Teachable is a US online course platform used by creators to sell courses, coaching and digital downloads. It sets first-party cookies, integrates marketing pixels (Google Analytics, Facebook Pixel), and transfers personal data to the United States and Brazil, which triggers prior consent obligations under the ePrivacy Directive and a documented transfer assessment under GDPR.
Teachable is an online course platform launched in 2014 in New York and used by independent creators, coaches and small training companies to sell courses, coaching sessions, communities and digital downloads. The service is operated by Teachable Inc., a US company that became a subsidiary of the Brazilian group Hotmart in 2020. As a result, the production stack runs on Amazon Web Services data centres in the United States, while corporate and group-level processing also takes place in Brazil. For European customers, this means that any personal data entered by students or by the school administrator (email, name, billing details, learning activity) leaves the European Economic Area as soon as it reaches the Teachable platform.
On the school front-end and inside the learning area, Teachable sets first-party cookies such as _teachable_session for authentication and CSRF protection, plus internal identifiers used to track course progress, quiz attempts and video viewing. Depending on the integrations enabled by the school owner, Teachable can also load Google Analytics (_ga, _gid), Facebook Pixel (_fbp, fr), Google Ads conversion tags, Mailchimp and Intercom scripts. Payment flows rely on Stripe and PayPal, which add their own cookies and fingerprinting signals for fraud prevention. From a GDPR perspective, all of this qualifies as personal data because it can be combined with the student account.
The school owner is the data controller for the student data hosted on Teachable, while Teachable Inc. acts as a processor under Art. 28 GDPR. The course catalogue and marketing pages typically fall under the ePrivacy Directive: any non-strictly-necessary cookie (analytics, advertising, social pixels, A/B testing) requires prior, informed and freely given consent before it is dropped. The strictly necessary session cookie used to keep students logged in can be exempted under the ePrivacy Article 5(3) exemption, provided its scope is limited to authentication and course delivery.
Two lawful bases usually apply in parallel. Performance of a contract under Art. 6(1)(b) GDPR covers the course enrolment, the delivery of lessons and the payment processing. Consent under Art. 6(1)(a) GDPR is required for marketing communications, retargeting pixels, advanced analytics and any optional integration. A compliant consent banner must block Google Analytics, Facebook Pixel and similar third-party tags until the visitor clicks Accept, must offer a refuse option as visible as the accept option, and must store proof of consent for audit purposes.
Because Teachable hosts its infrastructure on AWS US and its parent company Hotmart operates from Brazil, every European student record is transferred outside the EEA. Teachable participates in the EU-US Data Privacy Framework for the US leg of the transfer, but a complementary path to Brazil must be covered by Standard Contractual Clauses under Art. 46(2)(c) GDPR. Schools handling sensitive content (medical training, religious teaching, political education) should run a Transfer Impact Assessment, document supplementary measures such as encryption at rest and pseudonymisation, and update the record of processing activities accordingly.
To deploy Teachable in a compliant manner, sign the Data Processing Addendum offered by Teachable, list Teachable Inc., Hotmart, AWS, Stripe, Mailgun and Intercom as sub-processors in your privacy notice, install a Consent Management Platform that blocks marketing scripts by default, and tag any custom code embedded through the Teachable Power Editor as conditional on consent. Define retention rules for inactive students, expose a working data subject request workflow (access, rectification, erasure, portability), and review the Teachable sub-processor page at least once per year.
Websites using Teachable must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Teachable is combined with marketing pixels (Facebook Pixel, Google Ads) or used to process special category data such as health, religious or political training content. Key risks: international transfers to the US and Brazil, profiling of learners via third-party analytics, retention of payment metadata via Stripe and PayPal, and access by sub-processors (AWS, Mailgun, Intercom). Document lawful basis per processing purpose, map sub-processors, run a Transfer Impact Assessment and define retention periods for student records and marketing data.
Sample consent text
We use Teachable to host our online courses and process your enrolment, learning progress and payments. With your consent, Teachable also loads marketing and analytics cookies (such as Google Analytics and Facebook Pixel) that may transfer data to the United States and Brazil under Standard Contractual Clauses. You can accept, refuse or customise these cookies at any time in the cookie settings.
Third-party domains contacted
- teachable.com
- *.teachable.com
- app.teachable.com
- fedora-prod.global.ssl.fastly.net
- embed.usefedora.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _teachable_session | first_party | session | Strictly necessary session cookie set by Teachable for authentication, login persistence and CSRF protection on the school site and inside the learning area. |
| school_cookie_consent | first_party | 1 year | Stores the visitor cookie consent choice (accept, refuse, custom) on the Teachable school site to avoid showing the banner on every visit. |
| _ga | third_party | 2 years | Google Analytics cookie loaded when the school administrator enables the GA integration, used to distinguish unique users and aggregate audience metrics. |
| _fbp | third_party | 3 months | Facebook Pixel cookie set when the Facebook integration is enabled, used for conversion tracking, custom audiences and retargeting on Meta platforms. |
| intercom-id | third_party | 9 months | Intercom cookie used to identify the visitor across sessions when the Teachable Intercom integration is enabled for live chat and onboarding support. |
Teachable always sets a first-party session cookie (_teachable_session) for authentication and CSRF protection, plus internal cookies for course progress and video tracking. When you enable integrations such as Google Analytics, Facebook Pixel, Google Ads or Intercom in the school admin, the corresponding third-party cookies (_ga, _gid, _fbp, fr, intercom-id) are also dropped. Stripe and PayPal add their own fraud-prevention cookies on the checkout page.
The strictly necessary session cookie used to keep a student logged in falls under the ePrivacy Article 5(3) exemption and does not need consent. Everything else loaded through Teachable (analytics, advertising pixels, retargeting, A/B testing, social embeds) requires prior, informed, freely given consent before the script fires. In practice, configure your Consent Management Platform to block these tags by default.
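
A pre-consent check built from the cookie names listed on this page, as an added example (not Teachable's or any vendor's own code). The category labels, the function names and the treatment of `school_cookie_consent` as exempt are assumptions of this example; it also matches the suffixed variants `_ga_<id>` and `intercom-id-<app id>`, which goes beyond the names in the table.

```javascript
// Classify cookies found before consent, using the names this page lists.
// Category labels and function names are assumptions of this example.
const COOKIE_CATEGORIES = {
  _teachable_session: "necessary",    // auth + CSRF, exempt under ePrivacy Art. 5(3)
  school_cookie_consent: "necessary", // assumption: the stored consent choice is exempt
  _ga: "analytics",
  _gid: "analytics",
  _fbp: "marketing",
  fr: "marketing",
  "intercom-id": "chat",
};

// Parse a Cookie header / document.cookie string into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

// Exact match first, then suffixed variants such as _ga_<id> or intercom-id-<app id>.
function categorize(name) {
  if (Object.prototype.hasOwnProperty.call(COOKIE_CATEGORIES, name)) {
    return COOKIE_CATEGORIES[name];
  }
  for (const prefix of ["_ga_", "intercom-id-"]) {
    if (name.startsWith(prefix)) return COOKIE_CATEGORIES[prefix.slice(0, -1)];
  }
  return null;
}

// Audit the cookies present BEFORE the visitor has made a choice in the banner.
function auditPreConsent(cookieString) {
  const report = { allowed: [], violations: [], unknown: [] };
  for (const name of parseCookieNames(cookieString)) {
    const category = categorize(name);
    if (category === null) report.unknown.push(name); // e.g. payment cookies: review by hand
    else if (category === "necessary") report.allowed.push(name);
    else report.violations.push({ name, category });
  }
  return report;
}

// Constructed sample: cookie string captured on first page load, banner untouched.
const SAMPLE = "_teachable_session=abc123; _ga=GA1.2.111.222; _ga_AB12CD=GS1.1.1; _fbp=fb.1.1700000000.42; theme=dark";
console.log(JSON.stringify(auditPreConsent(SAMPLE), null, 2));
```

In a browser, pass `document.cookie` on first load before interacting with the banner. `HttpOnly` cookies and cookies scoped to other domains are not visible there, so compare the result against the `Set-Cookie` response headers and the browser's storage inspector as well.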
Two bases typically apply in parallel. Performance of a contract under Art. 6(1)(b) GDPR covers the enrolment, the delivery of the course and the payment processing. Consent under Art. 6(1)(a) GDPR covers marketing, retargeting and optional analytics. Legitimate interest can only be used in limited cases such as fraud prevention, and never replaces consent for cookies under ePrivacy.
Teachable hosts production data on AWS data centres in the United States. Since the acquisition by Hotmart, additional processing also takes place in Brazil. Teachable participates in the EU-US Data Privacy Framework, which provides an adequacy basis for the US leg. The transfer to Brazil must be covered by Standard Contractual Clauses under Art. 46(2)(c) GDPR and a documented Transfer Impact Assessment.
A DPIA is recommended whenever Teachable is combined with advertising pixels, used for large-scale processing, or used to deliver training on sensitive topics (health, religion, politics, sexuality). The DPIA should map the categories of data, the sub-processors (Teachable, Hotmart, AWS, Stripe, Mailgun, Intercom), the transfers, the retention and the technical and organisational measures in place.
Sign the Data Processing Addendum offered by Teachable, list all sub-processors in your privacy notice, install a Consent Management Platform that blocks marketing scripts before consent, disable optional integrations that you do not strictly need, and tag any custom code inserted via the Power Editor as conditional on consent. Document retention rules for inactive students and provide a working data subject request workflow.
European or EU-hosted alternatives include LearnWorlds (with EU hosting options), Podia, Systeme.io (France), and self-hosted solutions such as LearnDash on WordPress or Moodle. Other US-based competitors are Kajabi and Thinkific. Hosting alone does not solve the consent question: any of these tools combined with marketing pixels still requires a compliant cookie banner.
Yes. Your cookie policy must list every cookie set by Teachable and by the integrations you enable, including its purpose, duration and category. It must also disclose the transfers to the United States and Brazil, the legal basis used and the sub-processors involved. Update the policy whenever you enable a new integration in the Teachable admin and review it at least once a year.