Duolingo keeps your personal data for as long as it decides is necessary for its services, with no specific time limits stated, unless law requires otherwise.
This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This clause allocates discretion to Duolingo to determine retention duration based on operational necessity and legal compliance obligations. It establishes a standards-based retention framework rather than specifying defined retention windows, which affects how long user data remains in the company's systems.
The updated privacy policy no longer contains explicit language stating that Duolingo uses cookies to enhance user experience and analyze performance, or that it shares user information with social media, advertising, and analytics partners. The policy also no longer displays a 'Do Not Sell My Personal Information' button. These removals may affect the transparency of Duolingo's practices as disclosed in the policy document itself, though actual data practices may remain unchanged. Users should review the complete updated privacy policy to understand current disclosures about data collection and sharing.
View change record →The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duolingo also clarified that IP addresses may be retained longer than 30 days for paying subscribers specifically for payment processing and fraud prevention. The policy changed the Video Call feature from 'Duolingo offers' to 'Duolingo may offer', clarifying it is optional. You can disable FullStory and Session Replay activity recording using the Tracking toggle in app Settings.
View change record →Duolingo does not commit to a specific retention period for most categories of personal data, meaning your voice recordings, learning history, and behavioral data may be kept indefinitely as long as Duolingo determines there is a service-related purpose. EU users may have stronger rights to challenge retention duration under GDPR.
How other platforms handle this
We retain personal data for as long as necessary to provide our services, fulfill the purposes described in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. The specific retention period for each category of personal data depends on the purpose fo...
We retain your personal information for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law. We may also retain and use your information to comply with our legal obligations, resolve disputes, and enforce our ...
Please note there are situations where Spotify is unable to delete your data, for example when: it's still necessary to process the data for the purpose we collected it for; we have an overriding interest in continuing to process the data, for example where we need the data to protect our services f...
Monitoring
Duolingo has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain your personal information for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.— Excerpt from Duolingo's Duolingo Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR Article 5(1)(e) establishes the storage limitation principle, requiring that personal data be kept no longer than necessary for the purposes for which it is processed. The policy's open-ended retention formulation may be insufficient to satisfy GDPR's requirement that retention periods (or criteria used to determine them) be communicated to data subjects under Article 13(2)(a) and Article 14(3)(a). The UK ICO and EU supervisory authorities have issued enforcement decisions against open-ended retention policies. (2) GOVERNANCE EXPOSURE: Medium. While open-ended retention language is common across the industry, GDPR enforcement bodies have increasingly scrutinized vague retention disclosures. For sensitive data categories such as voice recordings and behavioral profiles, the absence of specific retention periods creates both regulatory and reputational exposure. California's CPRA also requires that businesses disclose retention periods for each category of personal information collected. (3) JURISDICTION FLAGS: EU/EEA (GDPR storage limitation principle, supervisory authority enforcement), California (CPRA retention period disclosure requirements). The combination of these two frameworks creates a documentation requirement that the current policy language does not clearly satisfy. (4) CONTRACT AND VENDOR IMPLICATIONS: If Duolingo shares data with third-party processors, data processing agreements should specify consistent retention and deletion schedules. Open-ended retention at the controller level may result in inconsistent processor retention practices if not contractually constrained. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should develop and document specific retention schedules for each category of personal data collected (voice recordings, usage data, account data, payment data), and update policy disclosures to reflect these schedules as required by CPRA and GDPR. A data retention and deletion audit should be conducted to verify that operational practices align with stated policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This clause allocates discretion to Duolingo to determine retention duration based on operational necessity and legal compliance obligations. It establishes a standards-based retention framework rather than specifying defined retention windows, which affects how long user data remains in the company's systems.
Duolingo does not commit to a specific retention period for most categories of personal data, meaning your voice recordings, learning history, and behavioral data may be kept indefinitely as long as Duolingo determines there is a service-related purpose. EU users may have stronger rights to challenge retention duration under GDPR.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.