Last updated: March 30, 2026
This Privacy Policy describes how Lexora Languages ("Lexora," "we," "us," or "our") collects, uses, and protects your personal information when you use our Service at lexoralanguages.com. We are the data controller responsible for your personal data. Our registered address is 251 Main Street, Suite 300, Boston, Massachusetts 02129, United States. For any data protection inquiries, you can reach us at privacy@lexoralanguages.com.
EU/UK Representative: In accordance with Article 27 of the GDPR and UK GDPR, we have appointed a representative in the European Union for data protection matters. Our EU representative is Lexora EU Representative Services, and can be contacted at eu-representative@lexoralanguages.com. A physical mailing address for the representative is available upon request.
When you create an account, we collect your name and email address through our authentication provider, Clerk. If you sign up using a social login (e.g., Google), we receive basic profile information from that provider.
As you use the Service, we collect data related to your learning activity, including your selected languages, lesson progress, vocabulary reviews, and preferences. This data is used to personalize your learning experience.
Payment details (such as credit card numbers) are collected and processed directly by Stripe, our payment processor. We do not store your full payment card information on our servers. We receive from Stripe limited billing information such as the last four digits of your card, billing email, and subscription status.
We automatically collect certain information when you access the Service, including your IP address, browser type, device information, pages visited, and the dates and times of your visits.
Providing your name and email address is required to create an account; without this information, you cannot use the Service. Providing payment information is required only if you wish to subscribe to a paid plan. Usage data is collected automatically as part of normal Service operation. If you are located in the EEA or UK and we process your usage data on the basis of legitimate interest, you have the right to object to this processing under GDPR Article 21 (see Section 8). If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. Note that certain minimal usage data collection (such as security logs) is necessary for the operation and security of the Service and may be retained on a separate legal basis.
We use the information we collect to:
Where required under applicable law (including the GDPR), our legal basis for each processing activity is as follows:
We use the following third-party services to operate the Service. Each provider may process your data in accordance with their own privacy policies:
We have entered into Data Processing Agreements (DPAs) with each of these service providers in accordance with GDPR Article 28, which set out the terms under which they process your data on our behalf. Copies of these agreements are available upon request by contacting us at privacy@lexoralanguages.com.
When you use the Service, portions of your learning input (such as your selected language, proficiency level, and lesson context) are sent to third-party AI providers (Anthropic and Google Cloud) to generate lesson content and audio. Important details about this processing:
In accordance with the EU AI Act (Regulation 2024/1689), we inform you that lesson text, grammar explanations, vocabulary examples, and feedback presented within the Service are generated by artificial intelligence. Audio content is synthetically generated. The AI system's accuracy may vary across different language pairs.
The Service uses AI-powered systems to assess your language proficiency and place you at an appropriate learning level (e.g., through placement quizzes). This constitutes profiling within the meaning of GDPR Article 4(4), as we automatically process your personal data (quiz responses and learning activity) to evaluate your language ability and personalize your experience. Specifically, the system evaluates your answers to placement questions to estimate your proficiency level on a scale aligned with common language frameworks (e.g., beginner, intermediate, advanced). This score determines your initial lesson difficulty and content recommendations. These assessments are used solely to personalize your learning experience and do not produce legal or similarly significant effects. You may retake any placement assessment at any time through your account settings. If you believe an automated assessment has produced an inaccurate result, you may contact us to request a manual review.
Under Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. While we do not believe our automated proficiency assessments fall within the scope of Article 22 (as they do not produce legal or similarly significant effects), we nonetheless provide the right to obtain human intervention, express your point of view, and contest any automated assessment by contacting us at support@lexoralanguages.com.
We use essential cookies required for authentication and maintaining your session. These cookies are set by our authentication provider (Clerk) and are strictly necessary for the Service to function. Specifically:
We do not use advertising, marketing, or behavioral tracking cookies. We do not use analytics cookies or session recording tools.
Do Not Track: Some browsers transmit "Do Not Track" (DNT) signals. Because there is no industry-standard interpretation of DNT signals, the Service does not currently alter its data collection or use practices in response to DNT signals. However, we do recognize and honor Global Privacy Control (GPC) signals as described in Section 8.
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
After account deletion, we will remove your personal data within 30 days, except where retention is required by law. Data contained in database backups may persist for up to 30 additional days after deletion from live systems as part of our disaster recovery process, after which it is automatically purged.
Inactive accounts: If your account has been inactive for 3 years (no login or service usage), we will send you a notice at the email address on file. If no action is taken within 30 days of that notice, we may delete your account and associated personal data in accordance with this policy.
Depending on your location, you may have specific rights under data protection laws. We are committed to honoring these rights regardless of where you reside.
If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR):
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk. EEA residents may contact their national supervisory authority; a full list is available at edpb.europa.eu.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Categories of personal information collected and disclosed: In the preceding 12 months, we have collected the following categories of personal information and disclosed them to the following service providers for the stated business purposes: identifiers (name, email address, IP address) — disclosed to Clerk for authentication and to Stripe for payment processing; commercial information (subscription plan and billing history) — disclosed to Stripe for payment processing; internet or electronic network activity (usage data, pages visited, browser type) — disclosed to Vercel for hosting and performance monitoring; and education information (learning progress, language preferences, proficiency levels) — disclosed to Anthropic and Google Cloud for AI lesson and audio generation, and stored by Neon for database hosting. These categories are collected from you directly, from your authentication provider, and automatically through your use of the Service.
Retention periods by category (CCPA/CPRA): In compliance with California Civil Code § 1798.100(a)(3), the following are our retention periods for each category of personal information: identifiers (name, email, IP address) — retained until account deletion, then deleted within 30 days; commercial information (subscription plan, billing history) — retained for up to 7 years after the last transaction for tax and legal compliance; internet or electronic network activity (usage data, pages visited) — retained for up to 12 months; and education information (learning progress, language preferences, proficiency levels) — retained until account deletion, then deleted within 30 days.
Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of written authorization from you and may require you to verify your own identity directly with us.
Global Privacy Control: We recognize and honor the Global Privacy Control (GPC) signal. If your browser or device sends a GPC signal, we will treat it as a valid opt-out request under applicable law.
Right to opt out of automated decision-making (CPRA): Under CPRA § 1798.185(a)(16), you have the right to opt out of businesses' use of automated decision-making technology. While our automated proficiency assessments are used solely to personalize your learning experience and do not produce legal or similarly significant effects, you may opt out of or contest any automated assessment by contacting us at support@lexoralanguages.com.
California "Shine the Light" (Civil Code § 1798.83): Lexora does not share personal information with third parties for their own direct marketing purposes. If our practices change, we will update this policy and provide you with the ability to opt out of such sharing.
Financial incentives: We do not offer financial incentive programs (as defined by the CCPA/CPRA) that involve the collection or sale of personal information in exchange for a price or service difference.
Right to complain: If you believe your CCPA/CPRA rights have been violated, you have the right to lodge a complaint with the California Privacy Protection Agency (CPPA) or the California Attorney General.
Residents of other U.S. states with comprehensive privacy laws — including but not limited to Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), Kentucky (KCDPA), New Hampshire (SB 255), New Jersey (SB 332), Delaware (DPDPA), Maryland (MODPA), Minnesota (MCDPA), Nebraska (NDPA), Rhode Island (RIDPA), and other states that have enacted or may enact similar legislation — may have rights comparable to those described above, such as the right to access, correct, and delete personal data, the right to data portability, and the right to opt out of targeted advertising, profiling, and the sale of personal data. Lexora does not sell personal data or engage in targeted advertising. To exercise any rights available under your state's privacy law, contact us at privacy@lexoralanguages.com. If we decline your request, you may appeal by contacting us at the same address, and we will respond within the timeframe required by your state's law. You also have the right to lodge a complaint with your state's attorney general.
To exercise any of the rights described above, contact us at privacy@lexoralanguages.com. We will respond to verifiable requests within one month for GDPR requests (extendable by two further months for complex requests, with notice to you within the first month) or 45 days for CCPA/CPRA requests (extendable by an additional 45 days with notice), or within the time period required by applicable law. To protect your privacy, we will verify your identity before processing your request. For CCPA/CPRA requests, our verification process involves matching at least two data points you provide (such as your name and the email address associated with your account) against information we already maintain. If you submit a request to access specific pieces of personal information, we may require additional verification, such as a signed declaration under penalty of perjury. If you submit a request through an authorized agent, we may require written proof of the agent's authorization and may contact you directly to confirm. For GDPR requests, we will verify your identity using your account login or by matching information you provide against our records.
The Service is not intended for anyone under the age of 18. We do not knowingly collect personal information from children. In particular, in accordance with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under the age of 13. If we become aware that we have collected data from a child under 13 (or under the applicable age of digital consent in your jurisdiction), we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@lexoralanguages.com.
We implement commercially reasonable technical and organizational measures to protect your personal data, including encrypted connections (HTTPS), secure authentication, and access controls. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
In the event of a personal data breach, we will comply with all applicable breach notification obligations:
Your data is processed in the United States by our service providers. Specifically: Clerk (authentication), Stripe (payments), Anthropic (AI lesson generation), Google Cloud (audio synthesis), Neon (database hosting), and Vercel (application hosting) all process data in the United States. When your data is transferred outside of your country of residence (including outside the EEA or UK), we ensure appropriate safeguards are in place, including:
Where data is transferred to a jurisdiction that has not been recognized as providing adequate data protection and is not covered by the DPF, we conduct transfer impact assessments and rely on the safeguards described above to ensure your data remains protected in accordance with applicable law.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect.
Where a material change affects our legal basis for processing your data or introduces new categories of data collection, and where your consent is the applicable legal basis, we will seek your affirmative consent before the changes apply to you. Where changes relate to processing based on other legal bases (such as contractual necessity or legitimate interests), you may object to the changes and terminate your account before the effective date. If you continue to use the Service after the effective date without objecting, this will constitute your acceptance of the non-consent-based changes.
If you have questions about this Privacy Policy or our data practices, please contact us at privacy@lexoralanguages.com.