Record of Processing Activities (ROPA)
Document Version: 1.0
Last Updated: July 23, 2025
Next Review: July 23, 2026
Responsible: Data Protection Officer
1. Organization Information
Data Controller | Lingly Limited |
Company Number | 12536799 (England and Wales) |
Address | Cornhill International House, 36-38 Cornhill, London, EC3V 3NG, UK |
Contact | support@lingly.ai |
DPO Contact | harry@lingly.ai |
Business Activity | Language assessment and training platform for care workers |
2. Processing Activities
2.1 User Account Management
Purpose | Creating and managing user accounts for language training platform access |
Legal Basis | Legitimate interests (Art. 6(1)(f)) - providing agreed services to employer |
Data Categories | Name, email, phone number, job role, native language, learning language, timezone, daily commitment preferences |
Data Subjects | Care workers and frontline professionals |
Recipients | Internal staff, cloud hosting providers (Digital Ocean) |
International Transfers | None - UK/EEA processing only |
Retention Period | Account lifetime + 12 months after last login |
Security Measures | Encryption at rest (AES-256), encrypted transmission (TLS 1.2+), access controls |
2.2 Language Screening Service
Purpose | Conducting telephone-based English language assessments for recruitment |
Legal Basis | Legitimate interests (Art. 6(1)(f)) - employment screening as requested by employer |
Special Categories | Native language (potential ethnic origin indicator) - processed under substantial public interest (Art. 9(2)(g)) |
Data Categories | Name, phone number, voice recordings (temporary), call transcripts, assessment scores, competency analysis |
Data Subjects | Job candidates and existing employees |
Recipients | Internal staff, requesting employers, telephony provider (Twilio), AI processing (OpenAI) |
International Transfers | OpenAI (US) - Standard Contractual Clauses with zero data retention and training prohibition |
Retention Period | Assessment results: 5 years; Voice recordings: deleted after processing; Transcripts: 2 years |
Security Measures | End-to-end encryption, secure telephony infrastructure, restricted access to results |
2.3 Learning Progress Tracking
Purpose | Tracking user progress through language training modules and lessons |
Legal Basis | Legitimate interests (Art. 6(1)(f)) - providing personalized learning experience |
Data Categories | Module completions, lesson progress, exercise scores, time spent learning, vocabulary mastery |
Data Subjects | Platform users (care workers) |
Recipients | Internal staff, employers (aggregated reports), cloud storage providers |
International Transfers | None - EU/UK processing only |
Retention Period | 3 years after completion |
Security Measures | Database encryption, API authentication, role-based access controls |
2.4 AI-Powered Conversation Training
Purpose | Providing realistic conversation practice through AI roleplay scenarios |
Legal Basis | Legitimate interests (Art. 6(1)(f)) - core service functionality |
Data Categories | User text inputs, AI responses, conversation transcripts, performance corrections, fluency tips interactions |
Data Subjects | Platform users engaging in conversation training |
Recipients | Internal staff, AI processing providers (OpenAI), cloud storage |
International Transfers | OpenAI (US) - Standard Contractual Clauses, zero-retention configuration |
Retention Period | Conversation logs: 12 months; Corrections: 18 months |
Security Measures | Encrypted transmission, anonymized where possible, access logging |
2.5 Voice Recording and Analysis
Purpose | Speech recognition, pronunciation assessment, and feedback provision |
Legal Basis | Legitimate interests (Art. 6(1)(f)) - core assessment functionality |
Special Categories | Voice recordings may reveal health conditions (speech impediments) |
Data Categories | Voice recordings, transcribed text, pronunciation scores, speaking pace analysis |
Data Subjects | Users participating in speaking exercises |
Recipients | Internal staff, speech processing providers, cloud storage |
International Transfers | Speech processing APIs (various) - Standard Contractual Clauses |
Retention Period | Voice recordings: 2 years for assessment verification |
Security Measures | Encrypted storage, limited access, automatic deletion processes |
2.6 User Communication and Support
Purpose | Providing customer support, service notifications, and optional marketing |
Legal Basis | Legitimate interests (Art. 6(1)(f)) for support; Consent (Art. 6(1)(a)) for marketing |
Data Categories | Email address, phone number, support inquiry content, communication preferences |
Data Subjects | All platform users and admin contacts |
Recipients | Internal staff, email service provider (Plunk), SMS providers |
International Transfers | None - EU-based email processing |
Retention Period | Support logs: 6 months; Marketing consent: until withdrawn + 3 years |
Security Measures | Encrypted email transmission, consent management system |
2.7 Provider Admin Management
Purpose | Managing care provider administrator accounts and billing |
Legal Basis | Contractual necessity (Art. 6(1)(b)) - fulfilling service agreements |
Data Categories | Admin name, email, organization details, billing information, usage statistics |
Data Subjects | Care provider administrators and decision makers |
Recipients | Internal staff, payment processors, cloud storage |
International Transfers | Payment processing may involve US providers - adequacy decisions |
Retention Period | Contract lifetime + 6 years for legal/tax requirements |
Security Measures | Strong authentication, encrypted storage, audit trails |
2.8 Analytics and Platform Improvement
Purpose | Understanding user behavior, improving service quality, identifying technical issues |
Legal Basis | Legitimate interests (Art. 6(1)(f)) - service improvement and optimization |
Data Categories | Page views, feature usage, session duration, error logs, aggregated performance metrics |
Data Subjects | All platform users |
Recipients | Internal staff, analytics providers (HotJar, Vercel Analytics) |
International Transfers | None - HotJar (Ireland), Vercel Analytics (anonymous data only) |
Retention Period | Detailed analytics: 12 months; Aggregated data: 3 years |
Security Measures | Data minimization, anonymization where possible, access controls |
2.9 Security and Fraud Prevention
Purpose | Protecting platform security, preventing unauthorized access, detecting misuse |
Legal Basis | Legitimate interests (Art. 6(1)(f)) - security of processing systems |
Data Categories | IP addresses, login attempts, access logs, device fingerprints, security event data |
Data Subjects | All platform users and administrators |
Recipients | Internal security team, cloud security providers, law enforcement (if required) |
International Transfers | Security monitoring tools may process in US - Standard Contractual Clauses |
Retention Period | Security logs: 12 months; Incident reports: 7 years |
Security Measures | Real-time monitoring, encrypted logs, restricted access to security data |
3. Data Processors and Third Parties
3.1 Primary Technology Providers
Provider | Service | Data Categories | Location | Safeguards |
---|---|---|---|---|
Digital Ocean | Cloud hosting & database | All customer data | UK region | Data Processing Agreement, encryption |
Vercel | Frontend hosting | Anonymous analytics only | London functions | No personal data collected |
OpenAI | AI processing | Conversation data, assessment content | US | Standard Contractual Clauses, zero-retention |
Twilio | Telephony services | Voice calls, phone numbers | Dublin (EEA) | Data Processing Agreement |
Plunk | Email delivery | Email addresses, message content | EU | EU-based processing |
3.2 Analytics and Monitoring
Provider | Service | Data Categories | Location | Safeguards |
---|---|---|---|---|
HotJar | User experience analytics | Behavioral data, form interactions | Ireland (EEA) | Data Processing Agreement |
Sentry | Error monitoring | Technical error data, user IDs | Various regions | Standard Contractual Clauses |
4. Data Subject Rights Procedures
4.1 Rights Request Handling
- Point of Contact: support@lingly.ai
- Response Timeframe: 30 days (extendable to 60 days for complex requests)
- Identity Verification: Required for all requests affecting personal data
- Fee Structure: Free unless requests are manifestly unfounded or excessive
4.2 Supported Rights
Right | Implementation Method | Typical Response Time |
---|---|---|
Access | Automated data export via dashboard + manual compilation | 30 days |
Rectification | User self-service via account settings + admin tools | Immediate to 5 days |
Erasure | Automated account deletion process | 30 days |
Portability | JSON export of user data | 30 days |
Restriction | Account suspension maintaining data integrity | 5 days |
Objection | Case-by-case assessment, particularly for marketing | 30 days |
5. Security Measures
5.1 Technical Measures
- Encryption: AES-256 for data at rest, TLS 1.2+ for data in transit
- Authentication: Strong authentication and access controls for admin accounts
- Access Controls: Role-based permissions, principle of least privilege
- Monitoring: Real-time security monitoring and alerting
- Backup: Automated daily backups with geographic redundancy
5.2 Organizational Measures
- Staff Training: Annual GDPR and security training for all staff
- Data Handling: Clear procedures for data processing activities
- Incident Response: Documented breach response procedures with 72-hour reporting
- Regular Audits: Annual security assessments and compliance reviews
- Vendor Management: Due diligence and contractual protections for all processors
6. Data Protection Impact Assessments (DPIAs)
6.1 Completed DPIAs
- Voice Processing for Assessments (July 2025) - Medium risk, additional safeguards implemented
- AI Conversation Training (July 2025) - Low risk after anonymization measures
6.2 DPIA Triggers
New DPIAs required for:
- New data processing activities involving special categories
- Systematic monitoring of users
- Large-scale processing of personal data
- New technologies that may pose privacy risks
7. Breach Response Procedures
7.1 Detection and Assessment
- Detection: Automated monitoring + staff reporting
- Initial Assessment: Within 24 hours of discovery
- Risk Classification: High/Medium/Low impact assessment
- Containment: Immediate steps to limit data exposure
7.2 Notification Requirements
- Supervisory Authority (ICO): Within 72 hours for high-risk breaches
- Data Subjects: Without undue delay for high-risk breaches
- Customers (Care Providers): Within 24 hours of assessment completion
- Documentation: Comprehensive breach register maintained
8. Regular Reviews and Updates
8.1 Review Schedule
- ROPA Updates: Quarterly or when processing activities change
- Security Review: Annual comprehensive assessment
- Policy Updates: Bi-annual review of all data protection policies
- Staff Training: Annual refresher training
8.2 Change Management
- New Processing Activities: Must be assessed and documented before implementation
- Vendor Changes: Due diligence and contract updates required
- System Changes: Privacy impact assessment for significant modifications
9. Contact Information
Data Protection Queries: harry@lingly.ai
Technical Issues: support@lingly.ai
Business Inquiries: hello@lingly.ai
Supervisory Authority: Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
This Record of Processing Activities is maintained in accordance with Article 30 of the UK GDPR and is subject to regular review and updates as our processing activities evolve.