Lingua-e

Privacy Policy

Effective date: April 20, 2026

Lingua-e (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding it. It applies to all users of the Lingua-e platform at lingua-e.com (the “Service”).

If you are located in the European Economic Area (EEA) or the United Kingdom, your rights are also governed by the General Data Protection Regulation (GDPR). If you are a California resident, additional rights apply under the California Consumer Privacy Act (CCPA).

1. Data Controller

The data controller responsible for your personal data is Roxana Lafuente, operating under the Lingua-e brand, reachable at info@roxanalafuente.com.

2. Data We Collect

2.1 Account and identity data

When you register or sign in, we collect:

  • Email address
  • Name (optional, may be provided by your OAuth provider)
  • Password (stored as a bcrypt hash — we never store your plain-text password)
  • OAuth provider identifier (Google or Microsoft account ID) if you sign in via OAuth
  • Account creation and last login timestamps

2.2 Learning and usage data

  • Lessons completed and your score per lesson
  • Individual exercise attempts, including your answers and whether they were correct
  • Your CEFR level, learning score, and daily practice streak
  • Your preferred language setting and native language
  • Last practice date

2.3 Subscription and payment data

  • Subscription status (free, trial, active, cancelled)
  • Subscription start and end dates
  • PayPal subscription ID and transaction IDs
  • Payment amounts and currency

We do not store credit card numbers or bank details. All payment processing is handled by PayPal.

2.4 Feedback and testimonials

  • Ratings and written feedback you submit voluntarily
  • Testimonials, including your consent for publication

2.5 Referral data

  • Your unique referral code
  • The referral code you used when signing up (if any)

2.6 Analytics data (collected by third parties)

We use the following third-party analytics tools that collect data automatically:

  • Google Analytics: collects pageviews, session duration, device type, approximate location (derived from IP), and interaction events. Data is processed by Google LLC. See Google's Privacy Policy.
  • Microsoft Clarity: records anonymized session replays and heatmaps to help us understand how users interact with the Service. Data is processed by Microsoft. See Microsoft's Privacy Statement.

3. How We Use Your Data

Purpose | Legal basis (GDPR)
Provide and operate the Service | Contract performance
Authenticate your identity | Contract performance
Track your learning progress and personalize your experience | Contract performance
Process payments and manage subscriptions | Contract performance
Manage the referral program | Legitimate interest
Show your position on the leaderboard | Legitimate interest
Analyze usage to improve the Service | Legitimate interest
Detect and prevent fraud or abuse | Legitimate interest / Legal obligation
Comply with legal obligations | Legal obligation
Publish testimonials (only with your explicit consent) | Consent

4. Data Sharing and Third Parties

We do not sell your personal data. We share data only as follows:

  • PayPal: to process subscription payments and verify transactions. PayPal acts as an independent data controller for payment data.
  • Google: for analytics (Google Analytics) and OAuth authentication if you sign in with Google.
  • Microsoft: for analytics (Microsoft Clarity) and OAuth authentication if you sign in with Microsoft.
  • Railway: our cloud hosting provider where the Service and database run. Data is stored on servers in the United States.
  • Legal requirements: we may disclose your data if required by law, court order, or to protect the rights, property, or safety of Lingua-e, our users, or others.

5. International Data Transfers

Your data is stored and processed in the United States (via Railway). If you are located in the EEA, UK, or Switzerland, your data is transferred outside your jurisdiction. Where required, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards approved under GDPR.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, all your personal data (including progress, attempts, and payment history) is permanently deleted from our systems. Anonymized, aggregated data may be retained for analytics.

Access tokens expire after 7 days. Session cookies follow browser defaults.

7. Cookies

We use the following cookies:

  • Authentication cookies: set by NextAuth to maintain your session. These are strictly necessary and cannot be disabled.
  • Analytics cookies: set by Google Analytics and Microsoft Clarity to collect usage data. You can opt out via your browser settings or browser extensions such as Google Analytics Opt-out.

8. Your Rights

All users

  • Delete your account: you can permanently delete your account and all associated data from your account settings.
  • Update your information: you can update your name and preferences from your account settings.

EEA and UK users (GDPR)

You also have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate data.
  • Erasure: request deletion of your data (“right to be forgotten”).
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: request that we restrict processing of your data.
  • Object: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time.
  • Lodge a complaint: with your local data protection authority.

California residents (CCPA)

You have the right to:

  • Know what personal information we collect and how it is used.
  • Request deletion of your personal information.
  • Opt out of the sale of personal information (we do not sell personal data).
  • Non-discrimination for exercising your privacy rights.

To exercise any of these rights, contact us at info@roxanalafuente.com. We will respond within 30 days (or sooner if required by law).

9. Security

We take reasonable technical and organizational measures to protect your personal data, including:

  • Passwords are stored using bcrypt hashing.
  • All data is transmitted over HTTPS.
  • Access tokens expire after 7 days.
  • Database access is restricted to internal services.

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we will notify you of any breach affecting your data as required by applicable law.

10. Children's Privacy

The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided us with data, please contact us at info@roxanalafuente.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. If the changes are material, we will notify you by email or through a prominent notice in the Service at least 14 days before they take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

12. Contact

If you have any questions, requests, or complaints about this Privacy Policy or how we handle your data, please contact us at info@roxanalafuente.com.