Privacy Policy

1. Overview & Scope#

This Privacy Policy ("Policy") describes how Lengio ("Lengio", "we", "us", or "our") processes information when you use the Lengio mobile application (the "App") or visit the Lengio website at lengio.app (the "Site"), collectively the "Services".

This Policy applies to all users of the Services worldwide, with additional disclosures for residents of specific regions (see Region-Specific Disclosures). It does not apply to third-party services you reach through links inside the Services — those are governed by their own privacy policies.

By using the Services you confirm you have read and understood this Policy. If you do not agree, please do not use the Services.

2. Who We Are (Data Controller)#

For the purposes of EU/UK General Data Protection Regulation, similar laws, and CCPA/CPRA, the data controller (or "business") responsible for the limited information we process is Lengio. You can reach us at support@lengio.app for any privacy-related question, request, or complaint.

We have not appointed a statutory data protection officer because our processing does not require one, but the contact above is monitored by a person with responsibility for privacy matters.

3. Key Definitions#

• Personal information — any information that identifies, relates to, describes, or could reasonably be linked with an identified or identifiable person.
• Processing — any operation performed on personal information, including collection, storage, use, disclosure, and deletion.
• On-device data — information that is created, stored, and used only on your device's local storage and never transmitted to our servers.
• Service providers / sub-processors — companies that process information on our behalf under contract (e.g. our website host).

4. Information We Collect#

We have intentionally designed Lengio to collect as little personal information as possible. The categories below describe everything we receive.

4.1 Information you provide directly

• Support correspondence — if you email support@lengio.app, we receive your email address, message content, and any attachments you choose to send (e.g. screenshots, device model). Used only to respond and improve the App.
• Feedback — opinions, feature suggestions, or bug reports you voluntarily share.

4.2 Information collected automatically (limited)

• Server log data (Site & language-pack downloads) — when you visit lengio.app or download an optional language pack, our hosting/CDN providers receive standard request data: IP address, user-agent string, requested URL, HTTP status, and timestamp. We use this only for delivery, security, and aggregate traffic statistics.
• Crash diagnostics (only if you opted in with Apple) — if you have enabled Share with App Developers under Settings → Privacy & Security → Analytics & Improvements on your iOS device, Apple may share de-identified crash reports with us. You can disable this at any time in iOS.
• Transaction confirmations — when you make an in-app purchase, Apple confirms the purchase to the App so we can unlock content. We do not receive your name, payment card details, or billing address.

4.3 AI Speech Partner (optional feature)

If you choose to use the AI Speech Partner, the App will, only while the feature is active, capture audio from your device microphone, transcribe what you said, and send your transcript to our AI provider so it can generate a tutor reply. The reply is streamed back to your device.

• Audio is processed in memory and is not stored on our servers or used to train any model.
• Conversation transcripts may be retained for a short period for abuse-prevention and quality-assurance purposes and are then deleted.
• You can revoke microphone access at any time in iOS Settings → Privacy & Security → Microphone → Lengio. Without microphone access the AI Speech Partner cannot function, but the rest of the App continues to work.

4.4 Information we do not collect

• Advertising identifiers (IDFA) or other cross-app tracking signals.
• Contacts, calendar entries, health data, financial data, biometric data, or precise location.
• Camera images other than photos you explicitly choose from your Photos library.
• Microphone audio outside of an active AI Speech Partner session.
• Behavioural analytics for advertising or user profiling.
• Inferences about your demographics, interests, or political views.

5. Information Stored Locally on Your Device#

The following information lives on your device only and is never transmitted to us. iOS encryption and sandboxing apply.

• Words you have studied, bookmarked, marked as known, or completed.
• Personal photos you attach to vocabulary entries (selected from your Photos library; see Sensitive Information).
• Your chosen learning language(s) and native language.
• Daily goal, streak count, and study statistics.
• Notification and reminder preferences.
• App language and onboarding state.
• Cached language-pack content you have downloaded.

If you have iCloud Backup enabled at the iOS level, this data may be included in your encrypted iCloud backup managed by Apple. Lengio does not have its own server-side sync; we cannot read your iCloud backup.

6. How We Use Information#

The limited information we collect is used for the following purposes only:

• To provide the Services — deliver the website and download language packs.
• To respond to you — answer your support emails, feature requests, and feedback.
• To improve reliability — investigate de-identified crash reports if you opted in.
• To fulfil purchases — unlock paid content based on Apple's transaction confirmations.
• To meet legal obligations — comply with applicable laws and respond to lawful requests.
• To protect rights and safety — detect, prevent, and address fraud, abuse, or security incidents.

We do not use your information for advertising, profiling, automated decision-making with legal effects, or to train external machine-learning models.

7. Legal Bases for Processing#

If you are in the European Economic Area, United Kingdom, Switzerland, or any region with similar law, we rely on these legal bases under Article 6 GDPR (or its local equivalent):

• Performance of a contract (Art. 6(1)(b)) — providing the Services and processing your purchases.
• Legitimate interests (Art. 6(1)(f)) — keeping the Services secure, debugging, and basic server logs. Balanced against your rights.
• Consent (Art. 6(1)(a)) — for optional crash diagnostics that you enable through your iOS Privacy settings, and for replies to your unsolicited email.
• Legal obligation (Art. 6(1)(c)) — where applicable law requires us to retain or disclose information.

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

8. How We Share Information#

We do not sell or rent personal information. We do not share information with advertisers. We share information only with the parties below, and only as needed to operate the Services or comply with law:

• Service providers / sub-processors — hosting, content delivery, and email infrastructure. Contractually bound to confidentiality and to process information only on our instructions.
• Apple Inc. — App Store distribution, in-app purchases, push notification routing, optional crash diagnostics. Apple's processing is governed by Apple's own privacy policy.
• Professional advisers — lawyers, accountants, and insurers where confidentiality applies.
• Legal & safety — if required by law, court order, or to investigate fraud or threats to safety. We will challenge overbroad requests where appropriate.
• Corporate transactions — if Lengio is acquired, merged, or undergoes a similar transaction, information may be transferred subject to confidentiality and to this Policy or one materially similar.

9. Third-Party Services#

The Services rely on the third parties below. We disclose them so you can review their practices independently:

• Apple Inc. — App Store distribution, payment processing, push notifications, optional analytics. apple.com/legal/privacy
• AI speech provider — Used only when you actively use the AI Speech Partner, to transcribe your speech and generate the tutor's reply. Audio and transcripts are processed under a data-processing agreement that prohibits use of your content to train the provider's models. The specific provider may change over time as the underlying models evolve.
• Cloudflare Inc. — Website hosting and content delivery network. cloudflare.com/privacypolicy
• flagcdn.com — Country-flag imagery used on the marketing website (no user data sent).

We integrate no third-party advertising SDKs, behavioural analytics SDKs, marketing pixels, or session-replay tools inside the App.

10. Cookies & Similar Technologies#

The Site is a static website that does not set marketing or analytics cookies. Your browser may use functional storage (e.g. cache) as part of normal operation. The App does not use web cookies because it is a native iOS application.

Our hosting provider may set short-lived security cookies (e.g. to mitigate denial-of-service attacks). These are strictly necessary and exempt from consent under the ePrivacy framework.

11. Data Retention#

• On-device data — retained until you delete it from the App or uninstall Lengio.
• Support emails — retained for up to 24 months from your last interaction, then deleted or anonymised, unless we are required to retain them longer for legal or accounting purposes.
• Server logs — retained for up to 30 days for security and operational purposes, then deleted or aggregated.
• Crash reports — retained for up to 12 months in aggregate form.
• Transaction records — retained as required by tax and consumer-protection law in our operating jurisdiction (typically 7 years).

12. Data Security#

We use technical and organisational measures appropriate to the nature of the data we process. These include:

• HTTPS/TLS encryption for all traffic to lengio.app and language-pack downloads.
• iOS application sandboxing and at-rest encryption for on-device data.
• Access controls and the principle of least privilege for our internal systems.
• Routine review of third-party providers' security posture.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security. If we discover a breach affecting personal information we will notify you and any regulator as required by law.

13. International Data Transfers#

Lengio operates internationally. When you contact us by email, or when our service providers process server logs, your information may be transferred to and processed in countries outside your country of residence, including jurisdictions that may not provide the same level of data-protection law as your own.

Where required, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and adequacy decisions. A copy of the safeguards used is available on request from support@lengio.app.

14. Your Privacy Rights#

Subject to local law, you may have the following rights regarding your personal information. Because most data stays on your device, you can exercise many of these yourself directly inside the App.

• Access — request a copy of personal information we hold about you.
• Rectification / correction — ask us to correct inaccurate information.
• Erasure ("right to be forgotten") — ask us to delete information we hold about you.
• Restriction — ask us to limit how we use your information in certain circumstances.
• Objection — object to processing based on legitimate interests.
• Portability — receive your information in a structured, machine-readable format.
• Withdraw consent — where processing is based on consent, at any time.
• Complain to a supervisory authority — in your jurisdiction (e.g. ICO in the UK, your national DPA in the EU).
• Non-discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercised a privacy right.

To make a request, email support@lengio.app with the subject line "Privacy Request". We may need to verify your identity (for example, by replying from the email address you used when contacting us) before responding. We will respond within the statutory time frame applicable to you (typically 30 days, extendable as permitted by law).

15. Region-Specific Disclosures#

15.1 California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you specific rights. The categories of personal information we have collected in the past 12 months are: identifiers (email when you contact us), internet activity information (server logs), and limited commercial information (purchase confirmations from Apple). We have not collected sensitive personal information as defined by CPRA in the past 12 months.

We have not sold or shared personal information for cross-context behavioural advertising in the past 12 months and have no intention to do so. We do not use or disclose sensitive personal information for purposes that would require us to offer a "Limit the Use of My Sensitive Personal Information" link.

You may exercise California rights — to know, delete, correct, opt out of sale/share, and not be retaliated against — by emailing support@lengio.app. An authorised agent may make a request on your behalf with written authorisation.

Shine the Light. California Civil Code § 1798.83 permits California residents to request information about disclosure of certain categories of personal information to third parties for direct-marketing purposes. We do not disclose information for such purposes.

15.2 European Economic Area, United Kingdom & Switzerland

The legal bases on which we process personal information are described in Section 7. You have the GDPR rights described in Section 14. You also have the right to lodge a complaint with your local supervisory authority. We are not currently required to appoint an EU/UK representative under Article 27 GDPR; if this changes we will list the representative here.

15.3 Brazil (LGPD)

Brazilian users have rights equivalent to those described in Section 14 under Lei Geral de Proteção de Dados. Email support@lengio.app to exercise them.

15.4 Other US States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), New Jersey (NJDPA), Delaware (DPDPA), New Hampshire (NHDPA), and other states with consumer-privacy laws have rights of access, deletion, correction, portability, and opt-out of targeted advertising or sale. We do not engage in targeted advertising or the sale of personal information. To exercise other rights, email support@lengio.app.

15.5 Australia, Canada & other jurisdictions

Where local law gives you additional rights — for example the Australian Privacy Principles or Canadian PIPEDA — we will honour them. Contact us for specifics.

16. Children's Privacy#

The Services are not directed to children under the age of 13 (or the equivalent minimum age in your jurisdiction — 14 in Spain, 15 in the Czech Republic and France, 16 in Germany and the Netherlands, and similar national variants under GDPR Article 8). We do not knowingly collect personal information from children below those ages.

Lengio is rated 4+ on the App Store and contains no objectionable content, but parents are responsible for supervising their child's use. If you believe a child has provided us with personal information, please email support@lengio.app and we will delete it promptly.

17. Sensitive Information#

Lengio lets you attach personal photos to vocabulary entries. These photos remain on your device. We have no access to them and they are not transmitted to our servers. If you choose to share screenshots with our support team, the images become part of your support correspondence and are governed by this Policy.

We strongly discourage including sensitive personal information (e.g. images of identification documents, payment cards, health records) in support correspondence. If you do, we will treat it confidentially and delete it once your support inquiry is resolved.

18. Notifications & Communications#

The App may send local notifications (e.g. daily study reminders). These are scheduled and delivered entirely on your device by iOS based on settings you control. We do not see when notifications are delivered or opened. You may disable notifications at any time in iOS Settings.

We do not send marketing emails. We will reply to support correspondence you initiate, and may send transactional emails strictly necessary to resolve an inquiry.

19. Do Not Track & Global Privacy Control#

Because the Site does not perform user tracking, Do-Not-Track signals (DNT) and Global Privacy Control (GPC) have no behavioural effect. We honour these signals where they are legally required by treating them as a valid opt-out of any future sale or share of personal information.

20. Changes to This Policy#

We may update this Policy from time to time to reflect changes to our practices, technology, legal requirements, or for other operational reasons. The "Last updated" date at the top of the page indicates the most recent revision.

For material changes that affect your rights, we will provide additional notice — for example, an in-app message, a prominent notice on this page, or an email to known support contacts — before the change takes effect. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.

21. How to Contact Us#

For any privacy question, request, or complaint, please contact us:

• Email — support@lengio.app (please put "Privacy" in the subject line)
• Web — lengio.app/support

We aim to acknowledge requests within 5 business days and resolve them within 30 days, or sooner where required by law. If you are not satisfied with our response, you may contact your local data-protection supervisory authority.