Skip to content

Privacy Policy

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit our website. Personal data is any data that can be used to personally identify you. Detailed information on data protection can be found in our privacy policy below.

Data Collection

Who is responsible? Data processing is carried out by the website operator. Contact details can be found in the Legal Notice.

How do we collect your data? Partly through information you provide (e.g. via email or phone), partly automatically by our IT systems (technical data such as browser, operating system, time of access).

Your Rights

You have the right at any time to free information about the origin, recipient, and purpose of your data, as well as the right to rectification, deletion, or restriction of processing. You also have the right to lodge a complaint with the competent supervisory authority.

What do we use your data for?

The data is collected to ensure error-free provision of the website. No analysis of your user behavior takes place.

Analytics Tools and Third-Party Tools

This website does not use any analytics tools, tracking cookies, or third-party scripts. No statistical evaluation of your browsing behavior takes place.


2. General Information and Mandatory Disclosures

Data Protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

When you use this website, various personal data is collected. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

We would like to point out that data transmission over the Internet (e.g. when communicating by email) may have security gaps. Complete protection of data against access by third parties is not possible.

Responsible Party

ALTENBRAND Datentechnik GmbH

represented by Managing Director Frank Altenbrand

Am Gelicht 5, D-35279 Neustadt, Germany

+49 (0) 6692 202290

info@altenbrand.de

The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g. names, email addresses, etc.).

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. An informal notification by email to us is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to Object to Data Collection (Art. 21 GDPR)

Right to Object

If data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation; this also applies to profiling based on these provisions.

If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims (objection pursuant to Art. 21(1) GDPR).

If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing (objection pursuant to Art. 21(2) GDPR).

Right to Lodge a Complaint with the Supervisory Authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work, or the place of the alleged infringement. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

Right to Data Portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of data to another controller, this will only be done to the extent technically feasible.

Information, Deletion, and Rectification

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of data processing, and, if applicable, a right to rectification or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time at the address given in the Legal Notice.

Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data. The right exists in the following cases:

  • If you dispute the accuracy of your data stored by us, we need time to verify. For the duration of the verification, you can request restriction.
  • If the processing of your data was/is unlawful, you can request restriction of processing instead of deletion.
  • If we no longer need your data, but you need it to exercise, defend, or assert legal claims, you can request restriction instead of deletion.
  • If you have lodged an objection pursuant to Art. 21(1) GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you can request restriction.

If you have restricted processing, these data may only be processed – apart from being stored – with your consent or for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

Objection to Advertising Emails

The use of contact data published as part of the legal notice obligation for the purpose of sending unsolicited advertising and information materials is hereby objected to. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam emails.


3. Data Collection on Our Website

Cookies and Local Storage

This website does not set any of its own HTTP cookies. In particular, no tracking cookies, analytics cookies, or marketing cookies are used.

To store your design preference (e.g. light or dark color scheme), the website uses your browser's localStorage. This is not an HTTP cookie but a client-side storage mechanism that remains exclusively on your device and is not transmitted to our servers. You can delete this data at any time via your browser settings.

It is possible that the hosting provider (Microsoft Azure Static Web Apps) may set technically necessary cookies as part of the technical infrastructure (e.g. for load balancing or security features). These cookies serve exclusively technical infrastructure purposes and do not contain personal data. The legal basis for this is Art. 6(1)(f) GDPR (legitimate interest in the technically error-free provision of the website).

A cookie consent banner is not required, as neither tracking nor marketing cookies are used.

Hosting

This website is hosted on Microsoft Azure Static Web Apps in the West Europe region (Netherlands). Microsoft acts as a data processor pursuant to Art. 28 GDPR. A corresponding data processing agreement is automatically included in our Azure contract via the Microsoft Product Terms.

Server Log Files

The hosting provider (Microsoft Azure) automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request
  • IP address

This data is not merged with other data sources.

The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – for this purpose, the server log files must be collected.

Storage duration: Server log files are automatically deleted by Microsoft Azure after 30 days.

Inquiry by Email, Phone, or Fax

If you contact us by email, phone, or fax, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of handling your request. We will not pass on this data without your consent.

The processing of this data is based on Art. 6(1)(b) GDPR, if your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6(1)(a) GDPR) and/or on our legitimate interests (Art. 6(1)(f) GDPR).

The data sent to us by you via contact inquiries will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage ceases to apply (e.g. after completion of your request). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.


4. Analytics Tools and Advertising

This website does not use any analytics tools, tracking cookies, or advertising services. No third-party scripts are embedded and no evaluation of your user behavior takes place.

Automated Decision-Making

No automated decision-making including profiling pursuant to Art. 22 GDPR takes place.


5. Data Processing in the merchantCENTRAL Software

The following information relates to the processing of personal data in connection with the use of our software merchantCENTRAL — an extension (app) for Microsoft Dynamics 365 Business Central. This data processing occurs independently of your visit to our website.

Responsible Party

The party responsible for the data processing described below is ALTENBRAND Datentechnik GmbH (see Section 2 of this privacy policy).

a) License Validation

Scope of Data Processing

When using merchantCENTRAL, an automatic license check is performed at regular intervals. The following data is transmitted to our license server:

  • License key (transmitted in encrypted form)
  • Microsoft Entra Tenant ID of your Business Central environment
  • Name of the Business Central environment
  • Environment type (Production or Sandbox)

Purpose of Processing

License validation serves to verify the authorization to use the software and to activate the licensed modules.

Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract). The license check is technically necessary to provide the contractually agreed software functions.

b) Heartbeat (Usage Signal)

Scope of Data Processing

merchantCENTRAL sends an automatic usage signal ("heartbeat") to our license server once per day. The following data is transmitted:

  • License key (transmitted in encrypted form)
  • Microsoft Entra Tenant ID
  • Name of the Business Central environment
  • Environment type (Production or Sandbox)
  • Timestamp of the transmission

Purpose of Processing

The heartbeat serves to detect active installations, prevent license misuse, and provide usage statistics for license management.

Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in ensuring proper license usage).

c) Demo Registration

Scope of Data Processing

When you register for the free demo mode of merchantCENTRAL, the following data is collected via a registration wizard within the software and transmitted to our license server:

  • Company name
  • Contact person name
  • Email address
  • Country
  • Phone number (optional)
  • Street, city, and postal code
  • VAT registration number (optional)
  • Website (optional)
  • Microsoft Entra Tenant ID
  • Name and type of the Business Central environment
  • List of installed merchantCENTRAL modules
  • Your GDPR consent (consent timestamp)

Purpose of Processing

The data is used to set up your demo access, to contact you regarding the demo usage, and to convert to a production license.

Processing is carried out on the basis of Art. 6(1)(a) GDPR (consent). You actively grant your consent in the registration wizard. You may revoke your consent at any time with effect for the future by contacting us at info@altenbrand.de.

d) Data Recipients and Storage Location

All data collected in connection with licensing is stored on Microsoft Azure servers in the Germany West Central region (Frankfurt, Germany). Microsoft acts as a data processor pursuant to Art. 28 GDPR. A corresponding data processing agreement (DPA) is automatically included in our Azure contract via the Microsoft Product Terms.

The data is stored in Azure Table Storage and processed via a secured API (Azure Functions with API key authentication). All transmissions are exclusively via encrypted HTTPS connections.

For payment processing via Stripe and for automated email sending, additional service providers are used; details can be found in sections i) and j).

e) Storage Duration

Data Category Storage Duration
License validation data For the duration of the license agreement, up to 12 months after contract termination
Heartbeat data 12 months, then automatically deleted
Demo registration data 6 months after expiration of the demo period, unless a production license is acquired
Activity log (BC-internal) 180 days, then automatically deleted
Contact and payment data in BC Up to 12 months after contract termination; anonymization available on request at any time

After the storage period expires, data is automatically deleted unless statutory retention obligations apply.

f) Your Rights

You are entitled to the rights described in Section 2 of this privacy policy (information, rectification, deletion, restriction of processing, data portability, objection). Please contact info@altenbrand.de for this purpose.

To exercise your right to erasure (Art. 17 GDPR) regarding contact data stored in our license management system (name, email address, phone, address), an informal request by email is sufficient. The anonymization of personal fields is carried out technically in our license management software; license history and billing records are retained for statutory reasons.

g) Necessity of Data Provision

The provision of the data described in a) and b) is technically required for the use of merchantCENTRAL. Without license validation, the software functions cannot be activated.

The provision of the data described in c) is voluntary. However, without demo registration, you cannot use the free demo mode.

h) Payment Processing via PayPal

Scope of Data Processing

If you choose the PayPal subscription payment method, the following data is processed as part of payment processing:

  • Email address of your PayPal account
  • PayPal subscription ID
  • PayPal transaction IDs (per payment)
  • Payment amount and currency
  • Payment status and date
  • Next billing date

Data Recipient

Payment processing is carried out by:

PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal, L-2449 Luxembourg

PayPal processes your payment data as an independent controller in accordance with its own PayPal Privacy Statement.

Purpose of Processing

The processing serves to execute recurring subscription payments for your licensed merchantCENTRAL modules.

Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract). Payment processing is an integral part of the license agreement.

Storage Duration

Payment data is retained for the duration of the subscription and 10 years after contract termination (§ 147 AO, § 257 HGB — statutory retention obligations under German tax law).

Voluntariness

The use of PayPal is voluntary. As an alternative, payment by SEPA direct debit or Stripe is available. The choice of payment method has no effect on the price or the functionality of the software.

i) Payment Processing via Stripe

Scope of Data Processing

If you choose the Stripe subscription payment method, the following data is processed as part of payment processing:

  • Stripe subscription ID
  • Stripe transaction IDs (per payment)
  • Payment amount and currency
  • Payment status and date
  • Next billing date

Data Recipient

Payment processing is carried out by:

Stripe Payments Europe Ltd. 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland

Stripe processes your payment data as an independent controller in accordance with its own Stripe Privacy Policy.

Purpose of Processing

The processing serves to execute recurring subscription payments for your licensed merchantCENTRAL modules.

Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract).

Storage Duration

Payment data is retained for the duration of the subscription and 10 years after contract termination (§ 147 AO, § 257 HGB — statutory retention obligations under German tax law).

Voluntariness

The use of Stripe is voluntary. As an alternative, payment by SEPA direct debit or PayPal is available.

j) Automated Email Notifications

Scope of Data Processing

merchantCENTRAL automatically sends email notifications in the following situations:

  • Demo expiry warning: An email is sent approximately 7 days before a demo access expires to the email address provided during demo registration.
  • Payment reminder: In the event of outstanding payments, a reminder is sent to the stored email address.

The following data is processed: contact person name, email address, Tenant ID (pseudonymized), and affected module information.

Sending Infrastructure

Emails are sent via Microsoft Azure Communication Services (ACS) in the Germany West Central region (Frankfurt, Germany). Microsoft acts as a data processor pursuant to Art. 28 GDPR. A corresponding data processing agreement is automatically included in our Azure contract via the Microsoft Product Terms.

Purpose of Processing

The notifications serve to timely inform about expiring demo accesses and to provide reminders of outstanding payments.

Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract) for demo expiry warnings, and Art. 6(1)(f) GDPR (legitimate interest) for payment reminders.

k) Activity Log (Internal BC Log)

Scope of Data Processing

merchantCENTRAL maintains an internal activity log within your Business Central database. The following data is stored therein:

  • Microsoft Entra Tenant ID (pseudonymized)
  • Customer name (company name)
  • Module code and type of activity (e.g. demo start, license activation, suspension)
  • Timestamp and executing user

Purpose of Processing

The log serves the internal traceability of license actions and the operational security of license management.

Processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in the traceability of license operations and troubleshooting).

Storage Duration

Activity log entries are automatically deleted after 180 days.


© 2026 ALTENBRAND Datentechnik GmbH. All rights reserved.