Quin B.V. Privacy Statement

We understand how important your privacy is to you, and we want you to feel confident and comfortable using our services and when interacting with us. Protecting your privacy and handling the personal data you entrust to us with care and integrity, therefore, is of utmost importance to us.

We process all personal data in accordance with the General Data Protection Regulation (GDPR). In this Privacy Statement, we explain what personal data we collect, for what purposes, how we process it, how long we retain it and the measures we take to safeguard your personal data. This statement applies to personal data you provide us with directly, as well as the personal data we obtain from other sources via our ZorgvraagHulp platform, our website, or through third parties. We also explain your rights you have in relation to the personal data we process and how Quin ensures compliance with those rights.

This Privacy Statement applies only to the processing of the personal data by Quin (including the collection, use, storage, and disclosure of personal data). In certain circumstances, third parties may process personal data independently. Where this is the care, we will inform you accordingly, and the privacy statements or terms and conditions of those third parties will apply.

We may update this Privacy Statement from time to time, for example to reflect changes in our services, legal requirements, or regulatory guidance. We will notify you of material changes, but we encourage you to review this Privacy Statement periodically. This version was last updated on 19 December 2025.

 

I. GENERAL

About Quin

Quin B.V. (referred to as “Quin”, “we”, or “us”) is the data controller within the meaning of GDPR for the processing of personal data relating to the Quin platforms (including ZorgvraagHulp) and our website.

  • Registered office: Stadhouderskade 55, 1072 AB Amsterdam, the Netherlands.
  • Dutch Chamber of Commerce number: 62575090.

Quin has a dedicated Compliance team responsible for quality, regulatory and information security compliance. If you have any questions, comments or concerns regarding privacy or the processing of your personal data, can contact our Compliance team at privacy@quin.md.


Definitions

Unless stated otherwise, terms used in this Privacy Statement have the meaning assigned to them in the GDPR. In addition:

  • AWS: Amazon Web Services EMEA S.A.R.L.
  • Controller: the person who determines the means and purposes of a processing activity.
  • Cookies: text files which are stored in the internet browser or by the internet browser on your device (computer, tablet, or phone) that collect data on our website.
  • GDPR: the General Data Protection Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC.
  • GP, your doctor, the Practice: your primary care healthcare provider.
  • Identifiers: common personal data that, when used, may allow the identification of the individual to whom the information in question may relate, for example: name, email, date of birth, postal address, gender, identification number, location data, or an online identifier (like IP address).
  • Personal data: any information about an identified or identifiable natural person as defined in the GDPR.
  • Processor: a person processing Personal Data on behalf of the Controller, acting under the authority of the Controller in accordance with the latter’s instructions.
  • Pseudonymized /pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

 

Summary

At Quin, we try to aid healthcare providers to provide healthcare in an easier and more efficient way. Therefore, we find it important to be transparent about how we process your personal data. Privacy statements are long and sometimes annoying to read. Below you will find a summary of the most important items. We do, however, recommend you to also read the full privacy statement.

  1. To enable you to fully use our services and the Quin Platform, we process your personal data. Due to the nature of our services this includes health data. We collect information about you directly from you and automatically through your use of our website and/or the Quin Platform(s). To help you protect yourself and your information, we encourage you to provide only that information necessary for using our services. We only process health data after you share it with us and based on your explicit consent that we may process it in accordance with this privacy statement. You can withdraw your consent at any time by deleting your account or sending an email to privacy@quin.md.
  2. We will only use your personal data for the purposes for which we collect it, and you were informed about. We may use your personal data when we may legally use this for another reason, and such reason is compatible with the original purpose. This decision will always be based on a purpose compatibility test.
  3. We do not share your personal data with third parties other than when strictly required for providing you with our services. As an exception hereto, we may use and disclose your personal data when this is legally required and/or allowed, in the following cases:
    (i) to comply with applicable laws, which may include laws in force outside your country of residence, to responding to requests from public and governmental authorities, which may be from authorities outside your country of residence, to cooperate with law enforcement authorities or for other legal reasons.
    (ii) to enforce your compliance to our user terms in the event of a breach; and
    (iii) to protect our rights, privacy, safety, or property and/or that of our subsidiaries or affiliates, you, or others.
  4. We do not share any personal data with healthcare insurers or parties trading data.
  5. ZorgvraagHulp is always provided within the context of a specific GP practice. When you use ZorgvraagHulp, you interact with the platform in connection with that practice.

    If you choose to contact the practice (for example by logging in, booking a consultation, or starting a chat), the personal data you have provided during your interaction with ZorgvraagHulp, including the outcome of the symptom assessment, may be shared with the GP practice in order to enable the practice to provide you with appropriate care. You will be informed before any personal data is shared for this purpose.

    At an aggregated level, GP practices may have access to anonymised insights via the Quin dashboard, such as the number of completed symptom checks and the distribution of urgency outcomes. This information is fully anonymised and cannot be traced back to individual patients.

  6. Quin and your GP practice are separate organisations with distinct responsibilities under the GDPR.

    For aggregated and anonymised dashboard insights, no personal data is processed, and this information cannot be linked to you as an individual.

    When you choose to log in and contact the GP practice via the Quin Platform, the information shared becomes linked to you as a patient. From that point onward, the GP practice acts as the data controller for the processing of your personal data in connection with your care and medical advice.

    In this context, Quin acts solely as a data processor on behalf of the GP practice and processes your personal data strictly in accordance with the GP practice’s documented instructions.
  7. We always aim to only store personal data within the European Economic Area (EEA). However, some of our Processors may store and/or process personal data in the United States of America (USA). When this is the case, we put security measures and additional safeguards in place to ensure an adequate level of protection of your personal data and compliance with GDPR (article 44).
  8. You have the right to request access to your personal information processed by Quin, its correction, restriction, objection, erasure, and its portability. You also have the right to withdraw your consent at any time, and to object to being subject to any automated decision making that might have any legal effects on you. You can make the relevant request by sending an email to privacy@quin.md.
  9. Quin will retain your personal data until the purpose for which it is collected has been accomplished, or until its deletion is requested by you, whichever occurs first.
  10. Our services are not intended for use by minors under sixteen or by persons who have been declared mentally incapacitated and therefore cannot independently use the type of service we provide.
  11. Our website uses cookies. More information on our use of cookies can be found in our Cookie Statement, which you can find here.
  12. You can contact our Compliance team if you have any comments, questions or requests related to our processing of your personal data or if you would like to withdraw your earlier given consent, at privacy@quin.md.

 

II. PERSONAL DATA WE COLLECT, FOR WHICH PURPOSE AND UNDER WHICH LEGAL BASIS

When using the Quin Platform in accordance with our user terms

When you create an account, we process:

  • Full name
  • Email address
  • Date of birth
  • Gender
  • Account identifiers and login credentials

We process them based on the performance of the agreement between you and Quin, in accordance with our terms of use (Article 6(1)(b) GDPR). When you create your account we, therefore, explicitly ask you to agree to the processing of your personal data in accordance with this privacy statement.

Health data entered during symptom assessments is processed only after you provide explicit consent (Article 9(2)(a) GDPR). You may withdraw this consent at any time by deleting your account or contacting us.

When connecting with your GP

When you connect your account to your GP practice, Quin will share relevant personal data from your profile and symptom assessment with your GP.

From that moment onward:

  • Your GP practice acts as the data controller
  • Quin acts strictly as a data processor, following the documented instructions of the GP practice

This processing is based on the treatment agreement between you and your GP (Article 6(1)(b) GDPR), in combination with Article 9(2)(h) GDPR where applicable.

This concerns:

  1. Health related data provided to your GP by (a) you, (b) Quin and/or (c) a medical specialist (the latter in the event you are using our service Specialist Consultation). Health data provided to your GP by a medical specialist may include diagnosis (such as X-rays, scans, or blood tests) or advice on (the treatment of) your healthcare complaint. This processing of your data is based on the performance of the treatment agreement between you and your GP (Article 6 (1) (b) GDPR).
  2. Health related and other personal data provided to your GP by you through our direct messaging feature (chat). This processing is also based on the performance of the treatment agreement between you and your GP (Article 6 [1b] GDPR). Your chat conversations will remain private to you and your GP. They will be fully encrypted and processed in the secure environment of our third-party provider Sendbird. Quin as the Processor will ensure the security, integrity, and availability of them. Once chat conversations are finished and closed by the GP, the GP can choose to have them summarized to include this summary in your medical record. In this event, the content will be anonymized and our sub-processor Microsoft provides this summary. The full chat conversations will remain in your Quin account, stored in our database with AWS (in Germany). These conversations will remain available to you until you choose to delete them, or to delete your account entirely.
  3. Images you share with your GP via direct messaging (chat) will also be processed by Quin for the performance of the treatment agreement between you and your GP (Article 6 [1b] GDPR). The images will be stored in our own database with AWS (in Germany). These files will remain private to you and your GP, and will be deleted upon your request.
  4. Identifiers for booking an appointment with your GP and sharing the outcome of Infermedica’s symptom checker with your GP. This may be required by your GP to get to know your complaints and symptoms in advance to better prepare your appointment. This processing takes place based on the legal ground of the performance of your agreement with Quin (Article 6 [1b] GDPR).

Chat messages, images, and related communications are securely processed and stored. Once a conversation is closed, your GP may choose to generate a summary for your medical record. Full chat content remains available in your Quin account unless you delete it.

By default, personal data will not be stored longer than required for the purpose for which it was collected. It will be deleted earlier if you decide to withdraw your consent to your GP or to delete your Quin account. For any of those scenarios, Quin will always act upon your GP’s instruction or upon your request.

 

Integration with Pharmeon – UwZorgOnline.

If your GP practice uses both Quin and UwZorgOnline (Pharmeon), you may access Quin services through your UwZorgOnline account. Personal data is shared only after you provide explicit consent and are informed about:

  • Which data will be transferred
  • The purpose of the transfer
  • Quin’s Privacy Statement and Terms

 

 

When you contact us

When you contact us via support@quin.md, the personal data you provide will be processed by our sub-processor Zendesk. This includes your contact details as well as the content of your enquiry or complaint about our services. We process this personal data for the purpose of handling and responding to your request for support, based on the legal ground of performance of a contract between you and Quin (Article 6(1)(b) GDPR).

Your personal data will be retained only for as long as necessary to fulfil this purpose.

 

When we contact or inform you related to our services

With your consent (Article 6(1)(a) GDPR), we may send:

  • Newsletters
  • Service updates
  • Post-market surveillance communications

We use HubSpot for these communications. You can withdraw your consent at any time.

 

When you provide us with performance reports, feedback, and surveys

To improve our services, we may process your personal data when you report incidents on a Quin Platform, provide feedback, or participate in surveys. For these purposes, your personal data is processed by our external processor Refiner. This may include your contact details and, in some cases, information relating to your health.

The processing of this personal data is based on our legitimate interest in improving and safeguarding our services (Article 6(1)(f) GDPR). Where health data or other special category personal data is involved, the processing is based on your explicit consent (Article 9(2)(a) GDPR).

Your personal data will be processed and retained only for as long as necessary to fulfil the purpose for which it was collected, or until you withdraw your consent. After this period, we will only retain and use data that has been anonymised in such a way that it can no longer be linked to you and is therefore no longer considered personal data. This anonymised data is used to continuously improve our services, enhance safety, and compile aggregated user statistics.

Recruitment

Job application data is processed based on your consent and handled by Homerun B.V. Data is retained for up to four weeks after completion of the recruitment process, or up to twelve months with your consent.

Cookies

When you visit our website, we may place cookies for improvement of our services or to obtain information on the use of our website. Our cookies may collect personal data, such as the IP address from which you access our website, and when and for how long you visit our website. This processing is conducted by our sub-processor Hubspot, and, where required by law, based on your consent. More information on our use of cookies is provided in our Cookie Statement on the Quin website.

Technical information and analytics

When you use a Quin Platform or visit our website, we may collect some of your identifiers - where this is allowed by your device or browser settings. This processing is performed by our sub-processors, Datadog and Mixpanel, and is based on Quin’s legitimate interest to perform analytics that will help us better understand our audience. Your data collected in this way is pseudonymized and is not stored together with your other personal data.

 

Research studies and feature development

When you use the Specialist Consultation service in the platform, Quin sometimes conducts scientific research studies to assess how effective and efficient that service is. For these studies, we can ask your consent to share your healthcare data with medical specialists not directly involved in your treatment, or to use this, after pseudonymization, for the development of new features in the Quin Platform and/or analyses. This processing of personal data will be conducted only after you provide us with your explicit consent, which can be withdrawn at any time.

Additional research to improve our services is done through digital interviews with external participants to learn from their personal experience with the healthcare system. When you take part in these studies, Quin may collect personal data from you, including personal data related to health. This processing will be based on your consent (Article 6(1) (a) GDPR), which can be withdrawn at any time. The processing will involve Microsoft Systems LLC (Ireland) and the storage will be in our database with AWS (in Germany). Your personal data will not be shared and will always be pseudonymized for the research study. All your data will be deleted after studies are finalized or when erasure is requested by you, whichever comes first.

III. WITHDRAWAL OF CONSENT

Withdrawal

Where we process your personal data on the basis of your consent, you may withdraw that consent at any time by contacting our Compliance team at privacy@quin.md. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. However, withdrawing your consent may limit your ability to use certain features of the Quin Platform or, in some cases, the platform as a whole, where such features rely on your consent to function.

IV. THIRD PARTIES WITH WHOM WE SHARE PERSONAL DATA

Your GP practice

When you connect with your GP via the Quin Platform, we may share personal data from your profile and the outcome of the symptom assessment with your GP practice in order to provide you with our services. You will always be informed before any personal data is shared for this purpose. The shared information will be accessible only to authorised healthcare professionals within your GP practice.

GP practices are independent data controllers for medical treatment.

 

Infermedica Sp. z o.o. – symptom checker

The symptom checker is provided by Infermedica Sp. z o.o. Quin and Infermedica act as independent controllers. Data is shared only with your consent and in accordance with Infermedica’s privacy statement.

When you initiate a symptom assessment, you will be redirected from the Quin Platform to Infermedica’s environment. Upon first use, you will be asked to accept our terms and conditions and privacy statement.

To facilitate a smooth user experience, Quin may - subject to your prior consent - share your full name, gender, date of birth, and a unique identifier with Infermedica. After the symptom assessment has been completed, Infermedica may (subject to your consent) share the assessment report with Quin. If you subsequently choose to contact your GP via the Quin Platform, Quin will share the report with your GP practice for that purpose.

If you choose not to share the assessment report with Quin, you will not be able to contact your GP through the Quin Platform. In that case, you will only have the option to download the report to your device at that time. The report will not be stored in your Quin account and will not be available for later review or download.

 

Medical specialist

When you use the Specialist Consultation service, your GP will share your personal data with the healthcare providers and medical specialists involved in your treatment. This data will always remain private between you and the healthcare providers involved in your treatment.

 

Other parties

Only in exceptional cases, we could be legally obliged or forced by a competent court to provide personal data to a third party, for example the supervisory authority, the tax authorities, or the police. In those cases, we will not provide more personal data than necessary to comply with such an obligation or judgment. When providing the information, we will ensure its integrity, availability, and confidentiality.

V. CONDITIONS OF PROCESSING

Security of personal data

We process personal data with the necessary care and have taken various measures to protect the personal data entrusted to us. These measures include encryption, access control, patch management, and mandatory two factor authentication for employees.

Quin is certified in accordance with ISO/IEC 27001:2022 and NEN 7510, demonstrating that we have implemented a robust information security management system that meets internationally and nationally recognised standards for the protection of (health) data.

In addition, Quin applies the principles of Privacy by Design and Privacy by Default and follows applicable guidelines and recommendations issued by the European Data Protection Board and national data protection authorities.

We have implemented appropriate technical and organisational measures, supported by documented policies and procedures, to ensure the confidentiality, integrity, and availability of the personal data we process, and to protect such data against unauthorised access, loss, misuse, or alteration.

 

 

Retention of personal data

We do not retain the personal data you provided us with for longer than necessary to achieve the purposes for which we collected it. In certain cases, we have a legal obligation to retain personal data for a specific period. This may mean that we must keep your personal data longer, even if you no longer use our services, in accordance with, for example, tax regulations.

We also limit the access to your personal data exclusively to the persons who strictly need to use it for the relevant purpose(s), always in compliance with our access control policy and ensuring its integrity, confidentiality, and availability.

In addition, when the purpose is accomplished and the processing of your personal data is no longer necessary, it will be irreversibly anonymized (no longer regarded as personal data), or securely deleted.

 

VI. TRANSFERS OF PERSONAL DATA

Sub-processors

Sometimes we engage processors and sub-processors to process personal data on our behalf in the context of our services, such as a software supplier. With these external parties we conclude a written data processing agreement in line with GDPR. This ensures the careful processing of personal data, with safeguards in place to guarantee the adequate protection of our users’ rights and freedoms.

We use the following processors when providing our services:

  1. for cloud data storage – Amazon Web Services EMEA SARL, Luxembourg;
  2. for computer services (including cloud services) and chat summarization – Microsoft Ireland Operations, Ltd., Ireland;
  3. for our direct messaging service (chat) – Sendbird Inc., USA (data storage takes place within the EEA);
  4. for conducting questionnaires within Specialist Consultation and other surveys on our website/the Quin Platform – Typeform SL, Spain;
  5. for providing you with technical support – Zendesk Inc, USA (data storage takes place within the EEA);
  6. for collecting feedback from your GP – Refiner SASU, France;
  7. for data analytics – Mixpanel, Inc., USA and Datadog, Inc., USA; (data storage takes place within the EEA);
  8. for website and cookie management and analysis – Hubspot Inc., USA (data storage takes place within the EEA from February 2026); and
  9. for our recruiting process – Homerun B.V, the Netherlands.

Transfer outside the EEA

The personal data that we collect from you is stored in the European Union (Germany) on our Cloud Servers with AWS. Whenever we engage other parties for processing data of our users (processors/sub-processors), we aim that they (also) process and store this data only on servers within the EEA.

However, some of our processors may store and/or process personal data in the United States of America (USA). In this respect, Quin will ensure compliance with article 44 GDPR. This means that we will obtain adequate contractual commitments from every processor/sub-processor to protect your personal data and take all appropriate and required measures to ensure that an adequate level of protection is guaranteed.

Where data is processed outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs)
  • Additional safeguards and transfer impact assessments

Health data is not transferred outside the EEA without explicit safeguards and consent.

Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.

 

VII. YOUR RIGHTS

Rights relating to personal data

In accordance with GDPR, you have the following rights in connection with Quin processing your personal data:

  1. Access: you can request us to access your personal data we process, and the details related to the processing;
  2. Correction: if you want to change the personal data you provided us with, for example because you have moved, you can ask us to adjust this;
  3. Deletion: you can always ask us to delete the personal data we process on you;
  4. Restrict: you can request us to restrict the processing of your personal data if (i) you believe that the personal data we process on you is inaccurate or the processing itself is unlawful, (ii) this is required to fulfil a legal claim, or (iii) you have objected to the processing;
  5. Data portability: you can ask us to transfer your personal data to you or a third party, in a common machine-readable format;
  6. Objection: if we process your personal data based on our legitimate interest, you can object hereto. You can also object when the processing is based on a task conducted in the public interest or the exercise of official authority vested in Quin;
  7. Objection against automated decision making (including profiling): you can request us to be excluded form processing based solely on automated decision making or profiling, in the event the decision made affects you legally or in a similar manner; and
  8. Objection to newsletters, direct marketing: if you no longer wish to receive our newsletter and other (marketing)messages, you can unsubscribe by clicking on the unsubscribe link in the received email. You can also unsubscribe by contacting us.

You can exercise any of these rights by contacting our Compliance team via privacy@quin.md or via mail at the following address: Stadhouderskade 55, 1072 AB Amsterdam.

Our team will assess your request and respond. We may, however, ask you to identify yourself by sending us confirmation from the email address associated with your Quin account, so that we can verify that you are the owner of the account. This is to prevent us from sharing the requested information with unauthorized third parties.

All information concerning a data subject request will be processed with Microsoft Ireland Operations Ltd, and retained for a period of two years, unless extension of this term is required due to the content of the request.

Minors or incapacitated persons

Our services are not intended for individuals under the age of 18 or for persons who are legally incapacitated. We do not knowingly process their personal data without appropriate consent. 

VIII. ADDITIONAL INFORMATION

Questions or complaints?

If you have any questions, comments, or suggestions regarding the way in which we handle your personal data, please let us know via privacy@quin.md or via mail at the following address: Stadhouderskade 55, 1072 AB Amsterdam. We are happy to help you, but in some cases, we will request more information.

If you have a complaint we cannot resolve for you, you can file with our supervisory authority: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens: www.autoriteitpersoonsgegevens.nl).

 

Translation

Please note that the primary language of our website and the Quin Platform is Dutch. While we prepare translations with due care and make reasonable efforts to ensure their accuracy, discrepancies or inaccuracies may occur. In the event of any inconsistency or incompleteness, the Dutch version of the Privacy Statement shall prevail.

If you identify a translation error or inaccuracy, we would appreciate you bringing this to our attention by contacting us at privacy@quin.md.