Duolingo keeps your personal data for as long as it is needed for the purposes it was collected, without specifying exact timeframes.
This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy does not specify fixed retention periods for different categories of data, which under GDPR requires that retention periods or criteria be communicated to users; the absence of specific timeframes creates ambiguity about how long learning and behavioral data is retained.
Interpretive note: The policy does not specify category-specific retention periods, and the criteria-based approach may or may not satisfy GDPR transparency requirements depending on regulatory interpretation.
The updated privacy policy no longer contains explicit language stating that Duolingo uses cookies to enhance user experience and analyze performance, or that it shares user information with social media, advertising, and analytics partners. The policy also no longer displays a 'Do Not Sell My Personal Information' button. These removals may affect the transparency of Duolingo's practices as disclosed in the policy document itself, though actual data practices may remain unchanged. Users should review the complete updated privacy policy to understand current disclosures about data collection and sharing.
View change record →The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duolingo also clarified that IP addresses may be retained longer than 30 days for paying subscribers specifically for payment processing and fraud prevention. The policy changed the Video Call feature from 'Duolingo offers' to 'Duolingo may offer', clarifying it is optional. You can disable FullStory and Session Replay activity recording using the Tracking toggle in app Settings.
View change record →Expanded to detail specific factors considered for retention (amount, nature, sensitivity, risk of harm) and added 'legal, accounting, or reporting requirements' but excerpt appears incomplete/truncated.
View full change record →The policy states data is retained as long as necessary for stated purposes, without specifying maximum retention periods for categories such as learning activity, device identifiers, or payment information, which means data may be retained for extended periods.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Duolingo has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process your personal information, and whether we can achieve those purposes through other means.— Excerpt from Duolingo's Duolingo Privacy Policy
REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires that personal data is kept in a form that permits identification of data subjects for no longer than necessary, and Articles 13 and 14 require that retention periods or the criteria used to determine them be disclosed to users. CCPA and CPRA require disclosure of the length of time personal information will be retained or, if not possible, the criteria used. The policy's reliance on general criteria without category-specific timeframes may create tension with these requirements. GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods in the policy is common in consumer privacy policies but creates compliance risk under GDPR's transparency requirements. Regulators in the EU have scrutinized overly vague retention provisions. JURISDICTION FLAGS: EU and UK users have the highest exposure given GDPR Article 5 and transparency requirements. California users may rely on CPRA's retention disclosure requirements. Users in other jurisdictions may have limited recourse. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers requiring specific retention schedules for compliance or contractual reasons should request supplementary documentation from Duolingo specifying retention periods by data category. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that internal retention schedules exist and are enforced for each category of personal data, and consider whether category-specific retention periods can be published in the policy or a supplementary retention schedule to satisfy GDPR transparency requirements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy does not specify fixed retention periods for different categories of data, which under GDPR requires that retention periods or criteria be communicated to users; the absence of specific timeframes creates ambiguity about how long learning and behavioral data is retained.
The policy states data is retained as long as necessary for stated purposes, without specifying maximum retention periods for categories such as learning activity, device identifiers, or payment information, which means data may be retained for extended periods.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.