Privacy Policy

Quilingo.com

Last Updated: 19.02.2026

1. Introduction

Welcome to Quilingo ("we," "us," "our," or the "Service"). We are committed to protecting your privacy and handling your personal data responsibly. Mainly by handling as little of them as possible.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our language learning platform at quilingo.com. It also describes your rights regarding your personal data under the General Data Protection Regulation (GDPR) and other applicable privacy laws.

By using Quilingo, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

Name: Petr Pícha
Business ID (IČO): 08200360
Address: Primátorská 296/38, 180 00, Praha 8 - Libeň
Email: contact@quilingo.com
Website: https://quilingo.com

For any privacy-related questions or to exercise your rights, please contact us at the email address above.

3. What Personal Data We Collect

3.1 Data You Provide Directly

Data Type

Purpose

Legal Basis

Email address

Account creation, login, transactional communications, occasional service updates

Contract performance, Legitimate interest

Password

Account security (stored only in hashed form—we cannot see your actual password)

Contract performance

Nickname

Display on leaderboards and community features (should you choose to set one)

Consent, Contract performance

3.2 Data Generated Through Your Use

Data Type

Purpose

Legal Basis

Learning progress

Track your vocabulary acquisition, stories read, and learning statistics

Contract performance

Account preferences

Remember your language selections and settings

Contract performance

Usage data

Understand how the Service is used, improve functionality

Legitimate interest

3.3 Technical Data

Data Type

Purpose

Legal Basis

IP address

Security, fraud prevention, approximate location for service optimization

Legitimate interest

Browser type and device information

Ensure compatibility, troubleshoot issues

Legitimate interest

Access timestamps

Security monitoring, service improvement

Legitimate interest

3.4 Payment Data

We do not collect or store your payment card details. All payment processing is handled securely by our payment processor, Stripe Inc. or Paddle.com Market Limited. When you subscribe, Stripe or Paddle collect your payment information directly. Please refer to Stripe's Privacy Policy or Paddle’s Privacy Policy for details on how they handle your payment data.

We receive from our payment processors only:

  • Confirmation of successful payment

  • Subscription status

  • Transaction identifiers (for our records and customer support)

4. How We Use Your Data

We use your personal data to:

  1. Provide the Service — Create and manage your account, deliver content, track your learning progress

  2. Process payments — Manage your subscription through payment processor

  3. Communicate with you — Send transactional emails (password resets, subscription confirmations, important account notices)

  4. Send service updates — Occasionally inform you about new features, content (new stories, languages), or significant changes to the Service

  5. Improve the Service — Analyze usage patterns to enhance functionality and user experience

  6. Ensure security — Protect against fraud, unauthorized access, and abuse

  7. Comply with legal obligations — Meet accounting, tax, and regulatory requirements

We do not sell your personal information. We do not share your personal data with third parties for their own marketing or advertising purposes.

We do not use automated decision-making. We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.

5. Marketing Communications

We will only send you marketing emails if you have given us your explicit consent (opt-in) during registration or in your account settings. Marketing emails may include information about new features, content updates, or service improvements.

Your choices:

  • You can withdraw your consent and unsubscribe from marketing emails at any time by clicking the "unsubscribe" link in any email or

  • You can update your preferences in your account settings or

  • Contact us to opt out

  • Unsubscribing from marketing emails will not affect transactional emails (account confirmations, password resets, subscription notices, privacy policy or terms of service changes)

6. Cookies and Similar Technologies

6.1 What We Use

We use only essential cookies necessary for the Service to function:

Cookie Type

Purpose

Duration

Session cookie

Keep you logged in during your visit, maintain your authenticated session

Persistent login expiring after some time

6.2 What We Don't Use

We do not use:

  • Third-party advertising cookies

  • Social media tracking pixels

  • Cross-site tracking technologies

6.3 Future Analytics

We may implement lightweight, privacy-respecting analytics in the future to understand how the Service is used. If we do, we will:

  • Update this Privacy Policy

  • Use privacy-focused solutions that minimize data collection

  • Not share analytics data with third parties for advertising purposes

7. Third-Party Services

We use the following third-party services to operate Quilingo. These services may process your data as described:

7.1 Stripe (Payment Processing)

  • Purpose: Process subscription payments

  • Data shared: Payment details (entered directly with Stripe), email, transaction information

  • Location: United States (with EU data processing capabilities)

  • Safeguards: Data Processing Agreement (DPA) in place; PCI-DSS compliant; Standard Contractual Clauses for international transfers

  • Privacy Policy: https://stripe.com/privacy

7.2 Paddle (Payment Processing)

  • Purpose: Process subscription payments in regions selected by us

  • Data stored: Payment details (entered directly with Paddle), email, transaction information

  • Location: United Kingdom

  • Safeguards: Data Processing Agreement (DPA) in place; PCI-DSS compliant; acts as Merchant of Record

  • Privacy Policy: https://www.paddle.com/legal/privacy

Note: Depending on your location, your payment will be processed by either Stripe or Paddle. You will be informed which provider is processing your payment at checkout.

7.3 Supabase (Database & Backend)

  • Purpose: Store account data, learning progress, application data

  • Data stored: Email, hashed password, learning progress, preferences, nickname

  • Location: Global network with EU presence

  • Safeguards: Data Processing Agreement (DPA) in place

  • Privacy Policy: https://supabase.com/privacy

7.4 Cloudflare (Hosting & CDN)

  • Purpose: Host and deliver the website, provide security and performance optimization

  • Data processed: IP address, browser information, access logs (temporary)

  • Location: Global network with EU presence

  • Safeguards: Data Processing Agreement (DPA) in place

  • Privacy Policy: https://www.cloudflare.com/privacy/

7.5 Loops (Email Service)

  • Purpose: Send transactional and service update emails

  • Data shared: Email address

  • Location: United States

  • Safeguards: Data Processing Agreement (DPA) in place, Standard Contractual Clauses for international transfers

  • Privacy Policy: https://loops.so/privacy

7.6 Disclosure to Authorities

We may disclose your personal data to law enforcement, regulatory authorities, government officials, or other third parties when we are compelled to do so by a court order, or when we believe in good faith that disclosure is necessary to:

  • Comply with applicable laws or legal processes

  • Protect our rights, privacy, safety, or property

  • Respond to lawful requests from public authorities

8. International Data Transfers

Your data is primarily stored and processed within the European Union (Supabase EU servers). However, some of our service providers are based in the United States or other countries outside the EU.

When your data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • Data Processing Agreements with all third-party processors

  • Selection of providers with strong privacy practices and security measures

9. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

9.1 Unregistered Users (Free Sample)

If you use Quilingo without creating an account, we retain your session data (learning progress, preferences, and technical identifiers) for 14 days from your last activity. This allows you to return and continue where you left off. After 14 days of inactivity, this data is automatically and permanently deleted.

If you create an account within this period, your progress will be transferred to your account and retained according to the policies below.

9.2 Registered Users

Data Type

Retention Period

Active account data

For as long as your account is active

Unverified accounts

If you begin registration but do not verify your email address, your data is automatically deleted after 30 days

Inactive accounts

We may delete accounts that have been inactive for more than 3 years after the last subscription has ended

Account data after deletion request

Deleted within 30 days of your request

Transaction and payment records

10 years (required by Czech accounting and tax law)

Commercial correspondence

6 years (business record requirements)

Data related to legal disputes

Up to 4 years after account closure or resolution of dispute (Czech statute of limitations)

Server logs (IP, access data)

Up to 90 days

Marketing-related data

Until you object or unsubscribe

After the retention period expires, data is securely deleted or anonymized.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption: Data transmitted to and from our Service is encrypted using TLS/SSL

  • Password security: Passwords are hashed using industry-standard algorithms—we cannot access your actual password

  • Access controls: Only authorized personnel have access to personal data, on a need-to-know basis

  • Secure infrastructure: We use reputable service providers with strong security practices

  • Regular review: We periodically review our security practices

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you and relevant authorities of any data breach as required by law.

11. Your Rights Under GDPR

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:

11.1 Right of Access

You can request a copy of the personal data we hold about you.

11.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

11.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data. We will comply unless we have a legal obligation to retain certain data.

11.4 Right to Restriction of Processing

You can request that we limit how we use your data in certain circumstances.

11.5 Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format.

11.6 Right to Object

You can object to processing based on legitimate interests, including for direct marketing purposes.

11.7 Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

11.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: contact@quilingo.com

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

11.9 Right to Lodge a Complaint

If you believe we have not handled your data properly, you have the right to lodge a complaint with a supervisory authority. In the Czech Republic, this is:

Úřad pro ochranu osobních údajů (ÚOOÚ)
Office for Personal Data Protection
Website: https://www.uoou.cz

You may also complain to the supervisory authority in your country of residence.

11.10 Additional Rights for California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You can request information about what personal information we collect, use, and disclose about you.

  • Right to Delete: You can request deletion of your personal information, subject to certain exceptions.

  • Right to Correct: You can request correction of inaccurate personal information.

  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

We do not "sell" or "share" your personal information as those terms are defined under CCPA/CPRA.

To exercise these rights, contact us at contact@quilingo.com. We will respond within 45 days.

Please note that certain data may be retained as required by applicable law, including Czech and EU legal requirements for tax, accounting, and legal compliance purposes.

11.11 Additional Rights for Brazilian Residents

If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, delete, anonymize, and port your personal data. You also have the right to information about third parties with whom we share your data and the right to revoke consent.

To exercise these rights, contact us at contact@quilingo.com.

Please note that certain data may be retained as required by applicable law, including Czech and EU legal requirements for tax, accounting, and legal compliance purposes.

12. Children's Privacy

Quilingo is not intended for individuals under 16 years of age. We do not knowingly collect personal data from individuals under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at contact@quilingo.com, and we will delete such data.

If you are between 16 and 18 years old, please ensure you have your parent's or guardian's permission before using the Service.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements.

When we make material changes:

  • We will update the "Last Updated" date at the top of this policy

  • We will notify registered users via email

  • We may also post a notice on our website

We encourage you to review this policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: contact@quilingo.com
Website: https://quilingo.com
Address: Primátorská 296/38, 180 00, Praha 8 - Libeň

We aim to respond to all inquiries within 30 days.

By using Quilingo, you acknowledge that you have read and understood this Privacy Policy.