Privacy Policy

1. Who we are

AIM School Málaga ("AIM School", "we", "us") operates an international school located at Diseminado Rincón del Hinojal, 20, 29650 Mijas, Málaga, Spain. We are the data controller responsible for personal data processed through our website (aimschool.es / aimalaga.es / aimalaga.dk), our parent portal, and our mobile applications. Contact: info@aimalaga.es.

2. Data we collect

• Contact information — parent name, email address, phone number, postal address.
• Children's data — name, date of birth, class, allergies, medical and dietary notes, attendance, photos for school use, and educational progress.
• Account data — login email, hashed password, role, login history.
• Device identifiers — push notification tokens, device type, app version.
• Payment data — billing address and invoice history. Card numbers are processed directly by Stripe and never touch our servers.
• Communications — messages sent through the portal, WhatsApp opt-in status, email correspondence.
• Usage data — anonymous analytics on how the website and portal are used.

3. Why we use your data (legal basis)

• Performance of contract — running the school, managing enrolments, attendance, meals, activities and billing.
• Legal obligation — accounting, tax (Quipu), and educational record-keeping required by Spanish law.
• Consent — push notifications, WhatsApp messages, marketing emails, photo publication on social media.
• Legitimate interest — keeping the platform secure, preventing fraud, and improving our services.

4. Children's data

In Spain, parental consent is required to process the personal data of minors under 14. Parents create and manage the account on behalf of their child and are responsible for providing this consent. Children do not log in directly. Parents can review, correct, or request deletion of their child's data at any time by contacting us.

5. Service providers (data processors)

We share data only with the providers strictly necessary to deliver our services:

• Supabase (EU — Frankfurt) — database, authentication, file storage. All data is stored in the European Union.
• Stripe — payment processing for tuition, activities and one-off charges. Stripe is PCI-DSS Level 1 certified.
• Resend — sending transactional and billing emails.
• OneSignal — delivery of push notifications to mobile and web devices.
• WhatsApp (Meta) — opt-in school messages to parents who provide their WhatsApp number.
• Google (Gmail API, Analytics, Ads) — outbound email from info@aimalaga.es and anonymous traffic analytics.
• Quipu — Spanish e-invoicing and tax compliance.
• Cloudflare / Lovable — website hosting and content delivery.

Where a provider is located outside the EU, transfers are protected by Standard Contractual Clauses approved by the European Commission.

6. How long we keep data

Active student and parent records are kept while the family is enrolled. Financial records are kept for 6 years as required by Spanish law. Other personal data is deleted within 12 months after the family leaves the school, or sooner on request.

7. Your rights under GDPR

You have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and personal data ("right to be forgotten"). You can do this directly inside the parent app under Profile → Delete Account, or by emailing us.
• Restrict or object to certain processing.
• Withdraw consent at any time (e.g. push notifications, WhatsApp, marketing).
• Receive a copy of your data in a portable format.
• Lodge a complaint with the Spanish Data Protection Agency (AEPD — www.aepd.es).

8. Security

All data is encrypted in transit (HTTPS) and at rest. Access to personal data is restricted to authorised staff under strict role-based permissions, audited via our backend security policies.

9. Contact

Questions about this policy or your personal data? Email info@aimalaga.es or write to AIM School Málaga, Diseminado Rincón del Hinojal, 20, 29650 Mijas, Málaga, Spain.