Privacy Policy / Datenschutzerklärung

1.1 We are pleased that you are using the M3 Mobile service portal. In this Privacy Policy, we inform you about the processing of personal data in connection with the use of the service portal.

1.2 Personal data means any information relating to an identified or identifiable natural person. This may include, for example, names, business contact details, user account data, device-related service information, communication data, and technical connection data.

1.3 The controller responsible for the processing of personal data in connection with this service portal is: M3 Mobile GmbH, Am Holzweg 26, D-65830 Kriftel, Germany. Email: cs_gmbh@m3mobile.co.kr

1.4 This service portal is intended exclusively for business customers, entrepreneurs, legal entities, and professional users. However, when business customers use the portal, we process personal data of individual contact persons, employees, representatives, or other persons acting on behalf of such business customers.

1.5 This Privacy Policy applies to the use of the M3 Mobile service portal, including account registration, login, RMA creation, repair processing, quotations, invoicing, shipping, customer communication, and related technical operation of the portal.

2.1 Depending on how you use the service portal, we may process the following categories of personal data: name and surname of the contact person; company name; business email address; business phone number; company address, billing address, and return shipping address; VAT number or other business identification data, where provided; user account data, including login credentials, user ID, account status, role, permissions, and authentication data; password data in encrypted or hashed form; product information, including model name, serial number, warranty status, service package information, and device registration data; RMA number, repair request data, fault description, service history, repair status, diagnosis information, quotation status, and customer approvals or rejections; uploaded documents or attachments; communication data, including service messages, email notifications, quotation communication, invoice communication, and shipping updates; invoicing and payment-related data; logistics data, including shipment address, carrier information, tracking number, dispatch status, and delivery status; technical connection data, including IP address, date and time of access, browser type, operating system, device information, requested URLs, referrer URL, session information, security logs, and error logs.

2.2 We ask customers not to upload or submit unnecessary personal data, sensitive personal data, or private information that is not required for the repair, warranty, RMA, or service process.

3.1 We process personal data for the following purposes: to create and manage user accounts; to verify business customer access to the service portal; to register products and verify warranty status; to create, process, and manage RMA requests; to diagnose defects and process repairs; to issue, send, approve, reject, and manage repair quotations; to issue invoices and manage payment status; to arrange return shipment and logistics; to communicate with customers regarding registration, approval, RMA status, quotations, invoices, repairs, pending issues, and shipping updates; to manage service history and warranty documentation; to comply with statutory commercial, tax, accounting, and record-keeping obligations; to ensure the technical operation, security, stability, and availability of the service portal; to prevent misuse, fraud, unauthorized access, and security incidents; to establish, exercise, or defend legal claims.

3.2 The legal bases for processing are: Art. 6(1)(b) GDPR, where processing is necessary for the performance of a contract or for pre-contractual measures; Art. 6(1)(c) GDPR, where processing is necessary to comply with legal obligations; Art. 6(1)(f) GDPR, where processing is necessary for our legitimate interests; Art. 6(1)(a) GDPR, where we request and receive consent for a specific processing activity.

4.1 To use the service portal, business customers may be required to create an account.

4.2 During registration and account management, we may process the contact person's name, company name, business email address, phone number, company address, VAT number, user role, login credentials, account approval status, and related authentication data.

4.3 Passwords are not stored in plain text. Authentication data is processed using appropriate technical security measures, such as encryption or hashing, depending on the authentication provider and technical implementation.

4.4 The legal basis for account registration and login processing is Art. 6(1)(b) GDPR. Processing for security, misuse prevention, access control, and technical administration is also based on Art. 6(1)(f) GDPR.

5.1 When you create an RMA request or submit a product for repair, we process the information required to handle the service case. This may include product model, serial number, warranty status, service package status, defect description, uploaded documents, diagnosis information, repair status, quotation information, customer approval or rejection, invoice information, and return shipping data.

5.2 The purpose of this processing is to register the service case, verify warranty status, assess the reported defect, prepare quotations where required, perform the repair, document the service history, issue invoices where applicable, and return the product to the customer.

5.3 The legal basis is Art. 6(1)(b) GDPR. Where repair, invoice, accounting, or tax records must be retained by law, the legal basis is Art. 6(1)(c) GDPR. Where processing is necessary for service documentation, fraud prevention, legal defense, or internal administration, the legal basis is Art. 6(1)(f) GDPR.

6.1 The service portal may allow customers to upload documents, photos, screenshots, invoices, delivery notes, warranty documents, or other supporting files.

6.2 Uploaded files are processed only for the purpose of verifying warranty status, diagnosing defects, processing repairs, preparing quotations, confirming service entitlement, handling invoices, or documenting the service case.

6.3 Customers are responsible for ensuring that uploaded documents do not contain unnecessary personal data or sensitive information that is not required for the service process.

6.4 The legal basis for processing uploaded documents is Art. 6(1)(b) GDPR. Where statutory retention obligations apply, the legal basis is Art. 6(1)(c) GDPR. Where processing is required for legal defense or internal documentation, the legal basis is Art. 6(1)(f) GDPR.

7.1 We use your business email address to send service-related transactional notifications. These may include account registration messages, account approval messages, RMA confirmations, repair status updates, quotation notifications, invoice notifications, payment reminders, pending status updates, and shipping notifications.

7.2 These messages are necessary for the operation of the service portal and the processing of RMA, repair, warranty, and service cases.

7.3 We do not use your email address for marketing communications unless there is a separate legal basis or, where required, your prior consent.

7.4 The legal basis for transactional service emails is Art. 6(1)(b) GDPR. For technical delivery, security, and documentation purposes, the legal basis may also be Art. 6(1)(f) GDPR.

8.1 When you access the service portal, technical connection data may be processed automatically. This may include IP address, date and time of access, requested URL, browser type, operating system, device information, referrer URL, session information, error logs, and similar technical data.

8.2 This processing is necessary to provide the portal, maintain system security, prevent misuse, diagnose technical errors, monitor availability, and ensure the stability and security of the service.

8.3 The legal basis is Art. 6(1)(f) GDPR.

8.4 We do not use technical connection data for marketing tracking or user profiling.

8.5 Server logs, security logs, and technical error logs are stored only for as long as necessary for the purposes described above, unless a longer retention period is required for security, legal, or evidentiary reasons.

9.1 The core database of the M3 Mobile service portal is hosted via Supabase in the European Union, currently in the Ireland region (eu-west-1).

9.2 In addition, the service portal uses external technical service providers, including Supabase for database and authentication services, Vercel for hosting and deployment, and Resend for transactional email delivery.

9.3 Where technically and contractually available, M3 Mobile aims to use infrastructure located within the European Economic Area (EEA).

9.4 However, depending on the specific service provider, sub-processor, technical routing, support activity, security measure, email delivery process, or system administration activity, personal data may also be processed outside the EEA.

9.5 Where personal data is transferred to countries outside the EEA for which no adequacy decision exists, M3 Mobile will ensure that appropriate safeguards are in place, such as EU Standard Contractual Clauses, Data Processing Agreements, or other legally recognized safeguards under the GDPR.

10.1 The service portal uses cookies and similar technologies that are technically necessary to provide the portal and its core functions.

10.2 Strictly necessary cookies may be used for purposes such as: maintaining a secure login session; authenticating users; protecting the portal against unauthorized access; storing session status; enabling RMA and account functions; ensuring technical security and stability.

10.3 We do not use third-party marketing cookies, advertising cookies, behavioral tracking cookies, or analytics cookies such as Google Analytics, Meta Pixel, LinkedIn Insight Tag, Hotjar, or similar tools, unless this Privacy Policy is updated and, where required, prior consent is obtained.

10.4 Strictly necessary cookies are used on the basis of Art. 6(1)(f) GDPR and the applicable legal provisions for technically necessary access to or storage of information on the user's device.

10.5 If the portal uses only strictly necessary cookies, no separate cookie consent banner is displayed. If non-essential cookies or tracking technologies are introduced in the future, we will request consent where legally required.

11.1 We disclose personal data only where necessary for the purposes described in this Privacy Policy, where required by law, or where we have a legitimate interest in doing so.

11.2 Recipients may include: M3 Mobile employees and authorized personnel; authorized M3 Mobile service centers; M3 Mobile affiliated companies; logistics providers and shipping carriers; IT service providers, hosting providers, database providers, authentication providers, deployment providers, email delivery providers, and system maintenance providers; tax advisors, accountants, auditors, legal advisors, debt collection providers, or public authorities; payment or banking service providers, where applicable.

11.3 We use external processors for technical operation and service delivery, including Supabase, Vercel, and Resend. These providers process personal data on our behalf to the extent required for database hosting, authentication, deployment, website hosting, technical operation, and transactional email delivery.

11.4 Where required, we enter into Data Processing Agreements with processors in accordance with Art. 28 GDPR.

11.5 Processors may use sub-processors. Where this occurs, the use of sub-processors is subject to the applicable Data Processing Agreement and GDPR requirements.

12.1 The service portal is primarily intended for use by business customers in the European market. However, personal data may be transferred to or accessed from countries outside the EEA where this is necessary for technical operation, support, group-level service processing, warranty handling, service administration, or the use of external processors and sub-processors.

12.2 This may include access by M3 Mobile affiliated companies or technical service providers located outside the EEA, including, where applicable, South Korea or the United States.

12.3 The transfer of personal data to South Korea is legally based on the Adequacy Decision of the European Commission, which recognizes South Korea as providing an adequate level of data protection essentially equivalent to that in the EU.

12.4 Where personal data is transferred to a country outside the EEA for which the European Commission has not issued an adequacy decision (e.g., the United States), we will take appropriate safeguards in accordance with the GDPR, such as EU Standard Contractual Clauses or Data Processing Agreements.

12.5 Personal data will not be transferred to unsafe third countries without appropriate safeguards where such safeguards are required by law.

13.1 We store personal data only for as long as necessary for the purposes for which it was collected, unless statutory retention obligations or legitimate interests require longer storage.

13.2 Account data is generally stored for as long as the customer account remains active. If an account is deleted, account data will be deleted or restricted unless continued storage is necessary for legal, contractual, accounting, warranty, service documentation, or evidentiary reasons.

13.3 RMA, repair, quotation, warranty, and service history data may be stored for the duration necessary to process the service case, document the repair, verify warranty claims, handle follow-up claims, comply with contractual obligations, and defend legal claims.

13.4 Invoice, accounting, commercial, and tax-related records may be stored for up to 10 years where required under German commercial and tax law.

13.5 Technical logs, security logs, and error logs are stored only for as long as necessary for security, troubleshooting, misuse prevention, and evidentiary purposes.

13.6 If data is no longer required for the purposes described above and no statutory retention obligation applies, it will be deleted or anonymized.

14.1 We take appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

14.2 These measures may include access controls, role-based permissions, authentication mechanisms, encryption or hashing of authentication data, secure communication, system monitoring, backups, logging, and contractual obligations with service providers.

14.3 Please note that no internet-based system can be guaranteed to be completely secure. Customers are responsible for keeping their login credentials confidential and for ensuring that only authorized persons access the portal on behalf of their company.

15.1 Subject to the statutory requirements, you have the following rights under the GDPR: right of access under Art. 15 GDPR; right to rectification under Art. 16 GDPR; right to erasure under Art. 17 GDPR; right to restriction of processing under Art. 18 GDPR; right to data portability under Art. 20 GDPR; right to object under Art. 21 GDPR; right to withdraw consent at any time, where processing is based on consent.

15.2 To exercise your rights, please contact us using the contact details provided in Section 1.

15.3 We may need to verify your identity before processing your request.

15.4 Your rights may be limited where statutory retention obligations, contractual obligations, legal claims, or other legally recognized grounds prevent deletion or full disclosure.

16.1 You have the right to lodge a complaint with a competent data protection supervisory authority if you believe that the processing of your personal data violates applicable data protection law.

16.2 The supervisory authority responsible for M3 Mobile GmbH in Hessen is: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Wilhelmstraße 7, 65185 Wiesbaden, Germany. Email: poststelle@datenschutz.hessen.de

16.3 You may also contact another competent data protection supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

17.1 We do not use personal data processed through the service portal for automated decision-making within the meaning of Art. 22 GDPR.

17.2 We do not create user profiles for marketing, advertising, or behavioral tracking purposes.

18.1 We may update this Privacy Policy from time to time if the service portal, processing activities, service providers, legal requirements, or technical implementation change.

18.2 The current version of this Privacy Policy is available through the M3 Mobile service portal.