Privacy policy

This privacy policy applies to the use of the web application available at https://dashboard.matflow.com, provided by Bross Consulting GmbH. It is addressed to authorized users with access to matflow. The application processes company-specific data, which may also include personal data. Processing is carried out in accordance with the General Data Protection Regulation (GDPR).

This privacy policy was last updated on June 15, 2025.

1. Data Controller

Bross Consulting GmbH
Viktualienmarkt 8
80331 Munich, Germany

Represented by:
Dr. Florian Bross
Managing Director
Email: datenschutz@matflow.com
Phone: +49 89 4132 7672-0

2. Purpose and Nature of Data Processing

The matflow web application provides interactive digital twins and dashboards. Personal data is processed for the use of the application, particularly for authentication, dashboard functionality, and the technical provision of the application.

Categories of Data Processed:

  • Login data (e.g., email address, Microsoft account ID)
  • Technical usage data (e.g., IP address, timestamps, access logs)
  • Interaction data with the dashboard (e.g., applied filters, user actions)

Purposes of Processing:

  • Provision and operation of the web application
  • User management and access control
  • Misuse detection and error diagnostics
  • Performance monitoring and application security enhancement

Depending on the specific customer use, the following additional data may be processed:

  • Material master and product data
  • Customer and supplier master data
  • Order, transaction, and movement data
  • Logistics, warehouse, or supply chain data

3. Legal Basis for Processing

The processing of personal data is based on the following legal grounds under the GDPR:

  • Art. 6(1)(b) GDPR – for the performance of a contract or pre-contractual measures
  • Art. 6(1)(f) GDPR – for the purposes of legitimate interests, particularly the secure and functional provision of the web application

4. Authentication via Microsoft Entra ID (Azure AD)

Access to the web application is provided via Microsoft Single Sign-On (SSO). Users are authenticated through Microsoft Entra ID (formerly Azure Active Directory).

Data processed in the context of SSO:

  • Username (email address)
  • Microsoft account ID
  • Authentication token

Microsoft’s privacy policies also apply: https://privacy.microsoft.com/en-us/privacystatement

5. Hosting and Data Processing by Microsoft Azure

The application is fully hosted via Microsoft Azure in the Europe region. The following Azure components are used:

  • Azure App Service: Hosts the web application (dashboard.matflow.com)
  • Azure SQL Server: Stores and queries dashboard data
  • Power BI Service: Provides interactive reports via Power BI Embedded
  • Power BI Embedded Capacity: Renders dashboards in the frontend using programmatic tokens

A data processing agreement with Microsoft pursuant to Art. 28 GDPR is in place.

Further information about Microsoft Azure’s GDPR compliance: https://learn.microsoft.com/en-us/compliance/regulatory/gdpr

6. Access by Technical Service Providers

For maintenance and further development of the application, an external technical service provider may access Azure resources, the database, and Power BI Embedded with administrative rights. Access is strictly purpose-driven and reviewed regularly. Technical access restrictions apply via defined IP addresses.

7. Data Security

Appropriate technical and organizational measures are implemented in accordance with Art. 32 GDPR to ensure the security of processed data:

  • SSL encryption (HTTPS) for the entire application
  • Azure Key Vault for secure management and storage of sensitive data such as passwords and certificates
  • Role-based access control (least privilege principle)
  • Firewall rules for SQL Server access
  • Logging of security-relevant events
  • Regular security updates for server and software components

8. Data Subject Rights

In accordance with the GDPR, data subjects have the following rights:

  • Right of access to stored personal data (Art. 15 GDPR)
  • Right to rectification of inaccurate data (Art. 16 GDPR)
  • Right to erasure (“right to be forgotten”) (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to certain types of processing (Art. 21 GDPR)

To exercise these rights, please contact the data controller listed above.

9. Data Retention Period

Personal data is stored only as long as necessary for the purposes for which it was collected or as required by legal retention obligations. Thereafter, the data will be deleted or anonymized.