Application Privacy Policy
This Privacy Policy explains how Qintil Technology Limited t/a Qintil ("Qintil", "we", "us" or "our") processes personal data in connection with the provision and operation of the Qintil recruitment, staffing, and learning application (the "Application"). This Privacy Policy has been drafted to mirror the structure, sequencing, and level of legal and operational detail of the OneTouch Health App Privacy Policy and forms part of the wider OneTouch Health Group governance framework.
This Privacy Policy is intended to provide transparency to regulators, customers, and data subjects regarding how personal data is processed within the Application. It should be read in conjunction with the applicable Master Services Agreement ("MSA") and the Qintil Data Processing Agreement ("DPA"). Where there is any inconsistency between this Privacy Policy and the DPA, the DPA shall prevail.
1. Who we are
Qintil Technology Limited t/a Qintil is a company incorporated under the laws of England and Wales, with its registered office at Unit 25 Bradmarsh Business Centre, Rotherham, South Yorkshire, S60 1BY, United Kingdom.
Qintil operates as a specialist technology provider within the OneTouch Health Group. While part of the Group, Qintil operates independently and determines its own operational and compliance arrangements. For the purposes of the Application, Qintil primarily acts as a data processor on behalf of its customers.
2. Scope of this Privacy Policy
This Privacy Policy applies to the processing of personal data through the Qintil Application, including all associated mobile and web-based components, system logs, audit records, and support tooling directly connected to the Application.
This Privacy Policy does not apply to third-party websites, platforms, or services that may be linked to or integrated with the Application. Such third-party services operate under their own privacy policies and contractual terms, and Qintil does not control or accept responsibility for their data protection practices.
3. Roles and responsibilities under data protection law
3.1 Processing roles
For the purposes of the Application:
· Qintil acts as a Data Processor when processing personal data on behalf of its customers in accordance with their documented instructions.
· Customers act as Data Controllers in respect of all personal data uploaded to, generated within, or otherwise processed through the Application for their own business purposes.
· Qintil acts as an independent Data Controller only in limited and clearly defined circumstances, including the processing of its own business contact data, contractual contacts, billing information, compliance records, and security-related operational data.
These roles are contractually defined in the DPA and reflect the allocation of responsibilities under UK GDPR and EU GDPR.
3.2 Customer responsibilities
Customers are responsible for determining the purposes and lawful bases for processing personal data within the Application, for providing appropriate privacy notices to data subjects, and for ensuring that any special category or criminal offence data processed through the Application is supported by a valid legal condition.
Qintil does not determine the content uploaded to the Application by customers and does not independently assess the lawfulness of customer-configured processing activities.
4. Categories of data subjects
Depending on customer configuration and use, the Application may process personal data relating to:
· Employees, workers, contractors, and agency staff of customer organisations
· Candidates, applicants, and prospective workers managed through recruitment workflows
· Learners, trainees, and individuals subject to mandatory or optional training and compliance requirements
· Customer administrators, managers, and authorised system users
· Limited customer and supplier contact persons where Qintil acts as Data Controller
5. Categories of personal data processed
5.1 General personal data
The Application may process a wide range of general personal data, including but not limited to:
· Names, addresses, email addresses, telephone numbers, and other contact details
· Dates of birth and internal identifiers
· Employment details, job roles, work history, qualifications, certifications, and training records
· Recruitment records, application materials, interview notes, and outcomes
· User credentials, role-based access permissions, and authentication records
· Communications, support interactions, and system-generated correspondence
5.2 Special category data
Where determined by the Data Controller and supported by a valid Article 9 GDPR condition, the Application may process special category data, including:
· Health information relevant to fitness to work, training requirements, or occupational compliance
· Equality, diversity, and inclusion data
· Religious or philosophical belief data where recorded by the Data Controller
Qintil processes such data strictly on the instructions of the Data Controller and does not independently verify the necessity or proportionality of its use.
5.3 Criminal offence data
Criminal offence data may be processed through the Application only where the Data Controller has identified and documented an appropriate lawful basis and, where applicable, a condition under Schedule 1 of the UK Data Protection Act 2018 or equivalent EU Member State legislation.
5.4 Technical, usage, and operational data
In order to operate, secure, and maintain the Application, Qintil processes technical and operational data including:
· IP addresses, device identifiers, browser types, and operating system information
· Application access logs, authentication events, and session data
· Time-stamped audit trails recording user activity and system actions
· Performance metrics, error logs, and diagnostic data
· Security monitoring and incident detection data
This data is processed to ensure service availability, integrity, confidentiality, and regulatory accountability.
6. Purposes of processing
Qintil processes personal data strictly in accordance with the documented instructions of Data Controllers for purposes including:
· Recruitment management, candidate tracking, and workforce onboarding
· Staffing, scheduling, compliance monitoring, and workforce oversight
· Learning management, training delivery, assessment, and certification tracking
· System administration, access control, and service delivery
· Security monitoring, incident prevention, and audit readiness
· Customer support, troubleshooting, and service improvement
7. Lawful bases for processing
7.1 Processing as Data Processor
Where Qintil acts as a Data Processor, the lawful bases for processing are determined by the Data Controller. Qintil relies on the Data Controller to ensure that appropriate lawful bases and, where required, special category conditions are in place.
7.2 Processing as Data Controller
Where Qintil processes personal data as an independent Data Controller, processing is carried out on the basis of:
· Performance of a contract or steps taken at the request of a contracting party
· Compliance with legal and regulatory obligations
· Legitimate interests in operating, securing, and improving the business and Application, balanced against the rights of individuals
8. Data retention
Personal data processed within the Application is retained in accordance with the documented instructions of the Data Controller, customer configuration settings, contractual requirements, and applicable legal obligations.
Qintil does not independently determine retention periods for customer application data and supports deletion, return, or destruction in line with the DPA.
9. Data security
Qintil implements and maintains appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures include, but are not limited to:
· An Information Security Management System certified to ISO 27001
· Cyber Essentials Plus certification
· Role-based access controls and least-privilege principles
· Encryption of data in transit and at rest where appropriate
· Comprehensive logging, monitoring, and audit trail capabilities
· Regular vulnerability assessment, testing, and risk management processes
Further detail on security measures is set out in Annex 2 of the DPA.
10. Sub-processors
Qintil engages carefully selected sub-processors to support the delivery and operation of the Application.
An up-to-date list of approved sub-processors is maintained in the OneTouch Health Group Sub-processor Register, available at https://www.onetouchhealth.net/sub-processor-register/. This is a group-wide register covering all OneTouch Health Group entities, of which Qintil is a member. The register identifies sub-processors used across the Group and the services to which they relate.
Customers are notified of material changes to applicable sub-processors and are afforded objection rights in accordance with the Qintil Data Processing Agreement.
11. International data transfers
Where personal data is transferred outside the United Kingdom or European Economic Area, Qintil ensures that appropriate safeguards are in place, including the use of Standard Contractual Clauses, the UK International Data Transfer Agreement, or other lawful transfer mechanisms recognised under GDPR.
International transfers are governed by the DPA and monitored as part of Qintil’s ongoing compliance obligations.
12. Data subject rights
Data subjects have rights under GDPR, including:
· The right of access to their personal data
· The right to rectification of inaccurate or incomplete data
· The right to erasure, where applicable
· The right to restriction of processing
· The right to data portability, where applicable
· The right to object to processing
As Qintil acts primarily as a Data Processor, requests to exercise these rights should be directed to the relevant Data Controller. Qintil provides reasonable assistance to Data Controllers in responding to rights requests in accordance with the DPA.
13. Incident management and breach notification
Qintil maintains documented procedures for identifying, managing, and responding to personal data incidents and security breaches.
Where an incident affecting personal data processed on behalf of a customer occurs, Qintil will notify the relevant Data Controller without undue delay and will cooperate fully to support investigation, mitigation, and regulatory notification obligations, in accordance with the DPA.
14. Supervisory authorities
Data subjects have the right to lodge a complaint with a competent supervisory authority, including:
· The Information Commissioner’s Office in the United Kingdom
· The Data Protection Commission in Ireland
· The supervisory authority in their EU Member State of residence or work
15. Data Protection Officer and contact details
Qintil has appointed a Data Protection Officer at Group level within OneTouch Health Group.
If you have any questions about this Privacy Policy, please contact us:
By email:
dataprotection@onetouchhealth.net
16. Changes to this Privacy Policy
This Privacy Policy may be updated from time to time to reflect changes in legal requirements, regulatory guidance, or operational practices. Where required, material changes will be communicated to customers and users through appropriate channels.
Updated on: 12/02/2026
Thank you!