Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
ThimPress Course Review is a WordPress plugin that adds a star rating and review system to LearnPress courses. Reviews are stored in the site's own WordPress database; no tracking cookies are set by default.
ThimPress Course Review is an add on for the LearnPress learning management system on WordPress, published by ThimPress, a Vietnamese vendor. It lets enrolled students leave a star rating and a written review on each course, and displays the average rating on course pages. The plugin runs entirely on the WordPress site and does not introduce any external tracking script.
The plugin stores the review content, the star rating, the author''s name and email and the timestamp in the WordPress database. By default no marketing or analytics cookies are set. When a logged out visitor leaves a review, WordPress may write the standard comment_author cookies (name, email, website URL) to pre fill the next review form. These functional cookies are usually considered strictly necessary for the requested feature.
Reviewer data is personal data under Article 4(1) GDPR. The most appropriate legal basis is legitimate interests (Article 6(1)(f)): the site operator has a legitimate interest in showing reviews, and the data subject has voluntarily submitted them. If reviews are linked to identified students, you may also rely on the performance of a contract (Article 6(1)(b)). The functional WordPress cookies fall under the strictly necessary exemption of Article 5(3) ePrivacy.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The plugin does not itself send review data to ThimPress. Transfers only arise from the WordPress hosting environment, for instance a US based shared host, a CDN that caches review pages or a backup service outside the EEA. Plugin update and licence checks may connect to ThimPress in Vietnam, which is a third country without an adequacy decision; SCCs are required for that flow.
Inform reviewers in your privacy notice that their name, email and review content will be stored and published. Offer access, rectification and erasure on request and, where appropriate, anonymise old reviews. Map the WordPress host and any CDN or backup providers, sign data processing agreements with them and document the legal basis chosen for reviews in your record of processing.
Websites using ThimPress Course Review must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is rarely required because the plugin processes a limited set of voluntary personal data (name, email, review content, rating). Document the categories of data, retention, the location of the WordPress hosting, any backups and how reviewers can exercise their rights of access, rectification and erasure.
Sample consent text
When you submit a course review, your name, email and the content of your review are stored on this site so we can display the review and contact you if needed. By default your browser may remember your name and email to make future reviews easier; you can clear this at any time.
Third-party domains contacted
thimpress.comapi.thimpress.comlicense.thimpress.comthimpress.comapi.thimpress.comlicense.thimpress.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| comment_author_{HASH} | first_party | 347 days | Standard WordPress cookie that remembers the reviewer's name to pre fill the next review form. Only written when an unauthenticated visitor submits a review with the option enabled. |
| comment_author_email_{HASH} | first_party | 347 days | Standard WordPress cookie that remembers the reviewer's email address for future review forms on the same site. |
| comment_author_url_{HASH} | first_party | 347 days | Standard WordPress cookie that remembers the reviewer's website URL for future review forms on the same site. |
| wordpress_logged_in_* | first_party | session | Standard WordPress authentication cookie used to identify the logged in learner submitting a course review. |
| wp_settings_* | first_party | 1 year | Stores WordPress user interface preferences for the dashboard and review form, scoped to the WordPress user ID. |
| wp_lp_session | first_party | session | LearnPress session cookie used to track the current learner activity while completing or reviewing a course. |
| lp_review_submitted | first_party | 30 days | Marks that the learner has recently submitted a review for a given course, preventing duplicate submissions. |
ThimPress Course Review collects user analytics data — you legally need a consent banner. Try FlowConsent free.
The plugin itself does not set tracking cookies. When a logged out visitor submits a review, WordPress may write the standard comment_author_*, comment_author_email_* and comment_author_url_* cookies for around a year so the form can be pre filled on later visits. These are functional cookies for a feature the user has actively requested.
No banner level consent is required to display reviews or to store them in your WordPress database, because legitimate interests and contract performance can cover that processing. You should however inform reviewers about the processing in your privacy notice and, where the optional WordPress comment cookies are written, treat them as strictly necessary functional cookies.
Legitimate interests under Article 6(1)(f) is the most common basis for publishing voluntarily submitted reviews. For reviews from logged in students who agreed to your terms, performance of the contract under Article 6(1)(b) can also apply. The functional cookies rely on the strictly necessary exemption of Article 5(3) of the ePrivacy Directive.
Reviews stay in the WordPress database controlled by you. Transfers to third countries only happen because of your hosting choices, for instance a US shared host, a global CDN that caches pages, or backup software that stores copies abroad. Plugin updates and licence checks may also connect to ThimPress in Vietnam.
A full DPIA is rarely required because the processing is limited in scope and based on data the user has freely provided. A short legitimate interests assessment is usually enough. Run a full DPIA only if you combine reviews with broader profiling, sentiment analysis or large scale public sharing of identifiable students.
Add a clear notice next to the review form explaining what data will be stored, who will see it and for how long. Allow users to request deletion or anonymisation, and configure your WordPress comments policy accordingly. If your hosting or CDN is outside the EEA, document the transfer mechanism.
For LearnPress and other WordPress LMS solutions, alternatives include native WordPress comments, third party review systems such as WP Customer Reviews or Site Reviews, or LMS specific add ons from LifterLMS and Tutor LMS. All raise similar privacy questions and rely on first party storage of reviewer data.
Add a section describing the WordPress comment_author cookies, their purpose (remembering reviewer details), duration and classification as strictly necessary functional cookies. If you use a CDN or external host that sets its own cookies, document those separately. Reference the privacy policy section that describes how reviews are stored and published.