
Privacy Policy for Online Courses and Membership Sites: A Complete Guide for 2026

Online course creators and membership site owners handle sensitive student data — from learning progress to payment information. Your privacy policy must reflect the unique ways educational platforms collect, process, and protect this information while complying with GDPR, CCPA, and COPPA.

Whether you’re running a self-paced online course, a live cohort-based program, or a recurring membership community, you’re collecting personal data from your students that goes far beyond basic contact information. You’re tracking their learning progress, monitoring their engagement, storing their course content, and processing their payments over weeks, months, or years.

Unlike a simple blog or e-commerce site, educational platforms create an ongoing relationship with users that demands a privacy policy specifically designed for how course platforms operate. This guide walks you through everything your privacy policy needs to cover, the platform-specific considerations you can’t ignore, and how to protect your students’ data properly.

Why Online Course Creators Need Specialised Privacy Policies

A generic website privacy policy template simply doesn’t account for the realities of running an online course or membership site. Here’s what makes educational platforms different:

  • Long-term data relationships: Students enrol in your courses and remain active for months or years, creating persistent data profiles that evolve over time
  • Learning analytics and tracking: You monitor which lessons students complete, how long they spend on each video, which resources they download, and where they struggle
  • Community and interaction data: Discussion forums, comments, direct messages, and peer-to-peer interactions generate user-generated content that you host and moderate
  • Progress and assessment data: Quiz results, assignment submissions, certification records, and completion percentages are sensitive educational records
  • Recurring payments and subscriptions: Membership sites process ongoing payments, requiring you to store billing information indefinitely
  • Age-sensitive audiences: If you teach minors (under 13 in the US, under 16 in the EU), you face strict requirements under COPPA and GDPR
  • Third-party platform dependencies: Most course creators use Teachable, Thinkific, Kajabi, or similar platforms that introduce their own data processing layers

Your privacy policy needs to address all of these specific data practices. Generic templates either omit these details entirely or provide vague statements that don’t satisfy regulators or reassure students.

What Data Online Courses and Membership Sites Collect

Understanding exactly what data you collect is the foundation of an accurate privacy policy. Online course platforms typically gather data across six categories:

Student Account and Identity Information

This is the basic information students provide when they create an account:

  • Full name, email address, and password
  • Display name and profile photo
  • Country, timezone, and language preferences
  • Date of birth (if required for age verification)
  • Professional information (job title, company, industry) for professional development courses
  • Social media profiles if they sign in via OAuth

Learning Progress and Activity Data

This is where educational platforms differ most dramatically from standard websites. You’re not just tracking page views — you’re monitoring educational progress:

  • Lesson and module completion status
  • Video watch duration and playback position (so students can resume where they left off)
  • Quiz scores, assessment results, and assignment submissions
  • Time spent on each lesson or activity
  • Download history for course resources and materials
  • Course completion rates and certification achievements
  • Learning path selections and course enrolment history
  • Abandoned lessons or modules (where students stopped progressing)

Community and Communication Data

Many course platforms include community features that generate additional personal data:

  • Forum posts, comments, and discussion threads
  • Direct messages between students or between students and instructors
  • Live session attendance and participation records
  • Peer review feedback and collaborative project contributions
  • Customer support tickets and help requests

Payment and Subscription Data

  • Payment method details (usually tokenised via Stripe, PayPal, or your platform’s payment processor)
  • Billing address and VAT/tax identification numbers
  • Purchase history, invoice records, and refund requests
  • Subscription tier, membership level, and plan changes
  • Coupon codes and discount redemptions
  • Affiliate referral data (if you run an affiliate program)

Marketing and Engagement Data

  • Email open rates and click-through rates for course announcements
  • Landing page visits before enrolment
  • Free preview video viewing and lead magnet downloads
  • Webinar registration and attendance
  • Survey responses and feedback forms

Technical and Device Data

  • IP addresses and approximate geolocation
  • Browser type, operating system, and device information (important for video playback compatibility)
  • Cookies, local storage, and session identifiers
  • Referral source and UTM parameters (how they found your course)

Your privacy policy must explicitly list each category of data you collect, explain why you collect it, and identify the legal basis for processing it under GDPR and similar regulations.

Platform-Specific Privacy Considerations

Most course creators don’t build their own learning management systems from scratch — they use third-party platforms like Teachable, Thinkific, Kajabi, Podia, or WordPress with LearnDash. Each platform introduces its own data handling practices that your privacy policy must address.

Teachable

Teachable hosts your course content, processes student payments, and tracks learning progress. Your privacy policy should:

  • Disclose that Teachable acts as a data processor on your behalf
  • Link to Teachable’s privacy policy and Data Processing Agreement
  • Explain that student data is stored on Teachable’s infrastructure (hosted on AWS in the US)
  • Clarify your responsibilities as the data controller versus Teachable’s role as processor

Thinkific

Similar to Teachable, Thinkific provides the infrastructure for your courses. Key disclosures include:

  • Thinkific’s role as a sub-processor
  • Data hosting in Canada (Thinkific’s primary data centre location)
  • Integration with Thinkific’s payment processor and any third-party apps you’ve connected
  • How students can exercise their data rights through your Thinkific-hosted platform

Kajabi

Kajabi is an all-in-one platform that handles courses, memberships, email marketing, and sales funnels. Your privacy policy needs to account for:

  • Kajabi’s integrated email marketing (students’ email engagement is tracked)
  • Sales funnel and landing page data collection
  • Kajabi’s built-in analytics and reporting
  • Any additional Kajabi apps or integrations you use

Podia

Podia focuses on digital products, courses, and memberships with a simplified interface:

  • Podia’s payment processing (Stripe and PayPal integration)
  • Email marketing features built into the platform
  • Digital download tracking for course resources
  • Membership drip content scheduling data

WordPress with LearnDash, LifterLMS, or Tutor LMS

If you self-host your courses on WordPress, you have more control over data but also more responsibility:

  • Your web hosting provider’s data handling practices
  • Each WordPress plugin you use for courses, payments, email, and analytics
  • Whether student data is stored in your WordPress database or on external services
  • Your backup and security practices

The self-hosted approach means you can’t defer responsibility to a platform provider — you’re the data controller and processor, which requires more detailed privacy policy disclosures.

Student Data Protection: Special Considerations for Younger Learners

If your courses are accessible to children under 13 (in the US) or under 16 (in most EU countries), you face significantly stricter requirements under COPPA (Children’s Online Privacy Protection Act) and GDPR.

COPPA Requirements (US)

COPPA applies if your course or membership site is directed at children under 13, or if you knowingly collect data from children under 13. Requirements include:

  • Verifiable parental consent: You must obtain consent from a parent or guardian before collecting data from a child
  • Clear privacy notice to parents: Explain what data you collect, how you use it, and whether you share it with third parties
  • Parental access rights: Parents must be able to review, delete, or stop further collection of their child’s data
  • Data minimisation: Collect only the data necessary for the child to participate in your course
  • Reasonable security: Implement appropriate safeguards to protect children’s data

Many course creators choose to restrict enrolment to users aged 13 and older to avoid COPPA compliance. If that’s your approach, state it clearly in your privacy policy and terms of service.

GDPR Requirements for Minors (EU)

Under GDPR, if you offer services to children in the EU (defined as under 16, though member states can set it as low as 13), you must:

  • Obtain parental consent for processing personal data
  • Make your privacy information particularly clear and easy to understand for younger audiences
  • Implement age verification mechanisms
  • Take extra care to protect children from data processing risks

If you market courses to families or offer educational content suitable for children, work with a lawyer to ensure your parental consent mechanisms meet COPPA and GDPR standards. A standard privacy policy template won’t suffice.

GDPR Compliance for Course Creators

If you have students in the EU or UK, GDPR applies to you regardless of where you’re based. Here’s what your privacy policy must address:

Lawful Basis for Processing

For each type of data you collect, you need a lawful basis. Common bases for course platforms include:

  • Contract: Processing is necessary to provide the course the student purchased (account creation, course delivery, progress tracking)
  • Legitimate interests: You have a legitimate business interest in preventing fraud, improving your courses, or maintaining platform security
  • Consent: For marketing emails, optional analytics cookies, or data processing beyond what’s strictly necessary for course delivery
  • Legal obligation: For tax records, anti-money laundering checks, or responding to legal requests

Your privacy policy should specify which legal basis applies to each data processing activity.

Data Subject Rights

EU students have the right to:

  • Access: Request a copy of all their personal data, including learning progress, forum posts, and payment history
  • Rectification: Correct inaccurate information in their profile or records
  • Erasure: Request deletion of their data (with exceptions for legal obligations like tax records)
  • Portability: Receive their course progress data in a machine-readable format to transfer to another platform
  • Restriction: Limit how you process their data
  • Objection: Object to processing based on legitimate interests (like marketing analytics)

Your privacy policy must explain how students can exercise these rights — whether through their account settings, a dedicated email address, or a web form. You have one month to respond to data subject requests under GDPR.

Data Retention

Be specific about how long you keep different types of data:

  • Active student account data: Retained while the account is active
  • Course completion records: Often retained permanently for certification verification
  • Payment records: Typically 7 years for tax compliance
  • Marketing data: Until the student unsubscribes or objects
  • Inactive account data: Specify how long before you delete accounts that haven’t logged in

CCPA Compliance for California Students

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), give California residents specific rights over their personal information. If you have students in California, your privacy policy must:

  • Disclose data collection: List the categories of personal information you collect and the business purposes for each
  • Disclose data sharing: Identify which third parties receive student data and for what purposes
  • Provide opt-out mechanisms: If you sell or share personal information, provide a clear way to opt out (note: selling course data is rare and generally discouraged)
  • Enable deletion requests: Allow California students to request deletion of their data
  • Offer correction rights: Let students correct inaccurate personal information
  • Prohibit discrimination: You cannot charge different prices or provide different service levels to students who exercise their CCPA rights

Your privacy policy should include a dedicated section for California residents or clearly label which provisions apply to them.

Essential Privacy Policy Clauses for Course Platforms

Beyond the standard privacy policy sections, online courses and membership sites need several specific clauses that generic templates don’t include.

Video and Content Tracking

Explain that you track video viewing behaviour to save students’ progress and help them resume where they left off. If you use video hosting platforms like Vimeo, Wistia, or YouTube, disclose that these services may set their own tracking cookies and collect viewing analytics.

Quiz and Assessment Data

Clarify how quiz results and assessment submissions are stored, whether they’re used to generate completion certificates, and how long you retain this data. If students can retake quizzes, explain whether you keep previous attempts or only the highest score.

Community Features and User-Generated Content

If your course includes forums, comments, or discussion boards, explain:

  • That posts and comments may be visible to other students
  • Whether you moderate or review user-generated content
  • How students can edit or delete their posts
  • Whether deleted forum content is permanently removed or archived
  • What happens to a student’s community contributions if they delete their account

Third-Party Integrations

Course platforms often integrate with numerous third-party tools. Your privacy policy should list or categorise them:

  • Payment processors: Stripe, PayPal, or your platform’s native processor
  • Email service providers: ConvertKit, Mailchimp, or built-in platform email
  • Video hosting: Vimeo, Wistia, YouTube
  • Analytics: Google Analytics, Mixpanel, or platform-native analytics
  • Community tools: Circle, Discourse, or Slack integrations
  • Webinar platforms: Zoom, Demio, or WebinarJam
  • Customer support: Intercom, Help Scout, or live chat tools

For each category, explain what data these services receive and link to their privacy policies.

Refunds and Data Deletion

Address what happens to student data after a refund:

  • Whether course access is immediately revoked
  • How long you retain their account data after a refund
  • Whether learning progress is deleted or anonymised

Membership Cancellation

For recurring membership sites, explain:

  • What data is retained after cancellation
  • How long cancelled members can still access content
  • Whether they can re-subscribe and regain access to their previous progress
  • The process for permanently deleting their account versus simply cancelling

Certificates and Proof of Completion

If you issue course completion certificates, clarify:

  • How long you retain completion records
  • Whether you maintain a permanent record for verification purposes
  • What happens to certification records if a student requests data deletion (typically these are retained for legal and verification purposes)

International Data Transfers for Course Platforms

Online courses are global by nature. Students enrol from dozens of countries, which means their data crosses international borders. Your privacy policy must address:

  • Where data is hosted: Disclose the physical location of your servers or your platform provider’s data centres
  • Cross-border transfers: If EU student data is processed outside the EEA, explain the legal mechanism (Standard Contractual Clauses, adequacy decisions, etc.)
  • Platform provider locations: Teachable and most platforms host data in the US, which requires specific GDPR transfer safeguards
  • Payment processor locations: Stripe processes data globally but stores it primarily in the US

For EU compliance, ensure your course platform provider has signed Standard Contractual Clauses or offers a Data Processing Agreement that addresses international transfers.

Security Measures for Student Data

Your privacy policy should reassure students that their data is protected. Describe your security practices, such as:

  • Encryption: All data transmitted via HTTPS/TLS
  • Payment security: PCI-compliant payment processing (typically handled by Stripe or PayPal)
  • Access controls: Who on your team can access student data and under what circumstances
  • Data backups: How frequently you back up course data and where backups are stored
  • Breach notification: Your process for notifying students if a data breach occurs (GDPR requires you to notify the supervisory authority within 72 hours of becoming aware of a breach, and affected students without undue delay where the breach is likely to put them at high risk)

If you use a third-party platform, you can reference their security certifications (e.g., “Our platform provider maintains SOC 2 Type II compliance and undergoes annual security audits”).

Creating Your Course Privacy Policy with LegalForge

Writing a privacy policy that covers all of these course-specific requirements, platform integrations, student data types, and compliance obligations is a significant undertaking. Generic templates miss the nuances of how learning platforms actually work, and hiring a lawyer to draft a custom policy can cost hundreds or thousands of pounds.

LegalForge was built specifically for digital businesses like online courses and membership sites. Rather than giving you a one-size-fits-all template, LegalForge asks you targeted questions about your course platform, the data you collect, the integrations you use, and whether you serve younger learners. In under 60 seconds, it generates a comprehensive, tailored privacy policy that covers everything discussed in this article.

Your generated policy includes platform-specific disclosures for Teachable, Thinkific, Kajabi, or self-hosted WordPress courses. It addresses GDPR, CCPA, and COPPA requirements. It covers video tracking, quiz data, community features, third-party integrations, and international data transfers. It’s written in plain English that students can actually understand, and it’s ready to publish on your course website immediately.

For £19 as a one-time payment — no subscription, no recurring fees — you get a privacy policy that would otherwise take hours to research and draft or cost hundreds in legal fees. It’s the fastest, most affordable way to ensure your online course or membership site is legally compliant and trustworthy to your students.
