If you use Duolingo from Europe or the UK, you have GDPR rights to access, correct, delete, and move your personal data, and to object to how it is being used.
This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the operational framework through which Duolingo acknowledges and implements statutory data subject rights mandated by GDPR and UK data protection law, creating documented procedures for users to exercise legal entitlements regarding their personal data.
The updated privacy policy no longer contains explicit language stating that Duolingo uses cookies to enhance user experience and analyze performance, or that it shares user information with social media, advertising, and analytics partners. The policy also no longer displays a 'Do Not Sell My Personal Information' button. These removals may affect the transparency of Duolingo's practices as disclosed in the policy document itself, though actual data practices may remain unchanged. Users should review the complete updated privacy policy to understand current disclosures about data collection and sharing.
View change record →The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duolingo also clarified that IP addresses may be retained longer than 30 days for paying subscribers specifically for payment processing and fraud prevention. The policy changed the Video Call feature from 'Duolingo offers' to 'Duolingo may offer', clarifying it is optional. You can disable FullStory and Session Replay activity recording using the Tracking toggle in app Settings.
View change record →EU and UK Duolingo users can exercise legally binding rights to access all data held about them, have it deleted, corrected, or transferred, and can object to processing for direct marketing or automated decision-making. These rights are enforceable through national data protection authorities if Duolingo fails to respond appropriately.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Monitoring
Duolingo has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are located in the European Economic Area or the United Kingdom, you have certain rights under applicable data protection law, including the right to access, correct, update, or request deletion of your personal information. You also have the right to object to processing of your personal information, ask us to restrict processing of your personal information, or request portability of your personal information.— Excerpt from Duolingo's Duolingo Privacy Policy
(1) REGULATORY LANDSCAPE: This provision engages GDPR (Regulation 2016/679) and the UK GDPR as retained in UK law post-Brexit. Applicable enforcement authorities include national data protection authorities in each EU member state, the Irish Data Protection Commission (likely Duolingo's EU lead supervisory authority given US headquarters), and the UK ICO. Key GDPR articles engaged include Articles 15-22 (data subject rights) and Article 77 (right to lodge a complaint with a supervisory authority). (2) GOVERNANCE EXPOSURE: Medium. The disclosure of GDPR rights is legally required and the policy's inclusion is a positive compliance indicator. Operational exposure exists around response times (GDPR requires response within one month, extendable to three), the adequacy of identity verification processes that do not create excessive barriers to rights exercise, and the legal basis stated for each processing activity. If Duolingo relies on legitimate interests as a legal basis for behavioral advertising in the EEA, this may face challenge under GDPR's balancing test. (3) JURISDICTION FLAGS: All EU member states and the UK. The Irish DPC is the likely lead supervisory authority under the GDPR one-stop-shop mechanism. Post-Brexit UK users are governed by UK GDPR and the ICO, which may diverge from EU standards over time. Cross-border data transfers from the EU to the US must rely on an approved transfer mechanism such as the EU-US Data Privacy Framework or Standard Contractual Clauses. (4) CONTRACT AND VENDOR IMPLICATIONS: Data Processing Agreements with all processors handling EEA or UK user data must comply with GDPR Article 28 requirements. Transfer mechanisms for data flows to US-based advertising technology vendors should be documented and maintained current, given ongoing legal developments in this area. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that a valid and documented legal basis exists for each category of processing described in the policy, particularly for behavioral advertising and voice data processing. The Data Protection Impact Assessment (DPIA) requirement under GDPR Article 35 should be evaluated for high-risk processing activities including voice recording and AI model training. Rights request workflows should be tested for compliance with GDPR's response time and format requirements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the operational framework through which Duolingo acknowledges and implements statutory data subject rights mandated by GDPR and UK data protection law, creating documented procedures for users to exercise legal entitlements regarding their personal data.
EU and UK Duolingo users can exercise legally binding rights to access all data held about them, have it deleted, corrected, or transferred, and can object to processing for direct marketing or automated decision-making. These rights are enforceable through national data protection authorities if Duolingo fails to respond appropriately.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.