What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@duolingo.com', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'EU and UK users can email privacy@duolingo.com to exercise GDPR rights including access, correction, deletion, restriction, portability, or objection to processing. Specify your request clearly and include your account email address.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': "The FTC has authority over US-based companies' compliance with international privacy representations under the FTC Act, and participates in oversight of EU-US data transfer frameworks.", 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this EU and UK User Rights (GDPR) clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar EU and UK User Rights (GDPR) clauses across approximately 1 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

EU and UK User Rights (GDPR) — Duolingo

Share 𝕏 Share in Share 🔒 PDF

Recent governance activity Duolingo recorded 3 documented changes in the last 30 days.

Start monitoring updates

Monitor governance changes for Duolingo Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

EU and UK users have the right under GDPR to access, correct, delete, or move their personal data, object to certain processing, and complain to their national data protection authority.

ⓘ

This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The policy confirms that EU and UK users have GDPR rights enforceable by local supervisory authorities, including the right to lodge complaints without needing to take legal action directly against Duolingo.

Recent Activity

This document changed recently

Medium Apr 21, 2026

The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duoli…

Consumer impact (what this means for users)

EU and UK users can contact Duolingo at privacy@duolingo.com to exercise rights including data access, correction, deletion, restriction of processing, data portability, and objection to processing; they can also escalate to their national data protection authority.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

EU and UK users can email privacy@duolingo.com to exercise GDPR rights including access, correction, deletion, restriction, portability, or objection to processing. Specify your request clearly and include your account email address.

How other platforms handle this

Grammarly Medium

If you are located in the EEA, UK, or Switzerland, you have certain rights with respect to your personal information, including the right to access your personal data, to correct or delete your personal data, to restrict processing of your personal data, to data portability, and to object to process...

ADP Medium

If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...

TransUnion Medium

Depending on where you live, you may have certain rights with respect to your personal information. These rights may include: The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which we collected i...

See all platforms with this clause type →

Monitoring

Duolingo has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
If you are located in the European Union or United Kingdom, you have certain rights under applicable data protection laws, including the right to access, correct, or delete personal information we hold about you; the right to restrict or object to our processing of your personal information; the right to data portability; and the right to lodge a complaint with your local supervisory authority.

— Excerpt from Duolingo's Duolingo Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision implements rights under GDPR Articles 15-22 and UK GDPR equivalents. Duolingo, as a US-based company processing EU and UK personal data, is subject to GDPR by virtue of Article 3(2) (offering services to EU data subjects). Enforcement is by national data protection authorities in EU member states and the ICO in the UK. Duolingo may be required to designate an EU representative under GDPR Article 27. GOVERNANCE EXPOSURE: Medium. The policy acknowledges GDPR rights obligations. Key compliance risks include the adequacy of response processes for rights requests, documentation of lawful bases for all processing activities, and whether Duolingo has appointed an EU representative and Data Protection Officer as required. JURISDICTION FLAGS: EU member state DPAs have jurisdiction over processing of data belonging to residents of their respective states. The ICO has jurisdiction for UK data subjects. Lead supervisory authority under the GDPR one-stop-shop mechanism may apply if Duolingo has an EU establishment. CONTRACT AND VENDOR IMPLICATIONS: Institutional customers in the EU and UK deploying Duolingo for employees or students should ensure that a Data Processing Agreement under GDPR Article 28 is in place with Duolingo and that the agreement addresses rights request handling and sub-processor obligations. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Duolingo has documented lawful bases for each category of processing under GDPR, that a Record of Processing Activities exists as required under Article 30, and that the privacy policy satisfies the transparency requirements of Articles 13 and 14. The appointment and contact details of an EU representative and any Data Protection Officer should be verified.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

The FTC has authority over US-based companies' compliance with international privacy representations under the FTC Act, and participates in oversight of EU-US data transfer frameworks.
File a complaint →

Applicable regulations

United States Federal

Connecticut Data Privacy Act Amendments

US-CT

CAN-SPAM

United States Federal

FTC Act Section 5

United States Federal

GDPR

European Union

Indiana Consumer Data Protection Act

US-IN

Kentucky Consumer Data Protection Act

US-KY

UK GDPR

United Kingdom

Universal Opt-Out Mechanism Expansion 2026

Provision details

Document information

Document

Duolingo Privacy Policy

Entity

Duolingo

Document last updated

May 5, 2026

Tracking information

First tracked

May 12, 2026

Last verified

May 12, 2026

Record ID

CA-P-011284

Document ID

CA-D-00084

Evidence Provenance

Source URL

https://www.duolingo.com/privacy

Wayback Machine

View archived versions →

Content hash (SHA-256)

2dade822ccc0a9857012fa095dd3b53bfd7ed24f07f06c2c24446c668fae1eea

Analysis generated

May 12, 2026 08:26 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Duolingo
Document: Duolingo Privacy Policy
Record ID: CA-P-011284
Captured: 2026-05-12 08:26:59 UTC
SHA-256: 2dade822ccc0a985…
URL: https://conductatlas.com/platform/duolingo/duolingo-privacy-policy/eu-and-uk-user-rights-gdpr/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Data Collection Scope medium
Advertising and Analytics Data Sharing high
Children's Privacy and Parental Consent high
International Data Transfers medium
Corporate Transaction Data Sharing medium
California Resident Rights (CCPA/CPRA) medium

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Duolingo's EU and UK User Rights (GDPR) clause do?

How does this clause affect you?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.

Is ConductAtlas affiliated with Duolingo?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.