Privacy policy

This privacy policy explains how Norden International School collects, uses, stores and protects personal data when you visit our website, contact us, or apply for a place. We comply with the EU General Data Protection Regulation (GDPR) and, for our Helsinki campus, applicable Finnish data-protection legislation.

1. Controller

Norden International School of Helsinki
Vanha Helsingintie 2, 00700 Helsinki, Finland
Email: admin@nordenschool.com
Phone: +358 40 176 1961

[PLACEHOLDER — owner to confirm] If the school has appointed a Data Protection Officer (DPO), their contact details will appear here. In the meantime, all data-protection enquiries should be directed to the email address above.

2. What data we collect and why

We collect only the data that is necessary for the specific purpose for which it is requested. The table below summarises the categories of data and the purposes for which we process them.

2.1 Enquiries via the contact form

When you use the contact form on our website, we collect your name, email address, phone number (optional), the campus you are enquiring about, and the content of your message. We use this information to respond to your enquiry.

2.2 School applications (children's data)

The online application form collects data about both the applying child and the parent or guardian submitting the application. Data collected about the child may include: full name, date of birth, grade applying for, current school, English-language proficiency assessment, and any supporting documents (such as previous report cards) uploaded by the applicant.

Data collected about the parent or guardian includes: full name, email address, phone number, and campus preference (Helsinki or Brussels).

Special note on children's data. We recognise that children's personal data warrants heightened protection. We collect the minimum data necessary to assess and process an application. We do not use children's data for marketing purposes. Access to children's data is restricted to staff directly involved in the admissions process.

2.3 Cookies and analytics

Our website uses cookies. Analytics and advertising cookies are only loaded after you have given explicit consent via the cookie banner. Essential cookies required for the site to function are always active. You may withdraw consent at any time by clearing your cookies or revisiting the consent banner.

3. Lawful basis for processing

We process personal data on the following lawful bases:

• Contractual necessity — processing applications, communicating with enrolled families, and managing the enrolment agreement.
• Legitimate interests — responding to enquiries submitted through the contact form and keeping records of communications to provide consistent service.
• Legal obligation — retaining financial records in accordance with Finnish accounting law and complying with Finnish basic-education legislation.
• Consent — where we request consent (for example, for non-essential cookies, newsletters, or any marketing communications), we record your consent and will not process data for that purpose unless consent has been given. You may withdraw consent at any time.

4. Data retention

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law:

• Enquiries that do not result in enrolment: data is deleted within [PLACEHOLDER — owner to confirm, e.g. 12 months] of our last correspondence.
• Application records for unsuccessful applicants: data is retained for [PLACEHOLDER — owner to confirm, e.g. 12 months] and then securely deleted.
• Records relating to enrolled students: retained for the duration of the student's enrolment and, thereafter, for the period required by Finnish education and data-protection law [PLACEHOLDER — owner to confirm exact period, e.g. 6 years from end of enrolment].
• Financial and accounting records: retained for the period required by the Finnish Accounting Act (generally 6 years from the end of the financial year).
• Cookie consent records: retained for 12 months from the date consent was given.

5. Data processors and recipients

We use the following third-party services to operate our website and manage communications. Each acts as a data processor on our behalf under a data-processing agreement:

• Supabase Inc. — cloud database provider. Form submissions (contact enquiries and applications) are stored in a Supabase PostgreSQL database hosted in the EU (eu-north-1 region). Supabase processes data in accordance with GDPR under standard contractual clauses.
• Resend Inc. — transactional email service used to deliver confirmation emails to you and notification emails to our team. Resend processes only the data necessary to deliver a specific email (recipient address, email content).
• Cloudflare Inc. — website hosting and content delivery network. Cloudflare processes network traffic data (including IP addresses) to deliver the website securely and protect against attacks.
• Google LLC — analytics (Google Analytics 4) and, with your consent, advertising measurement (Google Ads). GA4 data is anonymised; IP addresses are not stored in full. Data may be processed in the United States under the EU–US Data Privacy Framework and standard contractual clauses.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. Data may be disclosed to authorities where required by law.

6. International data transfers

Some of our processors (including Google and Cloudflare) may process data outside the European Economic Area. Where this occurs, we ensure that an appropriate safeguard is in place — either an adequacy decision by the European Commission, standard contractual clauses, or the EU–US Data Privacy Framework.

7. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include:

• TLS encryption of all data in transit (HTTPS).
• Row-level access controls on database records, so only authorised staff can view application and enquiry data.
• Restricted access — only staff members who need the data to perform their duties may access it.

8. Your rights as a data subject

Under GDPR, you have the following rights in relation to your personal data (and, where applicable, the data of your child):

• Right of access — to request a copy of the personal data we hold about you.
• Right to rectification — to ask us to correct inaccurate data.
• Right to erasure — to ask us to delete your data when there is no longer a lawful basis for processing it.
• Right to restriction of processing — to ask us to limit how we use your data in certain circumstances.
• Right to object — to object to processing based on legitimate interests.
• Right to data portability — to receive your data in a structured, machine-readable format where processing is based on consent or contract.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint — if you believe your data has been processed unlawfully, you may lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or, for the Brussels campus, with the Belgian Data Protection Authority (dataprotectionauthority.be).

To exercise any of these rights, please contact us at admin@nordenschool.com. We will respond within one month. We may need to verify your identity before processing a request.

9. Changes to this policy

We may update this privacy policy from time to time, for example when our services change or when there are updates to data-protection law. The current version is always published on this page, with the date of last update shown at the top.

10. Contact us

For any questions about this privacy policy or the way we handle your data, please contact us:

Email: admin@nordenschool.com
Phone: +358 40 176 1961 (available Mon–Fri 10:00–14:00)
Post: Norden International School of Helsinki, Vanha Helsingintie 2, 00700 Helsinki, Finland