Privacy Policy
Last updated: 17 July 2026
This policy explains what data Lingoberry collects, why, and how it is handled. We designed the service with privacy in mind — we collect only what is needed to provide and improve the service.
1. Data Controller
Lingoberry is operated by Juha Jantunen (sole proprietor), based in Finland. Contact: hello@lingoberry.app.
2. What We Collect
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email address | Account login, password reset, notifications | Contract |
| Display name and username | Public profile, leaderboards | Contract |
| Password (bcrypt hash) | Authentication | Contract |
| Language preferences and proficiency level | Generate exercises at the right difficulty | Contract |
| Timezone | Accurate streak tracking | Contract |
| Translations you write | Provide AI feedback, track progress | Contract |
| Avatar image (optional) | Profile personalisation | Consent |
| Usage events (exercise counts, login timestamps) | Analytics, streak calculation, service improvement | Legitimate interest |
We do not collect: IP addresses in our database, device fingerprints, third-party tracking cookies, or advertising identifiers.
3. Third-Party Processors
| Provider | Purpose | Data Shared |
|---|---|---|
| Mistral AI (France, EU) | Generate exercises and evaluate translations | Your topic choices, proficiency level, and translation text |
| Hetzner (Germany, EU) | Server hosting and object storage | All stored data (encrypted at rest) |
All processors are EU-based. We do not transfer personal data outside the EEA.
4. Data Retention
- Account data: Retained while your account is active.
- Exercises and translations: Retained while your account is active, to track progress.
- Sessions: Expire after 7 days and are deleted.
- Password reset tokens: Expire after 1 hour and are invalidated after use.
- Analytics events: Retained 12 months, then automatically purged.
- Account deletion: You can permanently delete your account and all associated data from your Profile settings at any time. Deletion is immediate and irreversible.
5. Your Rights (GDPR)
As an EU resident, you have the right to:
- Access — Request a copy of your personal data.
- Rectification — Correct inaccurate data (you can do this directly in your profile settings).
- Erasure — Delete your account and all data via Profile settings, or by emailing us.
- Portability — Receive your data in a structured, machine-readable format.
- Restriction — Request that we limit processing of your data.
- Objection — Object to processing based on legitimate interest.
- Withdraw consent — Via profile settings, at any time.
To exercise these rights, email hello@lingoberry.app. We will respond within 30 days.
6. Security
- Passwords are hashed with bcrypt (never stored in plain text).
- All traffic is encrypted via TLS (HTTPS).
- Sessions use secure, HttpOnly cookies with SameSite protection.
- Sensitive tokens (password reset, email verification) are stored as SHA-256 hashes.
- Rate limiting protects against brute-force attacks.
- User input is validated and moderated before reaching the AI.
7. Cookies
We use only essential cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| lingoberry_session | Keeps you logged in | 7 days |
| lingoberry_flash | Shows one-time notification messages | 10 seconds |
| lingoberry_tz_dismiss | Remembers timezone banner dismissal | 7 days |
We do not use analytics cookies, advertising cookies, or third-party tracking. No cookie consent banner is needed because all cookies are strictly necessary.
8. Children
Lingoberry is not intended for users under 16. We do not knowingly collect data from children. If you believe a child under 16 has created an account, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this policy. We will notify users of significant changes via email. The "Last updated" date at the top indicates when changes were last made.
10. Contact and Complaints
Privacy questions or exercising your rights: hello@lingoberry.app.
If you believe your rights have been violated, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).