Privacy Policy

Last updated: May 11, 2026

1. Data Controller

Linguine is operated by an individual based in Denmark. For any privacy-related inquiries, you can reach us at [email protected].

2. What Data We Collect

We collect the following categories of data:

  • Account data: email address and hashed password (your password is never stored in plain text)
  • Learning data: exercise attempts, scores, and progress
  • Technical data: IP address, browser type, device information, and pages visited
  • Cookies: session cookies (essential) and analytics cookies (with your consent)

3. Legal Basis for Processing

We process your data under the following legal bases as defined by GDPR Article 6:

  • Contract performance (Art. 6(1)(b)) — your account data is necessary to provide the Service
  • Legitimate interest (Art. 6(1)(f)) — basic analytics to maintain and improve the Service
  • Consent (Art. 6(1)(a)) — for non-essential cookies such as Google Analytics

4. How We Use Your Data

  • Providing and maintaining the Service (account management, exercise delivery)
  • Tracking your learning progress across sessions
  • Improving the platform through aggregated usage analytics
  • Sending account-related communications (password resets, security notices)

We do not send marketing emails without your explicit consent.

5. Cookies and Tracking

We use the following types of cookies:

  • Essential cookies: session and CSRF cookies required for the Service to function. These do not require consent.
  • Analytics cookies: Google Analytics 4 (GA4) is used to understand how visitors use the site. These cookies are only activated after you give consent through our cookie banner.

You can withdraw your cookie consent at any time by clearing your browser cookies and revisiting the site.

6. Third-Party Processors

We use the following third-party services that may process your data:

All third-party processors are bound by data processing agreements in accordance with GDPR.

7. International Data Transfers

Google Analytics may transfer data outside the EU. These transfers are covered by the EU–U.S. Data Privacy Framework adequacy decision and Standard Contractual Clauses where applicable.

8. Data Retention

  • Account data: retained for as long as your account is active. Upon deletion, your data is removed within 30 days.
  • Learning data: deleted together with your account.
  • Analytics data: retained by Google Analytics for up to 14 months.

9. Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — request that we limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk.

10. Data Security

We take reasonable measures to protect your data, including:

  • Passwords are hashed using industry-standard algorithms
  • All connections are encrypted via HTTPS
  • Access to production systems is restricted

11. Children

You must be at least 13 years old to create an account. If we become aware that a child under 13 has registered, we will promptly delete their account and data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated by email or through a notice on the Service. The "last updated" date at the top of this page reflects the most recent revision.

13. Contact

For any privacy-related questions or requests, contact us at [email protected].