How Langoo collects, uses, stores, shares and protects your personal data, in accordance with the GDPR, the French Data Protection Act and Apple App Store requirements.
Langoo Privacy
This policy describes the actual processing carried out by Langoo: Firebase authentication, Firestore storage, Render backend processing, AI features through OpenAI, Apple billing and e-mail support. It applies to every user aged 13 or over (see section 11).
Version 2026.04.22GDPRCNILAges 13+iOS App Store
1. Data controller and scope of this policy
Identification of the data controller within the meaning of article 4(7) GDPR and scope of application.
Data controllerThe controller of personal data collected through the Langoo app is the publisher of the app, reachable via the contact e-mail address indicated in the Settings section of the app as well as on Langoo's official App Store listing. Apple acts as a separate, independent controller for payment, billing and Apple ID data that transits through its infrastructure.
ScopeThis policy applies to all personal data processed in connection with the Langoo app: account creation and management, authentication, profile, learning activity, written and oral exercises, AI interactions, subscription, user support and technical maintenance.
Relationship with the TermsThis policy must be read together with the Langoo Terms of Use. Accepting the Terms and this policy is mandatory in order to create an account and use the app.
Applicable textsProcessing complies with Regulation (EU) 2016/679 (GDPR), French Act No. 78-17 of 6 January 1978 as amended (French Data Protection Act), CNIL guidelines, and the transparency requirements imposed by Apple's App Store (App Privacy).
2. Categories of personal data collected
Langoo applies the minimisation principle (article 5.1.c GDPR) and only collects data strictly necessary for the operation of the service.
Identification and account dataE-mail address, Firebase authentication identifiers, anonymised Apple identifier (Sign in with Apple), Firebase UID, first name entered by the user, declared age, chosen native language, account creation date, subscription status.
Voice and text dataVoice recordings produced during oral exercises, speech-recognition transcripts, prompts sent to the AI, user written answers, AI-generated responses, session metadata.
Technical and security dataTemporary IP address, device type (iPhone/iPad model), iOS version, app version, session identifier, authentication logs, error logs, fraud-detection signals.
Subscription dataSubscription status (active / inactive / in trial), purchased plan (monthly / six-month / yearly), subscription date, renewal date, eligibility for the 3-day free trial. Langoo never collects your bank-card numbers: this information is managed exclusively by Apple.
Communications dataContent of e-mails exchanged with support, password-reset requests, technical notifications related to the account.
3. Sources of data
Origin of the personal data processed by Langoo.
Data provided directly by the userInformation entered during sign-up, profile completion, exercises, AI interactions and support exchanges.
Data generated by useProgress, scores, history, session logs, automatically generated by the app during normal use.
Data received from third partiesApple transmits an anonymised identifier to Langoo and, if the user accepts, their first name and relay e-mail address when using Sign in with Apple. Firebase transmits authentication identifiers. Technical providers never communicate bank-card information.
4. Purposes and legal bases of processing
Each processing activity relies on an identified legal basis (article 6 GDPR) and pursues a specific purpose.
Performance of the contract (article 6.1.b GDPR)Account creation, authentication, delivery of the learning service, subscription management, provision of AI and voice features, delivery of corrections, preservation of progress, sending of service e-mails (password reset, sign-up confirmation, subscription notifications).
Legitimate interest (article 6.1.f GDPR)App security, fraud prevention, abuse detection, moderation of inappropriate content, debugging, maintenance, service improvement, defence of Langoo's rights in the event of a dispute. These interests have been balanced against users' rights; they do not override fundamental freedoms.
Consent (article 6.1.a GDPR)Microphone access for voice exercises (consent collected via the iOS system dialog), explicit acceptance of the Terms and this policy at sign-up via the dedicated checkbox.
Legal obligation (article 6.1.c GDPR)Retention of certain data to meet accounting and tax requirements, judicial requests, consumer-law requirements (withdrawal period, proof of acceptance of the Terms) and any other obligation imposed by French or European legislation.
5. Recipients and subprocessors
Exhaustive list of the categories of recipients of the data. Langoo never sells your personal data.
Apple Inc.Processes, as an independent controller, payments, billing information, subscription management through the App Store and Sign in with Apple data. Subject to Apple's privacy policy (privacy.apple.com).
Google / Firebase (subprocessor)Provides authentication (Firebase Authentication) and database storage (Cloud Firestore). Google acts as a Langoo subprocessor, with Standard Contractual Clauses for transfers outside the EU. Subject to the Firebase Data Processing Addendum.
Render, Inc. (subprocessor)Hosts Langoo's backend (relay of AI requests, server-side processing of exercises). Data transits in encrypted form (HTTPS/TLS). A DPA is signed with Render.
OpenAI (subprocessor)Processes the text prompts, speech transcripts and pedagogical context needed to generate AI corrections and dialogues. OpenAI applies its API retention policy (currently up to 30 days for abuse monitoring, with no use for training by default on paid APIs). Langoo has no control over future changes to OpenAI's policy and invites users to consult openai.com/policies.
Other recipientsData may be communicated to legal counsel, accountants, auditors, insurers, administrative or judicial authorities in the event of a legal request, and to a potential successor in the event of a transfer or restructuring of Langoo, subject to compliance with the GDPR.
No sale of dataLangoo does not sell, rent or monetise in any manner its users' personal data to advertisers, data brokers, advertising networks or commercial third parties.
6. International data transfers
Some data may be transferred outside the European Economic Area (EEA).
Processing countriesThe servers of Firebase, Render and OpenAI may be located in the United States or in other countries outside the EEA. Transfers comply with chapters IV and V of the GDPR.
Appropriate safeguardsFor each transfer outside the EEA, Langoo relies on the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914), or on any equivalent recognised mechanism (adequacy decisions, EU-US Data Privacy Framework where applicable).
Right to informationYou may request a copy of the safeguards in place by writing to the contact address indicated in section 15 of this policy.
7. Retention periods
Data is only retained for as long as strictly necessary for the purposes pursued (article 5.1.e GDPR).
Active account dataRetained for the entire lifetime of the account, i.e. until deletion by the user or prolonged inactivity exceeding 3 years.
Learning activity dataProgress, XP, exercise history: retained for the duration of the account, then deleted within 90 days after closure.
Voice recordings and transcriptsVoice recordings are processed ephemerally to deliver the correction and are not kept beyond the session, unless the playback feature is enabled; in that case, they are deleted within 30 days.
Subscription dataRetained for 10 years after the end of the subscription, in accordance with accounting obligations (article L.123-22 of the French Commercial Code).
Security logsRetained for up to 12 months in accordance with CNIL recommendations, except in the event of a documented security incident.
Proof of acceptance of the TermsRetained for 5 years after the end of the contract to address potential disputes (general limitation period, article 2224 of the French Civil Code).
Backup copiesDeleted data may temporarily reside in encrypted backups for a maximum of 90 days before being definitively overwritten.
8. Data security
Langoo implements appropriate technical and organisational measures (article 32 GDPR).
Technical measuresEncryption of communications in HTTPS/TLS 1.2+, encrypted storage at rest with subprocessors Firebase and Render, strong Firebase authentication, environment separation, secrets management through encrypted environment variables.
Organisational measuresAccess to data limited to what is strictly necessary (least-privilege principle), logging of administrator access, automatic deletion of expired data, incident-response procedure.
Data breachIn the event of a breach presenting a risk to the rights and freedoms of users, Langoo notifies the CNIL within 72 hours (article 33 GDPR) and, if the risk is high, individually informs the users concerned (article 34 GDPR).
LimitsNo system offers absolute security. The user undertakes to protect their own credentials, not to share them and to use a strong password. Langoo cannot be held liable for fraudulent access resulting from user negligence.
9. User rights (GDPR)
You have extensive rights over your personal data (articles 15 to 22 GDPR).
Right of access (article 15)You may obtain confirmation that data about you is being processed, and receive a copy of it in a structured format.
Right to rectification (article 16)You may correct any inaccurate or incomplete data concerning you, directly in the app (profile) or through a support request.
Right to erasure (article 17)Also known as the "right to be forgotten". You may request deletion of your data, subject to legal exceptions (accounting obligations, ongoing disputes, security).
Right to restriction (article 18)You may request temporary suspension of processing in case of contested accuracy or unlawful processing.
Right to portability (article 20)You may receive your data in a structured, commonly used and machine-readable format, in order to transmit it to another controller.
Right to object (article 21)You may object to processing based on legitimate interest on grounds relating to your particular situation.
Right to withdraw consentWhere processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. Example: revocation of microphone access through iOS Settings.
Post-mortem directives (French Data Protection Act, art. 85)You may set directives relating to the fate of your data after your death.
10. Exercising rights and complaints
Concrete procedure to enforce your rights vis-à-vis Langoo and the CNIL.
How to exercise your rightsSend your request to the contact e-mail address indicated in the Settings > Support section of the app, specifying your account identifier and the nature of your request.
Response timeLangoo responds within one month from receipt of the request, extendable by two months in the event of complexity (article 12.3 GDPR).
Identity verificationTo prevent impersonation, Langoo may request additional elements of identity verification before acting on the request.
Complaint to the CNILIf, after contacting us, you consider that your rights are not being respected, you may lodge a complaint with the French Data Protection Authority (CNIL): 3 place de Fontenoy, 75007 Paris, www.cnil.fr.
11. Minors and child protection
Specific provisions applicable to minor users.
Minimum ageLangoo is reserved for persons aged at least 13, in accordance with article 45 of the amended French Data Protection Act (digital age of consent in France).
Between 13 and 15 years oldFor minors under 15, consent must be given jointly by the minor and the holder of parental authority (article 45 cited above). By signing up, the user certifies that they are either over 15 or have obtained the authorisation of their legal representative.
No targeting of under-13sThe app is neither designed nor marketed for children under 13. Any suspicion of an account opened in breach of this rule will result in suspension and deletion of data, in accordance with article 8 GDPR.
No biometric processingVoice recordings are used exclusively for pedagogical analysis and linguistic correction. They do not constitute biometric processing within the meaning of article 9 GDPR and are not used for the purpose of uniquely identifying a person.
12. Artificial intelligence and automated processing
Transparency on the role of AI in Langoo (article 22 GDPR).
Role of AIAI (in particular OpenAI) is used to generate corrections, dialogues, translations, grammatical explanations and learning scenarios adapted to the user's level.
No solely automated decisions with legal effectNo decision producing legal effects or significant effects (article 22 GDPR) is taken solely on the basis of automated processing by Langoo. Decisions to moderate, suspend or refund always involve human intervention.
Limits of AI modelsContent generated by AI may include errors, linguistic inaccuracies or biases. Langoo does not guarantee the absolute accuracy of corrections and invites users to exercise their critical thinking.
No training on user dataLangoo configures its API calls to OpenAI so as not to allow the use of user prompts for model training, to the extent that this option is offered by the provider. Langoo endeavours to maintain this configuration but cannot guarantee future changes to the provider's policies.
13. Marketing, cookies and technical identifiers
No targeted advertising and no commercial trackers within Langoo.
No targeted advertisingLangoo serves no advertising, sells no data to advertisers and takes part in no cross-app behavioural advertising programme (ATT - App Tracking Transparency: Langoo does not request tracking authorisation because it has no use for it).
Technical identifiersOnly identifiers strictly necessary for operation (Firebase identifier, session token) are used. No advertising identifier (IDFA) is collected.
Service e-mailsLangoo may send transactional e-mails (sign-up confirmation, password reset, security alerts, subscription notifications, important changes to the Terms or to this policy). These e-mails are not marketing communications and therefore cannot be unsubscribed from without cancelling the account.
14. Policy changes
Update procedure and notification of users.
VersionsThis policy is time-stamped (version 2026.04.22). In the event of a material modification, the user will be notified on opening the app and invited to accept the new version via a checkbox before being able to continue using the service.
Minor changesMinor corrections (typos, rewordings without impact on processing) may be made without specific notification. The update date of the version in force is always displayed at the top of this page.
ArchivingLangoo keeps a history of successive versions of the policy in order to establish which version was in force at a given time, for evidentiary purposes.
15. Contact and support
Channels for any question relating to data protection.
Contact e-mail addressAny question, rights-exercise request or complaint must be sent via the e-mail address indicated in the Settings > Support section of the app, or on Langoo's official App Store listing.
Data Protection OfficerLangoo is not required to appoint a DPO to date (no large-scale processing of sensitive data within the meaning of article 37 GDPR). This situation may evolve as the app grows; where applicable, the DPO's name and contact details will be published in this section.
Supervisory authorityFrench Data Protection Authority (CNIL) - 3 place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07 - Tel.: +33 (0)1 53 73 22 22 - www.cnil.fr.