Laleo Language Limited - Privacy Policy
Last Updated: 6 February 2026
1. Introduction
This Privacy Policy explains how Laleo Language Limited ("Laleo", "we", "us", or "our") collects, uses, and protects your personal information when you use our language learning platform (the "Service").
Laleo Language Limited is a company registered in England and Wales. We are the data controller for your personal information.
Contact for privacy matters:
Email: [email protected]
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
After log-in you can provide a screen name by which the system will refer to you.
2.2 Study Data
To provide personalised content recommendations, we collect and process:
- Viewlogs: Records of which texts you have read, when, and how many times
This data is essential to how the Service works. Our algorithm uses your reading history to calculate your familiarity with vocabulary and grammar, and to recommend texts at an appropriate difficulty level.
2.3 Technical Data
We automatically collect:
- IP address
- Browser type and version
- Device information
- Pages visited and features used
- Date and time of access
2.4 Payment Information
We do not collect or store your payment card details. All payment processing is handled by Paddle.com Market Limited ("Paddle"), who acts as the Merchant of Record. Paddle's privacy policy governs their handling of your payment information.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing the Service | Account info, study data | Contract performance |
| Personalised recommendations | Study data (viewlogs) | Contract performance |
| Account authentication | Account info, technical data | Contract performance |
| Transactional emails | Email address | Contract performance |
| Service improvement | Aggregated/anonymised usage data | Legitimate interests |
| Security and fraud prevention | Technical data | Legitimate interests |
| Marketing communications | Email address | Consent (opt-in only) |
4. Data Sharing and Third Parties
We share your data only with service providers necessary to operate the Service:
| Provider | Purpose | Location | Data Shared |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting | Germany | All service data |
| Cloudflare, Inc. | CDN, proxy, backups (R2) | Global edge; metadata in US + EU; R2 in EU | IP addresses, request headers, backups |
| Paddle.com Market Ltd | Payment processing | United Kingdom | Payment and billing info |
| Postmark (ActiveCampaign) | Transactional email | United States | Email address, email content |
| Formbricks | User surveys (opt-in) | See Formbricks privacy policy | Survey responses, browser metadata |
Formbricks: We occasionally link to optional surveys powered by Formbricks. These surveys are entirely voluntary; Formbricks only receives data if you choose to visit a survey page.
We do not sell your personal information to third parties.
5. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA) and United Kingdom.
Cloudflare (United States and global): Cloudflare proxies all HTTP traffic to the Service. Edge processing occurs at the nearest Cloudflare data centre worldwide; request metadata (including IP addresses) is processed in Cloudflare's US and EU data centres for a limited period. Database backups stored in Cloudflare R2 remain in EU (Western Europe). These transfers are protected by:
- Cloudflare's certification under the EU-U.S. Data Privacy Framework, Swiss-U.S. DPF, and UK extension
- EU Standard Contractual Clauses (SCCs) incorporated in Cloudflare's Data Processing Addendum as a fallback
- Cloudflare's Data Processing Addendum (incorporated into their Self-Serve Subscription Agreement)
Postmark (United States): Transactional emails are sent via Postmark, which processes data in the United States. This transfer is protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Postmark's Data Processing Agreement
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion, plus 30 days |
| Study data (viewlogs) | Until account deletion, plus 30 days |
| Technical logs | 90 days |
| Backup data | Deleted within 30 days of account deletion |
After you request account deletion, we will delete or anonymise your personal data within 30 days, unless we are legally required to retain it.
7. Your Rights
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Data portability: Receive your data in a portable format
- Restriction: Request we limit how we use your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw at any time
To exercise any of these rights, contact us at [email protected].
We will respond to your request within one month. If your request is complex, we may extend this by a further two months, but we will inform you of any delay.
8. Data Portability
You may request an export of your study data at any time. We provide exports in the following formats:
- CSV (comma-separated values)
- SQLite database file
To request an export, contact us at [email protected].
9. Account Deletion
To delete your account and all associated data:
- Contact us at [email protected]
- We will verify your identity
- Your account and data will be deleted within 30 days
- Backups containing your data will be purged within 30 days of deletion
If you have an active subscription, please cancel it before requesting deletion. Any refund due will be processed in accordance with our Terms of Service.
10. Cookies
We use only essential cookies required for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Keep you logged in | Up to 1 year |
| Flash cookie | One-time status messages | 60 seconds |
We do not use:
- Advertising or tracking cookies
- Third-party analytics cookies
- Social media cookies
Because we use only essential cookies, we do not require cookie consent under UK GDPR.
11. Marketing Communications
We maintain a separate mailing list for promotional communications about Laleo. This list is:
- Opt-in only: You will only receive marketing emails if you explicitly subscribe
- Easy to unsubscribe: Every email includes an unsubscribe link
- Separate from your account: You can use the Service without subscribing to marketing emails
Transactional emails (password resets, subscription confirmations, study reminders, etc.) are not marketing and will be sent regardless of your marketing preferences.
12. Children's Privacy
The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from someone under 18, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Email (to the address associated with your account)
- Notice on the Service
We will provide at least 30 days' notice before material changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Complaints
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: https://ico.org.uk
We would appreciate the opportunity to address your concerns directly first - please contact us at [email protected].
15. Contact Us
For any questions about this Privacy Policy or our data practices: