Template notice: This document contains placeholders in [BRACKETS]. It is not legal advice. A qualified attorney or data-protection professional should review it before publication, particularly if you serve users in the EU/EEA, UK, or California.
[COMPANY_LEGAL_NAME] ("we", "us", "our") operates the LingoHelps platform at [WEBSITE_URL] (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service.
Data We Collect
1.1 Account & profile data
When you register, we collect your name, email address, password (hashed), role (Learner or Tutor), profile photo (optional), biography (optional), and any other information you choose to add to your profile.
1.2 Course & learning activity
We record course enrolments, lesson completion status, quiz results, progress percentages, playback position, certificates earned, and ratings or reviews you submit.
1.3 Booking & session data
We store booking requests, confirmed session times, Tutor/Learner pairings, session messages, and any materials shared within a session.
1.4 Payment & billing data
Payment transactions are processed by [PAYMENT_PROVIDER_NAME]. We receive a transaction reference, the last four digits of your payment method, billing currency, amount, and transaction status. We do not store full card numbers, CVV codes, or bank account credentials.
1.5 Communications
We store messages you send through the platform (session chat, tutor messages, support requests) and records of transactional and marketing emails we send to you.
1.6 Technical & usage data
We automatically collect your IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and error logs. This data is collected through server logs, session cookies, and analytics tools.
1.7 User-generated content
If you are a Tutor, we store the course materials (videos, audio, documents, links) you upload. All users may generate profile content, messages, and reviews.
Purposes & Legal Bases
The table below sets out each processing purpose and the legal basis we rely on. [LEGAL_BASIS_GDPR_IF_EU: Update or remove the "Legal basis (GDPR)" column if GDPR does not apply to your users.]
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the Service: account creation, authentication, subscription management, and course access. | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing billing cycles. | Performance of a contract (Art. 6(1)(b)) |
| Facilitating bookings and tutoring sessions. | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (receipts, booking confirmations, password resets). | Performance of a contract / Legitimate interests (Art. 6(1)(b)/(f)) |
| Sending marketing emails about new courses, promotions, and platform updates (opt-in). | Consent (Art. 6(1)(a)) |
| Analysing platform usage to improve features and fix issues. | Legitimate interests (Art. 6(1)(f)) |
| Detecting and preventing fraud, abuse, and security incidents. | Legitimate interests / Legal obligation (Art. 6(1)(f)/(c)) |
| Complying with legal obligations (tax records, law-enforcement requests). | Legal obligation (Art. 6(1)(c)) |
| Resolving disputes and enforcing our Terms of Service. | Legitimate interests / Legal obligation (Art. 6(1)(f)/(c)) |
Marketing Communications
4.1 Opt-in. We only send marketing emails (e.g. new-course announcements, promotions, newsletters) to users who have explicitly opted in at registration or through their account settings. We rely on your consent for this processing.
4.2 Opt-out. You may withdraw consent at any time by clicking the Unsubscribe link in any marketing email or by updating your notification preferences in your account settings. Withdrawal does not affect the lawfulness of prior processing.
4.3 Transactional emails. We will continue to send service-related emails (receipts, booking confirmations, security alerts, subscription notices) even if you opt out of marketing, as these are necessary for the performance of our contract with you.
Subprocessors
The following third-party subprocessors process personal data on our behalf. We maintain Data Processing Agreements with each of them where required.
| Vendor | Purpose | Location |
|---|---|---|
| [HOSTING_PROVIDER, e.g. DigitalOcean / AWS] | Infrastructure & file storage | [HOSTING_LOCATION, e.g. EU / US] |
| [TRANSACTIONAL_EMAIL_PROVIDER, e.g. Mailgun / SendGrid] | Transactional & marketing email delivery | [EMAIL_PROVIDER_LOCATION] |
| [PAYMENT_PROVIDER_NAME, e.g. Flutterwave] | Payment processing | [PAYMENT_PROVIDER_LOCATION] |
| [ANALYTICS_PROVIDER, e.g. Google Analytics] | Usage analytics | [ANALYTICS_PROVIDER_LOCATION] |
| [CDN_PROVIDER, e.g. Cloudflare] | Content delivery & DDoS protection | Global |
We review this list periodically and will update it when subprocessors change.
International Transfers
Some of our subprocessors are located outside your country of residence. When personal data is transferred outside the European Economic Area (EEA) or equivalent jurisdictions, we rely on appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- An adequacy decision by the relevant supervisory authority;
- The UK International Data Transfer Agreement (IDTA), where applicable;
- Other approved transfer mechanisms as permitted by applicable law.
You may request a copy of the relevant transfer safeguards by contacting us at [CONTACT_EMAIL].
Data Retention
| Data category | Retention period |
|---|---|
| Active account data | Retained for the duration of the account. |
| Closed account data (profile, progress) | Deleted or anonymised within [e.g. 90 days] of account closure, unless a longer retention is required by law. |
| Financial & billing records | Retained for [e.g. 7 years] to comply with tax and accounting obligations. |
| Session messages & chat logs | Retained for [e.g. 12 months] after the session, then deleted. |
| Server & application logs | Retained for [e.g. 90 days], then automatically purged. |
| Backup copies | Overwritten on a rolling [e.g. 30-day] cycle. |
| Marketing consent records | Retained for the lifetime of the account plus [e.g. 3 years] to demonstrate compliance. |
We may retain data for longer periods where required by law, or where necessary to resolve disputes or enforce our agreements.
Security
We implement technical and organisational measures proportionate to the risks associated with your data. No system is perfectly secure, and we cannot guarantee absolute security.
Our security measures include, but are not limited to:
- Encryption of data in transit via TLS/HTTPS;
- Hashing of passwords using a modern, salted algorithm (bcrypt / Argon2);
- CSRF token validation on all state-changing requests;
- Access controls limiting data access to authorised personnel;
- Regular software updates and dependency patching;
- Database backups encrypted at rest;
- Server-side input validation and prepared statements to prevent injection attacks.
Breach Notification
10.1 Internal response. In the event of a personal data breach, we will follow our internal incident-response procedure to contain the breach, assess the risk, and implement remediation measures.
10.2 Regulatory notification. Where required by applicable law (e.g. within 72 hours under GDPR, Art. 33), we will notify the relevant supervisory authority of a breach that poses a risk to individuals' rights and freedoms.
10.3 User notification. If a breach is likely to result in a high risk to your rights, we will notify you without undue delay, describing the nature of the breach and the steps we are taking to mitigate it.
To report a suspected security vulnerability, please contact us at [CONTACT_EMAIL].
Your Rights
Depending on your location, you may have some or all of the rights listed below. To exercise any right, contact us at [CONTACT_EMAIL]. We will respond within [e.g. 30 days] and will not charge a fee unless your request is manifestly unfounded or excessive.
- Access: Request a copy of the personal data we hold about you, including information about how it is processed.
- Correction: Request that we correct inaccurate or incomplete personal data. You can also update most information directly in your account settings.
- Erasure: Request that we delete your personal data ("right to be forgotten"), subject to our legal obligations to retain certain records.
- Portability: Receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
- Restriction: Ask us to restrict processing of your data in certain circumstances, for example while a correction request is assessed.
- Objection: Object to processing based on legitimate interests, including direct marketing (which we will always honour immediately).
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Complaint: Lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national data-protection authority in the EU).
Children's Privacy
The Service is not directed to children under the age of [MINIMUM_AGE, e.g. 13 or 16]. We do not knowingly collect personal data from children below this age. If you believe that a child has provided us with personal data without appropriate consent, please contact us immediately at [CONTACT_EMAIL] and we will take steps to delete that information.
If you are under the minimum age, please do not use the Service unless a parent or legal guardian has agreed to these terms on your behalf and you are using the Service under their supervision.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify you via email or a prominent in-platform notice at least [NOTICE_PERIOD, e.g. 14 days] before the changes take effect. We encourage you to review this page periodically. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.
Contact & Data Protection Officer
If you have questions about this Privacy Policy, wish to exercise your rights, or want to report a concern, please contact us:
- Email: [CONTACT_EMAIL]
- Legal name: [COMPANY_LEGAL_NAME]
- Address: [REGISTERED_ADDRESS]
- Data Protection Officer: [DPO_NAME_OR_N/A] — [DPO_EMAIL_OR_CONTACT_EMAIL]
We aim to respond to all privacy-related enquiries within [e.g. 30 days]. If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority.