Privacy Policy
1Introduction
Qity bv respects the privacy of visitors to its website, clients, prospective clients, suppliers, partners, job applicants, trainees, social media users and other persons with whom Qity interacts.
This Privacy Policy explains how Qity collects, uses, shares, protects and retains personal data in connection with its website, online forms, submitted questions, email communications, social media presence, commercial activities, recruitment activities, consultancy services, iQMS-related services, data protection services, training, support activities and related business operations.
This Privacy Policy applies to personal data processed by Qity as controller. Where Qity processes personal data on behalf of a client, Qity normally acts as processor and the client remains responsible for providing the applicable privacy information to the relevant data subjects, unless otherwise agreed in writing.
2Controller
The controller for the processing described in this Privacy Policy is:
Qity bvOudenaardsesteenweg 256 box 3
9420 Erpe-Mere
Belgium
Enterprise / VAT number: BE 0767.822.603
Privacy contact: dpo@qity.be
For questions about this Privacy Policy, the processing of your personal data, or the exercise of your data protection rights, you can contact Qity at dpo@qity.be.
3Scope of this Privacy Policy
This Privacy Policy applies to personal data processed by Qity in connection with:
- the Qity website;
- website contact forms, submitted questions, requests for information and project enquiries;
- email, telephone, meeting and other business communications;
- commercial follow-up, proposals, statements of work, contracts and client relationship management;
- consultancy, audit, quality management, regulatory, cybersecurity, privacy, PIMS, DPO-as-a-Service, training, support, onboarding and iQMS-related activities;
- job applications and recruitment communications;
- supplier, partner and contractor relationships;
- Qity's pages, profiles and activity on social media and professional networking platforms;
- legal, compliance, security, accounting, quality and administrative obligations.
This Privacy Policy does not replace a client's own privacy notice where Qity processes personal data on behalf of that client as processor.
4Personal Data Qity Processes
Qity processes different categories of personal data depending on the relationship, context and purpose.
5Identification and Contact Data
Qity may process your name, job title, organisation, department, business address, email address, telephone number, professional profile information, communication preferences and correspondence details.
6Data Submitted Through Website Forms
When you submit a question, message, contact request, project enquiry, demo request, meeting request or similar form through the Qity website, Qity may process the data provided in that form.
This may include your name, email address, telephone number, organisation, role, country, project description, question, message content, preferred contact method, website metadata, timestamp and any additional information you choose to include.
You must not submit confidential, sensitive, special category, patient, employee, clinical, health, regulatory, cybersecurity, client-controlled or third-party personal data through general website forms unless Qity has expressly requested it or a secure channel has been agreed.
Where a website submission contains excessive, irrelevant, confidential, special category or third-party personal data that is not necessary for handling the request, Qity may delete, restrict, return or otherwise limit the processing of that information.
7Data Submitted by Email
When you contact Qity by email, Qity may process your email address, name, organisation, message content, attachments, signature block, technical email metadata and related correspondence history.
If your email concerns a client project, support request, regulatory matter, privacy matter, audit, complaint, incident, job application, proposal or commercial discussion, Qity may retain the correspondence as part of the relevant operational, legal, quality, privacy, security, recruitment or commercial record.
You should not send confidential, sensitive, special category, patient, employee, clinical, health, regulatory, cybersecurity or client-controlled information by unsecured email unless Qity has requested it or agreed that email is an appropriate channel for that purpose.
8Job Application Data
If you apply for a role at Qity, Qity may process personal data included in your application and recruitment communications.
This may include your name, contact details, CV, cover letter, employment history, education, qualifications, certifications, portfolio, professional profile links, salary expectations, availability, interview notes, assessment results, references, right-to-work information and any other information you provide during the recruitment process.
Qity asks applicants not to include unnecessary sensitive information in their application. This includes national identification numbers, medical information, family information, political views, religious beliefs, trade union information, criminal record information, financial information or other special category data, unless this is specifically required by law or expressly requested by Qity for a lawful reason.
Where an applicant voluntarily provides unnecessary sensitive information, Qity may disregard, delete or restrict the processing of that information unless there is a lawful reason to retain it.
9Commercial and Client Relationship Data
Qity may process personal data relating to enquiries, proposals, statements of work, contracts, orders, subscriptions, invoices, payment follow-up, client contacts, meeting notes, relationship history, service interests, account management and commercial communications.
This data is used to manage professional relationships, understand client needs, prepare proposals, deliver services, administer contracts and maintain appropriate business records.
10Website and Technical Data
Qity may process technical information relating to visits to the Qity website.
This may include IP address, browser type, device information, pages visited, time of visit, referring website, approximate location derived from technical data, cookie identifiers and related analytics information, subject to the applicable cookie settings.
Qity uses this data to operate, secure, maintain and improve the website, and to understand how visitors interact with the website where this is permitted by law.
11Service Delivery Data
Qity may process personal data during consultancy, audit, regulatory, cybersecurity, quality management, privacy, PIMS, DPO-as-a-Service, training, support, onboarding, configuration, data migration or iQMS-related activities.
Depending on the engagement, this may include names and professional contact details of client personnel, audit participants, project stakeholders, system users, supplier contacts, trainees, reviewers, approvers, support requesters and other persons involved in the relevant project or service.
Where client-controlled information is processed during service delivery, Qity processes that information in accordance with the applicable agreement, statement of work, confidentiality obligations, data processing agreement and project instructions.
12Account, Access and Support Data
Where Qity manages, configures, administers or supports access to platforms, portals or Atlassian-based environments, Qity may process user names, email addresses, roles, permissions, activity records, support tickets, configuration records, access logs, subscription information and related administrative records.
This data is used to manage access, support users, maintain system security, configure services, verify subscription scope, support onboarding and offboarding, and preserve evidence of service delivery.
13Supplier, Partner and Contractor Data
Qity may process personal data relating to suppliers, partners and contractors.
This may include names, roles, professional contact details, contractual information, due diligence records, security or privacy assessment records, invoice details, bank or payment administration details, communication records and performance-related information.
14Social Media and Professional Networking Data
Qity may maintain pages, profiles or accounts on social media and professional networking platforms, including platforms used for business communication, recruitment, marketing, professional updates, thought leadership, events and client engagement.
When you interact with Qity through social media, Qity may process your username, profile name, public profile information, comments, reactions, messages, shared content, professional information, connection status, engagement metadata and any information you choose to send to Qity through the platform.
Qity may process this data to manage its social media presence, respond to messages or comments, communicate with professional contacts, publish relevant updates, promote Qity services, manage recruitment visibility, understand engagement with Qity content and protect Qity's rights and reputation.
The relevant social media platform also processes personal data for its own purposes under its own privacy information. Qity does not control how those platforms process personal data for their own purposes.
Where a platform provides aggregated page statistics, audience insights or engagement analytics to Qity, Qity may use those statistics to understand the performance of Qity content and improve professional communication. Depending on the platform and feature used, Qity and the platform may be separately responsible or jointly involved in certain processing activities, in accordance with the applicable platform terms and data protection arrangements.
If Qity uses paid social media advertising, audience targeting, lead generation forms, tracking pixels, uploaded contact lists, remarketing or similar tools, Qity will ensure that the relevant legal basis, transparency information and platform arrangements are in place before using those features.
15Special Category Data
Qity does not seek to collect special category data through its general website forms, general email contact channels or public social media channels.
Qity may receive or process special category data in limited circumstances, for example where this is necessary for a client engagement in the medical, clinical, health technology, quality, regulatory, privacy or data protection context, where a person voluntarily provides such information, or where Qity is instructed to support a lawful activity involving such data.
Where special category data is processed by Qity as controller, Qity identifies an Article 6 legal basis and, where required, an Article 9 condition. Where special category data is processed by Qity as processor, Qity processes it under the client's documented instructions and the applicable data processing agreement.
Qity applies stricter access, confidentiality, security and purpose limitation controls to special category data.
16How Qity Collects Personal Data
Qity may collect personal data directly from you when you:
- visit the Qity website;
- submit a question, message, contact request, project enquiry, support request, demo request or meeting request;
- contact Qity by email, telephone, social media, professional networking platform or another communication channel;
- send Qity documents, attachments, specifications, project information or background material;
- enter into or perform a contract with Qity;
- participate in a project, audit, workshop, training session, meeting or support activity;
- use a Qity-managed or Qity-supported platform or portal;
- apply for a role at Qity;
- exercise a data protection right;
- otherwise communicate with Qity.
Qity may also receive personal data from clients, employers, suppliers, partners, contractors, public sources, professional networks, event organisers, recruitment sources, service providers, client-controlled systems or platforms used for project delivery.
17Personal Data Received From Other Sources
Qity may receive personal data about you from another source where this is relevant to Qity's business operations or service delivery.
This may include:
- a client providing contact details of project stakeholders, reviewers, approvers, trainees, audit participants or system users;
- an employer registering personnel for training, workshops, audits, support or system access;
- a supplier or partner providing contact details of personnel involved in delivery;
- a professional contact referring you to Qity;
- an event organiser providing attendee or participant information;
- a recruitment source, referee or professional network providing applicant-related information;
- public professional sources, such as company websites, public registers, professional profiles or publicly available business contact information;
- client-controlled systems, records or project environments made available to Qity for a service engagement.
Where Qity receives personal data from another source and acts as controller, Qity provides the information required by applicable law within the required timeframe, unless an exemption applies. An exemption may apply, for example, where you already have the information, where providing the information would be impossible or involve disproportionate effort, or where the data must remain confidential because of a legal or professional obligation.
18Purposes and Legal Bases
Qity processes personal data only where there is a lawful basis for doing so.
The table below describes the main purposes and usual legal bases. The applicable legal basis may depend on the specific context.
| Purpose | Examples | Usual legal basis |
|---|---|---|
| Responding to general questions and website messages | Contact forms, general enquiries, requests for information | Legitimate interests |
| Handling proposal, project or demo requests | Project enquiries, discovery calls, proposal preparation, pre-contractual discussions | Steps prior to entering into a contract, legitimate interests |
| Managing email correspondence | Business communications, attachments, follow-up, technical or commercial clarification | Legitimate interests, contract performance where linked to an existing contract |
| Managing client relationships | CRM, account management, service discussions, relationship history | Legitimate interests, contract performance |
| Preparing and performing contracts | Proposals, statements of work, orders, service delivery, invoicing | Contract performance, legitimate interests, legal obligation for accounting and tax records |
| Delivering consultancy, audit, regulatory, cybersecurity, quality, privacy, PIMS, DPO, training, support and iQMS services | Project delivery, workshops, audits, implementation, support, documentation, training | Contract performance, legitimate interests, legal obligation where applicable |
| Managing platform access and support | User access, roles, permissions, tickets, configuration, subscription checks | Contract performance, legitimate interests |
| Managing security, quality and compliance | Access logs, audit trails, incident records, controlled documentation, evidence management | Legitimate interests, legal obligation where applicable |
| Operating and securing the website | Technical operation, troubleshooting, security, fraud prevention | Legitimate interests |
| Website analytics and non-essential cookies | Measuring website performance, improving website content, preference or analytics cookies | Consent where required, legitimate interests where legally permitted |
| Marketing to professional contacts | Newsletters, event invitations, service updates, relevant B2B communication | Consent where required, legitimate interests where legally permitted |
| Managing social media presence | Posts, comments, messages, engagement, page statistics, professional networking | Legitimate interests, consent where required by the platform feature or applicable law |
| Paid social media campaigns or targeting | Sponsored posts, audience targeting, campaign statistics, lead generation forms | Consent or legitimate interests depending on the feature, applicable law and platform arrangement |
| Recruitment | Reviewing applications, interviews, assessments, references, hiring decisions | Steps prior to entering into a contract, legitimate interests, legal obligation where applicable, consent where needed |
| Supplier and partner management | Due diligence, contracting, invoices, performance review | Contract performance, legitimate interests, legal obligation |
| Handling legal claims or disputes | Evidence preservation, legal advice, claim defence or enforcement | Legitimate interests, legal obligation |
| Handling data protection rights and complaints | Access, rectification, erasure, objection, restriction, portability, complaints | Legal obligation |
| Managing records and retention | Archiving, deletion, auditability, evidence of compliance and service delivery | Legitimate interests, legal obligation |
19Legitimate Interests
Where Qity relies on legitimate interests, those interests may include:
- responding to business enquiries;
- managing client, supplier, partner and professional relationships;
- preparing and delivering services;
- maintaining appropriate commercial, contractual, quality and operational records;
- securing Qity's systems, website, platforms, records and communications;
- preventing misuse, fraud, unauthorised access or unlawful activity;
- managing Qity's professional reputation and social media presence;
- communicating with professional contacts about relevant Qity services, events or updates where legally permitted;
- improving Qity's website, services, processes and client experience;
- handling disputes, enforcing rights and defending legal claims;
- demonstrating compliance with legal, contractual, quality, regulatory and professional obligations.
Before relying on legitimate interests, Qity considers whether those interests are overridden by the rights and freedoms of the persons concerned.
20Submitted Questions, Project Enquiries and Contact Forms
When you submit a question, project enquiry, contact form or similar message through the Qity website, Qity uses the information to understand your request, respond to you, assess whether Qity can assist, prepare follow-up questions, schedule a meeting, prepare a proposal or route the request internally.
Qity may record the enquiry in its internal systems, including CRM, email, project intake, sales, support or service delivery tools.
If the enquiry leads to a client relationship, proposal, support request, project or other service activity, the information may become part of the relevant commercial, contractual, project, quality or support record.
Qity does not use general website enquiries to make decisions based solely on automated processing that produce legal effects or similarly significant effects.
21Job Applications
When you apply for a role at Qity, Qity uses your personal data to assess your suitability, communicate with you, organise interviews, evaluate qualifications and experience, perform recruitment administration and decide whether to offer employment or another form of collaboration.
Qity may share application data internally with personnel involved in recruitment and selection. Qity may also use recruitment platforms, email, calendar tools, document management tools or professional advisers where necessary for the recruitment process.
Qity will only contact referees where this is appropriate and lawful. Where possible, Qity will ask you before contacting a referee.
If your application is unsuccessful, Qity will retain recruitment data for a limited period to manage follow-up questions, demonstrate fair handling of the recruitment process and defend possible legal claims. Qity may retain your application for a longer period only where this is lawful, for example where you consent to remain in a recruitment reserve.
If you are hired, relevant recruitment data may become part of your personnel file and will be managed under Qity's internal personnel privacy information.
22Social Media
Qity may use social media and professional networking platforms to communicate about Qity, its services, events, publications, training, recruitment, business updates and areas of expertise.
If you interact with Qity on social media, Qity may process personal data visible through that interaction. This includes comments, reactions, messages, shares, tags, profile names, public professional information and the content of your communication.
Qity may respond to public comments, direct messages or professional enquiries. If a social media interaction becomes a business enquiry, support matter, recruitment matter, complaint, legal matter or client-related communication, Qity may transfer the relevant information into its internal systems for appropriate handling.
Qity may use aggregated statistics made available by social media platforms to understand how users interact with Qity's pages, posts or campaigns. These statistics may include aggregated information about reach, engagement, audience characteristics, location, sector, professional role or interaction trends, depending on the platform.
Qity does not control the processing performed by social media platforms for their own purposes. You should read the privacy information of the relevant platform before interacting with Qity through that platform.
Qity does not intend to collect sensitive personal data through social media. You should not send confidential, special category, patient, client-controlled, security-sensitive or regulatory information to Qity through social media channels.
23Cookies and Similar Technologies
Qity may use cookies or similar technologies to operate its website, secure the website, remember preferences, measure website performance and understand how visitors interact with the website.
Strictly necessary cookies may be used where needed to make the website function.
Analytics, preference or marketing cookies are used only where permitted by law and, where required, based on your consent.
Where Qity uses a cookie banner or preference tool, you can use it to manage non-essential cookies. You may also be able to manage cookies through your browser settings.
Qity should maintain a separate Cookie Policy or cookie overview identifying the cookies used, their provider, purpose, duration and type.
24Marketing Communications
Qity may contact business contacts about services, events, insights, training, product updates or other information relevant to Qity's activities.
Where required, Qity will ask for your consent before sending marketing communications. You can unsubscribe or object to marketing communications at any time by using the unsubscribe link in the relevant message or by contacting Qity at dpo@qity.be.
Qity does not sell personal data for marketing purposes.
25When Qity Acts as Processor
In many client engagements, Qity processes personal data on behalf of a client. This may occur, for example, when Qity supports a client's iQMS, privacy management system, audit programme, quality management system, regulatory documentation, cybersecurity assessment, support process, data migration activity or controlled project environment.
In those cases, the client determines the purposes and means of the processing, and Qity processes personal data under the client's documented instructions and the applicable data processing agreement.
This Privacy Policy does not replace the client's own privacy notice for processing activities where the client acts as controller.
26Recipients and Sharing of Personal Data
Qity may share personal data with the following categories of recipients where necessary and lawful:
- Qity personnel, contractors and authorised collaborators who need access for their role;
- clients, where this is necessary for service delivery or project governance;
- suppliers and service providers supporting hosting, communication, collaboration, accounting, CRM, recruitment, ticketing, security, analytics, document management, training or other business operations;
- professional advisers, including legal, accounting, audit, insurance or compliance advisers;
- public authorities, courts, regulators or law enforcement bodies where required by law or necessary to protect Qity's rights;
- platform providers used for delivery, including providers of project management, documentation, communication, support, hosting or productivity tools;
- social media and professional networking platforms where Qity maintains pages, profiles, campaigns or communications.
Qity requires service providers that process personal data on Qity's behalf to apply appropriate confidentiality, security and data protection safeguards.
27International Transfers
Qity primarily aims to use service providers and hosting arrangements that process personal data within the European Economic Area or countries recognised as providing an adequate level of protection.
Where personal data is transferred outside the European Economic Area, Qity applies an appropriate transfer mechanism where required, such as an adequacy decision, Standard Contractual Clauses or another lawful transfer mechanism.
Where required, Qity may assess whether supplementary measures are needed, taking into account the nature of the data, the processing activity, the country of destination, the recipient and the service provider involved.
You may contact Qity at dpo@qity.be for further information about the safeguards applied to relevant international transfers.
28Security
Qity applies technical and organisational measures designed to protect personal data against unauthorised access, unlawful processing, accidental loss, destruction, alteration or disclosure.
Depending on the processing activity, these measures may include access control, role-based permissions, authentication controls, confidentiality obligations, supplier review, secure configuration, logging, backup controls, incident management, document control, personnel awareness, controlled onboarding and offboarding, and periodic review.
No system is completely risk-free. Qity therefore maintains procedures to identify, assess, contain and respond to security and personal data incidents.
29Retention
Qity retains personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law.
Retention periods depend on the type of data, the purpose of processing, the contractual relationship, legal obligations, limitation periods, audit requirements, regulatory expectations and the need to preserve evidence of services delivered.
The following retention periods are indicative and may be adapted where a longer or shorter period is required by law, contract, dispute, audit requirement, regulatory need or documented retention decision.
| Data category | Indicative retention approach |
|---|---|
| General website enquiries and submitted questions | Retained for the time needed to respond and follow up, then deleted or archived unless the enquiry becomes a commercial, support, project or legal record |
| Proposal and commercial records | Retained for the duration of the commercial relationship and for the period needed to evidence negotiations, contractual decisions and legitimate business interests |
| Contracts, statements of work and accounting records | Retained in accordance with contractual, tax, accounting and legal limitation requirements |
| Client project and service delivery records | Retained for the period needed to demonstrate delivery, quality, auditability, regulatory support, contractual performance and legal defence |
| Support records and platform administration records | Retained according to operational, security, contractual and evidence-retention needs |
| Website analytics records | Retained according to the applicable cookie settings, analytics configuration and Cookie Policy |
| Social media messages and interactions | Retained on the relevant platform according to platform settings and, where moved into Qity systems, according to the purpose for which they are retained |
| Recruitment records for unsuccessful applicants | Retained for a limited period after the recruitment process unless a longer period is required by law, needed for legal claims or agreed with the applicant |
| Recruitment reserve records | Retained only where the applicant has agreed or where another lawful basis applies |
| Supplier and partner records | Retained for the duration of the relationship and the period needed for contractual, accounting, legal, audit and business purposes |
| Data protection requests and complaints | Retained for the period needed to demonstrate lawful handling of the request or complaint |
| Incident and breach records | Retained for the period needed to demonstrate investigation, decision-making, remediation, notifications and accountability |
| Marketing preferences and suppression records | Retained as needed to respect consent, unsubscribe and objection choices |
Where data is no longer required, Qity deletes, anonymises or archives it in accordance with applicable retention and deletion controls.
30Your Rights
Subject to the conditions and limits set by applicable law, you may have the following rights in relation to your personal data:
- the right to access your personal data;
- the right to correct inaccurate or incomplete personal data;
- the right to request erasure of your personal data;
- the right to request restriction of processing;
- the right to object to processing based on legitimate interests;
- the right to object to direct marketing;
- the right to data portability, where applicable;
- the right to withdraw consent, where processing is based on consent;
- the right not to be subject to a decision based solely on automated processing, including profiling, where such decision produces legal effects or similarly significant effects.
To exercise your rights, contact Qity at dpo@qity.be.
Qity may need to verify your identity before responding to a request. Qity will respond within the period required by applicable law. Where a request is complex or where Qity receives multiple requests, Qity may extend the response period where permitted by law.
31Right to Object to Direct Marketing
You have the right to object to direct marketing at any time.
Where you object to direct marketing, Qity will stop processing your personal data for that purpose.
You can object by using the unsubscribe link in the relevant communication, where available, or by contacting Qity at dpo@qity.be.
32Consent Withdrawal
Where Qity relies on consent, you may withdraw your consent at any time.
Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
You can withdraw consent by using the available preference tool, unsubscribe mechanism or by contacting Qity at dpo@qity.be.
33Requirement to Provide Personal Data
In most website and social media contexts, you are not legally required to provide personal data to Qity.
If you choose not to provide the personal data needed to handle a request, Qity may be unable to respond, provide information, prepare a proposal, deliver a service, process an application, manage a contract or comply with a legal obligation.
Where personal data is required by law, contract or operational necessity, Qity will process only the data that is necessary for the relevant purpose.
34Automated Decision-Making
Qity does not use personal data collected through its website, website forms, social media channels or job application channels to make decisions based solely on automated processing that produce legal effects or similarly significant effects on individuals.
If this changes for a specific service or processing activity, Qity will provide appropriate information before the processing takes place.
35Children
Qity's website and services are directed at professional and business users.
Qity does not knowingly seek to collect personal data from children through its website, business contact forms or social media channels.
If Qity becomes aware that a child has submitted personal data through a general website or business contact channel without an appropriate reason, Qity may delete or restrict the processing of that information.
36Complaints
If you have a concern about how Qity processes your personal data, Qity asks that you contact Qity first at dpo@qity.be so that the matter can be reviewed.
You also have the right to lodge a complaint with the Belgian Data Protection Authority:
Gegevensbeschermingsautoriteit / Autorité de protection des donnéesRue de la Presse 35
1000 Brussels
Belgium
Email: contact@apd-gba.be
Website: www.dataprotectionauthority.be
37Links to Third-Party Websites and Platforms
The Qity website may contain links to third-party websites, platforms or services.
Qity is not responsible for the privacy practices, security or content of those third parties. You should read the privacy information provided by those third parties before providing personal data to them.
Where Qity links to or uses social media platforms, those platforms process personal data under their own privacy terms and technical settings.
38Changes to this Privacy Policy
Qity may update this Privacy Policy from time to time to reflect changes in its services, website, legal obligations, technologies, suppliers, social media use, recruitment practices or internal processes.
The latest version will be published on the Qity website and will indicate the effective date. Where required by law, Qity will provide additional notice of material changes.
39Contact
For questions about this Privacy Policy or the processing of your personal data by Qity, contact:
Qity bvOudenaardsesteenweg 256 box 3
9420 Erpe-Mere
Belgium
Enterprise / VAT number: BE 0767.822.603
Privacy contact: dpo@qity.be