Privacy Policy

Effective date: 5 November 2025

1. Who we are

Lingjo (“we”, “us”, “our”) provides learning and assessment tools for students, teachers, and educational providers. For most processing described here, we act as the data controller. Where we process data strictly on behalf of a school or institution, we may act as a data processor under contract.

Registered business name: Lingjo. Contact details are in Section 16.

2. Scope

This policy covers personal data processed through Lingjo’s websites, applications, and related services. It includes student and teacher data, account data, learning records, support interactions, and usage analytics as described below.

3. Lawful bases

  • Performance of a contract: providing secure access, core app functionality, account administration.
  • Legitimate interests: improving services, security monitoring, preventing abuse, and learning analytics consistent with user/educational expectations.
  • Consent: optional features (e.g., marketing communications, certain cookies) and, where required, parental consent for under-13s.
  • Public task: where we process on behalf of schools carrying out tasks in the public interest.

4. Data we collect

We collect the minimum necessary data to operate and secure the service:

Categories of personal data
Category | Examples | Purpose | Lawful basis
--- | --- | --- | ---
Account & Identity | Email, name (optional), role (student/teacher/admin), school/class associations | Create/manage accounts, role-based access | Contract; Legitimate interests; Public task (schools)
Authentication (via Clerk) | Session tokens, sign-in logs, MFA status | Secure login and session management | Contract; Legitimate interests
Education Records | Assignments, submissions, scores, teacher feedback, progress | Deliver learning features & reports | Contract; Public task (schools)
Usage & Device | App interactions, timestamps, IP address, device/browser metadata | Security, debugging, service improvement | Legitimate interests; Consent for non-essential analytics
Support & Communications | Support tickets, email threads, in-app messages | Resolve issues; provide service updates | Contract; Legitimate interests; Consent (marketing)

Special category data is not intentionally collected. If provided inadvertently, we will delete or protect it appropriately.

5. How we use data

  • Provide and maintain the service and user accounts.
  • Authenticate users and secure sessions.
  • Operate learning, assessment, and reporting features.
  • Prevent fraud and abuse; maintain platform integrity.
  • Improve performance, reliability, and user experience.
  • Communicate service updates; respond to support requests.
  • Use aggregated or anonymised data to understand trends and improve features.

6. Cookies & tracking

We use strictly necessary cookies for core functionality (e.g., authentication). With your consent, we may use analytics cookies to understand usage and improve the service. You can manage preferences via your browser or our in-product cookie controls (where available).

7. Sharing & processors

We do not sell personal data. We share data with trusted service providers (“processors”) under contract, limited to what’s necessary to deliver the service. Each processor is bound by confidentiality, security, and UK GDPR-compliant terms.

Our core processors
Processor | Role | Data handled | Primary region
--- | --- | --- | ---
Clerk | Authentication & identity | Sign-in data, sessions, MFA status | EU region (e.g., eu-west)
Cloud/Hosting Provider | Infrastructure & databases | App data, encrypted at rest | UK/EU
AI/LLM Provider (e.g., OpenAI) | Language processing for selected features | Pseudonymised prompts and content snippets; no direct identifiers sent by default | EU/UK where available; otherwise safeguarded by SCCs

We will disclose data if required by law, to protect users, or to defend our legal rights, following due process.

8. Third-party AI & API services (anonymised)

Some features of Lingjo use third-party API services (for example, language models such as OpenAI’s API) to process text and generate feedback or suggestions. We design these integrations with privacy by default and apply strict minimisation and anonymisation practices.

  • No direct identifiers by default: we remove or pseudonymise names, emails, IDs, and similar fields before sending requests. We use per-session or per-request pseudonymous tokens.
  • Minimum necessary content: only the text strictly required to fulfil the feature (e.g., a paragraph of an essay) is sent; we avoid full records or unrelated context.
  • Provider settings: where providers offer controls, we configure them so API inputs are not used to train or improve the provider’s models, and we request the shortest feasible retention.
  • Regional processing & safeguards: we prefer UK/EU processing where available. If processing occurs outside the UK/EU, we rely on adequacy mechanisms or Standard Contractual Clauses and additional safeguards.
  • School controls: for school customers, we can disable third-party AI features or restrict them to specific cohorts on request.
  • User-generated content: avoid including special category data in free-text inputs. If included inadvertently, we handle and protect it in line with this policy.

For details about specific providers in use (and their regions), please contact us or see the vendor list in Section 7.

9. International transfers

We endeavour to store and process personal data in the UK/EU. Where access or transfer outside the UK/EU is necessary, we rely on adequacy regulations (where available) or Standard Contractual Clauses and implement additional safeguards as appropriate.

10. Retention & deletion

  • We retain personal data only as long as needed for the purposes described or as required by law/contract.
  • Schools/teachers may request deletion following course or contract completion.
  • Backups are encrypted and retained for limited periods before secure deletion.

11. Security

We apply technical and organisational measures appropriate to the risk, including:

Technical
  • TLS for data in transit; encryption at rest.
  • Secrets management; no hard-coded credentials.
  • Role-based access control (RBAC); least privilege.
  • Audit logging for admin access.
  • Regular patching and dependency scanning.
  • Secure webhooks with signature verification (e.g., Clerk).
Organisational
  • Data Protection Impact Assessments (where required).
  • Staff confidentiality & access training.
  • Documented incident response and disaster recovery.
  • Vendor due diligence and DPAs with processors.
  • Privacy by design & default.

12. Children’s Code (Age-Appropriate Design Code)

For under-18 users, we apply high-privacy defaults and design choices that protect young people, including:

  • Minimal data collection and profiling.
  • Clear, age-appropriate explanations of features and settings.
  • Parental consent for under-13 account creation where required.
  • Geolocation and social features disabled unless strictly needed.

13. Your rights

Under UK GDPR, you have rights to access, correct, erase, restrict, or object to processing, and to data portability. Where processing relies on consent, you can withdraw consent at any time. To exercise rights, contact us using the details in Section 16. We may need to verify your identity and, where we act as a processor for a school, may redirect your request to the controller.

14. Breaches & reporting

We assess all personal data incidents and will notify the ICO within 72 hours where required, and affected users without undue delay when there is a high risk to their rights and freedoms.

15. Changes to this policy

We may update this policy to reflect changes in law, guidance, or our services. We will post updates here and, when appropriate, notify you in-app or by email.

16. Contact & Data Protection Officer

If you have questions or wish to exercise your rights, contact:

Data Protection Officer (DPO): [Name], dpo@lingjo.com. If you are unsatisfied with our response, you can lodge a complaint with the UK Information Commissioner’s Office (ICO).

Clerk Authentication Notice

We use Clerk as our authentication provider. Clerk acts as our data processor under UK GDPR and stores authentication data in the EU region. We do not store user passwords.

  • EU region configured for authentication data.
  • MFA available and enforced for admin accounts.
  • Session security, device management, and webhook signing used.

For more information about how authentication data is processed, contact us or consult Clerk’s security documentation.