3f-solutions – ISV Products

Privacy Policy

Last updated: May 2026  ·  Applicable to: 3f solutions Ledger Import and all 3f-solutions ISV products listed on the Microsoft Marketplace

Summary

This privacy policy describes how 3f-solutions – Felix Lößl ("we", "us", "3f-solutions") collects, uses, stores, shares, and protects personal data of users and customers of our Independent Software Vendor (ISV) products distributed via the Microsoft Marketplace for Microsoft Dynamics 365 Finance and Operations. We comply with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Microsoft Publisher Agreement.

1. Controller

The data controller responsible for the processing of personal data in connection with 3f-solutions ISV products is:

3f-solutions – Felix Lößl
Cologne area, Germany
Email: felix.loessl@3f-solutions.de
Phone: +49 160 96989171

2. Scope of This Policy

This privacy policy applies to personal data processed by 3f-solutions in connection with the licensing, delivery, and support of ISV software products ("the Software") for Microsoft Dynamics 365 Finance and Operations, distributed via the Microsoft Marketplace, as well as to visitors of the offer-related pages at www.3f-solutions.de/isv.

This policy does not apply to data processed within Microsoft's own services (Microsoft Dynamics 365, Microsoft Azure, Microsoft Marketplace). For those services, please refer to Microsoft's privacy documentation.

3. Personal Data We Collect

We collect personal data only when you actively interact with us. Data is collected in distinct stages depending on the type of interaction:

3.1 Initial inquiry (via the Microsoft Marketplace or direct contact). When you submit a "Contact me" request through the Microsoft Marketplace, or contact us directly via email or phone, we receive the lead data provided by you or forwarded by the Microsoft Marketplace. This typically includes: name, job title, business email address, business phone number, company name, and country.

3.2 Licensing and contracting. If you decide to license the Software, we additionally collect the data required to issue and deliver the license: full company billing address, VAT identification number where applicable, the Microsoft Entra tenant identifier of the target Microsoft Dynamics 365 Finance and Operations environment (required to generate a tenant-specific license file), and the name and email of a technical contact for deployment.

3.3 Support and ongoing relationship. During the support period we process the content of your communication with us (emails, call notes, support tickets) and any technical information you voluntarily share to enable us to reproduce or resolve a reported issue.

3.4 The Software itself. The Software does not contain telemetry, analytics, tracking, or "phone-home" components. It operates entirely within your own Microsoft Dynamics 365 Finance and Operations tenant. No customer data, business data, or end-user data processed by the Software is transmitted to 3f-solutions.

3.5 Website. The pages under www.3f-solutions.de/isv do not set tracking cookies, do not use analytics tools, and do not embed third-party tracking scripts. Web fonts are served from our own infrastructure; no third-party content delivery networks are used on these pages. Standard server access logs (IP address, user agent, timestamp) are kept by the hosting provider for technical operation and abuse prevention only, and are not used to identify individual visitors. See section 9.

4. Purposes and Use of Personal Data

We use personal data exclusively for the following purposes:

Replying to inquiries and providing requested information about our offers
Negotiating and concluding license agreements
Generating tenant-specific license files
Delivering deployable packages and updates
Providing technical support during the support period
Fulfilling statutory bookkeeping, invoicing, and tax-reporting obligations
Informing licensees about security-relevant updates or material changes affecting their license

We do not use personal data for profiling, automated decision-making, advertising, or marketing without your prior consent.

5. Legal Basis for Processing

We process personal data on the following legal bases under the GDPR:

Article 6(1)(b) GDPR – Processing necessary for the performance of a contract or pre-contractual steps (license delivery, support, inquiries).
Article 6(1)(c) GDPR – Processing necessary for compliance with legal obligations (invoicing, tax records, bookkeeping).
Article 6(1)(f) GDPR – Legitimate interests (follow-up communication regarding support or product updates, defense against abuse of our services).

6. Data Storage and Security

Storage location. Personal data is stored on systems located within the European Union. Our primary processing location is Germany. Business communication and document storage are processed via Microsoft 365 within Microsoft's Germany and Europe data center regions. Source code and deployment artefacts are hosted on GitHub.

Security measures. In accordance with Article 32 GDPR and the Microsoft Publisher Agreement, we apply reasonable technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include: transport encryption (TLS) for all data in transit, encryption at rest for stored data (provided by Microsoft 365 and the underlying platforms), strict access controls based on the principle of least privilege, multi-factor authentication on administrative and email accounts, regular software patching, and confidentiality obligations for all persons involved.

Software security. The Software itself is signed and delivered as a sealed deployable package and is reviewed under the Microsoft Marketplace certification process. It does not bypass standard Microsoft Dynamics 365 security boundaries and operates within your tenant's permission model.

7. Data Retention

Contract and invoice data is retained for 10 years in accordance with German commercial and tax law (§ 257 HGB, § 147 AO). Support and communication data is deleted within 3 years after the end of the business relationship unless a legal retention obligation applies. Server access logs are deleted by the hosting provider within standard operational retention periods.

8. Sharing of Personal Data

We do not sell or rent personal data, and we do not share it with third parties for marketing purposes. Personal data may be disclosed only to:

Microsoft Corporation – to the extent required for the Microsoft Marketplace offer listing, license validation, and the operation of Microsoft Dynamics 365 services (subject to Microsoft's own privacy terms; Microsoft acts as an independent controller, not a joint controller, as set out in the Microsoft Publisher Agreement).
Tax advisors, auditors, and legal counsel – where required by German law, under professional secrecy obligations.
Public authorities – where we are legally obliged to disclose information (e.g., tax authorities, courts).

9. Sub-processors and Service Providers

We use the following categories of service providers to operate our business. Where they process personal data on our behalf, this is governed by written data processing agreements pursuant to Article 28 GDPR:

Microsoft Corporation (Microsoft 365, Microsoft Azure) – business email, document storage, identity, and (for the website) Azure Static Web Apps hosting
Strato AG (Germany) – domain registration
GitHub, Inc. – source code hosting and deployment automation (no customer data)
Tax advisor (Germany) – statutory bookkeeping support

10. International Transfers

Personal data is primarily processed within the European Union. Where data is transferred to Microsoft services or other providers hosted outside the EU, this occurs under appropriate safeguards pursuant to Chapter V GDPR – in particular the EU Standard Contractual Clauses (SCCs) under Article 46 GDPR and, where applicable, the EU-U.S. Data Privacy Framework.

11. Your Rights

Under the GDPR, you have the right to:

access your personal data (Art. 15)
rectification (Art. 16)
erasure / "right to be forgotten" (Art. 17)
restriction of processing (Art. 18)
data portability (Art. 20)
object to processing based on legitimate interests (Art. 21)
withdraw consent at any time where processing is based on consent (Art. 7(3))

To exercise any of these rights, contact us at felix.loessl@3f-solutions.de. You also have the right to lodge a complaint with your local data protection supervisory authority. The competent authority for 3f-solutions is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany.

12. Children

Our ISV products and the related offer pages are directed exclusively at business customers and their professional staff. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this policy to reflect changes in our products or applicable law. The current version is always available at www.3f-solutions.de/isv/privacy-policy. Material changes will be communicated to active licensees by email.

14. Contact

For any question regarding this privacy policy or the processing of your personal data, contact us at felix.loessl@3f-solutions.de.