Duolingo transfers your personal data to the United States for processing, regardless of where you are located, meaning your data may be subject to US laws rather than the stronger protections of your home country.
This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Cross-border data transfers from the EU and UK to the US require specific legal mechanisms under GDPR to be lawful, and the policy's disclosure that data is transferred to and processed in the US is a material compliance consideration requiring documented transfer basis such as Standard Contractual Clauses or EU-US Data Privacy Framework certification.
Interpretive note: The policy does not specify which GDPR-approved transfer mechanism Duolingo relies upon for EU-US data flows, creating uncertainty about the legal basis and whether full GDPR Article 13 disclosure requirements are satisfied.
The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duoli…
If you use Duolingo from outside the United States, your personal data including learning behavior and voice recordings will be transferred to and stored in the US, where data protection standards differ from those in your country. EU and UK users should be aware that US government access to data transferred under certain frameworks remains a contested legal area.
How other platforms handle this
You will provide personal information directly to our website in the United States. We may also transfer personal information to our partners and service providers in the United States and other jurisdictions. Please note that such jurisdictions may not provide the same protections as the data prote...
Notion is based in the United States and the information we collect is governed by U.S. law. If you are accessing our Services from outside of the United States, please be aware that information collected through the Services may be transferred to, processed, stored, and used in the United States an...
Your personal information may be transferred to and processed in countries other than your country of residence, including Canada and the United States, where our servers are located and our central database is operated. These countries may have data protection laws that are different from those in ...
Monitoring
Duolingo has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction. If you are located outside the United States and choose to provide information to us, please note that we transfer the data to the United States and process it there.— Excerpt from Duolingo's Duolingo Privacy Policy
(1) REGULATORY LANDSCAPE: Cross-border data transfers from the EEA to the US are governed by GDPR Chapter V, requiring either an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another approved mechanism. The EU-US Data Privacy Framework (DPF) adopted in 2023 provides a transfer mechanism for certified US entities. The policy does not specify which transfer mechanism Duolingo relies upon, which is a disclosure gap relative to GDPR transparency requirements. The UK ICO has adopted a separate International Data Transfer Agreement (IDTA) framework for UK-US transfers. (2) GOVERNANCE EXPOSURE: Medium. The failure to specify the transfer mechanism in the policy text creates transparency exposure under GDPR Article 13(1)(f), which requires disclosure of the transfer mechanism or basis. If Duolingo relies on SCCs, the Schrems II ruling requires a transfer impact assessment to evaluate the risk of US government access to transferred data. If relying on DPF certification, the certification must be current and verifiable. (3) JURISDICTION FLAGS: EU/EEA (GDPR Chapter V), UK (UK GDPR and IDTA framework), Switzerland (Swiss FDPA transfer requirements). Non-EEA countries with data localization requirements (e.g., Russia, China, India) may create additional compliance obligations for Duolingo's global user base. (4) CONTRACT AND VENDOR IMPLICATIONS: Data processing agreements with US-based vendors processing EEA or UK user data must include appropriate transfer mechanism documentation (SCCs or DPF reliance). Transfer impact assessments should be maintained for all transfers to the US where SCCs are the relied-upon mechanism. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Duolingo's EU-US data transfer mechanism is documented, current, and disclosed in the privacy policy or supplementary documentation. If relying on DPF, certification status should be verified at https://www.dataprivacyframework.gov. Transfer impact assessments should be maintained and reviewed following any changes in US surveillance law or DPF legal status.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Cross-border data transfers from the EU and UK to the US require specific legal mechanisms under GDPR to be lawful, and the policy's disclosure that data is transferred to and processed in the US is a material compliance consideration requiring documented transfer basis such as Standard Contractual Clauses or EU-US Data Privacy Framework certification.
If you use Duolingo from outside the United States, your personal data including learning behavior and voice recordings will be transferred to and stored in the US, where data protection standards differ from those in your country. EU and UK users should be aware that US government access to data transferred under certain frameworks remains a contested legal area.
ConductAtlas has identified this type of provision across 78 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.