You sign up for an online course on Teachable — a New York company, or so you think. Since 2020, Teachable is owned by Hotmart, a Brazilian company. The privacy policy now covers a Brazilian invoicing platform called eNotas. Your course progress data can flow between New York, Belo Horizonte, and Amsterdam. Teachable builds the tracking into your course pages — Meta, Google, LinkedIn, TikTok pixels all pre-integrated. But when a student complains about tracking, Teachable points at you. "Creators are fully responsible for complying with data privacy laws." They provide the surveillance infrastructure, you take the legal hit.
What they claim: Creators are "fully responsible for complying with data privacy laws" regarding tracking on their Teachable pages
What we found: Teachable enables Meta pixels, Google Analytics, LinkedIn Insight Tag, TikTok pixels, and Google Tag Manager on student-facing pages by default. Student course activity events are sent to these services. But the privacy policy makes creators legally responsible while Teachable provides and profits from the integrations.
What they claim: DPA: "Creators are considered controllers or 'owners' of the personal information they collect"
What we found: Teachable controls the infrastructure, sets cookies, provides tracking integrations, decides sub-processors. Creators cannot audit sub-processors, verify data deletion, or control what Hotmart does with shared data. The platform takes the money; the creator takes the legal risk.
What they claim: Teachable presents as a US-based education platform at 530 Fifth Avenue, New York
What we found: Since 2020, owned by Hotmart, headquartered in Belo Horizonte, Brazil, with EU entity in Amsterdam. Unified privacy policy covers hotmart.com, teachable.com, and enotas.com.br (Brazilian invoicing). Student data may flow between US, Brazil, and Netherlands.
What they claim: Teachable claims GDPR compliance and transparent data processing
What we found: GDPR Article 28 requires disclosure of sub-processors. Teachable's DPA: "Creators interested in knowing which sub-processors are hired by Teachable may forward a request to privacy@hotmart.com." List not published anywhere. Students have no mechanism at all to discover which companies process their data.
What they claim: Students can "access courses, track progress, and earn certificates" on Teachable
What we found: When a creator leaves: "After a 30-day period, Teachable has no obligation to maintain any of the creator's data and may delete all data." Deleting a product ends subscriptions and "student enrollment records including progress data are not available for deleted products."
What they claim: Data processing is for "enabling the Services of Hotmart Company"
What we found: Privacy policy permits sharing "between parent companies, subsidiaries, affiliated companies of Teachable, or any companies of Hotmart Company, to generate administrative efficiencies." Hotmart operates HotPay (payments) and eNotas (Brazilian invoicing). US students have no opt-out from data flowing to Brazilian financial subsidiaries.
What they claim: Teachable markets itself as a platform for creators to build sustainable businesses
What we found: ToS: Teachable "reserves the right to modify, terminate, or refuse to provide services at any time for any reason, without notice." A creator with 10,000 students can be deplatformed instantly. Student enrolment, progress, and certifications all disappear. No appeal process specified.