If you use Duolingo from Europe or the UK, you have GDPR rights to access, correct, delete, and move your personal data, and to object to how it is being used.
This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
GDPR rights are among the strongest data protection rights globally and are directly enforceable against Duolingo for EEA and UK users, including the right to withdraw consent for data processing at any time, which can affect how your learning data and voice recordings are used.
The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duoli…
EU and UK Duolingo users can exercise legally binding rights to access all data held about them, have it deleted, corrected, or transferred, and can object to processing for direct marketing or automated decision-making. These rights are enforceable through national data protection authorities if Duolingo fails to respond appropriately.
How other platforms handle this
If you are located in the EEA, UK, or Switzerland, you have certain rights with respect to your personal information, including the right to access your personal data, to correct or delete your personal data, to restrict processing of your personal data, to data portability, and to object to process...
If you are located in the EEA or UK, you may have the following rights under applicable data protection law: the right to access your personal data; the right to rectify inaccurate personal data; the right to erasure of your personal data; the right to restrict processing of your personal data; the ...
Depending on where you live, you may have certain rights with respect to your personal information. These rights may include: The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which we collected i...
Monitoring
Duolingo has changed this document before.
"If you are located in the European Economic Area or the United Kingdom, you have certain rights under applicable data protection law, including the right to access, correct, update, or request deletion of your personal information. You also have the right to object to processing of your personal information, ask us to restrict processing of your personal information, or request portability of your personal information."
— Excerpt from Duolingo's Duolingo Privacy Policy
(1) REGULATORY LANDSCAPE: This provision engages GDPR (Regulation 2016/679) and the UK GDPR as retained in UK law post-Brexit. Applicable enforcement authorities include national data protection authorities in each EU member state, the Irish Data Protection Commission (likely Duolingo's EU lead supervisory authority given US headquarters), and the UK ICO. Key GDPR articles engaged include Articles 15-22 (data subject rights) and Article 77 (right to lodge a complaint with a supervisory authority).
(2) GOVERNANCE EXPOSURE: Medium. The disclosure of GDPR rights is legally required and the policy's inclusion is a positive compliance indicator. Operational exposure exists around response times (GDPR requires response within one month, extendable to three), the adequacy of identity verification processes that do not create excessive barriers to rights exercise, and the legal basis stated for each processing activity. If Duolingo relies on legitimate interests as a legal basis for behavioral advertising in the EEA, this may face challenge under GDPR's balancing test.
(3) JURISDICTION FLAGS: All EU member states and the UK. The Irish DPC is the likely lead supervisory authority under the GDPR one-stop-shop mechanism. Post-Brexit UK users are governed by UK GDPR and the ICO, which may diverge from EU standards over time. Cross-border data transfers from the EU to the US must rely on an approved transfer mechanism such as the EU-US Data Privacy Framework or Standard Contractual Clauses.
(4) CONTRACT AND VENDOR IMPLICATIONS: Data Processing Agreements with all processors handling EEA or UK user data must comply with GDPR Article 28 requirements. Transfer mechanisms for data flows to US-based advertising technology vendors should be documented and maintained current, given ongoing legal developments in this area.
(5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that a valid and documented legal basis exists for each category of processing described in the policy, particularly for behavioral advertising and voice data processing. The Data Protection Impact Assessment (DPIA) requirement under GDPR Article 35 should be evaluated for high-risk processing activities including voice recording and AI model training. Rights request workflows should be tested for compliance with GDPR's response time and format requirements.
ConductAtlas has identified this type of provision across 2 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.