Privacy Policy for Teachable: What Course Creators Must Disclose

Teachable makes it easy to create and sell online courses, but the platform's privacy policy only covers Teachable as a company. It does not address how you, as an individual course creator, handle the student data you receive through every enrollment. Every time someone signs up for your course, you receive their email address, name, and enrollment details. What you do with that data is your responsibility to disclose.

Online courses create unique privacy considerations that many other digital products do not. Course completion tracking, quiz scores, assignment submissions, coaching session recordings, and student discussion forum posts all constitute personal data processing. If you sell courses, coaching programs, or membership content on Teachable, the data trail extends well beyond the initial enrollment.

Teachable also provides built-in email marketing tools that let you send updates and promotional content to enrolled students. Using these features means you are actively processing student data for marketing purposes, which requires explicit disclosure in a privacy policy. Under GDPR, marketing emails require a lawful basis (typically consent), and your privacy policy must explain this. The consequences of operating without proper disclosures can be significant. Learn more about what happens without a privacy policy.

As a Teachable course creator, you have access to more student data than you might expect. Understanding each data type is the first step toward building an accurate privacy policy.

The key distinction for Teachable creators is that online courses create an ongoing data relationship. Unlike a one-time purchase where the transaction ends at delivery, courses involve continuous progress tracking, repeated logins, quiz submissions, discussion posts, and potentially coaching interactions over weeks or months. Each of these touchpoints generates data that must be disclosed.

If you use Teachable's custom fields or forms to collect additional information (company name, learning goals, or professional background), you have full data controller responsibility for that data. Your privacy policy must explain what custom data you collect and why. For broader guidance on SaaS privacy policies, see our dedicated guide.

Teachable offers two payment options: Teachable Payments (powered by Stripe) and PayPal. When a student enters their credit card or PayPal information, that data goes directly to the payment processor. You, as the course creator, never see or have access to full payment card numbers, CVVs, or banking details. What you do receive is payment confirmation data: the amount paid, the student's email, the transaction ID, and the enrollment date.

Your privacy policy should clearly state that payment processing is handled by Teachable and its payment partners (Stripe and PayPal), that you do not store full payment card information, and that students should refer to Teachable's, Stripe's, and PayPal's privacy policies for details about how their payment data is processed. This transparency builds student trust and satisfies the disclosure requirements under both GDPR and CCPA.

If you offer subscription-based courses or payment plans on Teachable, recurring billing is also handled by the payment processors. However, you should disclose in your privacy policy that students who subscribe will have their payment information stored by Teachable's payment processor for recurring charges, and explain how students can cancel their subscriptions or payment plans.

One of the most significant privacy considerations for Teachable creators is course progress data. Teachable automatically tracks which lessons each student has completed, how far through the course they are, quiz and assessment scores, assignment submissions, and certificate issuance. All of this data is visible in your Teachable admin dashboard and constitutes personal data processing.

Under GDPR, processing student performance data requires a lawful basis. For course delivery and progress tracking, your lawful basis is typically contractual necessity (the student enrolled in a course that includes progress tracking and assessments). However, if you use course completion data for other purposes, such as marketing case studies, testimonials, or aggregate analytics shared publicly, you may need a different lawful basis such as legitimate interest or consent.

Your privacy policy should clearly explain what student performance data you collect, how you use it, how long you retain it after a student completes or leaves a course, and what happens to their data if they request deletion. If you issue completion certificates, note that certificate records are also personal data that must be accounted for in your retention policy.

Teachable provides built-in email tools that let you send course updates, announcements, and promotional content to enrolled students. Every student who enrolls in your course is automatically added to your Teachable student list, and you can send them emails directly through the platform. This is one of the most important features to address in your privacy policy.

Under GDPR, sending marketing emails requires a lawful basis. For transactional emails (enrollment confirmations, course access details, important course updates), your lawful basis is contractual necessity. For promotional emails (new course launches, discounts, cross-sells to other courses), you typically need consent as your lawful basis. Your privacy policy should differentiate between these two types of communication and explain the legal basis for each.

If you also use external email marketing tools like ConvertKit, Mailchimp, or ActiveCampaign alongside Teachable's built-in features, your privacy policy must disclose each platform that receives student email addresses. Many Teachable creators connect their schools to external tools via Zapier or direct integrations, which means student data flows to additional third parties that students should know about. Creators on platforms like Substack face similar email list disclosure requirements.

Teachable supports coaching products where students can book one-on-one sessions with you. When a student books a coaching session, additional personal data is collected: scheduling preferences, session topics, and any information the student shares during intake forms. If you record coaching sessions using tools like Zoom or Google Meet, the recordings contain personal data that must be addressed in your privacy policy.

From a privacy perspective, coaching sessions create several data processing activities that must be disclosed. Session recordings capture the student's voice, image (if video), and any personal information discussed during the call. Session notes taken by you or the student become part of the data you process. Third-party scheduling tools (like Calendly) that you integrate with Teachable also receive student data.

Your privacy policy should explain whether you record coaching sessions, where recordings are stored, how long you retain them, and whether students can request deletion of their session recordings. If you use third-party tools for scheduling or video calls, each of those services should be listed as a data processor in your policy. This level of transparency is especially important for small business privacy policies.

Teachable and you are separate data controllers under privacy law. Teachable handles platform-level data processing (hosting infrastructure, payment processing through Stripe and PayPal, platform analytics), while you are responsible for how you use student data once you receive it. Neither party's privacy policy covers the other's practices.

This shared responsibility model is common across online course platforms. Similar to how Gumroad sellers and Patreon creators need their own policies, Teachable course creators must independently disclose their data practices to students.

The practical impact is straightforward: you need your own privacy policy that covers everything you do with student data after Teachable delivers it to you. Teachable's policy covers the enrollment and payment infrastructure. Your policy covers your email marketing, course progress usage, coaching sessions, customer support interactions, and any third-party tools you connect to your Teachable school.

Teachable allows creators to set up affiliate programs where third parties earn commissions for referring students to your courses. When a student arrives through an affiliate link, Teachable tracks the referral using cookies and URL parameters. This tracking data connects the student's enrollment to the specific affiliate who referred them.

Your privacy policy must disclose that affiliate tracking occurs, what data is collected through affiliate links (referral URL, affiliate ID, enrollment amount), and that this data is shared with the referring affiliate for commission calculation. Students have a right to know that their enrollment may be linked to a third-party affiliate and what information that affiliate receives.

Under GDPR, affiliate tracking cookies require consent before being placed on a student's device. While Teachable manages the cookie placement as part of its platform, your privacy policy should still reference the use of affiliate tracking cookies and link to Teachable's cookie policy for technical details. This ensures full transparency with your students about all tracking that occurs in connection with your courses.

These five privacy mistakes are common among Teachable creators and can lead to GDPR violations, student complaints, or loss of trust.

Creating a privacy policy for your Teachable school is straightforward. Follow these six steps to create a policy that covers your student data handling, course progress tracking, and email marketing practices.

The process should take about 20 to 30 minutes total. The policy generation itself takes under 60 seconds once you have your data practices documented. Use a GDPR privacy policy template as a starting reference if you have EU students.