Protecting your privacy while you learn languages
Duolingo's Privacy Policy outlines how the company collects, uses, shares, and protects user data across its apps and websites. It covers personal information like account details, usage data, device information, and optionally location data. Data is used for personalization, analytics, advertising, and service improvement. Sharing occurs with service providers, affiliates, and third parties for ads and legal compliance. The policy addresses user rights under GDPR and CCPA, including access, deletion, and opt-outs. Retention is tied to the account lifecycle, with some anonymized data kept indefinitely. Security measures include encryption and standard practices, but broad third-party sharing raises concerns.
Data shared with advertisers, analytics providers, and affiliates for marketing purposes.
Precise location collected if enabled, used for features and ads.
Some data retained indefinitely in aggregated form.
Supports GDPR and CCPA rights such as access, deletion, and data portability.
Users can opt out of personalized ads and data sharing.
Clear sections on what data is collected and purposes.
Spotify collects the following categories of personal data. High Risk categories are used for advertising profiling or involve sensitive personal information.
Name, email, password, DOB, payment info.
Lesson progress, interactions, time spent.
IP, OS, browser, precise location if permitted.
Handled by third-party processors.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
Data used to tailor lessons and recommendations.
Profile used for targeted ads across platforms.
Aggregated data for analytics and bug fixes.
Spotify shares data with several categories of third parties. Sharing with advertising partners is extensive and represents the primary commercial use of your behavioral data.
Shared with Google, Facebook for targeted ads.
Google Analytics, Mixpanel for usage insights.
Cloud services (AWS), email (SendGrid).
Shared within Duolingo group companies.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Users can request data copies via settings or email.
Account deletion removes most data, but some is retained for legal reasons.
Export options for learning progress.
Controls for ads and third-party sharing.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
Data is retained as long as the account is active.
30-90 days for backups; legal holds are kept longer.
Indefinite retention for aggregated insights.
7 years for compliance.
Security & Transparency
Data encrypted in transit (TLS) and at rest.
Notifies users as required by law.
Complies with SOC 2, regular audits.
Role-based access and monitoring.
Source Text
We collect a wide range of data including precise location and biometric data from voice recording.
Interpretation
Broad collection increases privacy risks.
Source Text
Shares with ad networks and service providers without user consent beyond opt-out.
Interpretation
Extensive sharing for commercial purposes.
Source Text
Details rights to access, delete, opt-out of sales.
Interpretation
Strong legal compliance with actionable rights.
Source Text
Varies by purpose, some indefinite.
Interpretation
Lack of specific timelines for some data.
Source Text
Industry standard security but no specifics on breaches.
Interpretation
Adequate but not exceptional transparency.
Account info, usage data, device details, and optional location and microphone data.