Privacy Policy

Last updated: 14 August 2025

Lumina International School(“we”, “us”, “our”) respects your privacy and is committed to protecting the personal data of our students, parents/guardians, staff, applicants, and visitors. This Privacy Policy explains how we collect, use, disclose, and protect personal data in accordance with Singapore’s Personal Data Protection Act 2012 (“PDPA”). The PDPA sets out obligations including consent, purpose limitation, notification, access/correction, accuracy, protection, retention, and transfer limitations, as well as accountability.

1) What we collect

Depending on your interaction with us, we may collect:

• Identity & contact data: child’s name, NRIC/FIN (where necessary), date of birth, citizenship, parent/guardian names, addresses, phone numbers, email.
  
  

• Student records: class placement, attendance, learning observations, assessment notes.
  
  

• Health & emergency data: allergies, medical conditions, immunisation records, emergency contacts.
  
  

• Financial data: billing information, payment records, subsidies/financial aid.
  
  

• Images & video: CCTV footage for security, photos/videos during school activities and events.
  
  

• Digital data: website/app usage data, device information, cookies (see Section 9).
  
  

For activities involving children, we take special care and adopt “data protection by design” principles when handling children’s personal data. 

2) How we use your data

We may collect, use, and disclose personal data for purposes such as:

• School operations: enrolment, class placement, attendance, timetable/transport coordination, parent communications.
  
  

• Student care & safety: administering first aid, responding to incidents, risk management, security (including CCTV).
  
  

• Learning & activities: curriculum delivery, co-curricular programmes, field trips (including sharing necessary data with venues/service providers).
  
  

• Administration & finance: invoicing, fee processing, audits, regulatory reporting.
  
  

• Communications: sending notices about programmes, events, schedules, and policies.
  
  

• Compliance: meeting legal, regulatory, or professional requirements.
  
  

We will notify you of new purposes where required and obtain fresh consent where necessary under the PDPA.

3) Consent

We generally obtain consent (including deemed consent where applicable) before collecting, using, or disclosing personal data. You may withdraw consent at any time by contacting our Data Protection Officer (“DPO”); however, doing so may affect the services we provide. We will inform you of likely consequences before processing your request. 

4) Access and correction

You may request access to your/your child’s personal data in our possession and information on how it has been used/disclosed within the past year, and request corrections where you believe the data is inaccurate or incomplete, subject to PDPA conditions and exceptions. Reasonable administrative fees may apply.

5) Accuracy

We rely on accurate, complete, and current data to serve you. Please notify us of any changes promptly. 

6) Protection

We implement reasonable administrative, physical, and technical safeguards to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. 

7) Retention

We retain personal data only as long as reasonably necessary for legal or business purposes, after which we will securely delete or anonymise it. 

8) Disclosure to third parties

We may disclose data to:

• service providers (e.g., student management systems, transport vendors, payment processors, IT support) under confidentiality obligations;
  
  

• activity partners (e.g., field-trip venues) where necessary; and
  
  

• public agencies/regulators, where required by law.
  We require third parties to protect personal data consistent with PDPA standards.
  
  

9) Websites, cookies, and digital services

Our websites/apps may use cookies or similar technologies to improve functionality and user experience. You can disable cookies in your browser, but this may affect site features. We may collect aggregated analytics that do not identify individuals.

10) Marketing and the Do Not Call (DNC) Registry

If you consent, we may send marketing messages about our programmes and events via phone, SMS, email, or messaging apps. We comply with the DNC provisions and will check relevant DNC Registers before sending telemarketing messages to Singapore numbers, unless an exception applies. You may opt out at any time. 

11) Children’s data & images

We recognise that children merit heightened protection. We obtain appropriate consent from parents/guardians for the collection and use of children’s personal data, including photos/videos used for learning portfolios, class communications, and—where separately consented—publicity (e.g., website/social media). We apply additional safeguards for online services used by children. 

12) Cross-border transfers

If personal data is transferred outside Singapore (e.g., to cloud providers), we will ensure the recipient provides a standard of protection comparable to the PDPA, using legally appropriate transfer mechanisms (such as contractual clauses). 

13) Data breach management

If a data breach occurs, we will assess its impact and, where the breach is “notifiable” under the PDPA, notify the Personal Data Protection Commission (PDPC) as soon as practicable and no later than 3 calendar days after assessment, and notify affected individuals if significant harm is likely. 

14) Updates to this policy

We may update this Policy from time to time to reflect changes in our practices or legal requirements. We will post the latest version on our website with the effective date. Material changes will be notified where appropriate.