Lingly
Book a call

Lingly

Sign inBook a call

Privacy Policy

Lingly Limited

Last Updated: 29 May 2026

1. Introduction

Welcome to Lingly (“Lingly”, “we”, “us”, “our”). Lingly Limited provides a unified language assessment and training platform designed for workplace language skills, primarily serving care workers and other frontline professionals. Our services are provided to business organisations (“Customers”) and accessed by individual employees or candidates (“Users”) under a Customer’s account.

This Privacy Policy explains what personal data we collect when you (an individual “User”, which may include employees or candidates of our Customers) use our Services, how we use and share that data, and your rights concerning your data.

For the purposes of the UK General Data Protection Regulation (UK GDPR), your employer (the Customer) is the Data Controller for the personal data of its Authorised Users, and Lingly is the Data Processor, processing that data on the Customer’s documented instructions to provide the Services. Lingly also generates anonymised, aggregated insights from platform usage that do not identify any individual; these are not personal data, and the Customer grants Lingly a licence to use them to operate and improve the Services (see Section 6).

This Privacy Policy forms part of our Terms of Use. By using our Services, you acknowledge you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.

2. Information we collect

We collect information to provide and improve our Services. This includes:

a. Information you provide directly

Account registration and onboarding: when you or your employer creates an account or you onboard onto our training platform, we may collect your name, email address, native language, the language you are learning, your assessed language level, desired language level, timezone, locale preference, job role, employer name, and industry. If you sign up using Google, we may receive your name, email address, and Google avatar URL.

Communications: if you contact us directly (e.g. via support at support@lingly.ai), we collect your name, email address, and the content of your communication.

b. Information collected during service use

Language training platform (app.lingly.ai): we collect data about your learning progress, including modules and lessons started/completed, performance in exercises and roleplays (including text transcriptions and speech-to-text inputs), vocabulary learned and reviewed, fluency tip interactions, daily review completions, quiz scores, and learning streaks.

Audio data (AI roleplays): when you take part in interactive AI roleplays, your speech is transcribed to text for processing and feedback. The audio itself is processed transiently and deleted immediately after transcription; we do not store learner voice recordings. Where synthesised speech is generated for roleplay, the text sent to our speech providers has learner names removed beforehand.

Automatically collected data (website and platform):

  • Log and device data: when you access our website or platform, we automatically collect your IP address, browser type, operating system, device identifiers, settings, and the date/time of your visit.
  • Usage data: information about how you interact with our website and platform, such as pages visited, features used, and session duration.
  • Cookies and tracking technologies: we use cookies and similar technologies on our website (lingly.ai uses Google Analytics) to operate the site, understand how visitors use it, and for marketing. We use product analytics on app.lingly.ai (PostHog) to understand usage and improve the service. You can manage cookie preferences through your browser settings and our website’s cookie consent tool.

3. How we use your information

We use the information we collect for purposes including: providing and maintaining the Services; personalising language training; improving the Services (analysing usage, diagnosing issues, developing features); communication (service updates, support, and marketing with consent); reporting to employers (as per contractual agreements, often aggregated/anonymised); security and fraud prevention; and legal compliance.

We rely on the following legal bases:

  • Contractual necessity: to provide the core Services under our agreement with your employer.
  • Legitimate interests: for service improvement, personalisation, security, and analytics, ensuring these do not override your rights.
  • Consent: for marketing emails and non-essential cookies.
  • Legal obligation: to comply with legal duties.

5. How we share your information

We do not sell your personal data. We may share it with:

Service providers (sub-processors). Third parties assisting with our operations. The current personal-data sub-processors are:

  • Cloud infrastructure: DigitalOcean (hosting and database, UK region); Vercel (frontend hosting)
  • AI processing: OpenAI, Anthropic, and Google (Gemini) — large language models
  • Email: ZeptoMail (transactional email, EU)
  • Product analytics: PostHog (EU Cloud)
  • Logging and monitoring: BetterStack (production logging, EU); Slack (internal error alerting)

These providers are contractually obligated to protect data and process it only for the purposes we specify. A current list is maintained in our Record of Processing Activities (lingly.ai/policies/ropa), which also lists infrastructure providers that process no personal data (text-to-speech and translation on fixed or de-identified content, and storage of non-personal assets).

Employers (our Customers). Training platform progress reports (individual progress where contractually agreed, otherwise aggregated/anonymised) may be shared with the employer providing your access.

Legal requirements. When required by law or to protect rights and safety.

Business transfers. In the case of a merger, acquisition, or asset sale.

6. AI data processing and aggregation

a. Third-party processing

To provide AI-powered features, we process your data using third-party AI providers (OpenAI, Anthropic, and Google Gemini). We configure these services so that your data is not used to train their AI models. Where an approved zero-data-retention or equivalent configuration is available, we route requests only through covered projects and eligible endpoints. Some provider safety, policy-enforcement, abuse-monitoring, or non-covered features may still involve limited retention under the provider’s terms; we do not use features that would require longer retention for learner content unless this policy is updated. Speech synthesis providers receive only de-identified text (learner names removed), subject to the relevant provider configuration and endpoint limits, and do not use it to train their models.

b. Internal improvement

We generate anonymised, aggregated insights from use of the Services (“Learning Insights”) — for example learning patterns, content-effectiveness metrics, and usage analytics — processed so that they cannot reasonably be used to identify any individual Authorised User or Customer. Learning Insights are not personal data under the UK GDPR. Under our agreement with the Customer, Lingly is licensed to use Learning Insights to operate and improve the Services, develop new features, improve our internal tools (for example grammar-correction accuracy), and for research and benchmarking. This internal use of anonymised data is separate from third-party AI processing: our external AI providers do not train on your data.

7. Data security

We implement technical and organisational measures including encryption at rest (AES-256) and in transit (TLS 1.2+), access controls, multi-factor authentication, and least-privilege access to protect your data. No system is completely secure, but we work to protect your data in line with recognised standards and our Cyber Essentials certification.

8. Data retention

We retain personal data only as long as necessary for the purposes described in this policy, to provide our Services, or as required by law. Learner audio is deleted immediately after processing. For detailed timeframes by data category, see our Data Retention Policy.

You can request deletion of your data at any time by contacting support@lingly.ai. Data may be deleted earlier than our standard retention periods if you exercise your right to erasure or if our processing becomes unlawful.

9. Your data protection rights (UK GDPR)

Under UK GDPR you have the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consent for marketing.

To exercise these rights, contact support@lingly.ai. As your employer is the Data Controller for learner data, you may also need to contact them directly for certain requests. You also have the right to complain to the Information Commissioner’s Office (ICO).

10. Children’s privacy

Our Services are not intended for or directed at individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we learn we have collected such data, we will delete it promptly.

11. International data transfers and locations

We prioritise data sovereignty. Our primary databases and hosting infrastructure are located within the United Kingdom and the EEA. Email (ZeptoMail), product analytics (PostHog), and production logging (BetterStack) are processed within the EU/EEA.

Some specialised services process data outside the UK/EEA:

  • OpenAI, Anthropic, and Google (Gemini) — AI processing: processed in the United States under approved zero-data-retention or equivalent configurations for covered projects and eligible endpoints, with no model training. Some provider safety, policy-enforcement, abuse-monitoring, or non-covered features may involve limited retention under the provider’s terms. Transfers safeguarded by the UK Addendum to EU Standard Contractual Clauses.
  • ElevenLabs — speech synthesis: United States. Receives de-identified text only (learner names removed). Not used for model training. Transfers safeguarded by Standard Contractual Clauses.
  • Stripe — payment processing (Customer administrators only): United States. Transfers safeguarded by Standard Contractual Clauses.
  • Slack — internal error alerting: United States. Transfers safeguarded by Standard Contractual Clauses.

For all international transfers, we ensure appropriate safeguards are in place so that your data receives protection equivalent to UK GDPR standards.

Our Services may link to third-party websites or services. We are not responsible for their privacy practices. Please review their privacy policies before providing any personal information.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Significant changes will be notified via our website and/or email to registered users. Your continued use of the Services after changes become effective constitutes acceptance of the updated policy.

14. Contact us

Email: support@lingly.ai Data Protection Officer: harry@lingly.ai Company: Lingly Limited Address: International House, 36-38 Cornhill, London, EC3V 3NG, United Kingdom