Last updated: March 2026
The data controller for your personal data is lingaly, operated by [name pending fiscal registration], with registered address in Madrid, Spain (Tax ID pending fiscal registration). You can contact us at privacy@lingaly.com for any questions regarding the protection of your data.
We collect the following personal data: - Registration data: name, email address, and encrypted password. - Usage data: completed exercises, scores, learning progress, and language preferences. - Technical data: IP address, browser type, device, and access data. - Payment data: securely processed by Stripe. We do not store card numbers.
We process your data based on: - Contract performance: to provide you with the exam preparation service you have subscribed to. - Consent: for sending marketing communications and the use of non-essential cookies. - Legitimate interest: to improve our service, prevent fraud, and ensure security. - Legal obligation: to comply with tax and data retention requirements.
We use your data to: - Manage your account and provide you with access to the platform. - Personalize your learning experience through our adaptive AI engine. - Process payments and manage your subscription. - Send you communications about your progress and service updates. - Improve our algorithms and the quality of educational content. - Comply with legal obligations and prevent fraudulent activities.
We share your data only with the following service providers, under data processing agreements: - Supabase (infrastructure and database) — EU/US, standard contractual clauses. - Stripe (payment processing) — PCI DSS Level 1 certified. - OpenAI and Anthropic (AI processing) — pseudonymized data, no retention. - Vercel (web hosting) — global infrastructure with encryption in transit. - Sentry (error monitoring) — EU, pseudonymized technical data for diagnostics. - PostHog (analytics) — only with explicit consent, pseudonymized usage data. - Better Stack (log aggregation) — server-side technical logs. - LangSmith (AI observability) — language model performance traces. - Resend — Transactional email provider (EU/US). Receives your email address for service notifications. - Upstash — Redis cache service (EU). Processes user identifiers ephemerally for request rate limiting. Writing exercise processing: When you complete writing exercises, your text is sent to AI services (OpenAI) for correction and evaluation. This processing is necessary for the provision of the contracted service. Texts are not stored by the AI provider and are not used for model training.
Some of our providers operate outside the European Economic Area. In these cases, we ensure the protection of your data through standard contractual clauses approved by the European Commission or valid adequacy decisions.
lingaly uses an adaptive learning engine that makes automated decisions to personalize your experience: - Exercise selection: The system analyzes your mastery level in each linguistic competency to recommend the most suitable exercises. - Difficulty level: Difficulty adjusts automatically based on your estimated performance. - Exam simulation: A statistical model (Monte Carlo) estimates your probability of passing based on your current progress. - Mock exam recommendations: The system suggests when to take a full practice exam. These decisions are based on statistical models (Bayesian Knowledge Tracing, Item Response Theory) and do not produce legal effects or similarly significantly affect you. Their sole purpose is to optimize your preparation. You can request additional information about the logic applied by contacting privacy@lingaly.com.
As a user, you have the right to: - Access: request a copy of your personal data. - Rectification: correct inaccurate or incomplete data. - Erasure: request the deletion of your data ("right to be forgotten"). - Restriction: restrict the processing of your data in certain circumstances. - Portability: receive your data in a structured, machine-readable format. - Objection: object to processing based on legitimate interest. - Withdrawal of consent: withdraw your consent at any time. You can exercise these rights by emailing privacy@lingaly.com. You can also export and delete your data from your account settings. You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).
We retain your data for as long as your account is active. If you request account deletion, we will delete your personal data within 30 days, except for data we are legally required to retain (tax data: 5 years). When you delete your account, we also request deletion of your data from third-party services that process it (Sentry, PostHog). Data in these services is deleted according to their retention policies, typically within 30 to 90 days.
lingaly is intended for users aged 16 and over. We do not knowingly collect data from minors under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@lingaly.com.
We implement technical and organizational measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest, row-level security (RLS) policies in the database, and regular security audits.
We may update this policy periodically. We will notify you of any significant changes through the platform or by email. The date of the last update is shown at the top of this document.