Privacy Policy for Your Online Course

Online course creators collect sensitive student data from the moment someone visits your sales page through enrollment, lesson completion, quizzes, and certificate issuance. Under GDPR, CCPA, and potentially FERPA, you are legally required to disclose how you collect, use, store, and protect this data. Whether you sell courses on Teachable, Thinkific, Kajabi, Podia, Udemy, or your own platform, a privacy policy is not optional — it is a legal necessity.

Generate Your Online Course Privacy Policy in 2 Minutes

PolicyForge creates customized privacy policies for online course creators. Covers student enrollment data, payment processing, learning management systems, email marketing, and full GDPR/CCPA compliance — all for $4.99 instead of $500+ for a lawyer.

Why Online Course Creators Need a Privacy Policy

If you sell online courses, you are collecting personal data at every stage of the student journey. When a potential student visits your sales page, analytics tools record their IP address, browser type, device, and browsing behavior. When they sign up for a free lead magnet or webinar, you collect their name and email. When they enroll in a paid course, you process their payment information. During the course, you track lesson completion, quiz scores, assignment submissions, and discussion forum posts. Every one of these data points is regulated under modern privacy law.

The GDPR applies to your online courses if even one student is in the European Union, regardless of where you are based. The CCPA applies if you have California students and meet revenue or data-volume thresholds. If your course involves students under 13, COPPA applies. If you are affiliated with an educational institution in the US, FERPA may apply to student records. The regulatory landscape for online education is complex and overlapping.

Beyond legal requirements, major course platforms require sellers to have privacy policies. Teachable, Thinkific, and Kajabi all require creators to comply with applicable data protection laws. Payment processors like Stripe and PayPal require a visible privacy policy. Email marketing platforms like ConvertKit, Mailchimp, and ActiveCampaign require consent documentation. Without a privacy policy, you risk losing access to the tools your business depends on.

GDPR fines can reach €20 million or 4% of global annual revenue. CCPA violations carry penalties of $2,500 per unintentional violation and $7,500 per intentional violation. Even individual course creators have received compliance notices. A proper privacy policy costs a fraction of even a single fine.

What Data Do Online Courses Collect?

Most course creators underestimate the volume and sensitivity of data they collect. It extends far beyond the enrollment form.

Student Identity & Account Data

Collected at enrollment and account creation.

  • Full name, email address, and profile photo
  • Username and password (hashed)
  • Billing address and country of residence
  • Phone number (if collected for SMS notifications)
  • Professional background or bio (if profile fields exist)
  • Date of birth or age (if age verification is required)

Learning & Progress Data

Tracked automatically by the LMS platform.

  • Course enrollment dates and completion status
  • Lesson views, time spent on each lesson, and video watch percentage
  • Quiz and assessment scores, attempts, and answers
  • Assignment submissions (text, files, video recordings)
  • Discussion forum posts and comments
  • Certificate issuance records
  • Course ratings and reviews

Payment & Transaction Data

Processed through the platform or external payment gateways.

  • Credit/debit card details (tokenized by payment processor)
  • PayPal, Apple Pay, or Google Pay identifiers
  • Transaction amounts, dates, and currency
  • Subscription status and renewal dates (for membership sites)
  • Refund and dispute records
  • Coupon and discount code usage

Marketing & Analytics Data

Collected through marketing funnels and analytics tools.

  • Email opt-in status and consent records
  • Webinar registration and attendance data
  • Lead magnet download history
  • Email open rates, click-throughs, and engagement
  • Facebook Pixel, Google Ads, and TikTok tracking data
  • UTM parameters and referral sources
  • Sales page visit history and funnel progression

Platform-Specific Privacy Requirements

Each course platform handles data differently. Your privacy policy must reflect the specific platform you use.

Teachable

Teachable acts as your data processor. They store student data on AWS servers (primarily US). Teachable collects student browsing behavior, quiz responses, and video watch data on your behalf. You need your own privacy policy as the data controller. Teachable provides a DPA for GDPR compliance. You must disclose Teachable as a processor and explain what data they access.

Thinkific

Thinkific processes student data on your behalf and provides GDPR-compliant data processing agreements. Thinkific stores data in Canada and the US. Their platform tracks course progress, quiz scores, and certificate completion. As the site owner, you must have your own privacy policy that discloses Thinkific's role and your specific data practices.

Kajabi

Kajabi is an all-in-one platform that handles courses, email marketing, sales funnels, and community features. This means Kajabi processes an unusually broad set of student data: course progress, email engagement, purchase history, community posts, and pipeline stage. Your privacy policy must cover all of these data categories.

Udemy / Skillshare / Coursera

If you sell on marketplace platforms, the platform is the primary data controller for student data. However, if you also collect student emails for your own list, run your own website, or use external marketing tools, you need your own privacy policy for that data. Many Udemy instructors have separate websites that require their own privacy policy.

GDPR Requirements for Online Course Creators

If any of your students are in the EU, GDPR applies to your online course business. Here are the specific requirements:

Lawful Basis for Processing Student Data

  • Contract: processing enrollment, delivering course content, issuing certificates
  • Consent: email marketing, newsletter subscriptions, webinar follow-ups
  • Legitimate interest: course analytics, fraud prevention, improving course content

Student Rights You Must Support

  • Right to access all personal data you hold about them
  • Right to rectify inaccurate data (e.g., correct their name or email)
  • Right to erasure (delete their account and course data)
  • Right to restrict processing (pause marketing while keeping enrollment)
  • Right to data portability (export their data in a common format)
  • Right to object to processing based on legitimate interest
  • Right to withdraw consent for marketing at any time

Note: when a student requests data deletion, you must delete their data from your course platform, your email marketing tool, your analytics, and any other system that stores their information. A deletion request to one system must propagate to all systems.

Common Third-Party Services in Online Course Businesses

Your privacy policy must disclose every third-party service that processes student data. Online course businesses typically use more third-party tools than they realize:

ConvertKit / Mailchimp / ActiveCampaign

Email marketing: stores student emails, names, tags, sequences, and engagement data.

Stripe / PayPal

Payment processing: handles credit card data, transaction records, and refund processing.

Zoom / Vimeo / Wistia

Video hosting/live sessions: collects viewer data, watch duration, IP addresses, and attendance records.

Google Analytics / Hotjar

Analytics: tracks page views, session behavior, demographics, and conversion funnels.

Meta Pixel / Google Ads

Advertising: tracks conversions, builds retargeting audiences, and creates lookalike audiences from student data.

Slack / Circle / Discord

Community platforms: stores student messages, profiles, files shared, and engagement history.

PolicyForge vs. Generic Templates

Feature                         | Free Templates     | PolicyForge
Cost                            | Free (but generic) | $4.99 - $12.99
Online course-specific          | No                 | Yes
LMS platform coverage           | No                 | Teachable, Thinkific, Kajabi
Third-party service disclosures | Generic list       | Specific to your tools
GDPR + CCPA compliance          | Partial            | Full compliance
Student data rights section     | Rarely included    | Included
Updates when services change    | Start over         | Regenerate instantly

Create Your Online Course Privacy Policy Now

PolicyForge generates customized privacy policies for online course creators. Covers student data, payment processing, LMS platforms, email marketing tools, and full GDPR/CCPA compliance. Done in under 2 minutes for $4.99 — not $500.

Frequently Asked Questions

Do I need a privacy policy if I only sell on Teachable or Udemy?

If you only sell on a marketplace like Udemy, the platform's privacy policy covers most student data. However, if you also collect emails (lead magnets, webinar signups), have your own website, run ads, or use external analytics, you need your own privacy policy for that data. Most course creators use multiple tools beyond the platform itself.

Does FERPA apply to my online courses?

FERPA (Family Educational Rights and Privacy Act) applies to educational institutions that receive federal funding. Independent course creators typically are not subject to FERPA. However, if your course is offered through or accredited by a US educational institution, FERPA may apply to student records. When in doubt, include FERPA-aligned protections in your privacy policy as a best practice.

Can I use student quiz scores and progress data for marketing?

Under GDPR, using learning data for marketing requires explicit consent separate from course enrollment. The data was collected for educational purposes (contractual basis) and repurposing it for marketing is a different purpose. You must obtain separate consent or rely on legitimate interest with an opt-out mechanism. Your privacy policy must clearly state this practice.

What if a student requests deletion of their course data?

Under GDPR's right to erasure, you must delete a student's personal data upon request unless you have a legitimate reason to retain it (e.g., financial records required by tax law). You may need to retain transaction records for accounting purposes but must delete profile data, progress data, and marketing data. Your privacy policy should explain your data retention periods.

Do I need a cookie consent banner on my course website?

If you serve EU students and use analytics cookies (Google Analytics), advertising cookies (Meta Pixel), or any non-essential cookies, you need a cookie consent banner under the ePrivacy Directive. Most course creators use multiple tracking tools, making a cookie policy and consent banner mandatory for EU compliance.


Part of the Autonomous Claude experiment