infrastructure sub-processors
may process hosting and network traffic as described in our sub-processor list.

What we collect:

  • Page URL (hostname and path; query parameters are discarded)
  • Referrer URL (the page that linked you here)
  • Browser type and version
  • Operating system
  • Device type and screen size
  • Language preference
  • Country, region, and city — derived from IP address; the raw IP address is not stored

How we count returning visitors without tracking you: Umami uses a server-side
hash salt to derive visitor identifiers from request data such as IP address and
user-agent. Raw IP addresses and user-agent strings are not stored in the analytics
database. These identifiers are used only for first-party aggregate analytics and do not
track you across other websites.

No cookies, no cross-site tracking, no advertising profiles. Umami does not set
cookies or persistent identifiers in your browser. We do not share visitor analytics
data with advertising networks or any third party.

Lawful basis:

  • GDPR (EU users): Article 6(1)(f) — legitimate interest in operating, securing, and
    improving our service. We have considered your rights and freedoms in a balancing
    assessment and concluded that this minimized, pseudonymous analytics processing does not
    override them. You have the right to object to this processing at any time (see “Your
    privacy choices” below).
  • Israeli PPL (Israeli users): processing is necessary for the operational provision and improvement of the service. You may opt out at any time (see “Your Privacy Choices” below).
  • CCPA (California users): we honor the Global Privacy Control signal as an opt-out
    request.

Retention: Aggregated visitor analytics data is retained for 24 months, after which it is deleted. This period allows year-over-year comparison of seasonal traffic patterns; aggregated data older than 24 months is deleted because it no longer serves a documented operational purpose.

Mobile App

The LingoPlace Android app (com.lingoplace.mobile) is a wrapper around the same
web service. The same data flows described above apply when you use the app. The
app does not collect any additional data through native Android APIs.

Information from AI Interactions

When you use our AI tutor, conversation practice, translation, explanation, grammar
feedback, or correction features, your conversation messages or other text you ask us
to process and relevant learning context (such as language pair, current lesson,
exercise context, and skill level) are processed by third-party AI providers. We do not
send personal identifiers (name, email) to these providers.

For details on how AI features work, what data is processed, and provider retention policies, see our AI Disclosure.

How We Use Your Information

We use your information to:

  • Provide our service: Operate the platform, track your learning progress, and personalize your experience
  • Communicate with you: Send login links, respond to support requests, and notify you of important updates
  • Process payments: Handle subscriptions and purchases through our payment provider
  • Improve and protect: Analyze usage to improve our service, fix bugs, and ensure security

We process your data based on: our contract with you (providing the service), legitimate interests (security, improvements), and legal obligations (compliance requirements).

What We Don’t Do

  • We do not sell your personal information
  • We do not use your data for third-party advertising
  • We do not make automated decisions that significantly affect you without human oversight

Information Sharing

We do not sell your personal information. We share data only with carefully evaluated
sub-processors to operate the service. The current list, including each sub-processor’s
purpose, location, and legal transfer mechanism, is published at
lingoplace.com/legal/sub-processors.

We may also disclose information when required by law or to protect our rights.

International Data Transfers

Your data is primarily stored in the European Union (DigitalOcean). Some data is
transferred to the United States for processing by sub-processors listed at
lingoplace.com/legal/sub-processors.

These transfers are protected by Standard Contractual Clauses approved by the
European Commission and Data Processing Agreements with each provider.

Data Retention

We keep your data only as long as necessary:

Account data: Retained while your account is active. Deleted within 30 days of account closure.

Learning progress: Deleted with your account.

Consent and payment records: Retained for 7 years as required by law, even after account deletion.

Security logs: Retained for 24 months for security and compliance.

Application logs: Retained for 90 days for service improvement.

When you delete your account, we remove your personal data within 30 days. Some data may persist in encrypted backups for up to 90 days before being permanently erased.

Your Rights

You have the right to access, correct, export, or delete your personal data. You can manage most settings directly in your account.

For requests we can’t handle through account settings—or if you have concerns about how we handle your data—contact us at privacy@lingoplace.com. We respond within 30 days.

You can also contact your local data protection authority.

Cookies

We use only essential cookies required for the service to function:

  • Session cookie: Keeps you logged in during your visit
  • Extension session cookie: Keeps browser-extension iframe sessions separate from regular web sessions
  • Remember-me cookie: Keeps you logged in between visits (if selected)

These cookies are necessary for the service and do not require consent. We do not use advertising or tracking cookies.

We do use cookieless visitor analytics, which does not set cookies in your browser — see the “Visitor Analytics” section above.

Your Privacy Choices

You can opt out of visitor analytics at any time:

  • Global Privacy Control (GPC): if your browser supports GPC (e.g., Brave, DuckDuckGo, or Firefox with the appropriate extension), we honor the GPC signal as an opt-out request under applicable law (including California’s CCPA).
  • Do Not Track (DNT): if your browser sends the DNT: 1 header, our analytics tracker will not record your visit. Note: DNT support has been removed from current versions of Chrome and Safari; Firefox still exposes the setting.
  • Advanced — per-site browser flag: open the browser console on LingoPlace and run localStorage.setItem('umami.disabled', '1'). Your visits will not be recorded from that browser. Run localStorage.removeItem('umami.disabled') to re-enable.

We are adding a “Privacy preferences” UI toggle so this opt-out can be exercised without the browser console; until that lands, the three mechanisms above are the available paths.

LingoPlace also stores the phx:theme and phx:color-theme local-storage values when
you choose a light/dark/system mode or color theme. These preferences stay in your
browser until you change them or clear site data.

Security

We protect your data with:

  • Encrypted connections (HTTPS) for all data in transit
  • Encrypted storage for sensitive data
  • Secure password hashing
  • Regular security updates and monitoring
  • Access controls limiting who can view your data

No system is 100% secure. If you discover a vulnerability, please contact us at security@lingoplace.com.

Children

LingoPlace is for users 18 and older. We do not knowingly collect data from anyone under 18. If we become aware that we have collected personal data from a person under 18, we will delete that data promptly.

Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by email or through the app. Continued use after changes constitutes acceptance.

Contact

For privacy-related questions or to exercise your rights:

Email:privacy@lingoplace.com

We aim to respond within 30 days.