Quick Answer: What a Kajabi Privacy Policy Must Cover
- Student account data: Name, email, password, profile information
- Course progress: Lessons completed, quiz scores, certificates issued
- Payment data: Processed by Stripe; what billing data is retained
- Email marketing: Which platform (Kajabi's built-in, ActiveCampaign, Mailchimp) and what data is used
- Analytics: How student behavior is tracked within the course platform
- GDPR: Legal basis for processing EU student data and how to exercise rights
What Kajabi Collects About Your Students (and Shares with You)
Kajabi is an all-in-one platform that handles course delivery, payments, email marketing, landing pages, and community features. When students interact with your Kajabi site, substantial data is collected - and much of it is made available to you as the creator.
As a Kajabi creator, you are the data controller for your students' data. Kajabi acts as your data processor. This means you are legally responsible for that data under privacy laws, and Kajabi's own privacy policy does not fulfill your obligations to your students.
Data You Have Access to in Your Kajabi Dashboard
| Data Type | What It Includes | Must Disclose? |
|---|---|---|
| Account information | Name, email, password (hashed), profile photo | Yes |
| Purchase history | Products purchased, amounts, purchase dates, refund status | Yes |
| Course progress | Lessons viewed, completion percentage, quiz scores, last login | Yes |
| Engagement data | Email open rates, click rates, login frequency | Yes |
| Assessment submissions | Quiz answers, assignment submissions, feedback responses | Yes |
| Community activity | Posts, comments, likes, direct messages (if Community feature is used) | Yes |
| Device and access data | IP address, device type, browser, geographic location | Yes |
Did you know?
Kajabi's analytics dashboard shows you exactly which students have logged in recently, which lessons they have completed, and even their email engagement rates. This granular behavioral data is "personal data" under GDPR and must be disclosed in your privacy policy. Many creators are surprised to learn the extent of what Kajabi tracks and surfaces.
Kajabi vs. Creator: Who Is Responsible for What
Understanding the data controller vs. data processor distinction is essential for writing an accurate privacy policy and understanding your legal obligations.
| Responsibility | Kajabi (Data Processor) | You as Creator (Data Controller) |
|---|---|---|
| Platform security | Kajabi is responsible | You must mention it in policy |
| Privacy policy for your site | Not Kajabi's responsibility | Your responsibility entirely |
| Responding to data access requests | Kajabi can assist on request | You must handle these requests |
| Consent for marketing emails | Not Kajabi's responsibility | You must obtain and manage consent |
| GDPR compliance for EU students | Kajabi provides GDPR tools | You are the data controller |
Kajabi provides a Data Processing Agreement (DPA) for creators who need to demonstrate GDPR compliance. Under GDPR Article 28, you are required to have a DPA in place with all data processors, including Kajabi. You can sign Kajabi's DPA in your account settings under Legal.
Payment Data and Stripe Integration
Kajabi processes payments through Stripe. When a student purchases a course, their card details are handled directly by Stripe - neither Kajabi nor you as the creator ever have access to raw card numbers. This is an important distinction that your privacy policy should clarify to build student trust.
However, Stripe does pass billing data back to Kajabi: the purchaser's name, email address, billing address, and transaction amount are stored in your Kajabi dashboard. If students purchase via PayPal (if you have enabled it), PayPal similarly processes the payment but shares the transaction details.
What to Include in Your Kajabi Policy About Payments
- That payments are processed by Stripe (and PayPal if enabled), not by you directly
- That Stripe is PCI DSS compliant and handles card security
- What billing information you retain (name, email, billing address, transaction history)
- How long you retain purchase records (for tax and accounting purposes, typically 7 years)
- Your refund policy and how refund requests affect data retention
- Whether you use subscription billing and how recurring payment data is handled
Did you know?
If you offer payment plans on Kajabi, Stripe stores the customer's payment method for recurring charges. Your privacy policy should note that payment method details are stored by Stripe (not you) for the duration of any installment plan or subscription. Students have the right to request deletion of their payment methods in the Stripe system once their obligations are complete.
Email Marketing to Students
Email is the primary communication channel for Kajabi creators. Kajabi has a built-in email system, but many creators also integrate ConvertKit, ActiveCampaign, Drip, or Mailchimp. Each integration creates additional data sharing that must be disclosed.
Types of Emails You Send and Their Legal Basis
| Email Type | Example | GDPR Basis | US Law |
|---|---|---|---|
| Transactional | Purchase receipt, course access link | Contract performance | Permitted |
| Course onboarding | Welcome sequence, lesson reminders | Contract performance | Permitted |
| Promotional | New course launch, discount offer | Requires explicit consent (EU) | CAN-SPAM: unsubscribe required |
| Re-engagement | Win-back campaigns for inactive students | Requires explicit consent (EU) | CAN-SPAM: unsubscribe required |
Your privacy policy must clearly state what types of emails students will receive after purchasing, how they can manage their email preferences, and how to unsubscribe from marketing communications without affecting their course access.
Membership Access and Course Progress Data
Kajabi tracks detailed student engagement data that goes beyond simple enrollment. This includes lesson completion, video watch time, quiz performance, community post activity, and login frequency. Creators use this data to improve course completion rates and to follow up with disengaged students.
Under GDPR, course progress data constitutes personal data because it can be linked to an identified individual. Your privacy policy must disclose that you collect and analyze engagement data, the purposes for which you use it (improving course delivery, student outreach, course completion optimization), and how long you retain it.
If you use course completion data to issue certificates, this is another element that should be disclosed - particularly because certificates often contain the student's full name and may be shared publicly.
Third-Party Integrations and Data Sharing
Kajabi integrates with a wide range of third-party tools. Every integration you activate is a potential data sharing arrangement that must be disclosed in your privacy policy.
| Integration | What Data Is Shared | Purpose |
|---|---|---|
| Google Analytics | Page views, session data, device info | Site analytics and optimization |
| Facebook Pixel | Purchase events, page views, email (hashed) | Retargeting and conversion tracking |
| ConvertKit / ActiveCampaign | Name, email, tags, purchase data | Email marketing automation |
| Zapier | Any data in triggers/actions | Workflow automation between tools |
| Zoom | Name, email, attendance | Live coaching calls and webinars |
| Circle / Slack (community) | Name, email, community activity | Community engagement outside Kajabi |
GDPR for International Students on Kajabi
Many successful Kajabi creators teach students globally, including from the EU and UK. GDPR applies as soon as you have EU or UK students, regardless of where you or your business are located.
Your privacy policy needs to address all of the following for EU/UK student compliance:
- Legal basis for processing student enrollment data: contract performance (course delivery)
- Legal basis for marketing emails: explicit consent (separate from enrollment)
- How students can exercise their rights: access, erasure, portability, objection, and rectification
- Retention periods for each category of student data
- Any international transfers (Kajabi is a US company, so EU student data flows to the US)
- Your contact details or those of your EU representative if applicable
Did you know?
Kajabi is headquartered in California, USA. When EU students enroll in your course, their data flows to Kajabi's US servers. Under GDPR, this is an international data transfer. Kajabi handles this through Standard Contractual Clauses (SCCs), which you can reference in your privacy policy as the transfer mechanism for EU student data.
5 Common Kajabi Privacy Policy Mistakes
Linking to Kajabi's own privacy policy instead of writing your own
Kajabi's privacy policy governs how Kajabi (the company) handles data. It does not substitute for your own privacy policy as a course creator. You need a separate policy that discloses how you specifically collect and use student data.
Not disclosing third-party integrations like Facebook Pixel or ConvertKit
If you install Facebook Pixel on your Kajabi site, student browsing data is sent to Meta. If you sync enrollments to ConvertKit, student names and emails go to ConvertKit. Both must be disclosed in your privacy policy.
Treating course progress data as non-personal operational data
Lesson completion rates, quiz scores, and login activity are personal data because they are linked to identified students. GDPR requires these to be disclosed and subject to the same rights as other personal data.
Adding students to marketing sequences without clear consent for EU students
Automatically enrolling EU students in a promotional email sequence upon course purchase is not valid GDPR consent for marketing. Transactional course emails are fine, but promotional content requires a separate, explicit opt-in.
Not including a clear data deletion process for students who request it
GDPR gives EU students the right to erasure. Your policy must explain how they can request deletion of their account and data. Note that you may retain purchase records for legal and tax purposes even after account deletion, and your policy should explain this exception.
Frequently Asked Questions
Does Kajabi have a privacy policy I can use for my site?
What data does Kajabi give course creators access to?
Do I need GDPR compliance if I have European students?
How does Stripe fit into my Kajabi privacy policy?
Can I use student email addresses to market other products to them?
Generate a Kajabi Privacy Policy in Minutes
Cover student data, Stripe payments, email marketing, course progress tracking, and GDPR compliance for international students in one tailored document.
Generate Your Privacy Policy Free