Legal
Privacy Policy
Last updated: June 2026
Upslang (“we”, “us”, or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have over it.
This policy applies to all services provided through upslang.com and cambridge.upslang.com.
1. Who We Are
The Data Controller responsible for your personal data is:
Upslang is an independent EdTech platform for language certification preparation. We are not affiliated with Cambridge Assessment English or Cambridge University Press & Assessment.
2. Data We Collect
We collect the following categories of personal data:
Account Data
Email address, display name. Provided by you at registration or via Google Sign-In.
Exam & Evaluation Data
Your written responses (essays, letters, reports) submitted during Writing simulations. Your answers to Reading & Use of English questions. Your Listening answers. AI evaluation results, scores, and feedback generated for each submission.
Payment Data
Payment is processed by Lemon Squeezy. We do not store your card details. We receive from Lemon Squeezy: an order ID, payment confirmation status, and amount paid. We store your subscription status and expiry date.
Usage & Analytics Data
Behavioral and usage analytics collected via two third-party tools, with your consent:
- Google Analytics 4: pages visited, session duration, device type, geographic region (country/city), and interaction events — including exam starts, exam completions, Cambridge scores achieved, exam duration in seconds, time spent reading evaluations, and navigation patterns. Data is pseudonymised and aggregated. IP addresses are not stored — they are used only to derive approximate geographic region and then discarded by Google.
- Microsoft Clarity: session recordings (anonymised replays of how you navigate the platform), heatmaps (click and scroll patterns), and behavioral analytics. Clarity uses Balanced Masking — sensitive text content in input fields is automatically obscured. Sessions are linked to a pseudonymous identifier (your Firebase User ID, not your name or email) to enable support and debugging.
- Google BigQuery (EU region): GA4 analytics data is exported to Google BigQuery, hosted in the EU, for advanced aggregate analysis. This export contains the same pseudonymised event data collected by GA4 and no additional personal information.
Security & Anti-Fraud Data
reCAPTCHA Enterprise signals (interaction patterns, browser fingerprint) used to protect our platform from bots and abuse. Processed under legitimate interest.
Session Security Data (paid accounts only)
To enforce our one-account-one-person policy, we store a one-way cryptographic hash (SHA-256) of the IP address used to access the platform. Raw IP addresses are never stored. Hashes are retained for a maximum of 24 hours in our secure database, then automatically deleted. Processed under legitimate interest (prevention of account sharing in breach of these Terms).
Service Usage Data
To enforce fair use limits, we store usage counters per account (evaluations requested today, this month, and the timestamp of the last evaluation). This data is used solely to apply rate limits and is never shared with third parties.
Anonymous Trial Sessions
When you start a free trial without registering ("Try for Free"), we create an anonymous technical identifier (a Firebase anonymous User ID) so the platform can function and apply fair-use limits. No name, email or password is collected at this stage. If you never create an account, this anonymous session and its data are automatically deleted after 30 days. When you register, the same identifier is upgraded to your account so your progress is preserved.
3. How We Use Your Data
- •Provide and operate the Upslang platform (account management, exam access)
- •Deliver AI-powered evaluations of your written and spoken exam responses
- •Process and confirm your payment for platform access
- •Save your exam history and track your progress over time
- •Protect the platform against abuse, fraud, and unauthorized access
- •Enforce fair use limits to ensure equitable access for all users (maximum evaluations per day and per month)
- •Prevent account sharing in violation of our Terms of Use (one account per person)
- •Analyze aggregated usage patterns to improve the service (with your consent)
- •Send transactional emails (account confirmation, access expiry reminders)
4. Legal Bases for Processing (GDPR Art. 6)
Performance of a contract (Art. 6(1)(b))
Account creation, exam access, payment processing, evaluation delivery.
Consent (Art. 6(1)(a))
Analytics cookies (Google Analytics 4) and session recording (Microsoft Clarity). You can withdraw consent at any time via Cookie Preferences.
Legitimate interest (Art. 6(1)(f))
Security, fraud prevention (reCAPTCHA), platform stability, and retention of account data for a limited period after account deletion to allow resolution of any disputes. Our interest is balanced against your rights.
Legal obligation (Art. 6(1)(c))
Retention of payment records as required by Italian fiscal law (10 years).
5. Data Retention
6. Data Sharing & Third Parties
We do not sell your personal data. We share data only with the following trusted service providers, strictly for the purposes described:
Google LLC — Firebase (Authentication, Firestore, Hosting)
User authentication, data storage, platform delivery.
Privacy Policy →Google LLC — Gemini AI
AI evaluation of your exam responses (Writing). Your texts are sent to Google's AI API for evaluation and are not used to train Google's models under our API agreement.
Privacy Policy →Microsoft Corporation — Microsoft Clarity
Session recordings, heatmaps, and behavioral analytics (with your consent). Clarity records anonymised replays of how users navigate the platform to help us identify usability issues. Balanced masking is applied to sensitive input content.
Privacy Policy →Lemon Squeezy (a Stripe company)
Secure payment processing. Acts as Merchant of Record — handles VAT, compliance, and chargebacks on our behalf.
Privacy Policy →7. International Data Transfers
Some of our service providers are based in the United States (Google LLC, Microsoft Corporation, Lemon Squeezy). These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), ensuring your data receives equivalent protection to that required under EU law. Google also participates in the EU-US Data Privacy Framework. Analytics data exported to BigQuery is stored in the EU region and does not leave the European Economic Area.
8. Your Rights
Depending on your location, you have the following rights over your personal data. To exercise any right, contact us at hello@upslang.com. We will respond within 30 days (GDPR allows up to 3 months for complex requests, with prior notice).
EU / UK — GDPR Rights
Right of Access (Art. 15)
Request a copy of the personal data we hold about you.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete data.
Right to Erasure (Art. 17)
"Right to be forgotten" — request deletion of your data, subject to legal retention requirements.
Right to Data Portability (Art. 20)
Receive your data in a machine-readable format (JSON/CSV).
Right to Restriction (Art. 18)
Request that we limit processing of your data.
Right to Object (Art. 21)
Object to processing based on legitimate interest.
Right to Withdraw Consent
For analytics cookies, withdraw consent at any time via Cookie Preferences.
Right to Lodge a Complaint
You may lodge a complaint with the Italian supervisory authority: Garante per la protezione dei dati personali (garanteprivacy.it). UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk. You may also contact the supervisory authority in your country of habitual residence.
California Residents — CCPA / CPRA Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know
Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, or share about you.
Right to Delete
Request deletion of your personal information, subject to certain legal exceptions.
Right to Correct
Request correction of inaccurate personal information we hold about you.
Right to Opt-Out of Sale or Sharing
We do not sell or share your personal information for cross-context behavioral advertising. No opt-out action is required — this is our default practice.
Right to Limit Sensitive Data Use
We do not collect or use sensitive personal information for purposes that require opt-out under CPRA.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Global Privacy Control (GPC)
We honor the GPC browser signal as required by California CPRA (A.B. 1355). If your browser sends a GPC signal (navigator.globalPrivacyControl = true), we automatically deny analytics data collection — no banner interaction required.
To exercise any CCPA/CPRA right, contact us at hello@upslang.com. We will respond within 45 days (extendable by a further 45 days with notice).
UK Residents — UK GDPR
If you are based in the United Kingdom, the UK GDPR (as retained in UK law following Brexit) grants you the same rights as those listed under EU GDPR above. You may also lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
ico.org.uk — 0303 123 1113
10. AI-Powered Evaluations
When you submit a Writing or Reading & Use of English (R.U.E.) simulation, your responses are processed by Google Gemini AI via our secure backend (Firebase Cloud Functions). Your text is never sent directly from your browser to the AI API. Listening evaluations are computed locally on our servers using a deterministic algorithm and do not involve any AI model.
AI evaluations are educational tools only. They are not official Cambridge Assessment scores and carry no legal effect. No automated decision-making with legal or significant individual effects (within the meaning of GDPR Art. 22) takes place on our platform.
Under our API agreement with Google, your submitted texts are not used to train or improve Google's AI models. See Google's Generative AI Terms of Service for details.
Upslang does not carry out automated profiling within the meaning of GDPR Art. 22 that produces legal or similarly significant effects on you. AI scores are educational indicators only and do not determine access to other services or products.
11. Children's Privacy
Upslang is intended for users aged 16 and older globally, in line with the GDPR minimum age for digital consent (Art. 8). We do not knowingly collect personal data from anyone under 16.
This minimum age of 16 also ensures full compliance with the U.S. Children's Online Privacy Protection Act (COPPA), which prohibits the collection of personal information from children under 13 without verifiable parental consent. Our minimum age of 16 exceeds COPPA's threshold globally.
If you believe a child under 16 has provided us with personal data, contact us at hello@upslang.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. If changes are material, we will notify you by email or via a prominent notice on the platform at least 30 days before the changes take effect. Continued use of Upslang after that date constitutes acceptance of the updated policy.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Art. 34.
13. Contact Us
For any questions, requests, or concerns about this Privacy Policy or your personal data: