Privacy Policy

Last updated: July 2026

This Privacy Policy explains how Bytebloom Studios GmbH (“Bytebloom”, “we”, “us”) collects, uses and protects personal data when you use the Lingorino language-learning service, including the Lingorino mobile applications for iOS and Android, the Lingorino web application and the lingorino.com website (collectively, the “Service”). It is provided in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the Austrian Data Protection Act (DSG).

1. Controller

The controller responsible for the processing of your personal data within the meaning of the GDPR is:

Bytebloom Studios GmbH
Bundesstraße 35
6111 Volders
Austria
Commercial Register: FN 673706 w, Regional Court of Innsbruck
VAT ID: ATU83104114
Managing Director: Stefan Steinlechner
Email: support@lingorino.com

We have not appointed an external Data Protection Officer because we are not required to do so under Article 37 GDPR. For any data-protection matter, please contact us at the email address above.

2. Categories of Personal Data We Process

2.1 Account data

When you create an account we collect your email address, the username you choose, a securely hashed copy of your password (we never store passwords in clear text, passwords are processed using the bcrypt algorithm) and an internal user identifier (UUID).

2.2 Profile and learning data

We process the language settings you select (native language, target language, learning level), your learning progress (completed lessons, XP, streaks, accuracy, time spent), interactions with course content (selected categories, lesson and task results) and, if you upload one, your profile picture.

2.3 Speech-recognition data

In conversation and pronunciation tasks we use the speech-recognition functionality provided by your device's operating system (Apple Speech / Android SpeechRecognizer). Audio is processed locally on your device or transmitted to the operating-system provider in accordance with the provider's own privacy terms. We do not record, store or transmit voice audio to our own servers.

2.4 Purchase data

If you subscribe to Lingorino Pro through one of the mobile applications, we receive subscription metadata (subscription status, product identifier, purchase date, renewal date, country) from RevenueCat and the respective app store. We do not process your full payment instrument in that case (credit-card number, bank details); payment is handled exclusively by Apple Inc. and Google LLC under their own terms.

For purchases made through the Lingorino web application, payment is processed by Stripe, Inc. Stripe may collect and process your payment-instrument data (such as credit-card number or bank-account details) directly. We receive only a token reference, the transaction status and basic metadata (amount, currency, date). We do not store your full credit-card or bank-account number on our servers.

2.5 Communication and support data

If you send us feedback or contact our support, we process the content of your message, your email address (where provided) and any technical context you attach (such as the Service version) to answer your request.

2.6 Technical and log data

When you use the Service, our servers automatically receive technical information such as your IP address, device type and operating-system version, the date and time of access, the requested endpoint and the response status. This data is processed to operate, secure and troubleshoot the Service.

3. Purposes and Legal Bases of Processing

We process the categories listed in section 2 for the following purposes and on the following legal bases under Article 6(1) GDPR:

  • Performance of the user contract (Art. 6(1)(b) GDPR): creating and operating your account, providing the learning features, syncing progress across devices, processing subscriptions and renewals.
  • Legitimate interests (Art. 6(1)(f) GDPR): ensuring the security and integrity of the Service, preventing fraud and abuse, diagnosing and fixing technical errors, improving the Service on the basis of aggregated usage patterns. Our legitimate interest is the secure and reliable operation of the Service; this interest is balanced against your right to data protection.
  • Consent (Art. 6(1)(a) GDPR): profile-picture upload, submission of voluntary feedback, processing of additional optional data you may provide. You may withdraw your consent at any time with effect for the future (Art. 7(3) GDPR).
  • Compliance with legal obligations (Art. 6(1)(c) GDPR): retention obligations under Austrian commercial and tax law (e.g. seven-year retention of accounting records under § 132 BAO).

4. Processors and Recipients

We use a small number of carefully selected service providers to operate the Service. They process data strictly on our instructions in their role as processors within the meaning of Article 28 GDPR. The relevant recipients are:

  • Amazon Web Services EMEA SARL / Amazon Web Services, Inc.: hosting of our application servers, database (MySQL), object storage and content-delivery infrastructure (Frankfurt region, eu-central-1, preferred). Country: United States parent company; processing primarily takes place in the European Union. Transfer mechanism: EU-US Data Privacy Framework and standard contractual clauses pursuant to Art. 46(2)(c) GDPR.
  • RevenueCat, Inc.: subscription management, purchase validation and webhook delivery for in-app purchases. Country: United States. Transfer mechanism: EU-US Data Privacy Framework and standard contractual clauses.
  • Stripe, Inc.: payment processing for purchases made through the Lingorino web application (credit-card processing, bank transfers, payment-fraud prevention). Country: United States. Transfer mechanism: EU-US Data Privacy Framework and standard contractual clauses pursuant to Art. 46(2)(c) GDPR.
  • Apple Inc. / Apple Distribution International Limited: distribution of the iOS app, in-app purchases, push notifications. Country: United States / Ireland. Transfer mechanism: EU-US Data Privacy Framework and standard contractual clauses.
  • Google LLC / Google Ireland Limited: distribution of the Android app and in-app purchases. Country: United States / Ireland. Transfer mechanism: EU-US Data Privacy Framework and standard contractual clauses.
  • Expo, Inc. (Expo Application Services / EAS): build service for the mobile applications and delivery of over-the-air updates. Country: United States. Transfer mechanism: EU-US Data Privacy Framework and standard contractual clauses.
  • Google Ireland Limited / Google LLC (Firebase): authentication of social logins (Firebase Authentication) and delivery of push notifications (Firebase Cloud Messaging) for the mobile applications. Country: Ireland / United States. Transfer mechanism: EU-US Data Privacy Framework and standard contractual clauses.

We do not display third-party advertising inside the Lingorino applications, and we do not use dedicated web-analytics SDKs. Our mobile applications do, however, integrate the Meta (Facebook) SDK (Meta Platforms Ireland Limited / Meta Platforms, Inc.) in order to offer "Log in with Facebook". By default this SDK is active while the mobile app runs and may process a device advertising identifier (such as the Google Advertising ID on Android) together with basic app-usage events for Meta's own analytics and advertising-measurement purposes; in this respect Meta acts as an independent controller. This is why our Android app declares that it uses the advertising ID. You can reset or limit this identifier at any time in your device settings (Android: Settings → Privacy → Ads; iOS: Settings → Privacy & Security → Tracking). If we introduce further advertising or analytics tools in the future, we will update this Privacy Policy and, where required, obtain your consent in advance.

5. International Data Transfers

Where personal data is transferred to a country outside the European Economic Area, we ensure an adequate level of protection in accordance with Chapter V GDPR. Transfers to the United States are made on the basis of the EU-US Data Privacy Framework (Commission Decision (EU) 2023/1795) for certified recipients and, in addition, on the basis of the European Commission's standard contractual clauses (Decision (EU) 2021/914) together with supplementary technical and contractual measures.

6. Storage Period

  • Account data and learning progress: for as long as your account exists. If you delete your account, this data is erased without undue delay, subject to statutory retention obligations.
  • Subscription data: for the duration of the subscription and afterwards for the statutory retention periods under tax and commercial law (currently seven years under § 132 BAO). This includes subscription and payment metadata received from RevenueCat and Stripe.
  • Speech-recognition audio: not stored by us at all; processed transiently on the device or by the operating system in the moment of use.
  • Server log data: retained for up to 90 days for security, abuse prevention and troubleshooting, then deleted.
  • Support correspondence: retained as long as necessary to handle your request and, where relevant for evidence purposes, for up to three years under the Austrian Civil Code limitation period.

7. Your Rights as a Data Subject

Subject to the conditions in the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR): to confirm whether we process personal data about you and obtain a copy.
  • Right to rectification (Art. 16 GDPR): to have inaccurate data corrected and incomplete data completed.
  • Right to erasure (Art. 17 GDPR): to have your data deleted when one of the grounds in Art. 17 applies.
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR): to receive the personal data you provided in a structured, commonly used and machine-readable format and to have it transmitted to another controller.
  • Right to object (Art. 21 GDPR): to object, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR) at any time, with effect for the future, where processing is based on consent.

You can exercise any of these rights by contacting us at support@lingorino.com. We will respond within one month of receipt of your request (Art. 12(3) GDPR); we may extend this period by a further two months where necessary and will inform you of any such extension.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for our establishment is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde):

Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien
Austria
Web: www.dsb.gv.at

8. Account Deletion

You can delete your account at any time by sending a request to support@lingorino.com. Upon deletion, your personal data is erased without undue delay, except where we are legally obliged or entitled to retain it (e.g. for tax and accounting records). Pending subscriptions remain subject to the terms of the respective app store.

9. Children

The Service is intended for a general audience and can be used by learners of all ages. It is not specifically directed at children and is not a child-directed application within the meaning of the App Store or Google Play kids programs. Children should only use the Service with the consent and under the supervision of a parent or legal guardian. Where applicable law requires the consent or authorization of a parent or legal guardian for the processing of a minor's personal data (for example under Article 8 GDPR, where the applicable age threshold ranges between 13 and 16 depending on the EU member state), such consent or authorization must be in place, and parents or legal guardians are responsible for providing it. If you are a parent or guardian and believe that a child has provided personal data to us without the required consent, please contact us at support@lingorino.com and we will take appropriate action and delete the data.

10. Automated Decision-Making

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

11. Cookies and Similar Technologies

The Lingorino mobile applications do not use cookies. The Lingorino web application uses only strictly necessary technologies (e.g. local storage and secure token storage) to keep you signed in and to remember your settings; no consent is required for these under § 165 (3) TKG 2021 / Art. 5(3) ePrivacy Directive. If our website (lingorino.com) sets additional cookies (e.g. for analytics in the future), we will inform you via a separate cookie banner and, where required, obtain your consent in advance.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. These include encrypted transmission (TLS), hashing of passwords with bcrypt, access controls, encrypted storage of authentication tokens on your device (Apple Keychain / Android Keystore) and regular review of our security practices.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to the Service, our processing activities or applicable law. The current version is always available at lingorino.com/privacy-policy. The date of the most recent update is indicated at the top of this page. Where a change materially affects your rights, we will inform you in advance through the Service or by email.

14. Contact

For any questions about this Privacy Policy or the processing of your personal data, please contact us at support@lingorino.com.

See also our Terms & Conditions.