Record of Processing Activities (ROPA)
Lingly Limited
Document Version: 2.0
Last Updated: 29 May 2026
Next Review: 29 November 2026
Responsible: Data Protection Officer
1. Organization information
| Field | Detail |
|---|---|
| Data Controller | Lingly Limited |
| Company Number | 12536799 (England and Wales) |
| Address | International House, 36-38 Cornhill, London, EC3V 3NG, UK |
| Contact | support@lingly.ai |
| DPO Contact | harry@lingly.ai |
| Business Activity | Language assessment and training platform for care workers and frontline professionals |
2. Processing activities
2.1 User account management
| Field | Detail |
|---|---|
| Purpose | Creating and managing user accounts for platform access |
| Legal Basis | Legitimate interests (Art. 6(1)(f)) — providing agreed services to the employer |
| Data Categories | Name, email, job role, native language, learning language, timezone |
| Data Subjects | Non-native English speakers (primarily care workers and frontline professionals) |
| Recipients | Internal staff; cloud hosting (DigitalOcean) |
| International Transfers | None — UK/EEA processing only |
| Retention Period | Account lifetime + 12 months after last login |
| Security Measures | AES-256 at rest, TLS 1.2+ in transit, access controls |
2.2 Learning progress tracking
| Field | Detail |
|---|---|
| Purpose | Tracking progress through training modules and lessons |
| Legal Basis | Legitimate interests (Art. 6(1)(f)) — personalised learning experience |
| Data Categories | Module completions, lesson progress, exercise scores, time spent, vocabulary mastery |
| Data Subjects | Non-native English speakers (primarily care workers and frontline professionals) |
| Recipients | Internal staff; employers (aggregated reports); cloud hosting (DigitalOcean) |
| International Transfers | None — UK/EEA processing only |
| Retention Period | 3 years after completion |
| Security Measures | Database encryption, API authentication, role-based access controls |
2.3 AI-powered exercises and conversation practice
| Field | Detail |
|---|---|
| Purpose | AI-driven exercises and realistic conversation practice across the platform |
| Legal Basis | Legitimate interests (Art. 6(1)(f)) — core service functionality |
| Data Categories | User text inputs, AI responses, conversation transcripts, performance corrections |
| Data Subjects | Non-native English speakers (primarily care workers and frontline professionals) |
| Recipients | Internal staff; AI processing providers (OpenAI, Anthropic, Google Gemini); cloud hosting |
| International Transfers | OpenAI (US), Anthropic (US), Google Gemini (US) — all under UK Addendum to EU SCCs, zero data retention, no model training |
| Retention Period | Conversation/exercise logs: 12 months; Corrections: 18 months |
| Security Measures | TLS 1.2+ in transit, access logging, least-privilege access |
2.4 Speaking and pronunciation practice
| Field | Detail |
|---|---|
| Purpose | Speech recognition for pronunciation feedback; speech synthesis for roleplay/practice |
| Legal Basis | Legitimate interests (Art. 6(1)(f)) — core functionality |
| Special Categories | None retained. Learner audio is transcribed and the audio deleted immediately after processing; only the text transcript and derived scores are kept. |
| Data Categories | Learner speech transcripts; pronunciation scores; speaking-pace analysis. Learner audio is processed transiently and deleted immediately, not stored. |
| Data Subjects | Non-native English speakers (primarily care workers and frontline professionals) |
| Recipients | Internal staff; speech-to-text and text-to-speech providers receive transient audio / de-identified text only |
| International Transfers | Speech-to-text and text-to-speech text/audio contain no stored personal data; learner names are stripped before synthesis. Google Cloud TTS: EU endpoint. ElevenLabs: US, no model training. |
| Retention Period | Learner audio: deleted immediately after processing. Practice session transcripts: 18 months. |
| Security Measures | Transient audio processing with immediate deletion, encrypted in transit, limited access |
2.5 User communication and support
| Field | Detail |
|---|---|
| Purpose | Customer support, service notifications, optional marketing |
| Legal Basis | Legitimate interests (Art. 6(1)(f)) for support; Consent (Art. 6(1)(a)) for marketing |
| Data Categories | Email address, support enquiry content, communication preferences |
| Data Subjects | All platform users and admin contacts |
| Recipients | Internal staff; email delivery provider (ZeptoMail) |
| International Transfers | None — ZeptoMail EU server |
| Retention Period | Support logs: 6 months; Marketing consent: until withdrawn + 3 years |
| Security Measures | Encrypted email transmission, consent management |
2.6 Provider admin management
| Field | Detail |
|---|---|
| Purpose | Managing care-provider administrator accounts and billing |
| Legal Basis | Contractual necessity (Art. 6(1)(b)) |
| Data Categories | Admin name, email, organisation details, billing information, usage statistics |
| Data Subjects | Care-provider administrators and decision makers |
| Recipients | Internal staff; payment processor (Stripe); cloud hosting |
| International Transfers | Stripe (US) — UK Addendum to EU SCCs |
| Retention Period | Contract lifetime + 6 years (legal/tax) |
| Security Measures | Strong authentication, encrypted storage, audit trails |
2.7 Analytics and platform improvement
| Field | Detail |
|---|---|
| Purpose | Understanding usage, improving service quality, identifying technical issues |
| Legal Basis | Legitimate interests (Art. 6(1)(f)) |
| Data Categories | Page views, feature usage, session duration, user IDs, session recordings (with input masking applied) |
| Data Subjects | All platform users |
| Recipients | Internal staff; product analytics (PostHog) |
| International Transfers | None — PostHog EU Cloud |
| Retention Period | Detailed analytics: 12 months; Aggregated: 3 years |
| Security Measures | Access controls, least privilege, input masking on session recordings |
2.8 Security, logging and fraud prevention
| Field | Detail |
|---|---|
| Purpose | Platform security, preventing unauthorised access, detecting misuse, debugging and operational logging |
| Legal Basis | Legitimate interests (Art. 6(1)(f)) — security and reliability of the service |
| Data Categories | IP addresses, login attempts, access logs, user IDs in application/error logs, security event data |
| Data Subjects | All platform users and administrators |
| Recipients | Internal staff (two directors); production log processor (BetterStack); error-alert destination (Slack) |
| International Transfers | BetterStack: EU hosted. Slack (US) — UK Addendum to EU SCCs. |
| Retention Period | BetterStack logs: 3 days; BetterStack metrics: 30 days; Slack error logs: 90 days; Incident reports: 7 years |
| Security Measures | Encrypted logs, access restricted to the two directors |
3. Data processors and third parties
3.1 Personal-data sub-processors
| Provider | Service | Data categories | Location | Safeguards |
|---|---|---|---|---|
| DigitalOcean | Cloud hosting & managed database | All customer/personal data | UK region | DPA, encryption |
| OpenAI | AI processing (LLM) | Conversation & assessment content | US | UK Addendum/SCCs, zero data retention, no model training |
| Anthropic | AI processing (LLM) | Conversation & assessment content | US | UK Addendum/SCCs, zero data retention, no model training |
| Google (Gemini API) | AI processing (LLM) | Conversation & assessment content | US | UK Addendum/SCCs, zero data retention, no model training |
| ZeptoMail (Zoho) | Transactional email | Email address, message content | EU server | DPA, EU processing |
| Stripe | Payment processing | Admin name, email, billing data (admins only) | US | UK Addendum/SCCs |
| PostHog | Product analytics | Behavioural data incl. user IDs | EU Cloud | DPA |
| BetterStack | Production logging & monitoring | User IDs, IPs in logs | EU hosted | DPA |
| Slack | Internal error/ops alerting | User IDs, IPs in error logs | US | UK Addendum/SCCs |
Each sub-processor is engaged under data processing terms (a Data Processing Agreement and/or Standard Contractual Clauses, as applicable to the transfer). Copies of the relevant terms are available on request.
3.2 Infrastructure providers (no personal data processed)
These services receive only fixed lesson content, de-identified text, or non-personal assets.
| Provider | Service | Basis for no personal data |
|---|---|---|
| Vercel | Frontend hosting | Hosting only |
| Google Cloud TTS | Text-to-speech | Fixed lesson content only |
| ElevenLabs | Text-to-speech (roleplay) | De-identified text only — learner names stripped before synthesis; no model training |
| DeepL | Translation | Fixed content only |
| Google Translate | Translation | Fixed content only |
| Cloudflare R2 | Object storage | Non-personal assets only |
4. Data subject rights procedures
Point of contact: support@lingly.ai. Response within 30 days (extendable to 60 for complex requests). Identity verification required for all requests affecting personal data. Free unless manifestly unfounded or excessive.
Rights supported: access (automated export via dashboard plus manual compilation, 30 days); rectification (self-service via account settings and admin tools, immediate to 5 days); erasure (automated account deletion, 30 days); portability (JSON export, 30 days); restriction (account suspension maintaining data integrity, 5 days); objection (case-by-case, particularly for marketing, 30 days).
5. Security measures
Technical: AES-256 at rest; TLS 1.2+ in transit; role-based access and least privilege; security monitoring; automated daily backups with geographic redundancy.
Organisational: annual GDPR and security training; documented data-handling procedures; documented breach response; annual security review; vendor due diligence and contractual protection.
6. Data protection impact assessments
Consolidated Platform DPIA (LINGLY-DPIA-001, v1.0, 27 May 2026) covers current processing and supersedes the per-feature DPIAs from July 2025 (Voice Processing for Assessments; AI Conversation Training). New DPIAs are triggered by new processing involving special categories, systematic monitoring, large-scale processing, or new technologies posing a privacy risk.
7. Breach response procedures
Detection via automated monitoring and staff reporting. Initial assessment and containment within 4 hours of discovery; risk classification within 24 hours; ICO notification within 72 hours for high-risk breaches; data subjects notified without undue delay where high risk; customers notified within 24 hours of assessment completion; post-incident review and remediation within 14 days. A breach register is maintained.
8. Regular reviews and updates
ROPA updated quarterly or when processing activities change. Annual security review. Bi-annual policy review. Annual staff training. New processing activities are assessed and documented before launch; vendor changes trigger due diligence and contract updates; significant system changes trigger a privacy review.
9. Contact information
Data protection queries: harry@lingly.ai. Technical issues: support@lingly.ai. Business: hello@lingly.ai. Supervisory authority: Information Commissioner’s Office (ico.org.uk, 0303 123 1113).
This Record of Processing Activities is maintained in accordance with Article 30 of the UK GDPR and is subject to regular review as our processing activities evolve.