Privacy Policy
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit our website. Personal data is any data that can be used to personally identify you. Detailed information on data protection can be found in our privacy policy below.
Data Collection
Who is responsible? Data processing is carried out by the website operator. Contact details can be found in the Legal Notice.
How do we collect your data? Partly through information you provide (e.g. via email or phone), partly automatically by our IT systems (technical data such as browser, operating system, time of access).
Your Rights
You have the right at any time to obtain, free of charge, information about the origin, recipient, and purpose of your data, as well as the right to rectification, deletion, or restriction of processing. You also have the right to lodge a complaint with the competent supervisory authority.
What do we use your data for?
The data is collected to ensure error-free provision of the website. No analysis of your user behavior takes place.
Analytics Tools and Third-Party Tools
This website does not use any analytics tools, tracking cookies, or third-party scripts. No statistical evaluation of your browsing behavior takes place.
2. General Information and Mandatory Disclosures
Data Protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.
When you use this website, various personal data is collected. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.
We would like to point out that data transmission over the Internet (e.g. when communicating by email) may have security gaps. Complete protection of data against access by third parties is not possible.
Responsible Party
ALTENBRAND Datentechnik GmbH
represented by Managing Director Frank Altenbrand
Am Gelicht 5, D-35279 Neustadt, Germany
+49 (0) 6692 202290
The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g. names, email addresses, etc.).
Revocation of Your Consent to Data Processing
Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. An informal notification by email to us is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to Object to Data Collection (Art. 21 GDPR)
Right to Object
If data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation; this also applies to profiling based on these provisions.
If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims (objection pursuant to Art. 21(1) GDPR).
If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing (objection pursuant to Art. 21(2) GDPR).
Right to Lodge a Complaint with the Supervisory Authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work, or the place of the alleged infringement. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.
Right to Data Portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of data to another controller, this will only be done to the extent technically feasible.
Information, Deletion, and Rectification
Within the framework of the applicable legal provisions, you have the right at any time to obtain, free of charge, information about your stored personal data, its origin and recipients, and the purpose of data processing, and, if applicable, a right to rectification or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time at the address given in the Legal Notice.
Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data. The right exists in the following cases:
- If you dispute the accuracy of your data stored by us, we need time to verify. For the duration of the verification, you can request restriction.
- If the processing of your data was/is unlawful, you can request restriction of processing instead of deletion.
- If we no longer need your data, but you need it to exercise, defend, or assert legal claims, you can request restriction instead of deletion.
- If you have lodged an objection pursuant to Art. 21(1) GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you can request restriction.
If you have restricted the processing of your personal data, this data may only be processed, apart from being stored, with your consent or for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
Objection to Advertising Emails
The use of contact data published as part of the legal notice obligation for the purpose of sending unsolicited advertising and information materials is hereby objected to. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam emails.
3. Data Collection on Our Website
Cookies and Local Storage
This website does not set any of its own HTTP cookies. In particular, no tracking cookies, analytics cookies, or marketing cookies are used.
To store your design preference (e.g. light or dark color scheme), the website uses your browser's localStorage. This is not an HTTP cookie but a client-side storage mechanism that remains exclusively on your device and is not transmitted to our servers. You can delete this data at any time via your browser settings.
It is possible that the hosting provider (Microsoft Azure Static Web Apps) may set technically necessary cookies as part of the technical infrastructure (e.g. for load balancing or security features). These cookies serve exclusively technical infrastructure purposes and do not contain personal data. The legal basis for this is Art. 6(1)(f) GDPR (legitimate interest in the technically error-free provision of the website).
A cookie consent banner is not required, as neither tracking nor marketing cookies are used.
Hosting
This website is hosted on Microsoft Azure Static Web Apps in the West Europe region (Netherlands). Microsoft acts as a data processor pursuant to Art. 28 GDPR. A corresponding data processing agreement is automatically included in our Azure contract via the Microsoft Product Terms.
Server Log Files
The hosting provider (Microsoft Azure) automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
- Browser type and browser version
- Operating system used
- Referrer URL
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources.
The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – for this purpose, the server log files must be collected.
Storage duration: Server log files are automatically deleted by Microsoft Azure after 30 days.
Inquiry by Email, Phone, or Fax
If you contact us by email, phone, or fax, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of handling your request. We will not pass on this data without your consent.
The processing of this data is based on Art. 6(1)(b) GDPR, if your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6(1)(a) GDPR) and/or on our legitimate interests (Art. 6(1)(f) GDPR).
The data sent to us by you via contact inquiries will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage ceases to apply (e.g. after completion of your request). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.
4. Analytics Tools and Advertising
This website does not use any analytics tools, tracking cookies, or advertising services. No third-party scripts are embedded and no evaluation of your user behavior takes place.
Automated Decision-Making
No automated decision-making including profiling pursuant to Art. 22 GDPR takes place.
5. Data Processing in the merchantCENTRAL Software
The following information relates to the processing of personal data in connection with the use of our software merchantCENTRAL — an extension (app) for Microsoft Dynamics 365 Business Central. This data processing occurs independently of your visit to our website.
Responsible Party
The party responsible for the data processing described below is ALTENBRAND Datentechnik GmbH (see Section 2 of this privacy policy).
a) License Validation
Scope of Data Processing
When using merchantCENTRAL, an automatic license check is performed at regular intervals. The following data is transmitted to our license server:
- License key (transmitted in encrypted form)
- Microsoft Entra Tenant ID of your Business Central environment
- Name of the Business Central environment
- Environment type (Production or Sandbox)
Purpose of Processing
License validation serves to verify the authorization to use the software and to activate the licensed modules.
Legal Basis
Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract). The license check is technically necessary to provide the contractually agreed software functions.
b) Heartbeat (Usage Signal)
Scope of Data Processing
merchantCENTRAL sends an automatic usage signal ("heartbeat") to our license server once per day. The following data is transmitted:
- License key (transmitted in encrypted form)
- Microsoft Entra Tenant ID
- Name of the Business Central environment
- Environment type (Production or Sandbox)
- Timestamp of the transmission
Purpose of Processing
The heartbeat serves to detect active installations, prevent license misuse, and provide usage statistics for license management.
Legal Basis
Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in ensuring proper license usage).
c) Demo Registration
Scope of Data Processing
When you register for the free demo mode of merchantCENTRAL, the following data is collected via a registration wizard within the software and transmitted to our license server:
- Company name
- Contact person name
- Email address
- Country
- Phone number (optional)
- Street, city, and postal code
- VAT registration number (optional)
- Website (optional)
- Microsoft Entra Tenant ID
- Name and type of the Business Central environment
- List of installed merchantCENTRAL modules
- Your GDPR consent (consent timestamp)
Purpose of Processing
The data is used to set up your demo access, to contact you regarding your demo usage, and to convert the demo access to a production license.
Legal Basis
Processing is carried out on the basis of Art. 6(1)(a) GDPR (consent). You actively grant your consent in the registration wizard. You may revoke your consent at any time with effect for the future by contacting us at info@altenbrand.de.
d) Data Recipients and Storage Location
All data collected in connection with licensing is stored on Microsoft Azure servers in the Germany West Central region (Frankfurt, Germany). Microsoft acts as a data processor pursuant to Art. 28 GDPR. A corresponding data processing agreement (DPA) is automatically included in our Azure contract via the Microsoft Product Terms.
The data is stored in Azure Table Storage and processed via a secured API (Azure Functions with API key authentication). All transmissions are exclusively via encrypted HTTPS connections.
For payment processing via Stripe and for automated email sending, additional service providers are used; details can be found in sections i) and j).
e) Storage Duration
| Data Category | Storage Duration |
|---|---|
| License validation data | For the duration of the license agreement, up to 12 months after contract termination |
| Heartbeat data | 12 months, then automatically deleted |
| Demo registration data | 6 months after expiration of the demo period, unless a production license is acquired |
| Activity log (BC-internal) | 180 days, then automatically deleted |
| Contact and payment data in BC | Up to 12 months after contract termination; anonymization available on request at any time |
After the storage period expires, data is automatically deleted unless statutory retention obligations apply.
f) Your Rights
You are entitled to the rights described in Section 2 of this privacy policy (information, rectification, deletion, restriction of processing, data portability, objection). Please contact info@altenbrand.de for this purpose.
To exercise your right to erasure (Art. 17 GDPR) regarding contact data stored in our license management system (name, email address, phone, address), an informal request by email is sufficient. The anonymization of personal fields is carried out technically in our license management software; license history and billing records are retained for statutory reasons.
g) Necessity of Data Provision
The provision of the data described in a) and b) is technically required for the use of merchantCENTRAL. Without license validation, the software functions cannot be activated.
The provision of the data described in c) is voluntary. However, without demo registration, you cannot use the free demo mode.
h) Payment Processing via PayPal
Scope of Data Processing
If you choose the PayPal subscription payment method, the following data is processed as part of payment processing:
- Email address of your PayPal account
- PayPal subscription ID
- PayPal transaction IDs (per payment)
- Payment amount and currency
- Payment status and date
- Next billing date
Data Recipient
Payment processing is carried out by:
PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal, L-2449 Luxembourg
PayPal processes your payment data as an independent controller in accordance with its own PayPal Privacy Statement.
Purpose of Processing
The processing serves to execute recurring subscription payments for your licensed merchantCENTRAL modules.
Legal Basis
Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract). Payment processing is an integral part of the license agreement.
Storage Duration
Payment data is retained for the duration of the subscription and 10 years after contract termination (§ 147 AO, § 257 HGB — statutory retention obligations under German tax law).
Voluntariness
The use of PayPal is voluntary. As an alternative, payment by SEPA direct debit or Stripe is available. The choice of payment method has no effect on the price or the functionality of the software.
i) Payment Processing via Stripe
Scope of Data Processing
If you choose the Stripe subscription payment method, the following data is processed as part of payment processing:
- Stripe subscription ID
- Stripe transaction IDs (per payment)
- Payment amount and currency
- Payment status and date
- Next billing date
Data Recipient
Payment processing is carried out by:
Stripe Payments Europe Ltd. 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
Stripe processes your payment data as an independent controller in accordance with its own Stripe Privacy Policy.
Purpose of Processing
The processing serves to execute recurring subscription payments for your licensed merchantCENTRAL modules.
Legal Basis
Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract).
Storage Duration
Payment data is retained for the duration of the subscription and 10 years after contract termination (§ 147 AO, § 257 HGB — statutory retention obligations under German tax law).
Voluntariness
The use of Stripe is voluntary. As an alternative, payment by SEPA direct debit or PayPal is available.
j) Automated Email Notifications
Scope of Data Processing
merchantCENTRAL automatically sends email notifications in the following situations:
- Demo expiry warning: An email is sent approximately 7 days before a demo access expires to the email address provided during demo registration.
- Payment reminder: In the event of outstanding payments, a reminder is sent to the stored email address.
The following data is processed: contact person name, email address, Tenant ID (pseudonymized), and affected module information.
Sending Infrastructure
Emails are sent via Microsoft Azure Communication Services (ACS) in the Germany West Central region (Frankfurt, Germany). Microsoft acts as a data processor pursuant to Art. 28 GDPR. A corresponding data processing agreement is automatically included in our Azure contract via the Microsoft Product Terms.
Purpose of Processing
The notifications serve to give timely notice of expiring demo access and to provide reminders of outstanding payments.
Legal Basis
Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract) for demo expiry warnings, and Art. 6(1)(f) GDPR (legitimate interest) for payment reminders.
k) Activity Log (Internal BC Log)
Scope of Data Processing
merchantCENTRAL maintains an internal activity log within your Business Central database. The following data is stored therein:
- Microsoft Entra Tenant ID (pseudonymized)
- Customer name (company name)
- Module code and type of activity (e.g. demo start, license activation, suspension)
- Timestamp and executing user
Purpose of Processing
The log serves the internal traceability of license actions and the operational security of license management.
Legal Basis
Processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in the traceability of license operations and troubleshooting).
Storage Duration
Activity log entries are automatically deleted after 180 days.
© 2026 ALTENBRAND Datentechnik GmbH. All rights reserved.