Quin B.V. Privacy Statement
We understand how important your privacy is to you. Also, we want you to feel comfortable using our services and when interacting with us. Therefore, protecting your privacy and handling the information you entrust us with, is of utmost importance to us.
We process all personal data in accordance with the General Data Protection Regulation (GDPR). In this Privacy Statement, we explain which personal data we collect, why it is collected, how it is processed, for how long, and which measures we have taken to keep your personal data safe. This pertains to the personal data you provide us with directly as well as the personal data we obtain from other sources via our online health platform (the Quin Platform), via our website, or through third parties. We also explain what rights you have with respect to your personal data we process and how Quin adheres thereto.
This Privacy Statement only concerns the personal data Quin processes (collects, uses, stores, and discloses). In some cases, other parties may process personal data. In such an event, we will notify you hereof. The terms and conditions of these parties will then apply.
We may amend this Privacy Statement from time to time. Therefore, even though we will notify you about each update, we recommend you review this Privacy Statement occasionally. This version is published on 1 August 2024.
I. GENERAL
About Quin
Quin B.V. (Quin, we, or us) is the controller of your personal data within the meaning of the GDPR, as far as it relates to the Quin Platform and our website. Quin is based in the Netherlands, at Stadhouderskade 55, 1072 AB Amsterdam.
We have appointed a Data Protection Officer (DPO). You can reach our DPO by email for all privacy-related questions, comments, or remarks at privacy@quin.md.
Definitions
The definitions used in this Privacy Statement have the following meaning, or as assigned to them in the relevant paragraph:
- AWS: Amazon Web Services EMEA S.A.R.L.
- Controller: the person who determines the means and purposes of a processing activity.
- Cookies: text files that are stored in the internet browser or by the internet browser on your device (computer, tablet, or phone) that collect data on our website.
- GDPR: the General Data Protection Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC.
- GP, your doctor, the Practice: your primary care healthcare provider.
- Identifiers: common personal data that, when used, may allow the identification of the individual to whom the information in question may relate, for example: name, email, date of birth, postal address, gender, identification number, location data, or an online identifier (like IP address).
- Personal data: any information about an identified or identifiable natural person, as defined in the GDPR.
- Processor: a person processing Personal Data on behalf of the Controller, acting under the authority of the Controller in accordance with the latter’s instructions.
- Pseudonymized/pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Purpose compatibility test: an assessment conducted by Quin to know if the purpose for which your personal data is initially collected, is compatible with a new intended purpose and the new intended processing is therefore allowed.
- Quin, we, us: Quin B.V., with address Stadhouderskade 55, 1072 AB Amsterdam, and registered with the Dutch Chamber of Commerce under number 62575090.
The terms “Special Categories of Personal Data”, “Health Data”, “Data Subject”, “Processing” and “Transfer”, have the meaning assigned to them in the GDPR.
Summary of the Privacy Statement
At Quin, we try to aid healthcare providers to provide healthcare in an easier and more efficient way. Therefore, we find it important to be transparent about how we process your personal data. Privacy statements are long and sometimes annoying to read. Below you will find a summary of the most important items. We do, however, recommend you to also read the full privacy statement.
- To enable you to fully use our services and the Quin Platform, we process your personal data. Due to the nature of our services this includes health data. We collect information about you directly from you and automatically through your use of our website and/or the Quin Platform. To help you protect yourself and your information, we encourage you to provide only that information necessary for using our services. We only process health data after you share it with us and based on your explicit consent that we may process it in accordance with this privacy statement. You can withdraw your consent at any time by deleting your account or sending an email to privacy@quin.md.
- We will only use your personal data for the purposes for which we collect it, and you were informed about. We may furthermore use your personal data when we may legally use this for another reason, and such reason is compatible with the original purpose. This decision will always be based on a purpose compatibility test.
- We do not share your personal data with third parties other than when strictly required for providing you with our services. As an exception hereto, we may use and disclose your personal data when this is legally required and/or allowed, in the following cases:
(i) to comply with applicable laws, which may include laws in force outside your country of residence, to respond to requests from public and governmental authorities, which may be from authorities outside your country of residence, to cooperate with law enforcement authorities or for other legal reasons;
(ii) to enforce your compliance with our user terms in the event of a breach; and
(iii) to protect our rights, privacy, safety, or property and/or that of our subsidiaries or affiliates, you, or others.
We do not share any personal data with health care insurers or parties trading data.
- When you connect your account to your GP Practice, and book a consult or start a chat, the personal (health) data you provided in the Quin Platform for the performance of the symptom assessment may be shared with your GP to enable your GP to provide you with the right care. We will inform you before any personal data is shared for this purpose.
- Quin and your GP (practice) are separate organizations. Once your account is connected to your GP practice, all the personal data you share with your GP within the services of the Quin Platform will be processed by Quin on behalf of your GP. This means your GP acts as Controller of your personal data and makes decisions on the processing thereof, and Quin will follow his/her written instructions.
- We always aim to only store personal data within the European Economic Area (EEA). However, some of our processors may store and/or process personal data in the United States of America (USA). When this is the case, we put security measures and additional safeguards in place to ensure an adequate level of protection of your personal data and compliance with GDPR (article 44).
- You have the right to request access to your personal information processed by Quin, its correction, restriction, objection, erasure, and its portability. You also have the right to withdraw your consent at any time, and to object to being subject to any automated decision making that might have any legal effects on you. You can make the relevant request by sending an email to privacy@quin.md.
- Quin will retain your personal data until the purpose for which it was collected has been accomplished, or until its deletion is requested by you, whichever occurs first.
- Our services are not intended for use by minors under sixteen or by persons who have been declared mentally incapacitated and therefore cannot independently use the type of service we provide.
- Our website uses cookies. More information on our use of cookies can be found in our Cookie Statement, which you can find here.
- You can contact our DPO if you have any comments, questions or requests related to our processing of your personal data or if you would like to withdraw your earlier given consent. You can contact our DPO via privacy@quin.md.
II. PERSONAL DATA WE COLLECT, FOR WHICH PURPOSE AND UNDER WHICH LEGAL BASIS
When using the Quin platform in accordance with our user terms
The processing of your personal health-related data for the provision of our services will solely take place after you provided Quin with your explicit consent to do so (article 9 paragraph 2, sub a GDPR).
We will ask you to provide us with personal data when you register on the Quin Platform and create an account (web or app), being your full name, email address, date of birth and your gender. Furthermore, we also process internal identifiers for your account and your login details. These are necessary to provide you with our services. We process them based on the performance of the agreement between you and Quin, in accordance with our terms of use (article 6 paragraph 1, sub b GDPR).
Therefore, when you create your account, we explicitly ask you to agree to the processing of your personal data in accordance with this privacy statement.
When connecting with your GP
When you connect your account to your GP, Quin will share the personal data in your profile with your GP. From there on, we will process personal data related to your health (Special Categories of Personal Data) on your GP’s behalf and under his responsibility. This means that Quin as the Processor will process your personal data under your GP’s instructions (as the Controller). This concerns:
- health related data provided to the GP by you, by Quin and/or by a medical specialist (the latter in the event you are using our service Specialist Consultation). Health data provided to your GP by a medical specialist may include diagnosis (such as X-rays, scans, or blood tests) or advice on (the treatment of) your health care complaint. This processing of your data is based on the performance of the treatment agreement between you and your GP (article 6 paragraph 1, sub b GDPR);
- health related and other personal data provided by you to your GP through our direct messaging feature (chat). This processing is also based on the performance of the treatment agreement between you and your GP (article 6 paragraph 1, sub b GDPR). Your chat conversations will remain private to you and your GP. They will be fully encrypted and processed in the secure environment of our third-party provider (Sendbird). Quin as the processor will ensure the security, integrity, and availability of them. Once chat conversations are finished and closed by the GP, those will remain in your Quin account stored in our database with AWS (in Germany). These conversations will remain available to you until you choose to delete them, or to delete your account entirely;
- images that you share with your GP via direct messaging (chat) will also be processed by Quin for the performance of the treatment agreement between you and your GP (article 6 paragraph 1, sub b GDPR). The images will be stored in our own database with AWS (in Germany). These files will remain private to you and your GP, and will be deleted upon your request;
- identifiers for booking an appointment with your GP and sharing the outcome of Ada’s symptom checker with your GP. This may be required by your GP in order to get to know your complaints and symptoms in advance to be better prepared for your appointment. This processing takes place based on the legal ground of the performance of your agreement with Quin (article 6 paragraph 1, sub b GDPR).
- (via our sub-processor Sendinblue) your full name and email address will be processed when assisting your GP in sending out communications to you regarding (amongst others) service updates related to the GP’s practice and the Quin Platform. This processing is based on the performance of your agreement with your GP (article 6 paragraph 1, sub b GDPR).
By default, personal data will not be stored longer than required for the purpose for which it was collected. It will be deleted earlier if you decide to withdraw your consent to your GP or to delete your Quin account. For any of those scenarios, Quin will always act upon your GP’s instruction or upon your request.
When you contact us
When you contact us on support@quin.md, the data that you share with Quin will be processed by our sub-processor Zendesk. This includes, besides your contact details, also any question or complaint you share with us about our services. The foregoing personal data will be processed for the purpose of providing you with support and under the legal base of the performance of a contract with Quin (article 6 paragraph 1, sub b GDPR). Your data will be stored until it is no longer required for the purpose for which it was collected from you.
When we contact or inform you related to our services
When we inform you about our products or services, we disclose your contact details to our external providers Sendinblue or Hubspot. This concerns newsletters, service updates, conducting post-market surveillance activities, or other marketing purposes. When we use your contact details for these purposes, we will do so on an opt-in basis, and thus based on your consent (article 6 paragraph 2, sub a GDPR).
Your data will be stored until it is no longer required for the purpose for which it was collected, or until you revoke your consent.
When you provide us with performance reports, feedback and surveys
To deliver a better service to you, we might process your personal data when reporting incidents on the Quin Platform, or when you give us your feedback and/or perform a survey. This data will be processed by our external processors Sentry or Refiner, respectively. This may involve your contact details and sometimes also personal information related to health.
Our legal basis for processing this information is our legitimate interest in doing so (article 6 paragraph 1, sub f GDPR). We may also legally base the processing on your consent, when your medical data is involved (article 9, paragraph 2, sub a GDPR). Your data will be processed and retained solely until the original purpose for which the data was collected has been fully accomplished unless you object to the processing or withdraw your consent before that. From that moment, to continuously improve our services, websites, and products, make them safer and compile user statistics, we will only use personal data, including health data, which has been previously anonymized, so that it cannot be linked to you, and it is no longer regarded as personal data.
When you apply for a job in Quin
Our legal basis for processing the information you share or obtain from public sources, including personal information, in the context of your application is based on the consent you gave us when you applied for a job with us. When collecting and processing your personal data for this purpose, we use an external processor, GreenHouse, who will execute the processing on our behalf.
We keep the information you provide us with for your application for a maximum of four weeks after the recruitment process ended, after which your data will be deleted. If, upon our request, you give us explicit permission for this, we may retain your request data for a maximum period of twelve months.
When you visit our website - Cookies
When you visit our website, we may place cookies for improvement of our services or to obtain information on the use of our website. Our cookies may collect personal data, such as the IP address from which you access our website, and when and for how long you visit our website. This processing is conducted by our sub-processor Hubspot, and, where required by law, based on your consent. More information on our use of cookies is provided in our Cookie Statement on the Quin website.
Technical information and analytics
When you use the Quin Platform or visit our website, we may collect some of your identifiers where this is allowed by your device or browser settings. This processing is performed by our sub-processors Matomo and Microsoft Power BI, and is based on Quin’s legitimate interest to perform analytics that will help us better understand our audience. Your data collected in this way is pseudonymized and is not stored together with your other personal data.
Research studies and feature development
When you use the Specialist Consultation service in the platform, Quin sometimes conducts scientific research studies to assess how effective and efficient that service is. For these studies, we can ask your consent to share your healthcare data with medical specialists not directly involved in your treatment, or to use this, after pseudonymization, for the development of new features in our platform and/or analyses. This processing of personal data will be conducted only after you provide us with your explicit consent, which can be withdrawn at any time.
Additional research to improve our services is done through digital interviews with external participants to learn from their personal experience with the healthcare system. When you take part in these studies, Quin may collect personal data from you, including personal data related to health. This processing will be based on your consent (article 6, paragraph 1, sub a GDPR), which can be withdrawn at any time. The processing will involve Microsoft Systems LLC (Ireland) and the storage will be in our database with AWS (in Germany). Your personal data will not be shared and will always be pseudonymized for the research study. All your data will be deleted after studies are finalized or when erasure is requested by you, whichever comes first.
III. WITHDRAWAL OF CONSENT
Whenever you provide us with your consent, you can withdraw it at any time by sending an email with this request to our DPO at privacy@quin.md. This will however have consequences for your further use of our services. If you have withdrawn your consent, you may from that moment on not be able to fully use the Quin Platform, or any specific features offered based on your consent.
IV. THIRD PARTIES WITH WHOM WE SHARE PERSONAL DATA
Your GP practice
When you connect to your GP on the Quin Platform, we may share the personal data from your profile and the outcome of the symptom assessment, with your GP practice to provide you with our services. You will always be informed before personal data for this purpose is shared. This information will only become available for the health care providers at your GP practice.
As set out under III.2, your GP practice will act as the Controller of your personal data and Quin as the Processor for the further treatment and medical advice provided by your GP Practice.
Ada Health GmbH
The symptom assessment included in the Quin Platform is provided by Ada Health GmbH (Ada). Ada and Quin are both regarded as independent controllers of the personal data they process.
When conducting a symptom assessment, you will be transferred from the Quin platform to Ada’s environment. The first time you are requested to agree to Ada’s terms and conditions and privacy statement. From there on, Ada is the Controller of the personal data you provide in the performance of the assessment. To improve your user experience, Quin will (after receipt of your consent) share with Ada your full name, gender, birthdate and identifier.
After the performance of the symptom assessment Ada will, after receiving your consent thereto, share the report with Quin. Subsequently, if you decide to contact your GP, Quin will share the report with your GP.
If you decide not to share the report with Quin, you will not receive the option of contacting your GP. Furthermore, you will only be able to download the report to your device at the same moment. The report will not be stored in your Quin account and thus not be available for review or download afterwards.
Medical specialist
When you use the Specialist Consultation service, your GP will share your personal data with the healthcare providers and medical specialists involved in your treatment. This data will always remain private between you and the healthcare providers involved in your treatment.
When you book an appointment with your specialist, some of your identifiers will be shared with Calendly LLC, our appointment management sub-processor.
Other parties
Only in exceptional cases, we could be legally obliged or forced by a competent court to provide personal data to a third party, for example the supervisory authority, the tax authorities, or the police. In those cases, we will not provide more personal data than necessary to comply with such an obligation or judgment. When providing the information, we will ensure its integrity, availability, and confidentiality.
V. CONDITIONS OF PROCESSING
Security of personal data
We process personal data with the necessary care and have taken various measures to protect the personal data entrusted to us, among others encryption, access control, patch management, and mandatory two factor authentication for employees.
Quin is both ISO/IEC 27001:2022 and NEN7510 certified. We also implement Privacy by Design and follow guidelines and recommendations from the European Data Protection Authorities. All the required policies and procedures are in place to guarantee the integrity, availability, and confidentiality of the (personal) data we process.
Retention of personal data
We do not retain the personal data you provided us with for longer than necessary to achieve the purposes for which we collected it. In certain cases, we have a legal obligation to retain personal data for a specific period. This may mean that we must keep your personal data longer, even if you no longer use our services, in accordance with, for example, tax regulations.
We also limit the access to your personal data exclusively to the persons who strictly need to use it for the relevant purpose(s), always in compliance with our access control policy and ensuring its integrity, confidentiality, and availability.
In addition, when the purpose is accomplished and the processing of your personal data is no longer necessary, it will be irreversibly anonymized (no longer regarded as personal data), or securely deleted.
VI. TRANSFERS OF PERSONAL DATA
Sub-processors
Sometimes we engage processors and sub-processors to process personal data on our behalf in the context of our services, such as a software supplier. With these external parties we conclude a written data processing agreement in line with GDPR. This ensures the careful processing of personal data, with safeguards in place to guarantee the adequate protection of our users’ rights and freedoms.
We use the following processors when providing our services:
(i) for cloud data storage – Amazon Web Services EMEA SARL, Luxembourg;
(ii) for computer services (including cloud services) and chat summarization – Microsoft Ireland Operations, Ltd., Ireland;
(iii) for our direct messaging service (chat) – Sendbird Inc., USA (data storage takes place within the EEA);
(iv) for conducting questionnaires within Specialist Consultation and other surveys on our website/the Quin Platform – Typeform SL, Spain;
(v) for booking an appointment with your Specialist – Calendly, LLC, USA;
(vi) for sending out GP practice communications – SendinBlue SAS (Brevo), France;
(vii) for providing you with technical support – Zendesk Inc, USA;
(viii) for collecting feedback from your GP – Refiner SASU, France;
(ix) for data analytics – Looker Studio by Google Ireland Limited, Ireland;
(x) for website and cookie management and analysis – Hubspot Inc., USA; and
(xi) for our recruiting process – GreenHouse Software, Inc., USA (only for job applicants).
Transfer outside the EEA
The personal data that we collect from you is stored in the European Union (Germany) on our Cloud Servers with AWS. Whenever we engage other parties for processing data of our users (processors/sub-processors), we aim that they (also) process and store this data only on servers within the EEA. However, some of our processors may store and/or process personal data in the United States of America (USA). In this respect, Quin will ensure compliance with article 44 GDPR. This means that we will obtain adequate contractual commitments from every processor/sub-processor to protect your personal data and take all appropriate and required measures to ensure that an adequate level of protection is guaranteed.
If we believe we cannot provide these appropriate safeguards for your personal data, we will ask for your consent before disclosing it.
The personal data that might be subject to international transfers may involve only your identifiers, but not your health-related data.
Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.
VII. YOUR RIGHTS
Rights relating to personal data
In accordance with GDPR, you have the following rights in connection with Quin processing your personal data:
- Access: you can request us to access your personal data we process, and the details related to the processing;
- Correction: if you want to change the personal data you provided us with, for example because you have moved, you can ask us to adjust this;
- Deletion: you can always ask us to delete the personal data we process on you;
- Restrict: you can request us to restrict the processing of your personal data if (i) you believe that the personal data we process on you is inaccurate or the processing itself is unlawful, (ii) this is required to fulfil a legal claim, or (iii) you have objected to the processing;
- Data portability: you can ask us to transfer your personal data to you or a third party, in a common machine-readable format;
- Objection: if we process your personal data based on our legitimate interest, you can object hereto. You can also object when the processing is based on a task conducted in the public interest or the exercise of official authority vested in Quin;
- Objection against automated decision making (including profiling): you can request us to be excluded from processing based solely on automated decision making or profiling, in the event the decision made affects you legally or in a similar manner; and
- Objection to newsletters, direct marketing: if you no longer wish to receive our newsletter and other (marketing) messages, you can unsubscribe by clicking on the unsubscribe link in the received email. You can also unsubscribe by contacting us.
You can exercise any of these rights by contacting our DPO via privacy@quin.md or via mail at the following address: Stadhouderskade 55, 1072 AB Amsterdam. Our DPO will assess your request and respond. We may however ask you to identify yourself by sending us confirmation from the email address associated with your Quin account, so that we can verify that you are the owner of the account. This is to prevent us from sharing the requested information with unauthorized third parties. All information concerning a data subject request will be processed with Microsoft Ireland Operations Ltd, and retained for a period of two years, unless extension of this term is required due to the content of the request.
Minors or incapacitated persons
The collection and use of your personal data in the provision of our services is largely based on your consent. In connection therewith, our services are not intended for (a) persons under the age of sixteen, and/or (b) people who have been declared legally incapacitated.
VIII. ADDITIONAL INFORMATION
Questions or complaints?
If you have any questions, comments, or suggestions regarding the way in which we handle your personal data, please let us know via privacy@quin.md or via mail at the following address: Stadhouderskade 55, 1072 AB Amsterdam. We are happy to help you, but in some cases, we will request more information.
If you have a complaint we cannot resolve for you, you can file it with our supervisory authority: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens: www.autoriteitpersoonsgegevens.nl).
Translation
Please note the primary language of our website and the Quin Platform is Dutch. Our translations are prepared with due care and all reasonable efforts are made to provide full accuracy; however, errors could be made. In the event of inaccuracy or incompleteness, the Dutch Privacy Statement prevails. If you would like to report a translation error or inaccuracy, we are incredibly grateful. Please contact us via privacy@quin.md.