QUIN B.V. PRIVACY STATEMENT

We understand how important your privacy is to you. Therefore, protecting your privacy and handling the information you entrust us with, is of utmost importance to us. We process all personal data in accordance with the General Data Protection Regulation (“GDPR”). In this Privacy Statement, we explain what personal data we collect, why it is collected, how it is processed, and which measures we have taken to keep this personal data safe. This pertains to the personal data you provide us with directly as well as the personal data we obtain from other sources via our online health platform (the “Quin Platform”) and our website. We also explain what rights you have with respect to your personal data we process.

This privacy statement only pertains to your personal data we process. In some cases personal data may be processed by other parties. In such event, we will notify you hereof. The terms and conditions of these parties will then apply.

We may amend this Privacy Statement from time to time. Therefore, we recommend you to review it occasionally. This Privacy Statement was most recently amended on the date of publishing of this document, 1 April 2023.

I. ABOUT QUIN

Quin B.V. (together with its subsidiaries “Quin, “we” or “us”) is the controller of your personal data within the meaning of the GDPR, insofar as it relates to the Quin Platform and our website.

Quin is based in the Netherlands, at Stadhouderskade 55, 1072 AB Amsterdam.
Quin has appointed a Data Protection Officer (“DPO”). Our DPO can be reached by email for any privacy-related questions at privacy@quin.md.

II. SUMMARY OF THE PRIVACY POLICY

At Quin, we try to provide healthcare in an easier way. Also, we find it important to be transparent about how we process your personal data. Privacy statements are long and sometimes annoying to read. Therefore, we made a summary of the most important items. We do however recommend you to also read the full privacy statement.

  1. To enable you to fully use our services and the Quin Platform, we process your personal data. Due to the nature of our services this includes health data. We only process health data after you share it with us and on the basis of your explicit consent that we may process this in accordance with this privacy statement. You can withdraw your consent at any time.
  2. We will only use your personal data for the purposes for which we collected it, unless we reasonably believe that we should use it for another reason and that reason is compatible with the original purpose.
  3. We do not share your personal data with third parties, including health care insurers or parties trading data, for commercial purposes or any other purpose other than when required for providing you with our services.
  4. For some of our services, the personal (health) data you provided in the Quin Platform will be shared with your General Practitioner practice (GP) to enable your GP to provide you with the right care. You will be informed before any data is shared for this purpose. Data you share with your GP during a video consult will remain between you and your GP. The video consult will not be recorded.
  5. Quin and your GP (practice) are separate organizations. Once your account is connected to your GP practice, all the personal data you share with the GP within the services of the Quin Platform will be processed by Quin on behalf of the GP, who will act as the controller of your personal data.
  6. We always aim to only store personal data within the European Economic Area (EEA). If - in very rare cases - this is not possible and personal data is stored outside of the EEA, we ensure the principles as set out in the GDPR related to processing of data outside of the EEA are adhered to and security measures and additional safeguards to ensure an adequate level of protection of your personal data are in place. Currently, all personal data processed for the Quin Platform is stored in the EEA and only meta data for analytics and service improvement is stored elsewhere.
  7. As an exception to us not sharing your personal data with third parties as set out above, we may use and disclose your personal information when we believe this to be required and unavoidable in the following cases:
  8. to comply with applicable laws, which may include laws in force outside your country of residence, to responding to requests from public and governmental authorities, which may be from authorities outside your country of residence, to cooperate with law enforcement authorities or for other legal reasons;
  9. to enforce your compliance to our user terms in the event of a breach; and
  10. to protect our rights, privacy, safety or property and/or that of our subsidiaries or affiliates, you or others.
  11. Our services are not intended for use by minors (under 18) or by persons who have been declared mentally incapacitated and therefore cannot independently use the type of service we provide.
  12. We use cookies. More information on our use of cookies can be found in our Cookie Statement, which you can findhere.
  13. We have a Data Privacy Officer (DPO) who you can contact directly if you have any questions related to our processing of your personal data or when you would like to withdraw your earlier given consent. You can contact our DPO viaprivacy@quin.md.

If you have any questions, remarks, and/or suggestions for our privacy statement or our processing of personal data, please do not hesitate to contact our DPO. 

III. PERSONAL DATA WE COLLECT, FOR WHICH PURPOSE AND UNDER WHICH LEGAL BASE 

1. When using the Quin Platform in accordance with our user terms

We will ask you to provide us with certain personal data when you register on the Quin Platform and create an account, being your full name, email address, IP address, date of birth, your gender and the name of your GP. You will then also be asked to provide (general) lifestyle and health data. When you provide this last data this will improve the quality of our services. Furthermore, we also process internal identifiers for your account and your login details. These are necessary to provide you with our services. We process all aforementioned  personal data to provide you with our services and thus perform the agreement between you and Quin in accordance with our terms of use (article 6 paragraph 1, sub b GDPR). 

When you create your account, you are requested to consent to processing of your data in accordance with this privacy statement (article 6 paragraph 1, sub a GDPR).

2. When connecting with your GP 

When you connect your account to your GP, we process personal data related to your identity and health on your GP’s behalf and under his responsibility, for the execution by your GP of the treatment agreement with you (article 6 paragraph 1, sub b GDPR). This concerns:

  1. health related data provided to the GP by you and/or by a medical specialists, the latter in the event you are using our service Specialist Care. Health data provided to your GP by a medical specialist can include diagnosis (such as X‑rays, scans or blood tests) or advice on (the treatment of) your health care complaint;
  2. identification data collected through our ID verification tool. This will only be the minimum required data for your identification, being first name, last name, BSN number and date of birth. No image or other data from your ID will be stored;
  3. health related and other personal data provided by you to your GP through our direct messaging feature. Your messages will remain private to you and your GP. Quin as the processor will ensure the security, integrity and availability of them. The chats will be stored in your account until this is deleted; and
  4. personal data required by the GP during a video consult to provide you with medical advice, being name, gender, date of birth, mobile number, care question and symptom assessment report. Any information you include in the care question field directly before the video consultation, will be shared with your GP and stored by Quin on his behalf. The purpose of the care question is to enable your GP to provide you with a better and more accurate medical advice.

When you engage in a video consult, Quin will however also act as controller for the processing of personal data. This solely concerns the following personal data: email, IP address, time, location, duration, the required device settings, the sound and video quality, and internal identifier. Processing of this personal data is required to enable us to provide you with the service (article 6 paragraph 1, sub b GDPR).

3. When you contact us  

We will process the data you share with us when you contact us. Not only your contact details, but also, for instance, any question or complaint about our services. This personal data will be processed under the legal base of the performance of the agreement between you and Quin (article 6 paragraph 1, sub b GDPR). 

4. When we contact or inform you related to our services 

Sometimes we use your personal data to inform you on our products or services. We may use the contact details you provided us with to send you newsletters, service updates, conducting post-market surveillance activities or for other marketing purposes. When we use your contact details for these purposes, we will do so on the basis opt-in, and thus your consent (article 6 paragraph 1, sub a GDPR). Also, this is subject to an opt-out (objection) regime, insofar as our communications relate to our own products and services.

5. For improving our service 

To provide you with better service, we might process some of the personal data you provided to us. 

Our legal basis for processing information to improve our services is based on our legitimate interest to do so (article 6 paragraph 1, sub f GDPR), and solely until the original purpose for which the data was collected has been fully accomplished. From that moment, in order to continuously improve our services, websites and products, make them safer and compile user statistics, we will only use personal data, including health data, that has been previously anonymized, so that it cannot be linked to an identifiable person.  

6. When processing job applications  

Our legal basis for processing the information you share or obtain from public sources, including personal information, in the context of your application is based on the consent you gave us when you applied for a job with us. When collecting and processing your personal data for this purpose, we use an external processor, GreenHouse who will carry on the processing on our behalf.   

We keep the information you provide us for your application for a maximum of 90 days, after which your data will be deleted. In certain cases, if you give us explicit permission for this, we may retain your request data for a maximum period of twelve months.   

7. Use of cookies  

When you visit our website, we may place cookies, for instance to improve our services or to obtain information on the use of our website. Our cookies may collect personal data, such as the IP address from which you access our website, and when and for how long you visit our website. More information on our use of cookies is provided in our Cookie Statement on the Quin website.  

IV. WITHDRAWL OF CONSENT

You can withdraw your consent at any time by sending an email with this request to our DPO at privacy@quin.md. This will however have consequences for your further use of our services. If you have withdrawn your consent, you will no longer be able to use the Quin Platform or any features offered by it. Furthermore, withdrawing your consent will not affect our use of your personal data in the period prior to this withdrawal, but only our future use of your personal data.

V. THIRD PARTIES WITH WHOM WE SHARE PERSONAL DATA

1. Your GP practice

When your GP is connected to the Quin Platform, we may share your personal data, including health data, with your GP practice in providing our services. You will always be informed before information for this purpose is shared.

This information will become available for all health care providers at your GP practice involved in your treatment. When you book a(n) (video) appointment, this will be the GP, for other contact options, such as direct messaging, this can also be the assistant.

For the further treatment and medical advice provided by your GP practice, your GP practice will act as the controller of your personal data and Quin will act as the processor.

Information you share with your GP during a video consultation will remain between you and your GP. The video consult will not be recorded. Quin will only act as controller for the data to set up the video connection.

2. Ada Health GmbH – symptom assessment

The symptom assessment included in the Quin Platform is provided by Ada Health GmbH (Ada).  When conducting a symptom check for the first time, you are requested to agree to their terms and conditions and privacy statement. Ada is the controller of the personal data you include in the symptom assessment. To enable Ada to provide you with high quality urgency advice, Quin will, after receipt of your consent, share the following personal data from your Quin account with Ada: gender, date of birth, smoker, diabetes and blood pressure. In the event the aforementioned data is not (correctly) received by Ada, the symptom assessment requests this information before it can be conducted. After receipt of your consent, Ada will share the assessment report with Quin. Subsequently, Quin will share this with your GP, if you decide to contact the GP.

3. Pharmeon – UwzorgOnline

In the event your GP practice is connected to the Quin Platform as well as the UwzorgOnline platform provided by Pharmeon B.V. (Pharmeon), you will be able to use the services of Quin via your account in UwzorgOnline. To enable this, Quin receives your Pharmeon ID, name, date of birth, gender, email address and mobile phone number from Pharmeon, after you provided your consent thereto and agreed to the Quin Terms and Conditions as well as this privacy statement. When you book a video consult via the Quin services, the date and time thereof will be shared by Quin with Pharmeon, in the event you check your appointment overview.

4. Medical specialist

When you use our service Specialist Care, we share your personal data with the healthcare providers and medical specialists involved in your treatment. We will only do this with your explicit consent.

5. Other parties

Only in exceptional cases, we could be legally obliged or forced by a competent court to provide personal data to a third party, for example the supervisory authority, the tax authorities, or the police. In those cases, we will not provide more personal data than necessary to comply with such an obligation or judgment. When providing the information, we will ensure its integrity, availability and confidentiality.

VI. MINORS OR INCAPACITATED PERSONS

The collection and use of your personal data in the provision of our services is largely based on your consent. In connection therewith, our services are not intended for (a) persons under the age of 18, and/or (b) people who have been declared legally incapacitated.

VII. TRANSFER TO COUNTRIES OUTSIDE THE EEA

In principle, we only process personal data within the EEA. When we engage processors, we require that they also only store personal data on servers within the EEA. Should in isolated cases the processing of data within the EEA not be possible, we will take all appropriate and required measures to ensure that an adequate level of protection is ensured with regard to the processed data (such as, but not limited to, standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under article 49 GDPR). The measures will always be in line with applicable legislation and according to EEA standards. Currently, all personal data processed for the Quin Platform is stored in the EEA and only meta data for analytics and service improvement is stored elsewhere.

VIII. SECURITY OF PERSONAL DATA

We process personal data with the necessary care and have taken various measures to protect the personal data entrusted to us. Quin is both ISO/IEC 27001:2013 and NEN7510 certified. We also follow guidelines and recommendations from the European Data Protection Authorities and have procedures in place to guarantee the integrity, availability and confidentiality of the data that we process.

IX. RETENTION OF PERSONAL DATA

We do not retain the personal data you have provided for longer than necessary to achieve the purposes for which we collected it. In certain cases, we have a legal obligation to retain personal data for a certain period of time. This may mean that we have to keep your personal data longer, even if you no longer use our services. In addition, when the purpose of the processing is accomplished, we can anonymize your personal data. This happens with the meta data of your video consult (Quin ID, time, duration, location and quality) as well as the symptom checker report. As a result, this data is no longer regarded as personal data.

X. PROCESSORS AND SUB-PROCESSORS

Sometimes we engage other parties (“processors”) to process personal data on our behalf in the context of our services, such as a software supplier. With these processors we conclude a written data processing agreement in line with the GDPR. This ensures the careful processing of personal data, with safeguards in place to guarantee the adequate protection of our users rights and freedoms.

We use the following processors when providing our services:

  1. for data storage – Amazon Web Services EMEA SARL (AWS), Luxembourg;
  2. for computer services (including cloud services) – Microsoft Ireland Operations, Ltd., Ireland;
  3. for our direct messaging service – Sendbird Inc., USA (data storage however takes place within the EEA);
  4. for analytics – Matomo (InnoCraft Ltd.), New Zealand;
  5. for failure reports on our system – Sentry (Functional Software, Inc.), USA;
  6. for GP practices that use BriksHuisartsen HIS: managing appointments between patients and GPs – Tetra B.V., Netherlands; and
  7. for our recruiting process – GreenHouse Software, Inc., USA (only for job applicants).

XI. RIGHTS RELATING TO PERSONAL DATA

In accordance with GDPR, you have the following rights in connection with Quin processing your personal data:

  1. Access: you can request from us to access your personal data we process and the details related to the processing;
  2. Correction: if you want to change the personal data you provided us with, for example because you have moved, you can ask us to adjust this;
  3. Deletion: you can always ask us to delete the personal data we process on you;
  4. Restrict: you can request us to restrict the processing of your personal data if (i) you believe that the personal data we process on you is inaccurate or the processing itself is unlawful, (ii) this is required to fulfil a legal claim, or (iii) you have objected to the processing;
  5. Data portability: you can ask us to transfer your personal data to you or a third party, in a common machine-readable format;
  6. Objection: if we process your personal data on the basis of our legitimate interest, you can object hereto. You can also object when the processing is based on a task carried out in the public interest or the exercise of official authority vested in Quin;
  7. Objection against automated decision making (including profiling): you can request us to be excluded form processing based solely on automated decision making or profiling, in the event the decision made affects you legally or in a similar manner; and
  8. Objection to newsletters, direct marketing: if you no longer wish to receive our newsletter and other (marketing)messages, you can unsubscribe by clicking on the unsubscribe link in the received email. You can also unsubscribe by contacting us.

If you have a request regarding your personal data, you can contact our DPO via privacy@quin.md or via mail at the following address: Stadhouderskade 55, 1072 AB Amsterdam. Our DPO will assess your request and respond. Before responding, we may however ask you to identify yourself. This is to prevent us from sharing the requested information with unauthorized third parties. All information concerning a data subject request will be retained for a period of two years, unless extension of this term is required due to the content of the request.

XII. QUESTIONS OR COMPLAINTS?

If you have any questions, comments or suggestions regarding the way in which we handle your personal data, please let us know via privacy@quin.md or via mail at the following address: Stadhouderskade 55, 1072 AB Amsterdam. We are of course happy to help you, but in some cases we will request you for additional information.

If you have a complaint we cannot resolve for you, you can file with our supervisory authority: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens: www.autoriteitpersoonsgegevens.nl).

XIII. DISCLAIMER 

Please note the primary language of our website and the Quin Platform is Dutch. Our translations are prepared by third party translators. While all reasonable efforts are made to provide accurate translations, incorrections could be made. No liability is assumed by Quin for any errors, omissions, or ambiguities in the translations provided. Any person or entity that relies on translated content does so at their own risk. Quin shall not be liable for any losses caused by reliance on the accuracy or reliability of translated information. If you would like to report a translation error or inaccuracy, please contact us via privacy@quin.md.

Copyright © Quin B.V. 2022