Duolingo transfers and stores user data in the United States, where privacy protections may differ from those in a user's home country.
This analysis describes what Duolingo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The policy states that by using the service, users consent to data transfer to the US, which for EU and UK users intersects with GDPR requirements for lawful international data transfer mechanisms that go beyond consent alone.
Interpretive note: The policy does not specify which GDPR-compliant transfer mechanisms Duolingo relies upon beyond referencing user consent, creating ambiguity about the adequacy of international transfer protections for EU and UK users.
The updated privacy policy no longer contains explicit language stating that Duolingo uses cookies to enhance user experience and analyze performance, or that it shares user information with social media, advertising, and analytics partners. The policy also no longer displays a 'Do Not Sell My Personal Information' button. These removals may affect the transparency of Duolingo's practices as disclosed in the policy document itself, though actual data practices may remain unchanged. Users should review the complete updated privacy policy to understand current disclosures about data collection and sharing.
The updated policy now discloses a new Math Tutor feature that processes audio through Apple for transcription; audio is deleted but text transcripts may be retained and shared with AI vendors. Duolingo also clarified that IP addresses may be retained longer than 30 days for paying subscribers specifically for payment processing and fraud prevention. The policy changed the Video Call feature from 'Duolingo offers' to 'Duolingo may offer', clarifying it is optional. You can disable FullStory and Session Replay activity recording using the Tracking toggle in app Settings.
This new provision explicitly discloses international data transfer practices and obtains user consent for processing in the U.S., with notice that users may have fewer protections than under local law.
The policy states that personal data is transferred to and stored in the United States, potentially under legal frameworks with different privacy protections than those applicable in EU, UK, or other jurisdictions.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Monitoring
Duolingo has changed this document before.
"Duolingo is based in the United States and the information we collect is governed by U.S. law. By accessing or using our services or otherwise providing information to us, you consent to the processing, transfer, and storage of information in and to the U.S. and other countries, where you may not have the same rights and protections as you do under local law." — Excerpt from Duolingo's Privacy Policy
REGULATORY LANDSCAPE: International transfers of personal data from the EU and UK to the United States engage GDPR Chapter V and UK GDPR transfer provisions. The EU-US Data Privacy Framework and Standard Contractual Clauses are currently the primary lawful transfer mechanisms. Reliance on user consent as the primary transfer mechanism under GDPR Article 49 is permitted only for non-repetitive, occasional transfers under EDPB guidance, meaning a broader transfer mechanism is generally required for systematic data flows.
GOVERNANCE EXPOSURE: Medium. The policy's assertion that users 'consent' to US data transfers by using the service may not constitute a valid transfer mechanism under GDPR for systematic international data flows. Organizations relying on consent alone for repeated transfers to the US face regulatory exposure under GDPR Chapter V.
JURISDICTION FLAGS: EU and EEA users have the highest exposure given GDPR Chapter V requirements. UK users are subject to UK GDPR international transfer rules. Users in countries with adequacy decisions or bilateral agreements may have additional protections. Users in jurisdictions without specific international transfer protections have limited recourse.
CONTRACT AND VENDOR IMPLICATIONS: Enterprise or institutional customers contracting with Duolingo for use by EU or UK employees or students should request information about the specific transfer mechanisms Duolingo relies upon, such as Standard Contractual Clauses or the EU-US Data Privacy Framework certification, and incorporate appropriate contractual terms.
COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Duolingo has implemented and documented appropriate transfer mechanisms for EU and UK personal data flows to the United States, and that these are reflected in the privacy policy and records of processing activities. Transfer impact assessments may be required for high-risk data flows.
ConductAtlas has identified this type of provision across 55 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duolingo.