Quin B.V. Privacy Statement
We understand how important your privacy is to you. Therefore, protecting your privacy and handling the information you entrust us with, is of utmost importance to us. We process all personal data in accordance with the General Data Protection Regulation (GDPR). In this Privacy Statement, we explain what personal data we collect, why it is collected, how it is processed, for how long, and which measures we have taken to keep this personal data safe. This pertains to the personal data you provide us with directly as well as the personal data we obtain from other sources via our online health platform (the Quin Platform), via our website, or through third parties. We also explain what rights you have with respect to your personal data we process.
This privacy statement only pertains to your personal data we process. In some cases, personal data may be processed by other parties. In such an event, we will notify you hereof. The terms and conditions of these parties will then apply.
We may amend this Privacy Statement from time to time. Therefore, we recommend you to review it occasionally. This Privacy Statement was most recently amended on the date of publishing of this document, 26 July 2023.
I. ABOUT QUIN
Quin B.V. (Quin, we, or us) is the controller of your personal data within the meaning of the GDPR, insofar as it relates to the Quin Platform and our website.
Quin is based in the Netherlands, at Stadhouderskade 55, 1072 AB Amsterdam.
Quin has appointed a Data Protection Officer (DPO). Our DPO can be reached by email for any privacy-related questions at firstname.lastname@example.org.
At Quin, we try to provide healthcare in an easier way. Also, we find it important to be transparent about how we process your personal data. Privacy statements are long and sometimes annoying to read. Therefore, we made a summary of the most important items. We do, however, recommend you to also read the full privacy statement.
1. To enable you to fully use our services and the Quin Platform, we process your personal data. Due to the nature of our services this includes health data. We only process health data after you share it with us and based on your explicit consent that we may process this in accordance with this privacy statement. You can withdraw your consent at any time.
2. We will only use your personal data for the purposes for which we collected it, unless we reasonably believe that we should use it for another reason and that reason is compatible with the original purpose. This decision will always be based on a ‘purpose compatibility test’.
3. We do not share your personal data with third parties, including health care insurers or parties trading data, for commercial purposes or any other purpose other than when required for providing you with our services.
4. When you connect your account to your General Practitioner practice (GP), the personal (health) data you provided in the Quin Platform will for some of our services be shared with your GP to enable your GP to provide you with the right care. You will be informed before any data is shared for this purpose. Data you share with your GP during a video consult will remain between you and your GP.
5. Quin and your GP (practice) are separate organizations. Once your account is connected to your GP practice, all the personal data you share with the GP within the services of the Quin Platform will be processed by Quin on behalf of the GP. Your GP will act as the controller of your personal data and make decisions on the processing thereof.
6. We always aim to only store personal data within the European Economic Area (EEA). However, some of our processor store and/or process personal data in the United States of America (USA). Furthermore, we of course ensure the principles as set out in the GDPR related to processing of data outside of the EEA are adhered to and security measures and additional safeguards to ensure an adequate level of protection of your personal data are in place.
7. As an exception to us not sharing your personal data with third parties as set out above, we may use and disclose your personal information when we believe this to be required and unavoidable in the following cases:
(i) to comply with applicable laws, which may include laws in force outside your country of residence, to responding to requests from public and governmental authorities, which may be from authorities outside your country of residence, to cooperate with law enforcement authorities or for other legal reasons;
(ii) to enforce your compliance to our user terms in the event of a breach; and
(iii) to protect our rights, privacy, safety, or property and/or that of our subsidiaries or affiliates, you, or others.
8. Our services are not intended for use by minors (under 18) or by persons who have been declared mentally incapacitated and therefore cannot independently use the type of service we provide.
10. We have a Data Privacy Officer (DPO) who you can contact directly if you have any comments, questions or requests related to our processing of your personal data or if you would like to withdraw your earlier given consent. You can contact our DPO via email@example.com.
If you have any questions, remarks, and/or suggestions regarding our privacy statement or our processing of personal data, please do not hesitate to contact our DPO.
III. PERSONAL DATA WE COLLECT, FOR WHICH PURPOSE AND UNDER WHICH LEGAL BASE
1. When using the Quin Platform in accordance with our user terms
When you create your account, you acknowledge the processing of your personal data in accordance with this privacy statement (article 6 paragraph 1, sub a GDPR).
2. When connecting with your GP
When you connect your account to your GP, we process personal data related to your health on your GP’s behalf and under his responsibility, for the execution by your GP of the treatment agreement with you (article 6 paragraph 1, sub b GDPR). This concerns:
i. health related data provided to the GP by you, by Quin and/or by a medical specialist, the latter in the event you are using our service Specialist Consultation. Health data provided to your GP by a medical specialist can include diagnosis (such as X‑rays, scans or blood tests) or advice on (the treatment of) your health care complaint;
ii. health related and other personal data provided by you to your GP through our direct messaging feature. Your messages will remain private to you and your GP and will be processed in the secured environment of our third-party provider (Sendbird). Quin as the processor will ensure the security, integrity, and availability of them. Closed chats will be stored in your account until you choose to delete these, or delete your account; and
iii. personal data required by the GP during a video consult to provide you with medical advice, being name, gender, date of birth, mobile number, care question and symptom assessment report. Any information you include in the care question field directly before the video consultation, will be shared with your GP and stored by Quin on his behalf. The purpose of the care question is to enable your GP to provide you with better and more accurate medical advice.
Furthermore, your name and email address will be processed (i) when you book an appointment with your GP (in the performance of our agreement with you (article 6 paragraph 1, sub b GDPR)), and (ii) when we assist your GP in sending out communications to you regarding (amongst others) updates on (the services of) the practice and the Quin Platform (in the performance of our agreement with your GP (article 6 paragraph 1, sub b GDPR)).
Finally, through our connection with the MedMij network, it is possible to use your account as personal healthcare environment (Persoonlijke Gezondheidsomgeving – PGO). Thereto, you can import your medical record from any GP practice in the Netherlands in your account. It is required that the relevant GP practice is connected to the MedMij network. If you choose to do so, Quin will import your medical record into your account for your convenience. Quin will conduct this processing based on your consent (article 6 paragraph 1, sub a GDPR).
3. When you contact us
We will process the data you share with us when you contact us. Not only your contact details, but also, for instance, any question or complaint about our services. The foregoing personal data will be processed under the legal base of the performance of the agreement between you and Quin (article 6 paragraph 1, sub b GDPR).
When you contact us through our website appointment tool, we collect your contact details and requested date and time of appointment. The legal basis for this processing is our legitimate interest to do so (article 6 paragraph 1, sub f GDPR).
4. When we contact or inform you related to our services
Sometimes we use your personal data to inform you about our products or services. We may use the contact details you provided us with to send you newsletters, service updates, conduct post-market surveillance activities or for other marketing purposes. When we use your contact details for these purposes, we will do so on the basis opt-in, and thus your consent (article 6 paragraph 1, sub a GDPR). Also, this is subject to an opt-out (objection) regime, insofar as our communications relate to our own products and services.
5. For improving our service
To provide you with better service, we might process some of the personal data you provided to us.
Our legal basis for processing information to improve our services is based on our legitimate interest in doing so (article 6 paragraph 1, sub f GDPR), and solely until the original purpose for which the data was collected has been fully accomplished. From that moment, to continuously improve our services, websites, and products, make them safer and compile user statistics, we will only use personal data, including health data, that has been previously anonymized, so that it cannot be linked to an identifiable person.
6. When processing job applications
Our legal basis for processing the information you share or obtain from public sources, including personal information, in the context of your application is based on the consent you gave us when you applied for a job with us. When collecting and processing your personal data for this purpose, we use an external processor, GreenHouse, who will carry on the processing on our behalf.
We keep the information you provide us with for your application for a maximum of 90 days, after which your data will be deleted. In certain cases, if you give us explicit permission for this, we may retain your request data for a maximum period of twelve months.
IV. WITHDRAWL OF CONSENT
You can withdraw your consent at any time by sending an email with this request to our DPO at firstname.lastname@example.org. This will however have consequences for your further use of our services. If you have withdrawn your consent, you will no longer be able to use the Quin Platform, or any features offered by it. Furthermore, withdrawing your consent will not affect our use of your personal data in the period prior to this withdrawal, but only our future use of your personal data.
V. THIRD PARTIES WITH WHOM WE SHARE PERSONAL DATA
1. Your GP practice
When you connect to your GP on the Quin Platform, we may share your personal data, including health data, with your GP practice in providing our services. You will always be informed before information for this purpose is shared.
This information will become available for all health care providers at your GP practice involved in your treatment. When you book a(n) (video) appointment, this will be the GP, for other contact options, such as direct messaging, this can also be the assistant.
For the further treatment and medical advice provided by your GP practice, your GP practice will act as the controller of your personal data and Quin will act as the processor.
Information you share with your GP during a video consultation will remain between you and your GP.
2. Ada Health GmbH – symptom assessment
The symptom assessment included in the Quin Platform is provided by Ada Health GmbH (Ada). When conducting a symptom check for the first time, you are requested to agree to Ada’s terms and conditions and privacy statement. Ada is the controller of the personal data you include in the symptom assessment. To enable Ada to provide you with high quality urgency advice, Quin will, after receipt of your consent, share the following personal data from your Quin account with Ada: gender, date of birth and if you are a smoker. After receipt of your consent, Ada will share the assessment report with Quin. Subsequently, Quin will share this with your GP, if you decide to contact the GP.
3. Pharmeon – UwZorgOnline
In the event your GP practice is connected to the Quin Platform as well as the UwZorgOnline platform provided by Pharmeon B.V. (Pharmeon), you will be able to use the services of Quin via your account in UwZorgOnline. To enable this, Quin will create an account for you upon receipt of your Pharmeon ID, name, date of birth, gender, email address and mobile phone number from Pharmeon. The aforementioned data will only be shared by Pharmeon after you provided your consent thereto and you agreed to the Quin Terms and Conditions as well as this privacy statement. When you book a video consult via the Quin services, the date, time, and reason for this consult will be shared by Quin with Pharmeon, in the event you check your appointment overview in the UwZorgOnline portal.
4. Medical specialist
When you use our service Specialist Consultation, we share your personal data with the healthcare providers and medical specialists involved in your treatment. We will only do this after you provided your GP with your explicit consent to initiate this service.
Furthermore, Quin sometimes conducts scientific research studies to assess how effective and efficient our service Specialist Consultation is. For these studies, Quin can also share your healthcare data with medical specialists not involved in your treatment or use this, after pseudonymization, for analyses. Quin will only do so after you provided your explicit consent.
5. Other parties
Only in exceptional cases, we could be legally obliged or forced by a competent court to provide personal data to a third party, for example the supervisory authority, the tax authorities, or the police. In those cases, we will not provide more personal data than necessary to comply with such an obligation or judgment. When providing the information, we will ensure its integrity, availability, and confidentiality.
VI. MINORS OR INCAPACITATED PERSONS
The collection and use of your personal data in the provision of our services is largely based on your consent. In connection therewith, our services are not intended for (a) persons under the age of 18, and/or (b) people who have been declared legally incapacitated.
VII. TRANSFER TO COUNTRIES OUTSIDE THE EEA
Quin safely processes and stores its personal data within the boundaries of the EU (the EEA), ensuring the minimum standard of protection for our users. When we engage other parties for processing of our data (processors), we aim that they (also) only store personal data on servers within the EEA. However, some of our processors may store and/or process personal data in the United States of America (USA). The European Commission recently recognized the USA as an adequate country/region for personal data processing. In this respect, Quin only engages processers that are certified under the US Department of Commerce (DoC) for the ‘EU-US Data Privacy Framework’, and thus commit themselves to comply such privacy obligations to guarantee safe processing and storage of our user’s personal data. Furthermore, we will obtain adequate contractual commitments from our processor to protect your personal data and take all appropriate and required measures to ensure that an adequate level of protection is guaranteed (such as, but not limited to, standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under article 49 GDPR). The measures will always be in line with applicable legislation and according to EEA standards.
VIII. SECURITY OF PERSONAL DATA
We process personal data with the necessary care and have taken various measures to protect the personal data entrusted to us. Quin is both ISO/IEC 27001:2013 and NEN7510 certified. We also follow guidelines and recommendations from the European Data Protection Authorities and have procedures in place to guarantee the integrity, availability, and confidentiality of the data that we process.
IX. RETENTION OF PERSONAL DATA
We do not retain the personal data you have provided for longer than necessary to achieve the purposes for which we collected it. In certain cases, we have a legal obligation to retain personal data for a certain period of time. This may mean that we must keep your personal data longer, even if you no longer use our services. In addition, when the purpose of the processing is accomplished, we can anonymize your personal data. This happens with for example the meta data of your video consult (Quin ID, time, duration, location, and quality) as well as the symptom checker report. As a result, this data is no longer regarded as personal data.
X. PROCESSORS AND SUB-PROCESSORS
Sometimes we engage processors to process personal data on our behalf in the context of our services, such as a software supplier. With these processors we conclude a written data processing agreement in line with GDPR. This ensures the careful processing of personal data, with safeguards in place to guarantee the adequate protection of our users’ rights and freedoms.
We use the following processors when providing our services:
i. for data storage – Amazon Web Services EMEA SARL (AWS), Luxembourg;
ii. for computer services (including cloud services) – Microsoft Ireland Operations, Ltd., Ireland;
iii. for our direct messaging service – Sendbird Inc., USA (data storage however takes place within the EEA);
iv. for our video consultation service – Vonage B.V., the Netherlands;
v. for conducting questionnaires within Specialist Consultation and other surveys on our website/the Quin Platform – Typeform SL, Spain;
vi. for booking an appointment with your GP – Calendly, LLC, USA;
vii. for managing appointments between patients and GPs for GP practices that use BriksHuisartsen HIS – Tetra B.V., the Netherlands;
viii. for sending out GP practice communications – SendinBlue SAS (Brevo), France;
ix. for providing customer technical support – Zendesk Inc, USA;
x. for collecting feedback from your GP – Refiner SASU, France;
xi. for collecting feedback from you – Momentive Netherlands B.V. (Survey Monkey), the Netherlands;
xii. for analytics – Matomo (InnoCraft Ltd.), New Zealand;
xiii. for failure reports on our system – Sentry (Functional Software, Inc.), USA;
xiv. for website analyses and cookie management – Hubspot Inc., USA; and
xv. for our recruiting process – GreenHouse Software, Inc., USA (only for job applicants).
XI. RIGHTS RELATING TO PERSONAL DATA
In accordance with GDPR, you have the following rights in connection with Quin processing your personal data:
i. Access: you can request from us to access your personal data we process, and the details related to the processing;
ii. Correction: if you want to change the personal data you provided us with, for example because you have moved, you can ask us to adjust this;
iii. Deletion: you can always ask us to delete the personal data we process on you;
iv. Restrict: you can request us to restrict the processing of your personal data if (i) you believe that the personal data we process on you is inaccurate or the processing itself is unlawful, (ii) this is required to fulfil a legal claim, or (iii) you have objected to the processing;
v. Data portability: you can ask us to transfer your personal data to you or a third party, in a common machine-readable format;
vi. Objection: if we process your personal data based on our legitimate interest, you can object hereto. You can also object when the processing is based on a task carried out in the public interest or the exercise of official authority vested in Quin;
vii. Objection against automated decision making (including profiling): you can request us to be excluded form processing based solely on automated decision making or profiling, in the event the decision made affects you legally or in a similar manner; and
viii. Objection to newsletters, direct marketing: if you no longer wish to receive our newsletter and other (marketing)messages, you can unsubscribe by clicking on the unsubscribe link in the received email. You can also unsubscribe by contacting us.
If you have a request regarding your personal data, you can contact our DPO via email@example.com or via mail at the following address: Stadhouderskade 55, 1072 AB Amsterdam. Our DPO will assess your request and respond. Before responding, we may however ask you to identify yourself. This is to prevent us from sharing the requested information with unauthorized third parties. All information concerning a data subject request will be retained for a period of two years, unless extension of this term is required due to the content of the request.
XII. QUESTIONS OR COMPLAINTS?
If you have any questions, comments, or suggestions regarding the way in which we handle your personal data, please let us know via firstname.lastname@example.org or via mail at the following address: Stadhouderskade 55, 1072 AB Amsterdam. We are of course happy to help you, but in some cases, we will request additional information.
If you have a complaint we cannot resolve for you, you can file with our supervisory authority: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens: www.autoriteitpersoonsgegevens.nl).
Please note the primary language of our website and the Quin Platform is Dutch. Our translations are prepared by third party translators. While all reasonable efforts are made to provide accurate translations, incorrections could be made. No liability is assumed by Quin for any errors, omissions, or ambiguities in the translations provided. Any person or entity that relies on translated content does so at their own risk. Quin shall not be liable for any losses caused by reliance on the accuracy or reliability of translated information. If you would like to report a translation error or inaccuracy, please contact us via email@example.com.
 The European Commission recently recognized the USA as an adequate country/region for personal data processing.