Duolingo keeps your personal data for as long as it decides is necessary for its services, with no specific time limits stated, unless law requires otherwise.
This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Open-ended retention language gives Duolingo broad discretion over how long it keeps your learning data, voice recordings, usage history, and other personal information, which may conflict with GDPR's storage limitation principle requiring data be kept no longer than necessary for its stated purpose.
The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duoli…
Duolingo does not commit to a specific retention period for most categories of personal data, meaning your voice recordings, learning history, and behavioral data may be kept indefinitely as long as Duolingo determines there is a service-related purpose. EU users may have stronger rights to challenge retention duration under GDPR.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
Duolingo has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain your personal information for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.— Excerpt from Duolingo's Duolingo Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR Article 5(1)(e) establishes the storage limitation principle, requiring that personal data be kept no longer than necessary for the purposes for which it is processed. The policy's open-ended retention formulation may be insufficient to satisfy GDPR's requirement that retention periods (or criteria used to determine them) be communicated to data subjects under Article 13(2)(a) and Article 14(3)(a). The UK ICO and EU supervisory authorities have issued enforcement decisions against open-ended retention policies. (2) GOVERNANCE EXPOSURE: Medium. While open-ended retention language is common across the industry, GDPR enforcement bodies have increasingly scrutinized vague retention disclosures. For sensitive data categories such as voice recordings and behavioral profiles, the absence of specific retention periods creates both regulatory and reputational exposure. California's CPRA also requires that businesses disclose retention periods for each category of personal information collected. (3) JURISDICTION FLAGS: EU/EEA (GDPR storage limitation principle, supervisory authority enforcement), California (CPRA retention period disclosure requirements). The combination of these two frameworks creates a documentation requirement that the current policy language does not clearly satisfy. (4) CONTRACT AND VENDOR IMPLICATIONS: If Duolingo shares data with third-party processors, data processing agreements should specify consistent retention and deletion schedules. Open-ended retention at the controller level may result in inconsistent processor retention practices if not contractually constrained. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should develop and document specific retention schedules for each category of personal data collected (voice recordings, usage data, account data, payment data), and update policy disclosures to reflect these schedules as required by CPRA and GDPR. A data retention and deletion audit should be conducted to verify that operational practices align with stated policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Open-ended retention language gives Duolingo broad discretion over how long it keeps your learning data, voice recordings, usage history, and other personal information, which may conflict with GDPR's storage limitation principle requiring data be kept no longer than necessary for its stated purpose.
Duolingo does not commit to a specific retention period for most categories of personal data, meaning your voice recordings, learning history, and behavioral data may be kept indefinitely as long as Duolingo determines there is a service-related purpose. EU users may have stronger rights to challenge retention duration under GDPR.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.