Privacy Policy

Tallinn International School OÜ

1. Introduction

Tallinn International School OÜ (hereinafter “IST”, “we”, or “the School”) is committed to protecting the privacy and personal data of its students, parents or legal guardians, staff, applicants, alumni, and other individuals whose personal data we process. As an educational institution working primarily with minors, IST applies heightened safeguards when processing personal data and treats data protection as a core operational and ethical responsibility. This Privacy Policy explains how we collect, use, store, share, and protect personal data in accordance with the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Estonian Personal Data Protection Act, and other applicable legislation.

2. Data Controller and Contact Details

The data controller is Tallinn International School OÜ. The registered address and official contact details are published on the School’s website. For all matters relating to personal data protection, privacy, or the exercise of data subject rights, individuals may contact IST via the School’s official contact details or directly contact the Data Protection Officer at dpo@ist.ee. The Data Protection Officer acts as the primary point of contact for data subjects and supervisory authorities regarding personal data processing.

3. Scope of This Policy

This Privacy Policy applies to all personal data processed by IST in the course of its educational, administrative, legal, and operational activities. This includes data processed through our website, admissions process, educational platforms, communication systems, internal administration, and cooperation with service providers. This policy applies to students, parents or legal guardians, staff, contractors, applicants, alumni, and website visitors.

4. Categories of Personal Data We Process

IST may process the following categories of personal data:

Identification data, such as name, date of birth, personal identification number (where required by law), nationality, and student or staff identifiers.
Contact data, such as addresses, email addresses, telephone numbers, and emergency contact details.
Educational data, including enrolment information, academic records, assessments, attendance, learning support records, and disciplinary information.
Special category data, where strictly necessary, including health data (such as allergies, medical conditions, medication instructions), dietary requirements, and information required to ensure student safety and wellbeing.
Employment and HR data for staff, including contracts, payroll data, qualifications, performance records, and legally required records.
Technical and usage data, such as login records, access logs, IP addresses, and system usage data related to IST’s ICT systems and platforms.
Website data, including cookies and analytics data, as described separately below.

5. Purposes and Legal Bases for Processing

IST processes personal data only where there is a lawful basis under GDPR. The primary purposes and legal bases include:

Performance of a contract, such as providing education, managing enrolment, employment relationships, and delivering agreed services.
Compliance with legal obligations, including obligations under education law, labour law, accounting law, child protection regulations, and data protection legislation.
Protection of vital interests, particularly where health or safety of a student or other individual is at stake.
Performance of tasks carried out in the public interest related to education and safeguarding.
Legitimate interests, such as ensuring the security of ICT systems, preventing misuse, and improving educational services, provided such interests do not override the rights of the data subject.
Consent, where required, particularly for processing special category data, publishing photos or media, optional services, and non-essential cookies. Consent may be withdrawn at any time.

Automated Decision-Making

IST does not use automated decision-making or profiling, including through artificial intelligence or chatbot services, to make decisions that produce legal or similarly significant effects on individuals, including students, parents, or staff.

6. Processing of Children’s Personal Data

IST primarily educates minors and therefore applies enhanced safeguards when processing children’s personal data. Personal data of students is processed only for legitimate educational, administrative, safeguarding, and legal purposes. Where consent is required, it is obtained from parents or legal guardians in a verifiable manner. IST does not use children’s data for commercial profiling or marketing purposes. Access to sensitive student data is strictly limited to authorized staff based on role and necessity.

7. Special Category Data

Special category personal data, including health, dietary, and other sensitive information, is processed only where strictly necessary to fulfil IST’s legal obligations, protect vital interests, or ensure appropriate educational support and safety. Such data is processed based on explicit consent and/or applicable legal obligations. Additional technical and organizational security measures are applied to protect this data, including restricted access and secure storage.

8. Data Retention

IST retains personal data only for as long as necessary for the purposes for which it was collected or as required by law. Retention periods are defined internally by data category. Student academic records are retained in accordance with applicable education and archival requirements. Health and welfare data is retained only for the duration of the student’s enrollment unless a longer period is required by law. Staff data is retained in accordance with employment and accounting legislation. Website analytics and cookie data is retained for limited periods as described in the cookie section. When retention periods expire, data is securely deleted or anonymized.

9. Data Sharing and Recipients

IST may share personal data with third parties only where necessary and lawful. This includes educational service providers, ICT and cloud service providers, government authorities where legally required, and professional advisors. All service providers processing personal data on behalf of IST act as data processors under GDPR and are bound by data processing agreements ensuring confidentiality, security, and compliance. IST does not sell personal data.

10. International Data Transfers

IST primarily processes and stores personal data within the European Economic Area (EEA). Where personal data is transferred outside the EEA, IST ensures that appropriate safeguards are in place, such as adequacy decisions or Standard Contractual Clauses approved by the European Commission.

11. Data Security

IST implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure. These measures include access controls, authentication mechanisms, role-based access, encryption where appropriate, secure backups, monitoring, and cooperation with professional ICT service providers. Staff and contractors are bound by confidentiality obligations.

12. Cookies and Website Analytics

IST’s website uses cookies to ensure basic functionality, manage user consent preferences, and collect anonymised statistical information about website usage. Cookies are small text files stored on a user’s device when visiting a website.

12.1 Categories of Cookies Used

IST uses the following categories of cookies:

Necessary Cookies

These cookies are essential for the operation of the website and cannot be disabled. They do not require user consent under applicable law.

Analytics Cookies (Consent Required)

These cookies are used to collect aggregated and anonymised statistics about how visitors use the website. They are only set after the user has provided explicit consent.

IST uses Google Analytics solely for statistical purposes to understand website usage and improve content. Analytics data is not used for profiling, advertising, or marketing.

12.2 Legal Basis for Cookie Use

Necessary cookies are processed based on IST’s legitimate interest in ensuring a secure and functional website. Analytics cookies are processed based on the user’s explicit consent, in accordance with GDPR and applicable ePrivacy rules. Users may withdraw or change their consent at any time.

12.3 Cookie Consent Management

IST uses a cookie consent management tool (CookieYes) to obtain, record, and manage user consent. When first visiting the website, users are presented with a clear choice to accept or reject non-essential cookies. Consent preferences can be changed at any time via the cookie settings link available on the website.

12.4 International Data Transfers Related to Cookies

Where Google Analytics is used, data may be processed by Google LLC. IST relies on appropriate safeguards for international data transfers, such as Standard Contractual Clauses approved by the European Commission, and configuration settings that minimise data collection and anonymise IP addresses.

12.5 Disabling Cookies

Users can also manage or delete cookies through their browser settings. Disabling necessary cookies may affect website functionality, while disabling analytics cookies will not impact core site usage.

13. Use of Generative AI and Chatbot Services

IST’s website includes a generative AI–powered chatbot designed to provide general informational assistance about the School, its programmes, admissions, and services. The chatbot is intended as a supportive information tool and does not replace direct communication with IST staff.

When users interact with the chatbot, the content of their messages may be processed to generate responses. Users are advised not to submit personal data, sensitive information, or information relating to identifiable children through the chatbot interface.

The chatbot is not intended for:

Any personal data submitted voluntarily through the chatbot is processed in accordance with this Privacy Policy and applicable data protection laws.

AI Service Providers and Data Processing

The chatbot operates using third-party AI technology providers acting as data processors on behalf of IST. Where applicable, appropriate data processing agreements and safeguards are in place to ensure confidentiality, security, and compliance with GDPR.

Chatbot interactions are processed solely for the purpose of providing responses and maintaining the quality, safety, and functionality of the service. Chat content is not used by IST for profiling, automated decision-making, or marketing.

14. Data Subject Rights

Data subjects have the right to access their personal data, request rectification of inaccurate data, request erasure where applicable, restrict or object to processing, request data portability where applicable, and withdraw consent at any time where processing is based on consent. Requests relating to personal data, including access, rectification, erasure, restriction, objection, or consent withdrawal, should be submitted by contacting dpo@ist.ee. IST will respond without undue delay and no later than one month from receipt of the request. Identity verification may be required to protect data security.

15. Complaints and Supervisory Authority

If a data subject believes their personal data has been processed unlawfully, they have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

16. Data Breaches

IST maintains internal procedures for identifying, managing, and reporting personal data breaches. Where required by GDPR, data breaches will be reported to the supervisory authority within 72 hours and to affected data subjects where there is a high risk to their rights and freedoms.

17. Changes to This Privacy Policy

IST may update this Privacy Policy from time to time to reflect changes in legislation, operations, or data processing practices. The latest version will always be published on the IST website with the effective date.

18. Effective Date

This Privacy Policy is effective from the date of publication on the IST website and replaces any previous versions.

For further details, please contact:

Tallinn International School OÜ
Valukoja 9, Ülemiste City, 11415 Tallinn
Email: dpo@ist.ee
Website: https://ist.ee