Privacy Policy

Last updated: April 21, 2026

Lingora ("we", "us") operates the language-learning service at lingora.xyz. This policy explains what data we collect, why, how we store it, and the choices you have.

1. Data we collect

  • Account: email, chosen username, bcrypt-hashed password.
  • Learning activity: completed sessions, answers, scores, streaks, vocabulary you mark as known, review schedules, roadmap progress.
  • Preferences: target language, native language, theme, exercise settings you save.
  • Voice input (optional): speech clips are transcribed by our speech service and discarded; transcripts are stored with your session.
  • Payment metadata (if you subscribe): Stripe customer/subscription IDs, plan, period. We do not store card numbers — Stripe does.
  • Operational logs: anonymized request logs for diagnostics, kept up to 30 days.

2. How we use it

  • Deliver the learning experience (generate content, grade answers, track progress).
  • Provide continuity across devices (sync progress, review queue, preferences).
  • Billing and entitlement (verify your subscription with Stripe).
  • Debugging and safety — diagnose bugs, detect abuse, keep the service reliable.
  • We do not sell your personal data. We do not use it to train generic third-party AI models.

3. AI content generation

Exercise content (reading passages, corrections, explanations) is generated on demand by a large language model via OpenAI's API or a compatible provider. Your prompts and completions may be processed by that provider under their data-processing terms. We do not send the provider account identifiers beyond what is strictly necessary.

If you supply your own OpenAI API key in Settings, it is encrypted at rest with AES-256-GCM and only decrypted server-side to forward your request.

4. Data storage and security

  • Data is stored on managed PostgreSQL (Neon) in the EU.
  • Passwords use bcrypt (cost 12).
  • Sessions use HttpOnly cookies over TLS with SameSite=Lax.
  • Admin actions that affect another user's data are audit-logged.

5. Your rights

Under GDPR / CCPA you can:

  • Access a copy of your personal data.
  • Correct inaccurate data.
  • Delete your account and associated learning data.
  • Export your vocabulary and progress.
  • Withdraw consent for optional processing (e.g. voice features).

Email privacy@lingora.xyz to exercise any of these.

6. Cookies

We use a small number of first-party cookies: the auth session cookie (`token`), preference cookies (`nativeLang`, `lang`), and a theme cookie. We do not use third-party advertising or tracking cookies.

7. Children

Lingora is not directed at children under 13. If you believe a child under 13 has registered, contact privacy@lingora.xyz and we will remove the account.

8. Changes

We will post material changes to this policy on this page and update the "Last updated" date. If changes affect your rights we will also notify you by email.

9. Contact

Data controller: Lingora.
Contact: privacy@lingora.xyz