top of page

Privacy Policy and Data Processing Addendum for Extensions Lab Business Central Apps

Version: 1.1
Last updated: May 20, 2026
Effective date: May 20, 2026

This Privacy Policy and Data Processing Addendum (“Policy”) explains how Extensionsforce Limited, trading as Extensions Lab, located at Gkoura 6, 4040 Germasogeia, Limassol, Cyprus (“Extensions Lab”, “Publisher”, “we”, “us”, or “our”), collects, uses, discloses, stores, protects, transfers, and otherwise processes personal data and customer data in connection with our websites, Microsoft Dynamics 365 Business Central applications, Microsoft Marketplace listings, support services, partner programs, trials, demos, integrations, and related services.

This Policy applies to all Extensions Lab applications, extensions, modules, add-ons, integrations, and services for Microsoft Dynamics 365 Business Central, including but not limited to:

  1. Shipper TMS;

  2. TMS for Logistics Service Providers; and

  3. any other Extensions Lab application, extension, module, add-on, integration, or service for Microsoft Dynamics 365 Business Central.

This Policy should be read together with our End User License Agreement for Extensions Lab Business Central Apps (“EULA”). The EULA governs the license and use of our Products. This Policy governs privacy and data processing.

Where we process Customer Personal Data on behalf of a Customer as a processor, Schedule B — Data Processing Addendum applies.

1. Contact Details and Responsible Entity

 

The responsible entity for this Policy is:

Extensionsforce Limited
Trading as Extensions Lab
Gkoura 6, 4040 Germasogeia
Limassol, Cyprus

Website: https://www.extensions-lab.com
Support page: https://www.extensions-lab.com/support
General contact: info@extensionsforce.com
Support contact: support@extensionsforce.com
Privacy contact: info@extensionsforce.com

If a dedicated privacy email address is published on our website or in our documentation, you may also use that address.

We have not appointed a statutory Data Protection Officer unless expressly stated on our website or in a separate agreement. We have designated an internal privacy contact to handle privacy and data protection requests.

 

2. Scope of This Policy

This Policy applies when we process data in connection with:

  1. our public websites, landing pages, documentation pages, support pages, and partner pages;

  2. Microsoft AppSource, Microsoft Marketplace, Microsoft 365 admin center, Microsoft Partner Center, CSP, private offers, CSP private offers, and Authorized Reseller orders;

  3. Extensions Lab applications for Microsoft Dynamics 365 Business Central;

  4. product trials, demos, sandbox environments, partner demo licenses, evaluation licenses, and pre-sales activities;

  5. support, troubleshooting, implementation assistance, configuration assistance, and professional services;

  6. telemetry, diagnostics, logging, error reporting, usage analytics, entitlement checks, and security monitoring;

  7. integrations with Microsoft services, Third-Party Services, APIs, maps, routing, telematics, carrier systems, reporting tools, and AI/Copilot services;

  8. communications with customers, prospects, partners, resellers, vendors, and users;

  9. legal, compliance, billing coordination, licensing, entitlement, fraud prevention, and security activities.

This Policy does not govern Microsoft Dynamics 365 Business Central, Microsoft 365, Microsoft Azure, Microsoft Entra ID, Microsoft Marketplace, Microsoft AppSource, Microsoft Partner Center, CSP services, Google services, telematics providers, carrier systems, or other third-party services that are not owned or controlled by us. Those services are governed by their own terms and privacy policies.

3. Microsoft Services and Business Central Data

Our Products are applications, extensions, modules, add-ons, or integrations for Microsoft Dynamics 365 Business Central.

 

Customer’s use of Microsoft Dynamics 365 Business Central, Microsoft 365, Microsoft Entra ID, Microsoft Azure, Microsoft AppSource, Microsoft Marketplace, Microsoft Partner Center, CSP services, Microsoft Copilot, and other Microsoft products or services is governed by

Customer’s separate agreements with Microsoft or the applicable Microsoft reseller.

Microsoft’s processing of Customer Data and Personal Data in Microsoft services is governed by Microsoft’s applicable terms, including the Microsoft Privacy Statement, Microsoft Product Terms, Microsoft Products and Services Data Protection Addendum, Microsoft Customer Agreement, Microsoft Online Subscription Agreement, Microsoft Marketplace terms, and other applicable Microsoft documentation.

This Policy governs only the processing activities performed by Extensions Lab as publisher of the Products, including Product licensing, Product telemetry under our control, support, troubleshooting, integrations configured through our Products, partner/reseller coordination, and data that Customer provides to us.

Most operational Customer Data used by our Products remains in Customer’s Microsoft Dynamics 365 Business Central environment. We do not host Customer’s Business Central tenant, and we do not control Microsoft’s hosting, backup, retention, data residency, security, service availability, or deletion practices for Microsoft services.

Where Microsoft processes data as Customer’s service provider under Customer’s Microsoft agreement, Microsoft is not our subprocessor.

Where we separately use Microsoft Azure, Application Insights, Azure OpenAI Service, email, support, monitoring, or other Microsoft services for our own Product operations, Microsoft may act as our service provider or subprocessor for those specific processing activities.

For convenience, we provide references to selected Microsoft privacy, compliance, and Business Central resources in Schedule D — Microsoft Privacy and Compliance Resources. Those resources are provided for informational purposes only and do not replace Customer’s agreements with Microsoft.

4. Definitions

For purposes of this Policy:

Authorized Reseller” means a Microsoft Cloud Solution Provider partner, CSP Direct Bill partner, CSP Indirect Provider, CSP Indirect Reseller acting through an Indirect Provider, Microsoft partner, Business Central implementation partner, or other channel partner authorized through Microsoft Marketplace, Microsoft Partner Center, a Microsoft-approved commerce channel, a private offer, CSP private offer, or written agreement with Publisher to resell, facilitate, manage, support, or assist with Customer’s acquisition of the Product.

Authorized User” means an individual user account in Customer’s organization to whom Customer has assigned, or for whom an Authorized Reseller has assigned or facilitated assignment of, a valid Product license through Microsoft 365 admin center or another Microsoft-approved license assignment mechanism.

 

Business Central” means Microsoft Dynamics 365 Business Central Online or another Microsoft Dynamics 365 Business Central environment supported by the Product.

 

Customer” means the organization or legal entity that purchases, installs, accesses, enables, assigns licenses to, or uses the Product.

 

Customer Data” means data, records, documents, configuration, files, transactions, transport orders, freight orders, shipment information, customer and vendor information, carrier information, driver information, vehicle information, rates, routes, delivery information, invoices, settlement data, telemetry-related business data, and other content entered into, generated in, processed by, or stored in Customer’s Business Central environment or provided by Customer for support, implementation, configuration, troubleshooting, or related services.

 

Customer Personal Data” means any Personal Data included in Customer Data.

“Marketplace Order” means the Microsoft Marketplace, AppSource, Microsoft 365 admin center, CSP, CSP private offer, Microsoft private offer, Microsoft Partner Center, Authorized Reseller order, or other Microsoft-approved order, subscription, plan, billing term, license quantity, price, renewal, cancellation, and related transaction terms accepted by Customer or purchased on Customer’s behalf by an Authorized Reseller.

 

Personal Data” means any information relating to an identified or identifiable natural person.

 

Product” means any Extensions Lab application, extension, module, add-on, integration, or service for Microsoft Dynamics 365 Business Central.

 

Third-Party Services” means services, platforms, APIs, applications, data providers, mapping services, telematics services, AI services, carrier systems, external

websites, and other third-party or Microsoft services that are not owned or controlled by Publisher.

Usage Data” means technical, diagnostic, telemetry, usage, performance, entitlement, security, and operational information generated through use of the Product, website, support channels, or related services.

5. Our Roles Under Data Protection Laws

Depending on the processing activity, we may act as a controller, processor, or independent controller.

5.1 Customer as controller

Customer is generally the controller of Customer Data and Customer Personal Data stored in Customer’s Business Central environment.

Customer decides:

  1. what data is entered into Business Central;

  2. which users access the Product;

  3. which companies, environments, records, roles, and permissions are configured;

  4. which integrations, APIs, maps, telematics, AI features, reports, and workflows are enabled;

  5. whether data is shared with Microsoft, Authorized Resellers, Third-Party Services, carriers, customers, vendors, or other recipients;

  6. what legal basis applies to Customer’s processing of Customer Personal Data;

  7. how Customer Data is retained, exported, deleted, backed up, or archived in Business Central.

 

5.2 Publisher as processor

We act as Customer’s processor when we process Customer Personal Data on Customer’s behalf and under Customer’s instructions, for example when:

  1. Customer provides Customer Data to us for support or troubleshooting;

  2. we access Customer’s Business Central environment through Customer-authorized delegated admin, support access, screen sharing, remote session, or similar access;

  3. we process Customer Personal Data solely to provide configured Product functionality on Customer’s behalf;

  4. we process Customer Personal Data under a separate statement of work, implementation agreement, support agreement, or data processing agreement.

In those cases, Schedule B — Data Processing Addendum applies.

 

5.3 Publisher as controller or independent controller

We act as controller or independent controller for processing activities where we determine the purposes and means of processing, such as:

  1. website operation and analytics;

  2. responding to inquiries;

  3. sales and marketing communications;

  4. customer relationship management;

  5. Microsoft Marketplace, CSP, Authorized Reseller, and licensing administration;

  6. product telemetry, diagnostics, security monitoring, fraud prevention, entitlement verification, and product improvement;

  7. billing coordination and commercial administration;

  8. partner program administration;

  9. legal compliance, recordkeeping, dispute management, and enforcement of our rights;

  10. security incident investigation.

 

5.4 Microsoft, Authorized Resellers, and Third-Party Services

Microsoft, Authorized Resellers, CSP partners, implementation partners, Google, telematics providers, carrier systems, AI providers, and other Third-Party Services may act as separate controllers, processors, or independent controllers under their own agreements and privacy policies.

We are not responsible for the privacy practices of Microsoft, Authorized Resellers, or Third-Party Services unless they process data as our subprocessors under our instructions.

6. Data We Collect and Process

We may collect or process the following categories of data. Not every category applies to every Product, Customer, user, or scenario.

 

6.1 Website, contact, and inquiry data

We may collect:

  1. name;

  2. business email address;

  3. phone number;

  4. company name;

  5. job title;

  6. country or region;

  7. message content;

  8. form submissions;

  9. meeting requests;

  10. demo requests;

  11. newsletter or marketing preferences;

  12. IP address;

  13. device and browser information;

  14. website usage information;

  15. cookie and analytics data.  

6.2 Customer account, commercial, and Marketplace data

 

We may receive or process data from Microsoft Marketplace, Microsoft AppSource, Microsoft 365 admin center, Microsoft Partner Center, CSP channels, private offers, CSP private offers, or Authorized Resellers, including:

  1. customer organization name;

  2. tenant ID;

  3. domain name;

  4. subscription ID;

  5. offer ID;

  6. plan ID;

  7. product name;

  8. license quantity;

  9. subscription status;

  10. billing term;

  11. country or market;

  12. purchase, renewal, cancellation, or trial status;

  13. administrator contact details;

  14. entitlement data;

  15. partner or reseller association data;

  16. transaction or order metadata made available to us.

We do not normally receive full payment card details from Microsoft Marketplace or Authorized Resellers.

6.3 Product licensing, entitlement, and configuration data

To license, enable, restrict, support, and verify Product use, we may process:

  1. tenant identifiers;

  2. environment identifiers;

  3. company identifiers;

  4. user identifiers;

  5. user role or permission information;

  6. assigned license information;

  7. entitlement status;

  8. plan information;

  9. subscription status;

  10. app version;

  11. product configuration;

  12. feature enablement status;

  13. trial, demo, or sandbox status;

  14. error and diagnostic information;

  15. license validation events.

 

6.4 Customer Data in Business Central

 

Depending on the Product and Customer configuration, Customer Data may include:

  1. customer and vendor records;

  2. contact names and business contact details;

  3. employee, driver, dispatcher, planner, warehouse, operator, or consultant information;

  4. carrier and subcontractor records;

  5. vehicle, trailer, container, or equipment data;

  6. shipment, transport, freight, warehouse, sales, purchase, service, or logistics records;

  7. addresses, pickup points, delivery points, GPS coordinates, routes, stops, distances, and delivery windows;

  8. rates, tariffs, surcharges, freight costs, settlement data, invoices, margins, and financial information;

  9. notes, comments, attachments, documents, images, or files;

  10. API payloads, integration data, and synchronization records;

  11. reporting, analytics, Power BI, or export data;

  12. user activity and audit-related data;

  13. other data entered into, generated by, or connected to the Product.

Most operational Customer Data is stored in Customer’s Business Central environment under Customer’s Microsoft arrangements. We do not host Customer’s Business Central tenant.

 

6.5 Support and troubleshooting data

When Customer requests support, we may process:

  1. contact details of the requester;

  2. support ticket content;

  3. screenshots;

  4. error messages;

  5. logs;

  6. diagnostic data;

  7. product configuration;

  8. Business Central tenant, environment, and company details;

  9. app version and object information;

  10. reproduction steps;

  11. sample data;

  12. remote session recordings, if agreed;

  13. screen sharing data, if used;

  14. files or exports voluntarily provided by Customer;

  15. communications with Customer, users, administrators, or Authorized Resellers.

Customer should avoid sending sensitive or unnecessary personal data in support requests unless required for the support issue.

 

6.6 Telemetry, diagnostics, and usage data

 

We may collect telemetry, diagnostics, and usage data to operate, maintain, secure, support, and improve the Product. This may include:

  1. tenant ID;

  2. environment ID;

  3. company ID or non-human-readable company reference;

  4. app ID;

  5. app version;

  6. object IDs or feature identifiers;

  7. event names;

  8. feature usage;

  9. operation duration;

  10. performance metrics;

  11. error messages;

  12. exception details;

  13. stack traces or technical diagnostic fields;

  14. configuration status;

  15. entitlement or license status;

  16. API call metadata;

  17. integration status;

  18. security events;

  19. timestamp;

  20. region or environment metadata;

  21. pseudonymous user identifiers where needed for diagnostics or licensing.

We aim to minimize telemetry and avoid collecting unnecessary Customer Data through telemetry. However, error messages or diagnostic logs may sometimes contain limited personal data or business data depending on Customer’s configuration, customizations, integrations, support scenarios, and the nature of the issue.

 

6.7 Maps, routing, geocoding, and location data

 

If Customer enables maps, routing, geocoding, distance calculation, route optimization, ETA, traffic, or similar features, the Product or Customer configuration may process or transmit:

  1. addresses;

  2. postal codes;

  3. pickup and delivery locations;

  4. GPS coordinates;

  5. route stops;

  6. route sequences;

  7. distance requests;

  8. duration requests;

  9. map display data;

  10. vehicle or driver location data;

  11. planned routes;

  12. actual routes;

  13. delivery time windows;

  14. related transport information.

Such data may be shared with Microsoft Azure Maps, Google Maps, or another mapping/routing provider configured or used by Customer.

 

6.8 Telematics, fleet, vehicle, and driver data

If Customer enables telematics or fleet integrations, the Product may process or transmit data such as:

  1. vehicle IDs;

  2. driver IDs;

  3. route assignments;

  4. dispatch information;

  5. planned stops;

  6. actual stops;

  7. GPS location;

  8. tracking events;

  9. odometer readings;

  10. delivery status;

  11. proof-of-delivery references;

  12. device data;

  13. sensor or event data;

  14. other data provided by telematics systems.

Telematics integrations may involve providers such as Geotab, Samsara, Webfleet, or similar providers, depending on Customer’s configuration.

 

6.9 API, integration, and external system data

If Customer enables integrations, APIs, web services, data exchange, reporting, Power BI, carrier systems, warehouse systems, finance systems, or other external systems, we may process technical or business data necessary to configure, monitor, troubleshoot, or support those integrations.

The data exchanged depends on Customer’s configuration and the relevant integration.

 

6.10 AI and Copilot data

If Customer enables or uses AI, Copilot, natural language, text generation, classification, summarization, recommendation, data extraction, routing assistance, or similar features, the Product may process:

  1. prompts;

  2. user instructions;

  3. selected business records;

  4. context data from Business Central;

  5. generated outputs;

  6. feedback;

  7. safety signals;

  8. diagnostic data;

  9. usage logs;

  10. configuration data.

AI Features may use Microsoft Azure OpenAI Service, Microsoft Copilot, or other AI-related services, depending on Product configuration and availability.

Unless expressly stated otherwise, we do not intentionally use Customer Data or prompts to train our general AI models without Customer’s prior notice or consent.

6.11 Partner, reseller, CSP, and demo data

 

For partner programs, CSP resale, demo licenses, sandbox plans, private offers, CSP private offers, partner enablement, or pre-sales activities, we may process:

  1. partner company name;

  2. partner contact details;

  3. Microsoft Partner identifiers;

  4. tenant IDs;

  5. customer or prospect references;

  6. demo or sandbox environment details;

  7. private offer details;

  8. CSP private offer details;

  9. reseller margin or commercial information;

  10. training participation;

  11. partner support requests;

  12. partner onboarding data;

  13. partner program communications.

7. Sources of Data

We may collect data from:

  1. Customer;

  2. Authorized Users;

  3. Customer administrators;

  4. Microsoft Marketplace;

  5. Microsoft AppSource;

  6. Microsoft 365 admin center;

  7. Microsoft Partner Center;

  8. CSP channels;

  9. Authorized Resellers;

  10. Business Central environments;

  11. Product telemetry and diagnostics;

  12. support communications;

  13. website forms;

  14. email, chat, meetings, and calls;

  15. Third-Party Services configured or used by Customer;

  16. public business sources, where lawful and relevant;

  17. partners, vendors, and service providers;

  18. security, monitoring, and analytics tools.

 

8. How We Use Data

We use data for the following purposes.

8.1 To provide and operate the Product

We use data to:

  1. install, configure, enable, operate, and maintain the Product;

  2. provide Product functionality;

  3. verify subscription and license entitlements;

  4. enforce plan, license, and feature restrictions;

  5. authenticate and authorize access where applicable;

  6. operate integrations configured by Customer;

  7. support maps, routing, telematics, APIs, reporting, and AI Features where enabled;

  8. process Product configuration;

  9. maintain compatibility with Business Central;

  10. provide updates, patches, and improvements.

 

8.2 To support Customers and users

 

We use data to:

  1. respond to support requests;

  2. diagnose issues;

  3. reproduce errors;

  4. investigate incidents;

  5. provide configuration guidance;

  6. communicate with Customer and Authorized Resellers;

  7. manage support cases;

  8. provide implementation or professional services where agreed;

  9. escalate technical issues;

  10. improve support quality.

 

8.3 To manage licensing, Marketplace, CSP, and reseller relationships

 

We use data to:

  1. verify subscriptions;

  2. manage license status;

  3. coordinate with Microsoft Marketplace;

  4. coordinate with CSP partners and Authorized Resellers;

  5. support private offers and CSP private offers;

  6. manage trials, renewals, cancellations, and plan changes;

  7. manage partner demo or sandbox licenses;

  8. prevent unauthorized use;

  9. detect licensing abuse;

  10. maintain commercial records.

 

8.4 To secure and improve the Product

 

We use data to:

  1. monitor performance;

  2. detect errors;

  3. detect security threats;

  4. investigate misuse;

  5. prevent fraud;

  6. improve reliability;

  7. improve Product features;

  8. prioritize fixes;

  9. analyze aggregate or de-identified usage patterns;

  10. validate product quality;

  11. support compliance and audit activities.

When we act as processor, we use Customer Personal Data only under Customer’s instructions and as permitted by the applicable agreement. Product improvement activities involving Customer Personal Data are performed only where permitted by law, contract, Customer instructions, or by using aggregated, anonymized, or de-identified data.

 

8.5 To communicate with Customers, prospects, and partners

 

We use data to:

  1. respond to inquiries;

  2. provide product information;

  3. schedule demos;

  4. manage partner onboarding;

  5. send administrative notices;

  6. send support communications;

  7. send security notices;

  8. send product updates;

  9. send marketing communications where permitted;

  10. manage opt-outs and preferences.

 

8.6 To comply with legal and business obligations

 

We use data to:

  1. comply with applicable laws;

  2. maintain accounting and tax records;

  3. respond to lawful requests;

  4. enforce agreements;

  5. resolve disputes;

  6. protect our rights;

  7. protect Customer, Microsoft, partners, and users;

  8. investigate violations;

  9. maintain required records;

  10. conduct corporate transactions such as mergers, acquisitions, restructuring, or sale of assets.

9. Legal Bases for Processing

Where GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following legal bases.

Processing activity- Legal basis

  • Providing the Product and related services -> Performance of contract; legitimate interests; processor processing on Customer’s instructions

  • Licensing, entitlement verification, Marketplace, CSP, and reseller administration -> Performance of contract; legitimate interests; legal obligations

  • Support and troubleshooting -> Performance of contract; legitimate interests; processor processing on Customer’s instructions

  • Telemetry, diagnostics, product security, and reliability -> Legitimate interests; performance of contract; legal obligations where applicable

  • Website operation and necessary cookies -> Legitimate interests; performance of contract where applicable

  • Analytics cookies and non-essential tracking -> Consent where required; legitimate interests where permitted

  • Marketing communications -> Consent where required; legitimate interests where permitted

  • Partner program administration -> Performance of contract; legitimate interests

  • Legal compliance, recordkeeping, tax, accounting, dispute handling -> Legal obligations; legitimate interests

  • Security monitoring and fraud prevention -> Legitimate interests; legal obligations

  • AI Features configured or used by Customer -> Performance of contract; legitimate interests; processor processing on Customer’s instructions; consent where required

  • Maps, routing, telematics, APIs, and integrations configured by Customer -> Performance of contract; legitimate interests; processor processing on Customer’s instructions

  • International transfers -> Contractual necessity; legitimate interests; Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms

When we act as processor, Customer is responsible for determining the applicable legal basis for Customer’s processing of Customer Personal Data.

10. Customer Data Ownership and Control

Customer retains all right, title, and interest in Customer Data.

We do not acquire ownership of Customer Data.

Most operational Customer Data remains in Customer’s Business Central environment under Customer’s Microsoft arrangements.

Customer controls:

  1. what Customer Data is entered into Business Central;

  2. which users can access it;

  3. what permissions apply;

  4. which integrations are enabled;

  5. what data is exported;

  6. what data is shared with Third-Party Services;

  7. what data is provided to us for support;

  8. how Customer Data is retained, exported, deleted, or backed up in Business Central.

We process Customer Data only as described in this Policy, the EULA, the applicable agreement, Customer’s instructions, Product configuration, or applicable law.

 

11. Marketplace, CSP, and Authorized Reseller Data

The Product may be purchased, licensed, provisioned, assigned, managed, renewed, cancelled, or supported through Microsoft Marketplace, AppSource, Microsoft 365 admin center, Microsoft Partner Center, CSP, CSP private offers, Microsoft private offers, Authorized Resellers, or other Microsoft-approved commerce channels.

In these scenarios, we may receive or share data necessary to:

  1. identify the Customer tenant;

  2. verify Product entitlement;

  3. confirm license quantity;

  4. confirm plan and subscription status;

  5. process trials, renewals, cancellations, or plan changes;

  6. coordinate with Microsoft, CSP partners, and Authorized Resellers;

  7. support private offers and CSP private offers;

  8. prevent unauthorized use;

  9. provide support;

  10. maintain commercial records.

Authorized Resellers may act as independent controllers or processors under their own agreements with Customer. We are not responsible for the privacy practices of Authorized Resellers unless they process data as our subprocessors under our instructions.

 

12. Support Access and Customer-Provided Data

We access Customer’s Business Central environment or Customer Data only where reasonably necessary and permitted, including:

  1. when Customer provides data to us;

  2. when Customer opens a support ticket;

  3. when Customer authorizes delegated admin access;

  4. when Customer authorizes a remote session or screen sharing;

  5. when Customer provides logs, screenshots, files, exports, or sample data;

  6. when access is technically necessary to provide configured Product functionality;

  7. when access is required for security, fraud, misuse, or licensing investigations;

  8. when required by law.

Customer should avoid providing unnecessary personal data, sensitive data, credentials, secrets, API keys, or confidential information in support requests unless necessary to resolve the issue.

If credentials, API keys, secrets, or tokens are provided to us for support, Customer should rotate or revoke them after the support activity where appropriate.

 

13. Telemetry, Diagnostics, and Product Improvement

Business Central platform telemetry and Product telemetry may be sent to Azure Application Insights or other monitoring tools where configured.

Microsoft Business Central platform telemetry is designed not to emit Customer Data or Personal Data to Application Insights and is generally limited to technical, tenant, configuration, performance, diagnostic, and usage information.

Our custom Product telemetry is intended to avoid collecting Customer Data or Personal Data unless such data is necessary for diagnostics, support, security, licensing, or Product operation. However, depending on Customer configuration, customizations, integrations, support scenarios, error messages, or data voluntarily provided by Customer, limited business data or Personal Data may appear in logs, diagnostics, screenshots, support files, or error context.

We use telemetry and diagnostics to:

  1. identify errors;

  2. troubleshoot performance issues;

  3. support Customers;

  4. detect security issues;

  5. verify entitlement and licensing;

  6. improve Product reliability;

  7. understand feature usage;

  8. prioritize product improvements.

Telemetry should not be used by Customer as a substitute for Customer’s own audit, compliance, operational, or business records.

14. Third-Party and Microsoft Services

The Product may enable, require, or integrate with Third-Party Services and Microsoft services, including but not limited to:

  1. Microsoft Dynamics 365 Business Central;

  2. Microsoft 365;

  3. Microsoft Entra ID;

  4. Microsoft Azure;

  5. Microsoft AppSource and Microsoft Marketplace;

  6. Microsoft Partner Center;

  7. CSP services;

  8. Azure Maps;

  9. Google Maps;

  10. telematics providers such as Geotab, Samsara, Webfleet, or similar providers;

  11. carrier systems, shipment tracking providers, routing providers, rate providers, and external APIs;

  12. Microsoft Power BI, Microsoft Power Platform, or related reporting and automation services;

  13. Azure OpenAI Service, Microsoft Copilot, or other AI-related services, if enabled or included;

  14. analytics, logging, diagnostics, monitoring, and support tools.

Third-Party Services may require separate accounts, licenses, subscriptions, API keys, credentials, consents, configuration, fees, or acceptance of separate terms.

Data exchanged with Third-Party Services may be processed according to the terms and privacy policies of those services.

Customer is responsible for configuring Third-Party Services lawfully and for ensuring that Customer has the right to share data with those services.

 

15. Maps, Routing, Geocoding, Telematics, and Location Data

If Customer enables or uses maps, routing, geocoding, telematics, tracking, fleet, or dispatch features, the Product may process data such as:

  1. addresses;

  2. GPS coordinates;

  3. pickup locations;

  4. delivery locations;

  5. route stops;

  6. planned routes;

  7. actual routes;

  8. estimated arrival times;

  9. vehicle location;

  10. driver or dispatcher identifiers;

  11. delivery status;

  12. proof-of-delivery references;

  13. distance and duration calculations;

  14. route optimization requests;

  15. telematics events.

This data may be transmitted to or received from Microsoft, Azure Maps, Google Maps, telematics providers, carrier systems, or other providers configured by Customer.

Location data and driver data may be subject to employment, privacy, consent, labor, transport, and local regulatory requirements. Customer is responsible for ensuring that its use of such data is lawful and that any required notices, consents, employment policies, driver notices, customer notices, or carrier notices are provided.

16. AI and Copilot Features

The Product may include or connect to AI, Copilot, natural language, text generation, classification, summarization, recommendation, data extraction, routing assistance, or similar features (“AI Features”).

If Customer enables or uses AI Features, prompts, selected records, business context, user instructions, outputs, feedback, and diagnostic data may be processed to provide those features.

AI outputs may be incomplete, inaccurate, outdated, biased, unsuitable, or inappropriate for Customer’s specific circumstances. Users should review AI outputs before using them for operational, financial, legal, safety-related, customer-facing, or compliance-related purposes.

AI Features do not replace professional judgment, dispatch control, transport planning expertise, financial review, legal advice, tax advice, compliance review, or human decision-making.

We do not intentionally use Customer Data or Customer prompts to train our general AI models without Customer’s prior notice or consent.

AI Features may be provided through Microsoft Azure OpenAI Service, Microsoft Copilot, or other AI services. Those services may process data under their own terms, privacy policies, and data processing commitments.

If AI Features use Microsoft Copilot, Azure OpenAI Service, or other Microsoft generative AI services, Customer’s use of those Microsoft services may also be subject to Microsoft’s applicable AI, Copilot, Product Terms, Data Protection Addendum, Responsible AI, and service-specific terms. This Policy applies to Extensions Lab’s processing activities and does not replace Microsoft’s privacy, security, or contractual commitments for Microsoft AI services.

Customer is responsible for ensuring that prompts and data submitted to AI Features are lawful, appropriate, and permitted under Customer’s policies and applicable law.

Users may report harmful, inappropriate, or materially incorrect AI outputs through our support channels.

We may disable, restrict, change, or discontinue AI Features if required for security, compliance, legal, ethical, technical, commercial, or operational reasons.

17. Product Privacy Notices in Business Central

Where technically appropriate, the Product may display, link to, or refer to privacy notices for certain Product features, integrations, or Third-Party Services.

Such notices may explain what data is collected or exchanged, for what purposes, how the data is processed, and where to find more information.

Customer administrators may be responsible for reviewing, approving, or communicating privacy notices to users depending on Customer’s Business Central configuration, enabled integrations, internal policies, and applicable law.

18. Cookies and Website Analytics

Our websites may use cookies and similar technologies.

 

18.1 Types of cookies

We may use:

  1. Strictly necessary cookies — required for website operation, security, form submission, session management, and basic functionality.

  2. Analytics cookies — used to understand website traffic, usage patterns, page performance, and user interactions.

  3. Preference cookies — used to remember user choices, such as language or region.

  4. Marketing cookies — used only where enabled and permitted, to measure marketing performance or manage campaigns.

18.2 Google Analytics and similar tools

We may use Google Analytics or similar analytics tools to understand how visitors use our websites.

Analytics data may include:

  1. IP address;

  2. device type;

  3. browser type;

  4. operating system;

  5. pages visited;

  6. time spent on pages;

  7. referring pages;

  8. general location information;

  9. events and interactions;

  10. cookie identifiers.

Where required by law, we request consent before using non-essential analytics or marketing cookies.

 

18.3 Cookie choices

Users may manage cookies through:

  1. our cookie banner or cookie preferences tool, where available;

  2. browser settings;

  3. browser plug-ins;

  4. analytics provider opt-out tools;

  5. device settings.

Disabling cookies may affect website functionality.

 

19. Marketing Communications

We may send marketing communications to business contacts where permitted by law.

Marketing communications may include:

  1. product updates;

  2. newsletters;

  3. event invitations;

  4. partner program information;

  5. training information;

  6. promotional offers;

  7. release announcements;

  8. relevant business communications.

Recipients may opt out of marketing emails by using the unsubscribe link in the email or by contacting us.

We may still send non-marketing communications, such as security notices, support updates, subscription notices, legal notices, and administrative messages.

 

20. Sharing Data

 

We may share data with the following categories of recipients.

20.1 Microsoft

We may share or receive data from Microsoft in connection with:

  1. Business Central;

  2. Microsoft 365;

  3. Microsoft Entra ID;

  4. Microsoft Azure;

  5. Microsoft AppSource;

  6. Microsoft Marketplace;

  7. Microsoft Partner Center;

  8. Microsoft 365 admin center;

  9. CSP transactions;

  10. licensing and entitlement verification;

  11. telemetry, diagnostics, and monitoring;

  12. support escalation;

  13. security;

  14. AI or Copilot services;

  15. other Microsoft services used by Customer or by us.

Microsoft’s processing is governed by Customer’s and/or our applicable agreements with Microsoft.

Microsoft is not our subprocessor merely because Customer uses Microsoft Dynamics 365 Business Central, Microsoft 365, Microsoft Azure, Microsoft Marketplace, Microsoft Partner Center, or other Microsoft services under Customer’s own Microsoft agreement.

Microsoft may be our service provider or subprocessor only where we engage Microsoft services for our own processing activities, such as Product telemetry, diagnostics, support, hosting, monitoring, security, AI features, or other Product operations under our control.

 

20.2 Authorized Resellers and CSP partners

If Customer purchases, manages, or supports the Product through an Authorized Reseller or CSP partner, we may share or receive relevant data with that party, including:

  1. customer and tenant identifiers;

  2. subscription and entitlement information;

  3. plan and license quantity information;

  4. support status;

  5. commercial coordination data;

  6. renewal or cancellation status;

  7. implementation or configuration information;

  8. other data necessary for reseller, CSP, or partner administration.

Authorized Resellers may act as independent controllers or processors under their own agreements with Customer.

 

20.3 Third-Party Services configured or used by Customer

 

If Customer enables integrations, we may share relevant data with Third-Party Services such as:

  1. mapping providers;

  2. routing providers;

  3. telematics providers;

  4. carrier systems;

  5. APIs;

  6. reporting tools;

  7. Power BI or analytics services;

  8. AI services;

  9. warehouse or transport systems;

  10. finance systems;

  11. other systems configured by Customer.

Customer is responsible for reviewing and accepting the terms and privacy policies of Third-Party Services before enabling them.

 

20.4 Service providers and subprocessors

We may use service providers and subprocessors to help us provide, secure, support, monitor, and improve the Product and our services. These may include:

  1. cloud hosting providers;

  2. telemetry and diagnostics providers;

  3. email providers;

  4. support ticketing providers;

  5. CRM providers;

  6. website hosting providers;

  7. analytics providers;

  8. security and monitoring providers;

  9. communication and meeting tools;

  10. AI service providers;

  11. professional advisers;

  12. other vendors necessary to operate our business.

Where we act as processor, we use subprocessors in accordance with Schedule B.

 

20.5 Legal and compliance recipients

We may disclose data:

  1. to comply with law;

  2. to respond to lawful requests;

  3. to protect rights, safety, and security;

  4. to enforce agreements;

  5. to investigate fraud, misuse, or security incidents;

  6. to professional advisers;

  7. to courts, regulators, or government authorities;

  8. in connection with corporate transactions.

20.6 No sale of Personal Data

We do not sell Customer Personal Data.

We do not use Customer Data for third-party advertising.

We do not intentionally use Customer Data to train general AI models without Customer’s prior notice or consent.

Where US state privacy laws apply, we do not sell Personal Data or share Personal Data for cross-context behavioral advertising as those terms are defined under applicable law, unless expressly disclosed and permitted.

21. International Transfers

We are located in Cyprus, within the European Union.

We may process or transfer data in the European Economic Area, the United Kingdom, the United States, and other countries where we, Microsoft, Authorized Resellers, service providers, subprocessors, or Third-Party Services operate.

Where Personal Data is transferred outside the EEA, UK, or Switzerland, we use appropriate safeguards where required, such as:

  1. adequacy decisions;

  2. Standard Contractual Clauses;

  3. UK international data transfer addendum or equivalent safeguards where applicable;

  4. contractual commitments;

  5. transfer impact assessments where required;

  6. technical and organizational measures;

  7. other lawful transfer mechanisms.

Data residency and international transfer commitments for Customer Data stored in Microsoft Dynamics 365 Business Central or other Microsoft services are governed by Customer’s agreements with Microsoft, including the applicable Microsoft Product Terms and Microsoft Products and Services Data Protection Addendum.

Microsoft services, features, network components, support processes, integrations, or optional services may have different data residency and transfer rules. Customer is responsible for reviewing Microsoft’s applicable documentation and configuring Microsoft services according to Customer’s compliance requirements.

Customer is responsible for assessing international transfers caused by Customer’s own configuration of Microsoft services, Third-Party Services, integrations, APIs, maps, telematics, AI services, or Authorized Reseller arrangements.

22. Data Retention

We retain data only for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law, contract, tax, accounting, security, dispute, or compliance obligations.

The retention periods in this section apply to data processed by Extensions Lab under this Policy. They do not define or control retention, backup, deletion, or recovery periods for Customer Data stored in Customer’s Microsoft Dynamics 365 Business Central environment or other Microsoft services.

Retention, backup, deletion, and recovery of data in Microsoft services are governed by Customer’s Microsoft agreements, Microsoft Product Terms, Microsoft Data Protection Addendum, Microsoft service documentation, and Customer’s own configuration.

Indicative retention periods are:

1. Website inquiries and contact forms — up to 3 years after last interaction, unless longer retention is required.
2. Customer and commercial records — subscription term plus up to 7 years for accounting, tax, contract, and legal purposes.
3. Marketplace, CSP, reseller, and entitlement records — subscription term plus up to 7 years.
4. Support tickets and troubleshooting records — up to 3 years after ticket closure, unless longer retention is required for security, legal, or product quality reasons.
5. Telemetry and diagnostic logs — typically up to 24 months, unless longer retention is required for security, reliability, fraud prevention, or legal reasons.
6. Security logs — typically up to 24 months, or longer for investigation or compliance.
7. Marketing records — until opt-out or inactivity, plus suppression records as needed to honor opt-outs.
8. Partner program records — relationship term plus up to 7 years.
9. Demo, sandbox, trial, and evaluation records — up to 2 years after expiration, unless converted to a commercial relationship or longer retention is required.
10. Professional services records — project term plus up to 7 years.
11. AI prompts and outputs processed by us — as short as reasonably possible for the configured feature, support, safety, or diagnostic purpose, unless longer retention is required by Customer configuration, provider terms, security, or law.
12. Backups — retained according to backup cycles and deleted or overwritten according to our or the relevant provider’s backup practices.

Customer is responsible for retention, export, backup, and deletion of Customer Data in Customer’s Business Central environment.

When we act as processor, deletion or return of Customer Personal Data is handled according to Schedule B, the applicable agreement, and the technical capabilities of the relevant systems.

23. Security

We use commercially reasonable technical and organizational measures designed to protect Personal Data and Product-related systems under our control.

These measures may include, as appropriate:

  1. access controls;

  2. least privilege access;

  3. authentication controls;

  4. encryption in transit;

  5. encryption at rest where supported by the relevant platform;

  6. secure development practices;

  7. logging and monitoring;

  8. vulnerability management;

  9. environment separation;

  10. confidentiality obligations;

  11. incident response procedures;

  12. backup and recovery practices;

  13. vendor and subprocessor review;

  14. security updates;

  15. administrative controls.

No system is completely secure. Customer is responsible for securing its own Microsoft tenant, Business Central environment, users, devices, credentials, API keys, integrations, permissions, exports, and Third-Party Services.

If Customer purchased or manages the Product through an Authorized Reseller, that Authorized Reseller may have access to Customer’s tenant, Business Central environment, configuration, users, licenses, or data depending on Customer’s agreement with the Authorized Reseller. We are not responsible for acts or omissions of Authorized Resellers unless they process data as our subprocessors under our instructions.

 

24. Personal Data Breaches

If we become aware of a Personal Data breach affecting Personal Data for which we are controller, we will assess the breach and notify affected individuals or regulators where required by applicable law.

If we become aware of a Personal Data breach affecting Customer Personal Data that we process as processor, we will notify Customer without undue delay after becoming aware of the breach, as required by Schedule B and applicable law.

Customer is responsible for assessing and notifying Personal Data breaches within Customer’s Business Central environment, Microsoft tenant, Third-Party Services, Authorized Reseller services, or other systems not controlled by us.

 

25. Data Subject Rights

Depending on applicable law, individuals may have rights to:

  1. access their Personal Data;

  2. correct inaccurate Personal Data;

  3. delete Personal Data;

  4. restrict processing;

  5. object to processing;

  6. receive a portable copy of Personal Data;

  7. withdraw consent where processing is based on consent;

  8. object to direct marketing;

  9. not be subject to certain solely automated decisions;

  10. lodge a complaint with a supervisory authority.

To exercise rights in relation to data for which we are controller, contact us at:

info@extensionsforce.com

To exercise rights in relation to Customer Data controlled by Customer, individuals should contact the relevant Customer directly. Where we act as processor, we will assist Customer as required by Schedule B and applicable law.

If you are located in the EEA and believe your rights have been violated, you may lodge a complaint with your local supervisory authority. In Cyprus, the supervisory authority is the Office of the Commissioner for Personal Data Protection.

 

26. Business Central Data Subject Requests

Customer is generally responsible for responding to data subject requests relating to Customer Data stored in Customer’s Business Central environment, including requests for access, export, correction, deletion, restriction, or portability.

Business Central includes administrative tools and features that may help Customer identify, classify, export, correct, restrict, or delete certain Personal Data.

Customer is responsible for configuring and using those tools appropriately, classifying Personal Data correctly, and determining whether and how a data subject request should be fulfilled.

If we process Customer Personal Data as processor and Customer needs our assistance to respond to a data subject request, we will provide reasonable assistance as described in Schedule B — Data Processing Addendum.

 

27. Automated Decision-Making

We do not use Personal Data to make solely automated decisions that produce legal effects or similarly significant effects on individuals, unless expressly disclosed and permitted by applicable law.

AI Features may assist users by generating suggestions, summaries, classifications, recommendations, or draft outputs. Such outputs are not intended to make final business, legal, financial, safety, employment, transport, or compliance decisions without human review.

Customer is responsible for reviewing AI outputs and for ensuring that any automated workflows configured by Customer comply with applicable law.

 

28. Special Categories of Personal Data and Criminal Offence Data

Our Products are designed for business use and are not intended to require processing of special categories of Personal Data, such as health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, or sexual orientation.

Our Products are also not intended to require processing of criminal offence data.

Customer should not enter special categories of Personal Data or criminal offence data into the Product unless:

  1. it is necessary for Customer’s lawful business purpose;

  2. Customer has a valid legal basis;

  3. Customer has provided required notices and obtained required consents where applicable;

  4. Customer has assessed and implemented appropriate safeguards.

If Customer provides such data to us for support or processing, Customer is responsible for ensuring that such disclosure is lawful.

 

29. Children

 

Our websites and Products are intended for business and professional use.

They are not intended for children.

We do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data to us, please contact us so that we can take appropriate action.

30. Customer Responsibilities

Customer is responsible for:

  1. providing required privacy notices to its users, employees, drivers, dispatchers, customers, vendors, carriers, and other data subjects;

  2. obtaining required consents where applicable;

  3. establishing a lawful basis for processing Customer Personal Data;

  4. configuring Business Central permissions and roles;

  5. managing user access;

  6. classifying Personal Data and sensitive data in Business Central where appropriate;

  7. configuring integrations lawfully;

  8. reviewing Third-Party Service terms and privacy policies;

  9. handling data subject requests relating to Customer Data;

  10. managing retention and deletion of Customer Data in Business Central;

  11. assessing data protection impact where required;

  12. ensuring lawful use of maps, telematics, location, driver, vehicle, AI, and transport data;

  13. ensuring that its use of the Product complies with applicable law.

 

31. Subprocessors and Service Providers

Where we act as processor, Customer gives us general authorization to engage subprocessors to provide, support, secure, monitor, and improve the Product and related services, subject to Schedule B.

Our subprocessors may include providers in the following categories:

  1. Microsoft Azure and Microsoft cloud services used by us for our own Product operations;

  2. Microsoft Marketplace, Partner Center, and related Microsoft commerce services used by us for licensing or entitlement administration;

  3. telemetry and diagnostics providers;

  4. support ticketing systems;

  5. email and communication tools;

  6. CRM and customer management tools;

  7. website hosting providers;

  8. analytics providers;

  9. AI service providers;

  10. security and monitoring providers;

  11. professional advisers;

  12. mapping, routing, geocoding, or telematics providers where used by us to provide configured Product functionality;

  13. other service providers necessary to deliver the Product and related services.

For clarity, Microsoft is not our subprocessor merely because Customer uses Microsoft Dynamics 365 Business Central, Microsoft 365, Microsoft Azure, Microsoft Marketplace, Microsoft Partner Center, or other Microsoft services under Customer’s own Microsoft agreement.

Microsoft may be our service provider or subprocessor only where we engage Microsoft services for our own processing activities, such as Product telemetry, diagnostics, support, hosting, monitoring, security, AI features, or other Product operations under our control.

Where Customer directly configures or contracts with a Third-Party Service, that service is not our subprocessor unless we have engaged it to process Customer Personal Data on our behalf.

We may publish a list of subprocessors on our website or provide it upon request.

 

32. Changes to This Policy

We may update this Policy from time to time.

We will post the updated version on our website or another appropriate location. The updated version will include a new “Last updated” date.

Material changes may be communicated through the website, Product, email, documentation, Microsoft Marketplace listing, Authorized Reseller, or other reasonable means.

Changes apply from the effective date stated in the updated Policy, unless applicable law requires otherwise.

Continued use of the Product after the effective date means that Customer acknowledges the updated Policy.

 

33. Contact Us

For privacy questions, data protection requests, or security concerns, contact us at:

Extensionsforce Limited
Trading as Extensions Lab
Gkoura 6, 4040 Germasogeia
Limassol, Cyprus

Privacy contact: info@extensionsforce.com
Support contact: support@extensionsforce.com
Website: https://www.extensions-lab.com
Support page: https://www.extensions-lab.com/support

Schedule A — Product and Integration Examples

This Schedule provides examples of data processing scenarios that may apply to certain Products. Not all scenarios apply to every Product or Customer.

 

A1. Shipper TMS

Shipper TMS may process data related to:

  1. transport requests;

  2. truck loads;

  3. own fleet planning;

  4. external carrier planning;

  5. route planning;

  6. dispatching;

  7. delivery execution;

  8. map-based planning;

  9. route calculation;

  10. addresses and coordinates;

  11. vehicle, trailer, and driver data;

  12. telematics integrations;

  13. carrier rates;

  14. shipment tracking;

  15. APIs;

  16. reporting;

  17. AI Features, if enabled;

  18. support and diagnostics.

Shipper TMS may integrate with Microsoft services, Azure Maps, Google Maps, telematics providers, carrier systems, Business Central APIs, reporting tools, and other external systems configured by Customer.

A2. TMS for Logistics Service Providers

TMS for Logistics Service Providers may process data related to:

  1. forwarding orders;

  2. freight orders;

  3. customer orders;

  4. carrier execution;

  5. subcontracted carrier management;

  6. multi-stage transport planning;

  7. purchase invoice allocation;

  8. customer invoicing;

  9. settlement;

  10. margins;

  11. uninvoiced work;

  12. customers, vendors, carriers, and contacts;

  13. addresses and route information;

  14. APIs;

  15. reporting;

  16. Power BI or analytics;

  17. AI Features, if enabled;

  18. support and diagnostics.

TMS for Logistics Service Providers may integrate with Microsoft services, carrier systems, external APIs, reporting tools, AI services, and other external systems configured by Customer.

 

A3. Other Extensions Lab Business Central Apps

 

Other Extensions Lab Business Central applications may process business data relevant to their documented functionality, including Business Central records, configuration, users, permissions, telemetry, diagnostics, support data, integrations, APIs, reports, and AI Features where applicable.

 

Schedule B — Data Processing Addendum

This Data Processing Addendum (“DPA”) applies when Extensions Lab processes Customer Personal Data on behalf of Customer as processor.

This DPA forms part of the EULA, this Policy, and any applicable agreement between Customer and Publisher.

B1. Roles

Customer is the controller of Customer Personal Data.

Publisher is the processor of Customer Personal Data to the extent Publisher processes Customer Personal Data on behalf of Customer and under Customer’s instructions.

Where Customer acts as processor for another controller, Customer is responsible for ensuring that it has authority to instruct Publisher and that Publisher’s processing is consistent with Customer’s obligations to the relevant controller.

 

B2. Subject Matter

The subject matter of processing is the provision, support, maintenance, security, monitoring, and improvement of Extensions Lab Products and related services for Microsoft Dynamics 365 Business Central.

 

B3. Duration

 

The duration of processing is the term of Customer’s subscription, trial, demo, sandbox, evaluation, support engagement, professional services engagement, or other use of the Product, plus any retention period required for deletion, return, backups, legal compliance, accounting, dispute resolution, security, or legitimate business purposes.

 

B4. Nature and Purpose of Processing

 

The nature and purpose of processing may include:

  1. hosting or operating Product-related components under Publisher’s control;

  2. enabling Product functionality;

  3. supporting Customer’s configuration;

  4. troubleshooting;

  5. telemetry and diagnostics;

  6. support ticket handling;

  7. delegated admin or remote support access where authorized by Customer;

  8. integration support;

  9. security monitoring;

  10. license and entitlement verification;

  11. error correction;

  12. professional services where agreed;

  13. other processing documented in the EULA, this Policy, an order, a statement of work, or Customer’s instructions.

 

B5. Types of Personal Data

Customer Personal Data may include:

  1. names;

  2. business contact details;

  3. user identifiers;

  4. employee, driver, dispatcher, planner, consultant, carrier, vendor, or customer contact information;

  5. addresses;

  6. location data;

  7. route and delivery data;

  8. vehicle, driver, or fleet data;

  9. customer and vendor data;

  10. invoice, settlement, rate, or financial data;

  11. support data;

  12. attachments and documents;

  13. telemetry and diagnostic data;

  14. AI prompts and outputs, if enabled;

  15. API and integration data;

  16. other Personal Data included in Customer Data.

 

B6. Categories of Data Subjects

 

Data subjects may include:

  1. Customer employees;

  2. Customer contractors;

  3. Customer administrators;

  4. Authorized Users;

  5. drivers;

  6. dispatchers;

  7. planners;

  8. warehouse users;

  9. carrier contacts;

  10. vendor contacts;

  11. customer contacts;

  12. consignee or delivery contacts;

  13. partner or reseller contacts;

  14. support requesters;

  15. other individuals whose data is included in Customer Data.

 

B7. Customer Instructions

Publisher will process Customer Personal Data only on documented instructions from Customer, including instructions in:

  1. the EULA;

  2. this Policy;

  3. this DPA;

  4. Marketplace Orders;

  5. Product configuration;

  6. support requests;

  7. statements of work;

  8. written agreements;

  9. Customer’s use of the Product;

  10. applicable law.

If Publisher believes an instruction violates applicable data protection law, Publisher will inform Customer unless prohibited by law.

 

B8. Confidentiality

 

Publisher will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations or appropriate statutory duties of confidentiality.

B9. Security Measures

 

Publisher will implement appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

Such measures may include, as appropriate:

  1. access controls;

  2. least privilege;

  3. authentication;

  4. encryption in transit;

  5. encryption at rest where supported;

  6. logging;

  7. monitoring;

  8. confidentiality obligations;

  9. secure development practices;

  10. incident response;

  11. backup practices;

  12. vulnerability management;

  13. vendor management.

Customer is responsible for security measures within Customer’s Business Central environment, Microsoft tenant, users, devices, credentials, permissions, API keys, and Third-Party Services.

 

B10. Subprocessors

 

Customer gives Publisher general written authorization to engage subprocessors.

Publisher will impose data protection obligations on subprocessors that are substantially similar to those in this DPA, to the extent applicable to the services provided by the subprocessor.

Publisher remains responsible to Customer for the performance of subprocessors that process Customer Personal Data on Publisher’s behalf.

Publisher may add or replace subprocessors. Where required by law or contract, Publisher will provide notice of material subprocessor changes through its website, documentation, email, or other reasonable means and allow Customer to object on reasonable data protection grounds.

Customer must submit any objection within 30 days after notice of the relevant subprocessor change, unless a shorter period is required due to security, legal, technical, or operational urgency.

If Customer reasonably objects to a subprocessor and Publisher cannot reasonably provide the affected Product or feature without that subprocessor, Customer may discontinue use of the affected Product or feature. This does not affect any cancellation, refund, or renewal terms governed by the applicable Marketplace Order, CSP private offer, Authorized Reseller order, or Microsoft commerce process.

 

B11. Assistance With Data Subject Requests

 

Taking into account the nature of the processing, Publisher will provide reasonable assistance to Customer, insofar as possible, to help Customer respond to data subject requests relating to Customer Personal Data processed by Publisher as processor.

If Publisher receives a request directly from a data subject relating to Customer Personal Data controlled by Customer, Publisher may refer the request to Customer unless legally required to respond otherwise.

 

B12. Assistance With Security and Compliance

Taking into account the nature of processing and information available to Publisher, Publisher will provide reasonable assistance to Customer with Customer’s obligations relating to:

  1. security of processing;

  2. personal data breach notification;

  3. data protection impact assessments;

  4. prior consultation with supervisory authorities,

to the extent required by applicable data protection law and relevant to Publisher’s processing as processor.

 

B13. Personal Data Breach Notification

 

Publisher will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data processed by Publisher as processor.

The notification will include information reasonably available to Publisher, such as:

  1. nature of the breach;

  2. categories of data affected;

  3. likely consequences, where known;

  4. measures taken or proposed;

  5. contact point for follow-up;

  6. other information required by applicable law where available.

Publisher’s notification is not an admission of fault or liability.

 

B14. Return or Deletion

 

At the end of the provision of services relating to processing, Publisher will, at Customer’s choice and to the extent technically feasible, delete or return Customer Personal Data processed by Publisher as processor, unless retention is required by law, contract, security, dispute resolution, backup, or legitimate business purposes.

Customer is responsible for deleting, exporting, or retaining Customer Data in Customer’s Business Central environment.

Data stored in backups may be deleted according to backup cycles and protected from further processing except as required for backup restoration, security, or legal purposes.

 

B15. Audits and Compliance Information

Publisher will make available information reasonably necessary to demonstrate compliance with this DPA.

Customer may request information about Publisher’s security and privacy practices through reasonable security questionnaires or documentation requests.

Audits must be reasonable, limited to Publisher’s processing of Customer Personal Data, conducted during normal business hours, subject to confidentiality, and must not compromise security, confidentiality, or operations of Publisher, other customers, Microsoft, or Third-Party Services.

Publisher may satisfy audit requests by providing security documentation, certifications, summaries, questionnaires, or third-party audit reports where available.

 

B16. International Transfers

Publisher may transfer Customer Personal Data outside the EEA, UK, or Switzerland where necessary to provide the Product or related services.

Where required, Publisher will use appropriate safeguards such as Standard Contractual Clauses, UK transfer mechanisms, adequacy decisions, or other lawful transfer mechanisms.

To the extent Standard Contractual Clauses are required for a transfer of Customer Personal Data, the parties agree that the applicable Standard Contractual Clauses are incorporated by reference and apply as follows:

  1. Module Two applies where Customer is controller and Publisher is processor.

  2. Module Three applies where Customer is processor and Publisher is subprocessor.

  3. The details of processing are described in this Policy, this DPA, the EULA, the applicable order, and Product configuration.

  4. The technical and organizational measures are described in this Policy and Schedule C.

  5. Where there is a conflict between the Standard Contractual Clauses and this Policy, the Standard Contractual Clauses control for the relevant transfer.

Customer authorizes such transfers subject to this DPA.

 

B17. Government and Law Enforcement Requests

 

If Publisher receives a legally binding request from a public authority for Customer Personal Data processed as processor, Publisher will, where legally permitted:

  1. notify Customer;

  2. attempt to redirect the authority to Customer;

  3. disclose only the minimum information legally required;

  4. document the request.

Publisher will not provide voluntary, broad, or unrestricted access to Customer Personal Data to public authorities unless legally required.

 

B18. Customer Obligations

Customer is responsible for:

  1. complying with applicable data protection laws;

  2. providing notices to data subjects;

  3. obtaining consents where required;

  4. establishing a lawful basis for processing;

  5. ensuring Customer’s instructions are lawful;

  6. managing Business Central permissions and users;

  7. configuring Third-Party Services lawfully;

  8. responding to data subject requests;

  9. managing Customer Data retention in Business Central;

  10. conducting DPIAs where required;

  11. ensuring that Customer has the right to provide Customer Personal Data to Publisher.

 

B19. Liability

 

Liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability in the EULA or applicable written agreement, except to the extent such limitations or exclusions are prohibited by applicable law.

 

B20. Conflict

 

If there is a conflict between this DPA and the rest of this Policy, this DPA controls for processor processing of Customer Personal Data.

If there is a conflict between this DPA and a signed data processing agreement between Customer and Publisher, the signed data processing agreement controls for the subject matter it covers.

If there is a conflict between this DPA and mandatory applicable data protection law, mandatory applicable data protection law controls.

 

Schedule C — Subprocessor, Recipient, and Security Categories

This Schedule describes categories of third parties and security measures that may apply in connection with the Products. Not every category applies to every Customer or Product.

 

C1. Subprocessor and recipient categories

CategoryPurposeExample data

Microsoft cloud services used by Extensions Lab -> Azure services, Application Insights, monitoring, AI where enabled, Product operations under our controlTenant IDs, environment IDs, telemetry, diagnostics, support data

Microsoft Marketplace and Partner Center services -> Marketplace orders, licensing, entitlement verification, private offers, CSP private offersCustomer organization data, tenant ID, subscription ID, offer ID, plan ID, entitlement data

Microsoft Business Central services used by Customer -> Customer’s Business Central tenant, Microsoft-hosted operational data, Microsoft service operations -> ->  Customer Data controlled by Customer under Customer’s Microsoft agreement

CSP and Authorized Resellers ->  Resale, billing, support coordination, license management, implementation -> Customer contact data, order data, license quantity, tenant ID, support status

Mapping and routing providers -> Maps, geocoding, route calculation, distance, duration, route displayAddresses, coordinates, route stops, distance requests

Telematics providers-> Fleet, dispatch, tracking, vehicle/driver integration -> Vehicle IDs, driver IDs, route data, GPS data, dispatch data

Carrier and logistics systems -> Transport execution, carrier communication, tracking, rates -> Shipment data, addresses, carrier data, status events

Support tools -> Ticketing, support communications, troubleshooting -> Contact data, support tickets, logs, screenshots

Communication tools -> Email, meetings, chat, notifications -> Contact data, message content

Analytics and telemetry tools -> Product diagnostics, performance, usage, securityTenant/environment IDs, app version, events, errors

Website hosting and analytics -> Website operation and analytics -> IP address, browser data, cookie data, form submissions

AI service providers ->  AI/Copilot features, summarization, classification, recommendations -> Prompts, context data, outputs, diagnostics

Professional advisers -> Legal, accounting, compliance, dispute management -> Relevant business, contract, and legal records

A more detailed subprocessor list may be made available upon request or published on our website.

C2. Technical and organizational measures

We apply technical and organizational measures appropriate to the nature, scope, context, and purpose of processing. These may include:

  1. access control and role-based access;

  2. least privilege access;

  3. authentication requirements;

  4. secure password and credential practices;

  5. encryption in transit;

  6. encryption at rest where supported by the relevant platform;

  7. logging and monitoring;

  8. error and diagnostic monitoring;

  9. backup and recovery practices;

  10. vulnerability management;

  11. secure development practices;

  12. environment separation where applicable;

  13. confidentiality obligations for personnel and contractors;

  14. vendor and subprocessor review;

  15. incident response procedures;

  16. data minimization practices;

  17. retention controls;

  18. administrative security controls;

  19. periodic review of access rights;

  20. contractual data protection obligations with relevant vendors.

Customer remains responsible for technical and organizational measures within Customer’s Microsoft tenant, Business Central environment, users, permissions, devices, integrations, API keys, credentials, and Third-Party Services.

Schedule D — Microsoft Privacy and Compliance Resources

 

The following Microsoft resources are provided for convenience. They may help Customers understand Microsoft’s privacy, security, compliance, and data protection commitments for Microsoft services.

These resources do not replace Customer’s agreements with Microsoft and do not expand Extensions Lab’s obligations under this Policy, the EULA, or any applicable agreement.

  1. Microsoft Privacy Statement
    https://privacy.microsoft.com/privacystatement

  2. Microsoft Business Applications Legal Information
    https://www.microsoft.com/en-us/business-applications/legal/legal-landing-page/

  3. Microsoft Product Terms
    https://www.microsoft.com/licensing/terms/

  4. Microsoft Products and Services Data Protection Addendum
    https://aka.ms/DPA

  5. Microsoft Trust Center
    https://www.microsoft.com/trust-center

  6. Privacy FAQ for Business Central Customers
    https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/security/privacyfaq

  7. Privacy and Personal Data in Microsoft Dynamics 365
    https://learn.microsoft.com/en-us/dynamics365/get-started/privacy/

  8. Business Central Privacy for AL Developers
    https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/security/privacy-developers

  9. Responding to Requests About Users’ Personal Data in Business Central
    https://learn.microsoft.com/en-us/dynamics365/business-central/admin-responding-to-requests-about-personal-data

  10. Privacy Notices Status in Business Central
    https://learn.microsoft.com/en-us/dynamics365/business-central/privacy-notices-status

Microsoft may update these resources from time to time. Customer is responsible for reviewing the Microsoft terms and documentation applicable to Customer’s Microsoft services, tenant, region, configuration, and compliance requirements.

bottom of page