Privacy Policy
Last updated: March 30, 2026
This Privacy Policy describes how Lexora Languages ("Lexora," "we," "us," or "our") collects, uses, and protects your personal information when you use our Service at lexoralanguages.com. We are the data controller responsible for your personal data. Our registered address is 251 Main Street, Suite 300, Boston, Massachusetts 02129, United States. For any data protection inquiries, you can reach us at privacy@lexoralanguages.com.
EU/UK Representative: In accordance with Article 27 of the GDPR and UK GDPR, we have appointed a representative in the European Union for data protection matters. Our EU representative is Lexora EU Representative Services, which can be contacted at eu-representative@lexoralanguages.com. A physical mailing address for the representative is available upon request.
1. Information We Collect
Account Information
When you create an account, we collect your name and email address through our authentication provider, Clerk. If you sign up using a social login (e.g., Google), we receive basic profile information from that provider.
Learning Data
As you use the Service, we collect data related to your learning activity, including your selected languages, lesson progress, vocabulary reviews, and preferences. This data is used to personalize your learning experience.
Payment Information
Payment details (such as credit card numbers) are collected and processed directly by Stripe, our payment processor. We do not store your full payment card information on our servers. We receive from Stripe limited billing information such as the last four digits of your card, billing email, and subscription status.
Usage Data
We automatically collect certain information when you access the Service, including your IP address, browser type, device information, pages visited, and the dates and times of your visits.
Whether Providing Data Is Required
Providing your name and email address is required to create an account; without this information, you cannot use the Service. Providing payment information is required only if you wish to subscribe to a paid plan. Usage data is collected automatically as part of normal Service operation. If you are located in the EEA or UK and we process your usage data on the basis of legitimate interest, you have the right to object to this processing under GDPR Article 21 (see Section 8). If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. Note that certain minimal usage data collection (such as security logs) is necessary for the operation and security of the Service and may be retained on a separate legal basis.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service (including analyzing aggregate, de-identified usage patterns to improve features and fix bugs — we do not use your personal data to train or fine-tune AI models).
- Generate personalized AI-powered lessons based on your learning preferences and progress.
- Process payments and manage your subscription.
- Communicate with you about your account, updates, and support requests.
- Monitor usage patterns to improve performance and detect abuse.
Where required under applicable law (including the GDPR), our legal basis for each processing activity is as follows:
- Providing the Service (account management, lesson delivery, payment processing) — performance of a contract (Article 6(1)(b) GDPR).
- AI-powered lesson generation and audio synthesis — performance of a contract, as these are core features of the Service you have agreed to use.
- Usage analytics and performance monitoring — our legitimate interest in analyzing aggregate usage patterns to identify and fix bugs, improve product features, and optimize performance (Article 6(1)(f) GDPR). We have assessed that this interest does not override your rights, as the data processed for this purpose is limited and does not involve sensitive information.
- Security monitoring and fraud prevention — our legitimate interest in detecting unauthorized access, preventing abuse of the Service, and protecting the security of our systems and our users' accounts (Article 6(1)(f) GDPR).
- Communicating updates and responding to support requests — performance of a contract and our legitimate interests.
- Tax and legal record retention — compliance with legal obligations (Article 6(1)(c) GDPR).
3. Third-Party Services
We use the following third-party services to operate the Service. Each provider may process your data in accordance with their own privacy policies:
- Clerk — authentication and account management. Clerk processes your email, name, and login credentials. See Clerk's Privacy Policy.
- Stripe — payment processing. Stripe processes your payment information and billing details as our data processor. Stripe also independently acts as a data controller for its own fraud prevention and analytics purposes, including setting cookies or using device fingerprinting. See Stripe's Privacy Policy.
- Anthropic (Claude API) — AI lesson generation. Text input related to your lessons (such as your target language and learning level) may be sent to Anthropic's API to generate personalized content. See Anthropic's Privacy Policy.
- Google Cloud Text-to-Speech — audio generation. Text from lessons is sent to Google's API to produce spoken audio. See Google Cloud's Privacy Notice.
- Neon — database hosting. Your account and learning data is stored in a managed PostgreSQL database hosted by Neon. See Neon's Privacy Policy.
- Vercel — application hosting and deployment. See Vercel's Privacy Policy.
We have entered into Data Processing Agreements (DPAs) with each of these service providers in accordance with GDPR Article 28, which set out the terms under which they process your data on our behalf. Copies of these agreements are available upon request by contacting us at privacy@lexoralanguages.com.
4. AI Data Processing
When you use the Service, portions of your learning input (such as your selected language, proficiency level, and lesson context) are sent to third-party AI providers (Anthropic and Google Cloud) to generate lesson content and audio. Important details about this processing:
- We do not send your personal account information (name, email, payment details) to AI providers.
- We use Anthropic's API under terms that prohibit the use of your input data for model training. Lesson input sent to Anthropic is processed for the purpose of generating a response and may be retained by Anthropic in API logs for a limited period (currently up to 7 days) for safety and abuse monitoring purposes, in accordance with Anthropic's data usage policies.
- Google Cloud Text-to-Speech processes lesson text solely to produce audio output and does not use your data for training purposes under our service agreement.
- AI providers process data in accordance with their own privacy and data retention policies, which are available on their respective websites.
In accordance with the EU AI Act (Regulation 2024/1689), we inform you that lesson text, grammar explanations, vocabulary examples, and feedback presented within the Service are generated by artificial intelligence. Audio content is synthetically generated. The AI system's accuracy may vary across different language pairs.
5. Automated Decision-Making and Profiling
The Service uses AI-powered systems to assess your language proficiency and place you at an appropriate learning level (e.g., through placement quizzes). This constitutes profiling within the meaning of GDPR Article 4(4), as we automatically process your personal data (quiz responses and learning activity) to evaluate your language ability and personalize your experience. Specifically, the system evaluates your answers to placement questions to estimate your proficiency level on a scale aligned with common language frameworks (e.g., beginner, intermediate, advanced). This score determines your initial lesson difficulty and content recommendations. These assessments are used solely to personalize your learning experience and do not produce legal or similarly significant effects. You may retake any placement assessment at any time through your account settings. If you believe an automated assessment has produced an inaccurate result, you may contact us to request a manual review.
Under Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. While we do not believe our automated proficiency assessments fall within the scope of Article 22 (as they do not produce legal or similarly significant effects), we nonetheless provide the right to obtain human intervention, express your point of view, and contest any automated assessment by contacting us at support@lexoralanguages.com.
6. Cookies and Tracking Technologies
We use essential cookies required for authentication and maintaining your session. These cookies are set by our authentication provider (Clerk) and are strictly necessary for the Service to function. Specifically:
- Authentication cookies (Clerk) — session tokens and authentication state, strictly necessary for the Service to function. Legal basis: necessary for the performance of the contract.
- Fraud prevention cookies (Stripe) — Stripe may set cookies or use device fingerprinting to detect and prevent fraudulent transactions when you access payment-related pages. These cookies are set by Stripe as an independent data controller for its fraud prevention purposes. Legal basis: Stripe's legitimate interest in preventing payment fraud. See Stripe's Cookie Policy for details.
We do not use advertising, marketing, or behavioral tracking cookies. We do not use analytics cookies or session recording tools.
Do Not Track: Some browsers transmit "Do Not Track" (DNT) signals. Because there is no industry-standard interpretation of DNT signals, the Service does not currently alter its data collection or use practices in response to DNT signals. However, we do recognize and honor Global Privacy Control (GPC) signals as described in Section 8.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data is retained until you delete your account.
- Learning progress is retained until you delete your account.
- Payment records may be retained for up to 7 years after your last transaction as required for tax and legal compliance.
- Usage logs are retained for up to 12 months for security and performance monitoring.
After account deletion, we will remove your personal data within 30 days, except where retention is required by law. Data contained in database backups may persist for up to 30 additional days after deletion from live systems as part of our disaster recovery process, after which it is automatically purged.
Inactive accounts: If your account has been inactive for 3 years (no login or service usage), we will send you a notice at the email address on file. If no action is taken within 30 days of that notice, we may delete your account and associated personal data in accordance with this policy.
8. Your Rights Under GDPR, CCPA, and Other Laws
Depending on your location, you may have specific rights under data protection laws. We are committed to honoring these rights regardless of where you reside.
European Economic Area (EEA) and United Kingdom — GDPR / UK GDPR
If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR):
- Right of access — You can request a copy of the personal data we hold about you.
- Right to rectification — You can request correction of inaccurate or incomplete personal data.
- Right to erasure — You can request deletion of your personal data, subject to legal retention obligations.
- Right to data portability — You can request a copy of data you provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and have the right to transmit that data to another controller without hindrance.
- Right to restrict processing — You can request that we limit how we use your data in certain circumstances.
- Right to object — You can object to processing based on our legitimate interests.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk. EEA residents may contact their national supervisory authority; a full list is available at edpb.europa.eu.
California — CCPA/CPRA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know — You can request details about the categories and specific pieces of personal information we have collected about you, the sources of that data, and how it is used.
- Right to delete — You can request deletion of your personal information, subject to certain exceptions.
- Right to correct — You can request correction of inaccurate personal information we hold about you.
- Right to opt out of sale or sharing — Lexora does not sell or share your personal information as defined by the CCPA/CPRA. We do not engage in cross-context behavioral advertising.
- Right to limit use of sensitive personal information — We only use sensitive personal information (such as account login credentials) as necessary to provide the Service.
- Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of personal information collected and disclosed: In the preceding 12 months, we have collected the following categories of personal information and disclosed them to the following service providers for the stated business purposes: identifiers (name, email address, IP address) — disclosed to Clerk for authentication and to Stripe for payment processing; commercial information (subscription plan and billing history) — disclosed to Stripe for payment processing; internet or electronic network activity (usage data, pages visited, browser type) — disclosed to Vercel for hosting and performance monitoring; and education information (learning progress, language preferences, proficiency levels) — disclosed to Anthropic and Google Cloud for AI lesson and audio generation, and stored by Neon for database hosting. These categories are collected from you directly, from your authentication provider, and automatically through your use of the Service.
Retention periods by category (CCPA/CPRA): In compliance with California Civil Code § 1798.100(a)(3), the following are our retention periods for each category of personal information: identifiers (name, email, IP address) — retained until account deletion, then deleted within 30 days; commercial information (subscription plan, billing history) — retained for up to 7 years after the last transaction for tax and legal compliance; internet or electronic network activity (usage data, pages visited) — retained for up to 12 months; and education information (learning progress, language preferences, proficiency levels) — retained until account deletion, then deleted within 30 days.
Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of written authorization from you and may require you to verify your own identity directly with us.
Global Privacy Control: We recognize and honor the Global Privacy Control (GPC) signal. If your browser or device sends a GPC signal, we will treat it as a valid opt-out request under applicable law.
Right to opt out of automated decision-making (CPRA): Under CPRA § 1798.185(a)(16), you have the right to opt out of businesses' use of automated decision-making technology. While our automated proficiency assessments are used solely to personalize your learning experience and do not produce legal or similarly significant effects, you may opt out of or contest any automated assessment by contacting us at support@lexoralanguages.com.
California "Shine the Light" (Civil Code § 1798.83): Lexora does not share personal information with third parties for their own direct marketing purposes. If our practices change, we will update this policy and provide you with the ability to opt out of such sharing.
Financial incentives: We do not offer financial incentive programs (as defined by the CCPA/CPRA) that involve the collection or sale of personal information in exchange for a price or service difference.
Right to complain: If you believe your CCPA/CPRA rights have been violated, you have the right to lodge a complaint with the California Privacy Protection Agency (CPPA) or the California Attorney General.
Other U.S. State Privacy Laws
Residents of other U.S. states with comprehensive privacy laws — including but not limited to Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), Kentucky (KCDPA), New Hampshire (SB 255), New Jersey (SB 332), Delaware (DPDPA), Maryland (MODPA), Minnesota (MCDPA), Nebraska (NDPA), Rhode Island (RIDPA), and other states that have enacted or may enact similar legislation — may have rights comparable to those described above, such as the right to access, correct, and delete personal data, the right to data portability, and the right to opt out of targeted advertising, profiling, and the sale of personal data. Lexora does not sell personal data or engage in targeted advertising. To exercise any rights available under your state's privacy law, contact us at privacy@lexoralanguages.com. If we decline your request, you may appeal by contacting us at the same address, and we will respond within the timeframe required by your state's law. You also have the right to lodge a complaint with your state's attorney general.
Exercising Your Rights
To exercise any of the rights described above, contact us at privacy@lexoralanguages.com. We will respond to verifiable requests within one month for GDPR requests (extendable by two further months for complex requests, with notice to you within the first month) or 45 days for CCPA/CPRA requests (extendable by an additional 45 days with notice), or within the time period required by applicable law. To protect your privacy, we will verify your identity before processing your request. For CCPA/CPRA requests, our verification process involves matching at least two data points you provide (such as your name and the email address associated with your account) against information we already maintain. If you submit a request to access specific pieces of personal information, we may require additional verification, such as a signed declaration under penalty of perjury. If you submit a request through an authorized agent, we may require written proof of the agent's authorization and may contact you directly to confirm. For GDPR requests, we will verify your identity using your account login or by matching information you provide against our records.
9. Children's Privacy
The Service is not intended for anyone under the age of 18. We do not knowingly collect personal information from children. In particular, in accordance with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under the age of 13. If we become aware that we have collected data from a child under 13 (or under the applicable age of digital consent in your jurisdiction), we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@lexoralanguages.com.
10. Data Security
We implement commercially reasonable technical and organizational measures to protect your personal data, including encrypted connections (HTTPS), secure authentication, and access controls. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
11. Data Breach Notification
In the event of a personal data breach, we will comply with all applicable breach notification obligations:
- Supervisory authority notification (GDPR Article 33) — Where required under the GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms.
- Individual notification (GDPR Article 34) — Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via the email address associated with your account. This notification will include a description of the breach, the types of data affected, the likely consequences, and the steps we are taking in response.
- Massachusetts (M.G.L. c. 93H) — As a Massachusetts-based business, we will notify the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation in the event of a breach involving Massachusetts residents' personal information, as required by state law. We maintain a written information security program (WISP) in accordance with 201 CMR 17.00.
- Other jurisdictions — We will also comply with breach notification requirements under other applicable laws, including U.S. state data breach notification laws.
12. International Data Transfers
Your data is processed in the United States by our service providers. Specifically: Clerk (authentication), Stripe (payments), Anthropic (AI lesson generation), Google Cloud (audio synthesis), Neon (database hosting), and Vercel (application hosting) all process data in the United States. When your data is transferred outside of your country of residence (including outside the EEA or UK), we ensure appropriate safeguards are in place, including:
- The EU-U.S. Data Privacy Framework (DPF), where our service providers are certified under the framework. We rely on the European Commission's adequacy decision of July 10, 2023 for these transfers.
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA, used for providers not covered by the DPF or as a supplementary safeguard.
- The UK International Data Transfer Agreement (IDTA) or the EU SCCs supplemented by the UK Addendum, as approved by the UK Information Commissioner's Office (ICO), for transfers from the United Kingdom.
- Other adequacy decisions, where the destination country has been recognized as providing adequate data protection by the European Commission or the UK Secretary of State.
Where data is transferred to a jurisdiction that has not been recognized as providing adequate data protection and is not covered by the DPF, we conduct transfer impact assessments and rely on the safeguards described above to ensure your data remains protected in accordance with applicable law.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect.
Where a material change affects our legal basis for processing your data or introduces new categories of data collection, and where your consent is the applicable legal basis, we will seek your affirmative consent before the changes apply to you. Where changes relate to processing based on other legal bases (such as contractual necessity or legitimate interests), you may object to the changes and terminate your account before the effective date. If you continue to use the Service after the effective date without objecting, this will constitute your acceptance of the non-consent-based changes.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at privacy@lexoralanguages.com.