Privacy Policy for Quintechs Information Technology (Dynamics 365 HR/Payroll Solution)

Effective Date: November 13, 2025

This Privacy Policy describes how **Quintechs Information Technology** ("we," "us," or "our") processes Personal Data within our specialized HR and Payroll application, the "Application," built on **Microsoft Dynamics 365 Finance and Operations.**

This policy applies to data processing activities related to our clients (employers) and their respective employees (data subjects) in the **Middle East and Arab Gulf (GCC) region**. We commit to handling all data in compliance with relevant local data protection legislation.

1. Our Role in Data Processing

Due to the nature of our Application as a specialized business system, Quintechs Information Technology operates primarily as a Data Processor.

Data Controller (Your Client): The organization (your client/the employer) that purchases and uses the Application to manage its workforce. The Data Controller determines the purposes and means of processing Personal Data.

Data Processor (Our Company): Quintechs Information Technology (us). We process Personal Data strictly on behalf of, and according to the documented instructions of, the Data Controller, as defined in our service agreements.

Data Subject: The individual employee, applicant, or contractor whose Personal Data is being processed within the Application.

2. Personal Data Processed within the Application

The Application processes highly sensitive and comprehensive Personal Data necessary for all aspects of employee management and compensation in the GCC. This includes, but is not limited to:

Identification and Contact Data: Full Name, National ID/Iqama number, Passport details, Date of Birth, Nationality, Religion, Residential Address, Phone Number, and Email Address.

Employment and Contract Data: Job Title, Department, Grade/Level, Employee Contract details, Hire Date, Termination Date, and End of Service data.

Financial and Payroll Data: Salary, Allowances, Deductions, Bank Account details (IBAN), Social Insurance & Security (GOSI/Social Security) details, and Loans Management data.

Time and Attendance Data: Leave and Tickets Management records, Overtime, Absence, and Late Management data.

Sensitive Personal Data: Employee Medical Insurance details, health records (for sick leave and insurance), and details of dependents/family members (for benefits and visa processing).

3. Purpose and Legal Basis for Processing

We process the Personal Data exclusively to provide and maintain the functions of the Application. The Data Controller is responsible for establishing the legal basis for processing, which generally relies on:

Performance of an Employment Contract: Processing data necessary to pay the employee, manage benefits, and fulfill contractual terms.

Compliance with Legal Obligations: Processing required to meet mandatory governmental and labor regulations in the GCC (e.g., GOSI submissions, residency requirements, labor law adherence).

Legitimate Interest: Processing necessary to ensure the security, integrity, and operational health of the Dynamics 365 platform and our service delivery.

Consent: Processing based on the employee's specific, voluntary consent (e.g., for certain Employee Self-Service requests).

4. Data Storage, Security, and Dynamics 365

Platform: Our Application is built on the robust security framework of Microsoft Dynamics 365 Finance and Operations.

Data Location: Data is stored in Microsoft Azure data centers. The specific location of data residency (which may be a regional GCC cloud center) is determined by our client (the Data Controller) during deployment. **Quintechs Information Technology supports its clients in meeting all applicable local data residency and localization requirements.**

Security Measures: We implement and maintain appropriate technical and organizational security measures, including role-based access controls within D365, data encryption, and robust monitoring to protect against unauthorized access, disclosure, alteration, or destruction. We enforce strict access protocols for our support personnel, granting access only on a need-to-know basis for support and maintenance activities.

5. Data Transfer, Sharing, and Integrations

Internal Access: Personal Data is accessed only by **Quintechs Information Technology’s** authorized technical and support staff to perform essential services (including monitoring, bug fixes, support, and enhancements) under strict confidentiality agreements.

Third-Party Sharing (Controller Instruction): We facilitate data sharing with external entities (such as local banks for salary transfers, government authorities for compliance, and insurance providers) *only* as instructed and authorized by the Data Controller through the Application’s integration features (Rest APIs or Business Events).

Cross-Border Transfers: Transfers of Personal Data across borders (outside the Data Controller’s jurisdiction) are managed in compliance with the relevant GCC data protection laws. This may require specific contractual safeguards, regulatory approvals, or reliance on an adequacy mechanism to ensure the data retains a high level of protection.

6. Data Subject Rights and Contact

As a Data Processor, **Quintechs Information Technology** is committed to supporting our clients in upholding the rights of the Data Subjects (employees). These rights typically include the Right of Access, Rectification (Correction), and Erasure (Deletion), subject to legal retention limits for payroll data.

To exercise these rights, the Data Subject must direct their request to their employer (the Data Controller).

The Data Controller will then officially instruct **Quintechs Information Technology** to take the necessary action within the Application, provided such action does not violate local labor or tax laws that mandate record keeping.

7. Data Retention

Personal Data is retained within the Application for the period required by the Data Controller, in accordance with the mandatory data retention periods stipulated by the local labor and statutory laws of the GCC countries where they operate. We will delete or anonymize the data upon formal instruction from the Data Controller once those legal periods expire.

8. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our service offerings or in response to new regulatory developments in the GCC region. We will post the revised policy on this website and update the "Effective Date" at the top.

9. Contact Information

If you have any questions or concerns about this Privacy Policy or our role as a Data Processor, please contact our Data Protection/Compliance team:

Company Name: Quintechs Information Technology

Contact Email: info@quintechs.com