Duolingo transfers your personal data to the United States for processing, regardless of where you are located, meaning your data may be subject to US laws rather than the stronger protections of your home country.
This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes the geographic scope of data processing operations and notifies users that their information will be subject to the legal and regulatory frameworks of the jurisdiction where servers are located, rather than remaining under their home jurisdiction's data protection regime.
Interpretive note: The policy does not specify which GDPR-approved transfer mechanism Duolingo relies upon for EU-US data flows, creating uncertainty about the legal basis and whether full GDPR Article 13 disclosure requirements are satisfied.
The updated privacy policy no longer contains explicit language stating that Duolingo uses cookies to enhance user experience and analyze performance, or that it shares user information with social media, advertising, and analytics partners. The policy also no longer displays a 'Do Not Sell My Personal Information' button. These removals may affect the transparency of Duolingo's practices as disclosed in the policy document itself, though actual data practices may remain unchanged. Users should review the complete updated privacy policy to understand current disclosures about data collection and sharing.
View change record →The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duolingo also clarified that IP addresses may be retained longer than 30 days for paying subscribers specifically for payment processing and fraud prevention. The policy changed the Video Call feature from 'Duolingo offers' to 'Duolingo may offer', clarifying it is optional. You can disable FullStory and Session Replay activity recording using the Tracking toggle in app Settings.
View change record →If you use Duolingo from outside the United States, your personal data including learning behavior and voice recordings will be transferred to and stored in the US, where data protection standards differ from those in your country. EU and UK users should be aware that US government access to data transferred under certain frameworks remains a contested legal area.
How other platforms handle this
Epic Games, Inc. is headquartered in Cary, North Carolina. We and our subsidiaries have offices and operations located around the world that help create and deliver some of your favorite products and services, including games like Fortnite and developer tools like Unreal Engine.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, please note that we transfer your personal data to countries outside of these regions, including the United States, which may not provide the same level of data protection as your home country. We rely on app...
Canva is headquartered in Australia, and the Service is operated from Australia. If you are located in the European Economic Area, the United Kingdom, or other regions with laws governing data collection and use, please note that your information may be transferred to and processed in countries that...
Monitoring
Duolingo has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction. If you are located outside the United States and choose to provide information to us, please note that we transfer the data to the United States and process it there.— Excerpt from Duolingo's Duolingo Privacy Policy
(1) REGULATORY LANDSCAPE: Cross-border data transfers from the EEA to the US are governed by GDPR Chapter V, requiring either an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another approved mechanism. The EU-US Data Privacy Framework (DPF) adopted in 2023 provides a transfer mechanism for certified US entities. The policy does not specify which transfer mechanism Duolingo relies upon, which is a disclosure gap relative to GDPR transparency requirements. The UK ICO has adopted a separate International Data Transfer Agreement (IDTA) framework for UK-US transfers. (2) GOVERNANCE EXPOSURE: Medium. The failure to specify the transfer mechanism in the policy text creates transparency exposure under GDPR Article 13(1)(f), which requires disclosure of the transfer mechanism or basis. If Duolingo relies on SCCs, the Schrems II ruling requires a transfer impact assessment to evaluate the risk of US government access to transferred data. If relying on DPF certification, the certification must be current and verifiable. (3) JURISDICTION FLAGS: EU/EEA (GDPR Chapter V), UK (UK GDPR and IDTA framework), Switzerland (Swiss FDPA transfer requirements). Non-EEA countries with data localization requirements (e.g., Russia, China, India) may create additional compliance obligations for Duolingo's global user base. (4) CONTRACT AND VENDOR IMPLICATIONS: Data processing agreements with US-based vendors processing EEA or UK user data must include appropriate transfer mechanism documentation (SCCs or DPF reliance). Transfer impact assessments should be maintained for all transfers to the US where SCCs are the relied-upon mechanism. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Duolingo's EU-US data transfer mechanism is documented, current, and disclosed in the privacy policy or supplementary documentation. If relying on DPF, certification status should be verified at https://www.dataprivacyframework.gov. Transfer impact assessments should be maintained and reviewed following any changes in US surveillance law or DPF legal status.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes the geographic scope of data processing operations and notifies users that their information will be subject to the legal and regulatory frameworks of the jurisdiction where servers are located, rather than remaining under their home jurisdiction's data protection regime.
If you use Duolingo from outside the United States, your personal data including learning behavior and voice recordings will be transferred to and stored in the US, where data protection standards differ from those in your country. EU and UK users should be aware that US government access to data transferred under certain frameworks remains a contested legal area.
ConductAtlas has identified this type of provision across 84 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.