European Union GDPR Privacy Policy

Privacy protection – Student notice pursuant to Article 13 and 14 of EU Regulation 679/16.

The data requested from you, as an interested party, is processed by The International Studies Institute LLC (VAT number 06820750484), with registered office in Delaware-Dover, Kent County The Green, Ste A 8 (USA) and operational headquarters in Florence, Via della Vigna Nuova n.18, Data controller (pec: [email protected], e-mail address: [email protected] – Tel. 055 2645910), hereinafter referred to as ISI Abroad. The Data Protection Officer (DPO) is engr. Marco Turri (VAT number 04854420488 – registered email address (pec) [email protected] , email address [email protected])

The processing of personal data, carried out in full compliance with current legislation (Legislative Decree No. 196 of June 30, 2003 and EU Regulation 679/16), is executed for the management of the contractual relationship between the parties and, in particular, for the preparation of; academic services, cultural and volunteering initiatives, assistance with bureaucratic procedures related to entry and permanence in the Italian State, billing of payments, communications by print, IT and via telephone, for the management of the Student’s needs and the satisfaction of all contractual and legal obligations. In relation to the contractual relationship, ISI Abroad may also process data relating to legal matters, for the sole purpose of ensuring the safety and security of the students and remaining in compliance with current legislation. (Purpose of the processing).

ISI Abroad will therefore treat the identification data (e.g. name and surname, social security, residence/domicile address, telephone number, e-mail address, references of identity documents, bank details, data relating to the university of origin), for the aforementioned purposes, as these data are necessary to provide the aforementioned service. The legal basis of the related treatment is therefore the execution of the contractual relationship and the fulfillment of the related legal obligations (e.g. of an accounting and fiscal nature). In the event of disputes regarding this relationship, the legal basis is the legitimate interest of the Data Controller in the right of defense. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.

ISI Abroad may also process photographic images and videos depicting your person for the purpose of information, promotion, and/or enhancement of the activities carried out by students and teaching staff at ISI Abroad and/or performed by the Data Controller in the presence of the aforementioned people. The legal basis of the processing is the consent of the interested party which is provided during the application and enrollment phase as part of the participation agreement. In the absence of this consent ISI Abroad will not use these images (except in any case of the provisions of Art. 96 and 97 of Law n. 633/1941). 

In relation to the contractual relationship, ISI Abroad may also process data belonging to “special categories of data” pursuant to Article 9 of EU Regulation 679/16, such as data relating to health status (e.g. in the case of pathologies and/or allergies) with the purpose of guaranteeing special conditions in relation to housing and/or academic activities that guarantee the parties’ health and safety, as well as assistance from ISI Abroad employees and/or collaborators to accompany them to medical examinations or public institutions. The legal basis for processing data belonging to “particular categories of data” is the consent of the interested party.

Personal data may be, even partially, provided by the student’s home university. Personal data may also be processed to share (via e-mail or telephone), newsletters and communications regarding ISI Abroad initiatives and services (so-called direct marketing). The legal basis of the processing is the consent of the interested party.

The International
Studies Institute, LLC
Via della Vigna Nuova, 18
50123 Firenze (Italy)
Fax +39 055 2646721
Cod. Fisc. 94084400483
Partita IVA: 06820750484
Codice SDI: M5UXCR1

@Palazzo Rucellai
Via della Vigna Nuova, 18
50123 Firenze (Italy)
Phone +39 055 2645910

@Palazzo Bargagli
Lungarno delle Grazie, 22
50122 Firenze (Italy)
Phone +39 055 5359751

@Umbra Institute
Piazza IV Novembre 23
60123 Perugia (Italy)
Phone: +39 075-7750101

Websites: www.umbra.org, www.isiflorence.org, [email protected]

The processing of personal data will consist in the collection, recording, organization, structuring, storage, adaptation or modification, extraction, selection, consultation, use, communication by transmission or other forms, comparison or interconnection, the limitation, cancellation or destruction of the same. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.

Personal data is processed in written form, on paper, magnetic and telematic format, with appropriate tools to guarantee the security of the same and entered in the data bank of the data controller.
The provision of personal data does not constitute a legal obligation, but is contractually necessary, as such, it is mandatory for our company to carry out the aforementioned services and for the purposes indicated above. In the event of refusal to provide such information, ISI Abroad will not be able to perform the requested contractual service. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.

Your data may also be processed for the purpose of protecting people, property and company assets, through a video surveillance system of some areas of the building, identifiable by the presence of appropriate signs. This treatment pursues our legitimate interest in protecting people and property against possible assaults, thefts, robberies, damages, vandalism and for purposes of fire prevention and safety. (Legal basis of the treatment: legitimate interest of the Data Controller to safeguard people and company assets). Personal data are processed exclusively by subjects appointed by the Data Controller, who is specially trained in the field. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.

Recipients. Personal data can be communicated to all the subjects whose access is recognized by current legislation and for purposes related to legal obligations (e.g. Guarantor Authority, Public Authorities, Public Administrations), as well as public and private entities (e.g. hospitals, private clinics, insurance companies, accommodation and travel organizations, owners of housing properties, voluntary organizations, intermediary companies for student services), in addition to the employees and collaborators appointed for data processing by ISI Abroad, to whom communication is necessary for the purposes indicated above. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.

Personal data may also be communicated to professionals, IT experts, companies that manage cloud and telephone services, companies and credit institutions in charge of data processing, connected with the fulfillment of administrative, accounting and managerial obligations linked to the ordinary performance of our business (e.g. accounting and tax compliance, verification of economic relations). These individuals may be designated Data Processors pursuant to Article 28 of EU Regulation 679/16. The list of individuals appointed as data processors is available at our registered office. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.

The personal data will also be communicated to the universities of origin (in particular the data contained in the certificates issued by ISI Abroad at the end of the academic course), for the purposes indicated above. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.

Personal data (for example relating to any academic questions) also belonging to “special categories of data” (e.g. relating to legal issues, medical conditions, etc.) may eventually be communicated to the parent / family member / legal guardian indicated to us, always for the purposes described above. Such communications may involve the transfer of data to the student’s country of origin. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.

Personal data will not be disseminated, except as specified below. All students and visiting faculty will have given express consent as a condition of enrollment into the program, and as part of the processing activities, the photographic and video images in which you are depicted in and collected for the purposes described above may be published on the web channels and other media created or managed by ISI Abroad (e.g. website, social network).

Images recorded using a video surveillance system are not communicated to third parties, except for specific investigative requests by judicial authorities or judicial police.

Personal data is stored on servers located in Italy, within the European Union.

ISI Abroad uses the Google Drive service. The data is therefore also processed by the Google Inc. data processor, 1600 Amphitheater Parkway Mountain View, CA 94043 USA, at its operating offices,
in compliance with the applicable legal provisions, and with the provisions of the articles 44 and following of EU Regulation 679/16.

ISI Abroad uses the Cloudflare service. The data is therefore also processed by the Cloudflare Data Processor, Inc.101 Townsend St. San Francisco, CA 94107 (represented in Europe by Cloudflare
Germany GmbH Rosental 7 – 80331 München under Art 27 GDPR), at its operating offices, in compliance with the applicable legal provisions, and with the provisions of articles 44 and compliance with EU Regulation 679/16.

ISI Abroad use HubSpot services. The data is therefore also processed by HubSpot, 25 First Street, 2nd Floor Cambridge, MA 02141 United States Software as Service provider in support of marketing activities.

In any case, it is understood that the undersigned Data Controller, if necessary, will have the right to move servers (and data) even outside the EU. In this case, the extra-EU data transfer will take place in compliance with the applicable legal provisions, and with the provisions of articles 44 and following of EU Regulation 679/16.

Pursuant to EU Regulation 679/16, you can exercise the following rights as an interested party:

  1.  the right to obtain confirmation from the Data Controller that the processing of personal data concerning you is underway and, in this case, to obtain access to personal data and information provided by art. 15 (e.g. information relating to the purposes of the processing, to the categories of personal data in question, to the recipients or categories of recipients to whom the personal data have been or will be communicated, to the retention period, to their own rights, to the origin of the data where not collected from the interested party, to the existence of an automated decision-making process, etc);
  2.  the right to obtain, if inaccurate, the correction of personal data concerning you, as well as the integration of the same if deemed incomplete, always in relation to the purposes of the processing (art. 16);
  3.  right to delete data (“right to be forgotten”), if any of the cases referred to in art. 17 applies;
  4.  right to limit the treatment, in the cases provided for by art. 18;
  5.  data portability right, pursuant to art. 20;
  6.  right to object to the processing, pursuant to art. 21;
  7.  where the legal basis for the processing is consent, the right to revoke the consent at any time and applicable from the date of request without jeopardizing the lawfulness of the processing based on the consent given before the revocation.

The Data Controller does not adopt automated decision-making processes; the rights pursuant to Article 22 of the EU Regulation 679/16 apply to the interested party.

The interested party is also entitled to be informed, where applicable, of the intention of the Data Controller to transfer the data to a third country or to an international organization and the existence or absence of a decision of adequacy of the Commission or in the hypothesis of transfers pursuant to art. 46, 47 and 49 c.2, reference to appropriate guarantees and the means to obtain a copy of such data or the place where they were made available.

All the aforementioned rights can be exercised through a request addressed to the Data Controller (e.g. by contacting us by e-mail or by telephone).

The interested parties are always entitled to lodge a complaint with a supervisory authority (Article 77 EU Regulation 679/16 – Art 140 bis and following Legislative Decree 196/2003).

Personal data will be stored only for the time strictly necessary to carry out the aforementioned purposes and to fulfill the obligations provided for by law (e.g. for administrative, fiscal and accounting purposes up to ten years pursuant to art. 2220 and 2946 of the Italian Civil Code), without prejudice to any issues of an accounting or contentious nature that may extend this period.

Any “special data pursuant to Article 9 of EU Regulation 679/16” will be kept exclusively for the time strictly necessary, therefore for the period of the student’s stay at ISI Abroad. Personal data will be stored for the aforementioned direct marketing purposes during the student’s stay at ISI Abroad.

The images recorded by means of a video surveillance system are canceled after 72 hours, except holidays, closure of the financial year or at the request of the judicial police. In hypotheses related to specific needs, according to the indications of the Guarantor Authority, a storage period not exceeding one week may be considered legitimate.

The International Studies Institute LLC
(DBA ISI Florence, The Umbra Institute, ISI Abroad)


Privacy Policy for Website & Smartphone App

ISI Abroad (ISI Florence and Umbra Institute) understands the importance of protecting personal information. This Privacy Policy outlines how ISI Abroad collects, uses, and discloses your personal information. You will also find information on how we protect your personal information.

1. What information do we collect?
Account information: When you apply to one of our programs or install our App, we collect your user name and email address. We use this information for account identification and email communication about the account status.

Device information: When you install the mobile app to your mobile device, we collect device ID/name and model. We use this information for device identification.

Location information: When you run the Umbra or ISI Florence mobile app in your device, we collect location data through GPS, wifi, or cellular triangulation. We use this information to provide location tracking service on our web site. We maintain this data only so long as is reasonable to provide our service. Out-of-date data is removed from our database.

Payment information: We do not store your payment card details. When you purchase service upgrade, that information is provided directly to our third-party payment processors (Paypal or Authorize.net) whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council. PCI-DSS requirements help ensure the secure handling of payment information.

Log files: Our server automatically gathers some anonymous information about visitors, including IP addresses, browser type, language, and the times and dates of web page visits. The data collected does not include personally identifiable information and is used for server performance analysis and troubleshooting purpose.

Cookies: We use cookies to keep you logged in and save your visit preferences.

2. How long do we retain your information?
We will retain your information for as long as is reasonable to provide our service. Out-of-date information will be removed from our database. We will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We will also retain log files for internal analysis purposes. Log files are generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our service, or we are legally obligated to retain this data for longer time periods.

3. Where do we store your information?
We host our database and servers in A2 Hosting servers and Google Workspace Drivesin the US.

4. How do we protect your information?
We protect your data on-line. Data access is protected by an account authentication process. Only account holder who knows the account credential can access to your own data in your account. Other users cannot access your data unless you have opted in location sharing.
We protect your data off-line. Your account and location data are stored in our secured database. Only employee who needs the information to perform a specific job is granted access. The server in which we store our database is hosted with Amazon Web Service, Google Workspace and Inmotion Hosting in a secure environment.

5. Do we share your information to outside parties?
We do not share your personal data with third parties, other than as necessary to fulfill our services. We do not sell your personal data to any third parties. We may be required to disclose an individual’s personal data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. For example, we may share information to respond to a court order, subpoena, or request from a law enforcement agency.

6. Google Analytics
We use Google Analytics to collect information about use of this site. Google Analytics collects information such as how often users visit this site, what pages they visit, when they do so, and what other sites they used prior to coming to this site. We use the information only to improve this site. Google Analytics collects only the IP address assigned to you on the date you visit this site, rather than your name or other identifying information. Google Analytics uses cookie on your web browser to identify you as a unique user. Google’s ability to use and share information collected by Google Analytics about your visits to this site is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can prevent Google Analytics from recognizing you on return visits to this site by disabling cookies on your browser.

7. General Data Protection Regulation (GDPR)
see above

7.1. Collection and use of personal data
See section 1. What information do we collect?

7.2. Protection of your personal data
See section 4. How do we protect your information?

7.3. Disclose of your personal data
We do not share your personal data with third parties, other than as necessary to fulfill our services. We do not sell your personal data to any third parties. We may be required to disclose an individual’s personal data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. For example, we may share information to respond to a court order, subpoena, or request from a law enforcement agency.

7.4. Legal basis for processing personal data
GDPR states that a company may process personal data under the following conditions:

Consent: As a website visitor (cookies enabled), an applicant, program participant or app user, you have given your consent for processing personal data for one or more specific purposes.

Performance of a contract: Provision of personal data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
Legal obligations: Processing personal data is necessary for compliance with a legal obligation to ISI Abroad is subject.
Vital interests: Processing personal data is necessary in order to protect your vital interests or of another natural person.
Public interests: Processing personal data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the company.
Legitimate interests: Processing personal data is necessary for the purposes of the legitimate interests pursued by ISI Abroad.

In order to collect, use and process your personal data, we rely on the following legal bases as appropriate and relevant in the specific context:

Performance of a contract.
7.5. Your rights
We respect the confidentiality of your personal data. If you are within the EEA, you have the following rights:

  • The right to access, update or delete the information we have on you.
  • Request correction of the personal data that we hold about you: You have the right to have any incomplete or inaccurate information we hold about you corrected.
  • Object to processing of your personal data: This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to our processing of your personal data on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request erasure of your personal data: You have the right to ask us to delete or remove personal data when there is no good reason for us to continue processing it.
  • Request the transfer of your personal data: We will provide to a third-party you have chosen your personal data in a structured, commonly used, machine-readable format.
  • Withdraw your consent: You have the right to withdraw your consent on using your personal data. If you withdraw your consent, We may not be able to provide you with access to our programs or services.

7.6. Removing your personal data
If you need to remove your account immediately, please email us at [email protected].
Otherwise, when your program ends, your App account will be terminated and all location data is also removed from the App. 

7.7. Addressing compliance to GDPR
The following actions are undertaken to ensure that ISI Abroad complies at all times with the accountability principle of GDPR:

  • The legal basis for the processing of personal data is clear and unambiguous.
  • All staff involved in handling personal data understand their responsibilities for following good data protection practice.
  • Rules regarding consent are followed.
  • Routes are available to data subjects wishing to exercise their rights regarding personal data, and such inquiries are handled effectively.
  • Regular reviews of procedures involving personal data are carried out.
  • Privacy by design is adopted for all new or changed systems and processes.

8. Contact us
If you have questions or concerns regarding this Privacy Policy, you should first email us at [email protected].

9. How often do we update this Privacy Policy?
We may modify this Privacy Policy from time to time. Please see the revised date at the top of this page to see when this Privacy Policy was last revised.


Click here to read more about the EU’s GDPR laws.