PRIVACY POLICY
Effective date: July 5, 2019
Last updated: September 10, 2025
1. Introduction
1.1 Who we are
We are Quintaum d.o.o., located at Trnovski pristan 22, 1000 Ljubljana, Slovenia, identification number 8828008000 (“Quintaum”, “we”, “us”, “our”). We act as the data controller with respect to the personal data we collect and process in connection with the Quintaum Corporate Culture & Organizational Health Assessment.
1.2 Our commitment
We are committed to processing personal data in a lawful, fair, and transparent manner, strictly in accordance with the GDPR and applicable national data protection legislation. To this end, Quintaum ensures:
· that only the minimum amount of data strictly necessary for the stated purposes is processed,
· that identifying information is collected and stored separately from survey responses,
· that pseudonymization and anonymization techniques are applied wherever possible, and
· that strict retention limits are enforced and data is deleted or anonymized once no longer required.
Quintaum does not disclose individually identifiable responses to client organizations, unless the participant has explicitly and unambiguously consented to such disclosure. This ensures the protection of participants while also safeguarding Quintaum’s intellectual property, proprietary methodology, and legitimate business interests.
1.3 Contact information
If you have questions, requests, or complaints about how we handle your data, please address them in writing to:
Email: tk@quintaum.com
2. Data We Collect
When you participate in the assessment, we collect only the data strictly necessary to generate reports and derive organizational insights. We never collect your name or IP address. We separate identifiers from survey responses.
2.1 Identity / Demographic Data
· No names are collected.
· We do not record IP addresses.
· Where required by the client, a custom code may be used (e.g., per participant or per group). This code is managed by the client and is not linked to the algorithm used by Quintaum; thus, results cannot be correlated back to a name.
· You may optionally provide limited demographic information (for instance, your age group, number of children, marital status). These responses are tied only to the code, not your identity.
2.2 Contact Data
· Professional email address (optional)
· Personal email address (optional, subject to your selection)
We collect email addresses only for the purpose of sending you the assessment invitation and delivering your personal report. These email addresses are stored separately from survey responses, never linked to the responses themselves, and deleted automatically after three (3) months.
2.3 Behavioral / Profiling / Special Data
· Through the assessment, you may share information about your preferences, workplace experiences, well-being, stress level, etc.
· Some of this data may be considered special categories of personal data (e.g., health, psychological well-being) when taken together or in context.
· This data is processed only in aggregated, pseudonymized, or anonymized form, so it cannot be traced back to you personally.
2.4 Proprietary information
All survey responses and derived analytical data remain, in anonymous form, the intellectual property of Quintaum, forming part of our proprietary methodology. Data is used exclusively for the purposes set out in this Policy.
3. Purposes of Processing
Quintaum processes your personal data exclusively for the following purposes and on the corresponding legal bases:
· To perform the diagnostic assessment and process survey responses for organizational analysis
· To generate individual analytics and personalized reports
· To deliver the individual report via email, where you have provided your email address for this purpose
· To produce aggregated organizational insights for the client organization, in which case, no individually identifiable data is disclosed
· To conduct benchmarking and improve Quintaum’s methodology, in which case data is used only in anonymized or aggregated form
· To fulfill Quintaum’s legitimate interests in the operation, administration, and continuous improvement of its diagnostic services
4. Legal Basis for Processing
Quintaum processes your personal data on the following legal grounds under the GDPR:
· Consent: You voluntarily opt in to provide data.
· Contract / Performance: Where Quintaum is engaged by a client organization, processing is necessary to fulfill the services we provide under contract.
· Legitimate interest: For producing anonymized organizational insights, improving our services, and ensuring security — provided we balance your rights and interests.
You may withdraw your consent at any time, without affecting processing done before withdrawal.
5. Technical & Organizational Measures
In accordance with Article 32 of the GDPR, Quintaum implements appropriate technical and organizational measures (“TOMs”) to ensure a level of security appropriate to the risk. These include, without limitation:
· Encryption (in transit and at rest)
· Access control (role-based, least privilege)
· Separation of data (responses vs. emails)
· Pseudonymization / n-1 anonymity exports before analysis
· Automated deletion / anonymization after retention period
· Regular security audits, logging, intrusion detection, and backups
· Processor agreements and audits with third parties (e.g., Research.net)
These measures are subject to continuous monitoring and improvement in order to address evolving security threats and regulatory requirements.
6. Your Rights
Under GDPR, you have the following rights (where applicable):
a. Withdraw consent at any time
b. Object to processing (if based on legitimate interest)
c. Access your personal data and receive information about it
d. Rectify inaccurate data
e. Restrict processing in certain circumstances
f. Erase data (“right to be forgotten”) — or request that it be anonymized
g. Request data portability (receive your data in a machine-readable format)
h. Lodge a complaint with the supervisory authority
Any request can be sent to tk@quintaum.com; we will respond within statutory timeframes (e.g., 30 days). Note: once the retention period has expired or the data has been anonymized, some rights (access, erasure, portability) may no longer be exercisable if the data no longer qualifies as personal data.
Intellectual Property Notice
Please be advised that Quintaum retains all intellectual property rights in and to the Assessment, including but not limited to the content, structure, methodology, diagnostic results, and generated reports. Any use, reproduction, or distribution of such materials in any form or medium requires Quintaum’s prior written approval, irrespective of whether the materials contain personal data.
7. Automated Decision-Making / Profiling
We use algorithmic processing to generate your diagnostic results, scores, and insights. Participation is entirely voluntary. By choosing to participate, you acknowledge and consent to this automated processing. You may withdraw at any time, without penalty. The algorithmic output is provided to you directly (and to your organization only in aggregated or coded form). Quintaum does not engage in automated decision-making that produces legal effects concerning you, or similarly significantly affects you, based solely on profiling. All insights remain subject to interpretation and action by human decision makers.
8. Retention Period
In line with the GDPR storage limitation principle, Quintaum retains personal data only for as long as necessary to provide the assessment services:
· Emails + Personal Reports: Retained for a maximum of three (3) months (after which they are deleted). Personal Reports cannot be retrieved after this period.
· After the expiration of the retention period, personal data is either deleted or irreversibly anonymized so that it no longer qualifies as personal data under GDPR. Aggregated and anonymized results may continue to be used for organizational insights, benchmarking, and methodological improvements.
· Once data is deleted or anonymized, your rights to access, erasure, rectification, and portability no longer apply to that data.
· Legal obligations: In specific cases, Quintaum may retain limited administrative data (e.g., invoice records) for a longer period where required by applicable financial or tax law.
9. Third-Party Processors & International Transfers
Quintaum engages trusted third-party service providers (“processors”) to support the delivery of its assessments. The primary provider is SurveyMonkey (research.net), which collects and stores responses strictly on Quintaum’s behalf and under our instructions, in accordance with Article 28 GDPR.
SurveyMonkey relies on Standard Contractual Clauses (SCCs) and is certified under the EU–US Data Privacy Framework (DPF), ensuring your data is protected when transferred to the United States.
A full list of subprocessors and details on security and compliance are available here: SurveyMonkey Subprocessor List and SurveyMonkey Trust Center.
Controller responsibility: Quintaum remains the sole data controller and ensures that all processors act only under our documented instructions, subject to contractual obligations and regular compliance checks.
10. Recipients & Data Sharing
· No disclosure without consent: Quintaum will never disclose your identity or individual responses to your employer, HR, or any third party, unless you have given explicit consent or disclosure is required by law.
· By default, Quintaum shares only aggregated or pseudonymized results with client organizations. These reports do not allow identification of individual participants.
· If you grant full or limited consent, your coded individual results may be shared with HR, coaches, or consultants engaged by your organization. Even in this case, results are shared using codes only, never names.
· Clients, coaches, or HR may hold the mapping list (codes → names). This mapping resides entirely outside of Quintaum’s systems and is not accessible to us.
· Legal compliance: In exceptional cases, Quintaum may be required to disclose data if mandated by applicable law or a competent authority.
11. Final Provisions & Changes
We may update this Privacy Policy periodically. Any material changes will be clearly communicated (e.g., via email or client portal). Non-material updates (e.g., clarifications, formatting) may be applied without prior notice but will always be reflected in the “last updated” date at the top of this Policy. We encourage you to review this Privacy Policy periodically to stay informed.
Date of last revision: September 10, 2025
Quintaum d.o.o.

