Duolingo keeps your personal data for as long as it is needed for the purposes it was collected, without specifying exact timeframes.
This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This clause operationalizes Duolingo's data lifecycle management by establishing criteria for when personal information may be deleted or anonymized. It creates a documented standard that ties retention decisions to specific business and legal purposes rather than indefinite storage.
Interpretive note: The policy does not specify category-specific retention periods, and the criteria-based approach may or may not satisfy GDPR transparency requirements depending on regulatory interpretation.
The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duolingo also clarified that IP addresses may be retained longer than 30 days for paying subscribers specifically for payment processing and fraud prevention. The policy changed the Video Call feature from 'Duolingo offers' to 'Duolingo may offer', clarifying it is optional. You can disable FullStory and Session Replay activity recording using the Tracking toggle in app Settings.
View change record →The policy states data is retained as long as necessary for stated purposes, without specifying maximum retention periods for categories such as learning activity, device identifiers, or payment information, which means data may be retained for extended periods.
How other platforms handle this
We store information until it is no longer necessary to provide our services and WhatsApp Products, or until your account is deleted or becomes inactive, whichever comes first. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and pro...
You may request deletion of your account at any time. When you request account deletion, we will delete or anonymize your personal information unless we are required to retain it by law, or unless we need to retain it for legitimate business purposes such as resolving disputes, enforcing our agreeme...
We'll retain your Personal Data for only as long as we need in order to provide our Services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Data will depend on a number of...
Monitoring
Duolingo has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process your personal information, and whether we can achieve those purposes through other means.— Excerpt from Duolingo's Duolingo Privacy Policy
REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires that personal data is kept in a form that permits identification of data subjects for no longer than necessary, and Articles 13 and 14 require that retention periods or the criteria used to determine them be disclosed to users. CCPA and CPRA require disclosure of the length of time personal information will be retained or, if not possible, the criteria used. The policy's reliance on general criteria without category-specific timeframes may create tension with these requirements. GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods in the policy is common in consumer privacy policies but creates compliance risk under GDPR's transparency requirements. Regulators in the EU have scrutinized overly vague retention provisions. JURISDICTION FLAGS: EU and UK users have the highest exposure given GDPR Article 5 and transparency requirements. California users may rely on CPRA's retention disclosure requirements. Users in other jurisdictions may have limited recourse. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers requiring specific retention schedules for compliance or contractual reasons should request supplementary documentation from Duolingo specifying retention periods by data category. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that internal retention schedules exist and are enforced for each category of personal data, and consider whether category-specific retention periods can be published in the policy or a supplementary retention schedule to satisfy GDPR transparency requirements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This clause operationalizes Duolingo's data lifecycle management by establishing criteria for when personal information may be deleted or anonymized. It creates a documented standard that ties retention decisions to specific business and legal purposes rather than indefinite storage.
The policy states data is retained as long as necessary for stated purposes, without specifying maximum retention periods for categories such as learning activity, device identifiers, or payment information, which means data may be retained for extended periods.
ConductAtlas has identified this type of provision across 115 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.