Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Thinkific is a Canadian online course platform that lets creators and businesses build, host, and sell courses, communities, and digital products. It sets first-party cookies for student sessions and analytics, and may transfer data to Canada and the United States.
Thinkific is an online course platform founded in 2012 in Vancouver, British Columbia and operated by Thinkific Labs Inc., a public company listed on the Toronto Stock Exchange (TSE:THNC). The platform enables creators, coaches, educators, and businesses to design, host, and sell online courses, membership communities, coaching sessions, and downloadable digital products. Students access course sites either on a Thinkific subdomain (yoursite.thinkific.com) or on a fully branded custom domain configured by the course creator. Under the hood, course content, student profiles, progress tracking, quizzes, and payment flows are served from AWS infrastructure located in Canada and the United States.
Thinkific sets several first-party cookies on the course site domain. The _thinkific_session cookie keeps a learner signed in across pages. The tcsi cookie (Thinkific course site identifier) ties a browser to a specific course site. When Google Analytics integration is enabled, _ga and _gid cookies are dropped for measurement. A thinkific_split cookie may also be set for A/B testing of pricing pages and checkout flows. In addition to cookies, Thinkific collects student names, email addresses, billing information processed through Stripe or PayPal, course progress, quiz answers, IP addresses, and device or browser metadata. Custom integrations with Google Analytics, Facebook Pixel, Mailchimp, or Zapier can extend the volume and granularity of data captured.
When a Thinkific course is offered to learners in the European Union, both the GDPR and the ePrivacy Directive (also known as the Cookie Law) apply. The course creator is typically the data controller and Thinkific Labs Inc. acts as a data processor under a Data Processing Addendum. Strictly necessary cookies such as the session cookie can be set without prior consent because they are required to deliver the service requested by the user. Analytics, A/B testing, and marketing cookies, including Google Analytics, Facebook Pixel, and any Mailchimp tracking, require prior, free, specific, informed, and unambiguous consent before they are dropped, in line with Art. 5(3) of the ePrivacy Directive and Art. 7 GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Thinkific processes personal data on AWS regions located in Canada and the United States. Transfers to Canada benefit from a European Commission adequacy decision covering commercial organisations subject to PIPEDA, which means no additional safeguards are required for that leg of the processing. Transfers to AWS US, however, must be framed by Standard Contractual Clauses under Art. 46(2)(c) GDPR, complemented by a Transfer Impact Assessment evaluating US surveillance laws such as FISA 702 and Executive Order 12333. Course creators should document these transfers in their Record of Processing Activities and disclose them in their privacy notice, including a clear reference to the recipient country and the legal mechanism used.
To deploy Thinkific in a GDPR and ePrivacy compliant way: sign and store the Thinkific Data Processing Addendum, list Thinkific Labs Inc. as a sub-processor in your privacy notice, configure a Consent Management Platform such as Axeptio to block analytics, A/B testing, and marketing scripts until consent is collected, update your cookie policy with the exact list of Thinkific cookies and their retention, expose a clear consent banner on both marketing pages and course sites, document Canada (adequacy) and US (SCCs plus TIA) transfers in your Record of Processing Activities, and offer learners straightforward ways to exercise their access, rectification, erasure, and portability rights.
Websites using Thinkific must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Thinkific is used to deliver courses to large EU audiences, when sensitive categories of data are collected (for example health, religious, or political training), when behavioural analytics or marketing automation are enabled, or when student profiles are enriched with third-party trackers such as Google Analytics or Facebook Pixel. Assess transfers to AWS Canada (adequacy) and AWS US (SCCs and Transfer Impact Assessment), retention periods for course progress, and rights of EU learners to access, rectify, and erase their data.
Sample consent text
We use Thinkific to host our online courses and process your enrolment, progress, and payments. Thinkific sets functional cookies required to keep you signed in and to track your course progress. With your consent, Thinkific and integrated tools (Google Analytics, Facebook Pixel, Mailchimp) may also set analytics and marketing cookies, and your data may be transferred to Canada and the United States under appropriate safeguards. You can accept, refuse, or customise these cookies at any time.
Third-party domains contacted
thinkific.com*.thinkific.comcdn.thinkific.comembedwistia-a.akamaihd.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _thinkific_session | first_party | Session | Maintains the authenticated learner session across pages on the Thinkific course site. |
| tcsi | first_party | 1 year | Thinkific course site identifier that ties a browser to a specific course site for navigation and analytics. |
| thinkific_split | first_party | 30 days | A/B testing cookie used to assign variants on pricing pages and checkout flows. |
| _ga | third_party | 2 years | Google Analytics cookie used to distinguish unique visitors when GA integration is enabled. |
| _gid | third_party | 24 hours | Google Analytics cookie used to distinguish users over a 24 hour window when GA integration is enabled. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Thinkific sets first-party cookies on the course site domain. The main ones are _thinkific_session (session and authentication), tcsi (Thinkific course site identifier), and thinkific_split (A/B testing of pricing and checkout pages). When the Google Analytics integration is enabled, _ga and _gid are also dropped. Additional cookies may be added by Facebook Pixel, Mailchimp, or any other tracker connected by the course creator.
Consent is required only for cookies and trackers that are not strictly necessary. The session cookie that keeps a learner signed in can be set without prior consent, while Google Analytics, A/B testing, Facebook Pixel, and Mailchimp tracking must be loaded only after a positive consent signal is collected through a Consent Management Platform such as Axeptio.
Two main legal bases apply. Performance of contract under Art. 6(1)(b) GDPR covers course delivery, account management, and payment processing because these are required to provide the service the learner has signed up for. Consent under Art. 6(1)(a) GDPR is required for marketing emails, behavioural analytics, retargeting, and any other optional tracking.
Yes. Thinkific operates AWS infrastructure in Canada and the United States. Transfers to Canada benefit from the European Commission adequacy decision for commercial organisations under PIPEDA, so no extra safeguards are needed for that leg. Transfers to the US must rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR, combined with a Transfer Impact Assessment that addresses FISA 702 and other surveillance laws.
A Data Protection Impact Assessment is recommended when Thinkific is used to deliver courses to a large number of EU learners, when sensitive categories of data are processed (for example health, religious, or political content), when behavioural profiling or marketing automation is added on top, or when integrations such as Facebook Pixel are activated. The DPIA should cover transfers to AWS Canada and AWS US, retention periods, and the rights of EU learners.
Block the Thinkific embed and any optional analytics, A/B testing, and marketing scripts until a positive consent signal is collected through Axeptio. Allow only strictly necessary cookies (session, CSRF, basic course site identifier) by default, then conditionally load Google Analytics, Facebook Pixel, and Mailchimp tracking based on the visitor consent stored in the CMP.
Frequently considered alternatives include Kajabi, Teachable, Podia, LearnWorlds, and Coassemble. Each one has a different mix of EU or US hosting, sub-processors, and built-in marketing tools. The right choice depends on your audience, your data residency requirements, and the level of integration with existing CRM, payment, and analytics stacks.
Document every cookie set by Thinkific and its integrations, including name, purpose, type (functional, analytics, marketing), retention, and the entity that drops it. List Thinkific Labs Inc. as a sub-processor, mention transfers to Canada and the United States with the corresponding legal mechanism, and link to the Thinkific privacy policy and to your Consent Management Platform settings page.