Privacy Policy, GDPR and Articulate and Rise 360 courses

Hi. I'm trying to create the privacy policy for our websites where we are hosting both published Rise 360 and Articulate Storyline 360 courses. In both cases, the courses are running off of an AWS S3 Content Bucket, and we just link from our regular website to the index.html file. In this case the host site's privacy policy seems to no longer apply.  Is there any guidance on how to make these courses GDPR compliant, or to remove any cookie tracking before publishing? I assume they both track some kind of cookies, since they will tell you where you left off in the course or will show what has been completed. I'm not worried about what data is sent to Articulate when I use the product, which is what other help threads seem to talk about. I just need to know what to put in our privacy policy to tell the people who visit these courses which are free and open to the public and outside of any LMS.  Has anyone else grappled with this already??? :)

Thanks!

Sarah