Privacy
Last updated May 24, 2026
Effective date: May 24, 2026
LingoBeats ("LingoBeats", "we", "us") operates the website at https://lingobeats.app — an educational platform for learning languages through music. This Privacy Policy explains what personal data we collect, why, with whom we share it, how long we keep it, and the rights you have. By using the service you agree to this Policy.
1. Who is responsible for your data
The data controller is the operator of LingoBeats. You can reach us at privacy@lingobeats.app for any privacy-related request.
2. What we collect
We collect only what is necessary to run the service.
2.1 Account data
When you create an account or sign in:
- Email/password sign-up: email address, hashed password, display name.
- Google sign-in: email, display name, profile picture URL, Google account ID.
- Spotify sign-in: email, display name, profile picture URL, Spotify user ID. We request only the user-read-email and user-read-private scopes — we do not access your playlists, library, top tracks, listening history or any other data from your Spotify account.
We do not receive your password from Google or Spotify.
2.2 Learning data
- Songs you favourite, vocabulary flashcards you review, study progress, quiz attempts, streak and XP counters, custom playlists you create.
2.3 Technical data
- Pages visited (URL only, no body content) for product analytics.
- Search queries to improve relevance.
- Approximate locale (en/es/pt/ja/ko) inferred from your browser to pick the right UI language.
- IP address only in transit (for security and rate-limiting) — not stored against your account.
- Error reports captured by Sentry (see §5).
2.4 What we do not collect
- Full Spotify listening data.
- Payment information (we do not process payments yet).
- Sensitive categories (health, religion, political opinions, etc.).
- Voice recordings (the pronunciation mic feature processes audio locally in your browser and never uploads it).
3. How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Authenticate you and keep you signed in | Contract performance |
| Store your favourites, progress and playlists | Contract performance |
| Send service-related emails (password reset, security) | Contract performance |
| Send optional product updates via newsletter | Consent (you opt in) |
| Detect and prevent abuse, debug crashes | Legitimate interest |
| Aggregate usage analytics (anonymous) | Legitimate interest |
We do not use your data for advertising, profiling or automated decision-making with legal effects.
4. Cookies
We use a minimal set of cookies, all first-party:
- Session cookie (encrypted, set by nuxt-auth-utils) — keeps you signed in. Required.
- Locale cookie (lingobeats_locale) — remembers your preferred UI language.
- Theme cookie — remembers light/dark preference.
We do not run advertising cookies or third-party tracking.
5. Third parties we share data with
We share only what is strictly necessary to operate the service. None of these parties may sell your data.
| Service | Data shared | Why |
|---|---|---|
| CapRover (self-hosted on DigitalOcean) | All data we store | Hosting + database |
| Google OAuth | OAuth handshake only | Optional sign-in |
| Spotify OAuth | OAuth handshake only | Optional sign-in |
| OpenAI | Song lyrics excerpts you ask the editorial tools to analyse | AI-assisted editorial drafting (admin only) |
| Sentry | Error stack traces, route URL, anonymised user ID | Crash monitoring |
| Wikipedia REST API | Artist names (no user data) | Public artist biography lookups |
| lyrics.ovh | Song title + artist (no user data) | Public lyric lookups (transient, never stored) |
| Spotify Web API | Song/artist queries (no user data) | Catalogue metadata |
We do not sell, rent or trade your personal data.
6. International transfers
Our servers are located in Frankfurt (DigitalOcean). Some third parties (OpenAI, Sentry, Google) process data in the United States. Where applicable we rely on EU Standard Contractual Clauses or equivalent safeguards.
7. Retention
- Account data — kept while your account is active. Deleted within 30 days of account deletion.
- Learning data — same as account data; tied to your user record (cascading delete).
- Logs and crash reports — kept up to 90 days.
- Newsletter subscribers — kept until you unsubscribe.
8. Your rights
Under GDPR (EU/UK) and equivalent laws elsewhere you have the right to:
- Access the data we hold about you.
- Correct inaccurate data (from /account/settings).
- Delete your account and all associated data.
- Export your data in a portable format.
- Restrict or object to specific processing.
- Withdraw consent for the newsletter at any time.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@lingobeats.app. We respond within 30 days.
9. Children
LingoBeats is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us and we will remove it.
10. Security
- All traffic is encrypted in transit (TLS 1.3).
- Passwords are hashed with bcrypt.
- Session cookies are signed and HTTP-only.
- Admin areas are restricted by role and never indexed by search engines.
No system is perfectly secure, but we work to minimise risk and will notify affected users without undue delay in the event of a data breach.
11. Changes to this Policy
Material changes are announced in-app and via email to registered users at least 14 days before they take effect. The "Effective date" at the top of this page reflects the current version.
12. Contact
- Privacy questions: privacy@lingobeats.app
- General contact: hello@lingobeats.app
- Postal address available on request.