Extension Privacy Policy

§ 1Scope & Who We Are

This Policy applies to all LusoNexus Extensions available on Microsoft AppSource and to data processed by LusoNexus in connection with the installation, operation, and support of those Extensions.

LusoNexus LLC is a Wyoming limited liability company and the developer and publisher of the Extension. We act as a data processor with respect to personal data that Customer (you) passes through or makes accessible to the Extension within your Business Central environment. You, as the Business Central tenant owner, are the data controller.

Contact: reach@lusonexus.com  |  Cheyenne, WY 82001, United States

§ 2Microsoft's Role

The Extension runs within your Microsoft Dynamics 365 Business Central environment, which is operated and hosted by Microsoft. LusoNexus does not operate the Business Central platform and does not independently control data stored within it. Microsoft's processing of your data as part of your Business Central subscription is governed by Microsoft's Data Processing Agreement, Privacy Statement, and Online Services Terms — not by this Policy.

Your AppSource account, purchase records, billing information, and subscription management are handled by Microsoft. LusoNexus does not receive or store your payment card data or Microsoft account credentials.

§ 3What Data We Process

3.1 Extension Operational Data

To deliver the Extension's functionality, LusoNexus code running within your Business Central environment may read, write, or process data stored in your Business Central tables — including but not limited to business records, transaction data, configuration settings, and any personal data contained within those records (such as employee names, customer contact information, or vendor details). The specific data accessed depends on the Extension's function, as described in its AppSource listing and documentation.

3.2 Support Data

When you contact LusoNexus for technical support, you may share error messages, screenshots, configuration details, or Business Central data exports. This data is used solely to diagnose and resolve your support issue and is not retained beyond what is necessary for that purpose.

3.3 Telemetry and Diagnostics

Where explicitly disclosed in the Extension's AppSource listing or documentation, the Extension may log error events or diagnostic information to assist with troubleshooting. Any such telemetry is anonymized or pseudonymized where feasible, is limited to what is necessary for Extension stability, and is not used for advertising or user profiling.

3.4 What We Do Not Collect

LusoNexus does not:

• Collect or store your Business Central login credentials or Microsoft account information;
• Access your Business Central data outside the scope of the Extension's documented functions;
• Sell, rent, or share your Business Central data with third parties for their own commercial purposes;
• Use data from your Business Central environment for cross-customer analytics, advertising, or marketing;
• Receive payment card data or financial account information (handled exclusively by Microsoft).

§ 4How We Use It

Data accessed or received in connection with the Extension is used only for the following purposes:

• Delivering Extension functionality: Reading and writing Business Central data as required for the Extension to perform its documented purpose;
• Technical support: Diagnosing and resolving issues you report;
• Extension improvement: Where anonymized diagnostics are collected, improving Extension stability and performance;
• Legal compliance: Complying with applicable laws, regulations, and lawful government requests;
• Security: Detecting and preventing unauthorized access, abuse, or security incidents.

LusoNexus processes your data only on your instructions as documented in the Extension's functionality and in response to your support requests. We do not use your data for any purpose beyond what is described in this Policy.

§ 5Legal Bases for Processing (GDPR)

For customers in the EEA, UK, or Switzerland, LusoNexus processes personal data accessible through the Extension as a data processor acting on your instructions (Article 28 GDPR). As the data controller, you are responsible for having a valid legal basis for your own processing of personal data within Business Central.

Where LusoNexus processes personal data in its own capacity (e.g., support contact information), the applicable legal bases are:

• Performance of a contract (Art. 6(1)(b)): Processing your support contact information to resolve technical issues;
• Legitimate interests (Art. 6(1)(f)): Extension diagnostics and security monitoring, where our interests do not override your fundamental rights;
• Legal obligation (Art. 6(1)(c)): Processing required by applicable law.

Upon request, LusoNexus will execute a Data Processing Agreement (DPA) covering the processing of personal data within your Business Central environment through the Extension.

§ 6Data Sharing

LusoNexus does not sell your data. We share data only in the following limited circumstances:

• Infrastructure providers: Third-party hosting or cloud services used to operate any server-side components of the Extension (if applicable), bound by contractual data protection obligations;
• Legal compliance: Where required by law, court order, or lawful governmental request;
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected customers and equivalent privacy protections for your data;
• With your consent: For any purpose you have explicitly authorized in writing.

§ 7International Data Transfers

LusoNexus is based in the United States. Where LusoNexus receives personal data from the EEA, UK, or Switzerland in connection with support requests or Extension diagnostics, such data is transferred to and processed in the United States.

We protect such transfers using appropriate safeguards including:

• EU Standard Contractual Clauses (SCCs) for EEA-to-US transfers, where required;
• UK International Data Transfer Agreements (IDTA) for UK-to-US transfers, where required.

Data that remains within your Business Central tenant is subject to Microsoft's data residency and transfer policies, not LusoNexus's. Your Business Central geography setting (set when you created your tenant) governs where Microsoft stores your tenant data.

§ 8Data Retention

LusoNexus retains data associated with your use of the Extension as follows:

• Extension operational data: Data within your Business Central tenant is controlled by you. LusoNexus does not independently retain copies of your Business Central records. Uninstalling the Extension and choosing to delete Extension data from your tenant removes it permanently — LusoNexus cannot recover it.
• Support data: Retained for up to ninety (90) days after resolution of your support request, then deleted or anonymized;
• Diagnostic/telemetry data: Retained for up to ninety (90) days for stability monitoring, then deleted;
• Business records (invoices, contracts): Retained for seven (7) years as required by applicable tax and accounting law.

You may request deletion of personal data LusoNexus holds about you at any time — see §10 for your rights.

§ 9Security

LusoNexus implements commercially reasonable technical and organizational security measures appropriate to the Extension's data processing activities. These include: secure coding practices in AL and any related backend components; access controls limiting which LusoNexus personnel can access support data; encrypted communications for any external data transmissions; and regular review of Extension security practices.

The security of data within your Business Central environment is primarily governed by Microsoft's security controls for the Business Central platform and by your own tenant administration practices (user permissions, access policies, MFA, etc.). LusoNexus is not responsible for security incidents arising from misconfiguration of your Business Central tenant or Microsoft infrastructure.

In the event of a personal data breach affecting data LusoNexus holds independently (e.g., support data), we will notify you and applicable supervisory authorities as required by law within the legally required timeframe.

§ 10Your Rights

As the data controller for personal data within your Business Central tenant, you are responsible for responding to data subject rights requests from your own employees, customers, and other data subjects whose data is processed within Business Central. LusoNexus will assist you with such requests to the extent that the Extension's functionality makes this feasible.

With respect to personal data LusoNexus holds in its own right (e.g., your support contact information), you have the following rights depending on your jurisdiction:

To exercise your rights, contact us at reach@lusonexus.com. We will respond within 30 days or such shorter period as required by applicable law. For data subject requests relating to data within your Business Central tenant that LusoNexus processes as a processor on your behalf, please submit the request directly to LusoNexus after first confirming that the request relates to Extension-processed data.

§ 11Regional Notices

11.1 European Economic Area & United Kingdom

LusoNexus acts as a data processor for personal data you make accessible to the Extension within your Business Central environment. We will execute a Data Processing Agreement upon request. For EEA/UK data subjects whose personal data is processed within Business Central, you (as the data controller/tenant owner) are the primary point of contact for exercising data subject rights. LusoNexus will assist you as required under applicable law and the EULA.

11.2 California

LusoNexus does not sell or share personal information as those terms are defined under the CCPA. We do not discriminate against consumers who exercise their CCPA rights. To submit a verifiable consumer request, email reach@lusonexus.com with the subject "California Privacy Request — AppSource."

11.3 Canada

We collect, use, and disclose personal information in connection with Extension support and diagnostics in accordance with PIPEDA. Collection is limited to what is necessary for the identified purposes. You may withdraw consent for optional processing at any time.

§ 12Changes to This Policy

We may update this Policy to reflect changes in Extension functionality, legal requirements, or our data practices. Material changes will be communicated through an updated version of this page (with the "Last Updated" date revised) and, where required, through AppSource notifications or direct notice to active subscription holders.

Continued use of the Extension after the effective date of any changes constitutes acceptance. If you object to any change, you may uninstall the Extension and contact us to request deletion of any data we hold about you.

§ 13Contact Us

For all privacy-related inquiries, requests, and complaints related to LusoNexus AppSource Extensions:

• Email: reach@lusonexus.com
• Mail: LusoNexus LLC, Cheyenne, WY 82001, United States
• Subject line: "AppSource Privacy" — to route your inquiry correctly

We aim to respond within 30 days. For complex requests we may require up to an additional 60 days, with notice to you within the initial 30-day window.

EEA/UK residents who are not satisfied with our response may lodge a complaint with their local data protection supervisory authority. UK residents may contact the Information Commissioner's Office (ICO). Canadian residents may contact the Office of the Privacy Commissioner (OPC).