Privacy Policy

International School of Madeira ("ISM", "we", "us", "our") is the data controller for personal data processed in connection with our educational services, website, and parent portal. Registered Address: Quinta Martins, Rua da Levada de Santa Luzia 40, 9050-219 Funchal, Madeira, Portugal Email: info@ismadeira.com Telephone: +351 291 129 900 For data protection enquiries, please contact us at info@ismadeira.com.

We process personal data in accordance with: • The General Data Protection Regulation (EU) 2016/679 (GDPR) • Portuguese Law No. 58/2019, which implements the GDPR in Portugal • The Portuguese Constitution (Article 35 — right to data protection) • Other applicable Portuguese and European data protection legislation Our supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD) — the Portuguese Data Protection Authority.

We collect and process the following categories of personal data:

• Parent/guardian names, email address, phone number, and country of residence • Child's name, date of birth, current school, and year group of interest • Desired start date and any additional information provided in the enquiry • Referral source (how you heard about ISM)

• Parent/guardian names, email addresses, phone numbers, and residential addresses • Student names, dates of birth, medical information, and emergency contacts • Attendance records, academic reports, and assessment data • Enrolment contracts and billing information • Photographs and videos (with consent) for school activities and communications

• IP address, browser type, and device information (via cookies and analytics) • Pages visited and interactions on our website

• Name, email, phone number, CV, and cover letter

We process personal data for the following purposes: • Processing admissions enquiries — Legal basis: Legitimate interest / Pre-contractual steps • Managing student enrolment and education — Legal basis: Performance of a contract • Communicating with parents via email and WhatsApp — Legal basis: Legitimate interest / Consent • Billing, invoicing, and payment processing — Legal basis: Performance of a contract • Student attendance and academic record-keeping — Legal basis: Legal obligation / Legitimate interest • Medical and dietary information for student welfare — Legal basis: Vital interests / Explicit consent • Recruitment and job applications — Legal basis: Pre-contractual steps / Legitimate interest • Website analytics and improvement — Legal basis: Consent (cookies) / Legitimate interest • Safeguarding and child protection — Legal basis: Legal obligation / Vital interests

We use email and WhatsApp to communicate with prospective and enrolled families. This includes: • Admissions communications: application confirmations, call/visit invitations, and enrolment updates • Operational messages: school closures, schedule changes, and important notices • Administrative messages: billing reminders, portal access, and contract notifications By providing your phone number during the admissions process, you consent to receiving messages via WhatsApp. You may opt out at any time by contacting us at info@ismadeira.com or replying STOP. Email and WhatsApp are delivered through reputable third-party communications providers acting as our processors under written agreements. Communication logs are retained for record-keeping and customer-management purposes.

We do not sell personal data. We share personal data only with the following categories of recipients, as necessary for the purposes described above: • Cloud hosting and storage providers — to host the website, parent portal, and supporting services in EU data centres • Authentication and identity providers — to manage secure sign-in to the parent portal • Email and messaging providers — to deliver email and WhatsApp communications to families • Payment service providers — to process card and bank-transfer payments (PCI DSS compliant) • Examination and curriculum bodies — to administer external assessments and curricula offered to students, where required • Portuguese and Madeiran authorities — where required by law (e.g. tax authorities, education authorities, child-protection agencies) All processors act under written agreements that bind them to GDPR-equivalent standards. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission. A list of the specific service providers we currently engage is available on request from info@ismadeira.com.

We retain personal data only for as long as necessary for the purposes for which it was collected: • Admissions enquiries (not enrolled): 2 years from last contact, then anonymised or deleted • Student records: Retained for the duration of enrolment plus 7 years, in line with Portuguese educational record-keeping requirements • Financial records: 10 years, as required by Portuguese tax law • Job applications (unsuccessful): 1 year from the closing date of the vacancy • Communication logs: 3 years for operational records • Website analytics: up to 26 months

Under the GDPR, you have the following rights regarding your personal data: • Right of access — request a copy of the personal data we hold about you • Right to rectification — request correction of inaccurate or incomplete data • Right to erasure — request deletion of your data (subject to legal retention obligations) • Right to restriction — request that we limit processing of your data in certain circumstances • Right to data portability — receive your data in a structured, machine-readable format • Right to object — object to processing based on legitimate interests or direct marketing • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time To exercise any of these rights, please contact us at info@ismadeira.com. We will respond within 30 days of receiving your request. If you are unsatisfied with our response, you have the right to lodge a complaint with the CNPD (Comissão Nacional de Proteção de Dados) at www.cnpd.pt.

As an educational institution, we necessarily process personal data relating to children. We are committed to protecting children's data and note the following: • We process children's data with the consent of their parent or legal guardian • Children's data is only accessible to authorised school staff on a need-to-know basis • Under Portuguese law (Law 58/2019, Article 16), children aged 13 and over may consent to information society services; for children under 13, parental consent is required • We do not publish children's full names or identifiable photographs online without explicit parental consent

Our website uses cookies and similar technologies to improve your experience. Cookies are categorised as follows: • Strictly necessary cookies: required for the website to function (no consent needed) • Performance cookies: help us understand how visitors use our website • Functional cookies: remember preferences such as your language choice • Marketing cookies: used to deliver relevant advertisements Full details, including the categories and purpose of each cookie, are set out in our Cookie Policy at /cookie-policy. You can manage your preferences at any time through the Cookie Settings link in the footer or through your browser settings.

We implement appropriate technical and organisational measures to protect personal data, including: • Encryption of data in transit (TLS/SSL) and at rest • Access controls and role-based permissions for staff • Secure authentication with multi-factor authentication support • Regular security reviews and updates • Data hosted in EU-based data centres In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the CNPD within 72 hours and inform affected individuals without undue delay, as required by GDPR Articles 33 and 34.

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically. Significant changes affecting your rights will be communicated directly via email.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us: International School of Madeira Quinta Martins, Rua da Levada de Santa Luzia 40, 9050-219 Funchal, Madeira, Portugal Email: info@ismadeira.com Telephone: +351 291 129 900