Privacy Policy
SupplyLasso — Lasso Mgmt LLC
Effective Date: April 24, 2026
1. Introduction & Scope
Lasso Mgmt LLC (“Company,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with the SupplyLasso platform and related websites, mobile applications, APIs, and services (collectively, the “Services”).
This Policy applies to personal data processed by Company as a controller — principally, information about the individuals who sign up for, administer, or use SupplyLasso on behalf of a Client organization, and visitors to our marketing websites. Where we process personal data on behalf of a Client (for example, records that a Client’s staff upload into the platform), we act as a processor and the Client is the controller; the Client’s own privacy notice governs how that data is collected from end-users.
By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Controller” means the party that determines the purposes and means of the processing of Personal Data.
- “Processor” means the party that processes Personal Data on behalf of a Controller.
- “Client” means the organization that subscribes to the Services.
- “Client Data” means data a Client submits to, stores in, or generates through the Services.
- “User” means an individual authorized by a Client to use the Services.
- “You” means, depending on context, a User, a visitor to our websites, or any other individual whose Personal Data we process.
3. Data Controller & Contact Information
The data controller for Personal Data processed under this Policy is:
Lasso Mgmt LLC
Attn: Privacy Team
109 Oklahoma 66
Arcadia, OK, USA
Email: info@lassomgmt.com
For questions about this Policy, to exercise your privacy rights, or to report a privacy concern, contact us using the information above or in Section 20.
4. Categories of Data Collected
We collect the following categories of Personal Data:
- Account & Contact Information: name, email address, phone number, job title, organization name, location, and role.
- Authentication Data: login credentials, password hashes (we never store plaintext passwords), session tokens, and multi-factor authentication metadata.
- Usage Data: pages viewed, features used, actions taken (e.g., purchase orders created, items scanned), timestamps, and performance metrics.
- Device & Technical Data: IP address, browser type, device type, operating system, referring URLs, and general location derived from IP.
- Billing Information: billing contact, billing address, tax identifiers, and, via our payment processor, payment-method metadata (we do not store full card numbers).
- Communications: the content of support requests, demo request forms, feedback, and other communications with us.
- Client-Uploaded Content: data a Client’s User uploads or enters, which may incidentally contain Personal Data of providers, staff, or patients. We act as a processor for such content.
SupplyLasso is not designed to receive protected health information (PHI) about patients. Clients subject to HIPAA should not upload PHI without a Business Associate Agreement (BAA) in place with Company.
5. How We Collect Data
We collect Personal Data in the following ways:
- Directly from you, when you create an account, request a demo, submit a contact form, communicate with support, or otherwise interact with the Services.
- From your organization, when a Client adds you as a User, invites you to the platform, or uploads data that references you.
- Automatically, when you use the Services, through cookies, server logs, and analytics tools (see Section 11).
- From third parties, such as identity providers, payment processors, email/SMS delivery providers, and vendor integrations that return data (e.g., prices, stock levels) when Clients use them.
6. Purposes of Processing
We process Personal Data for the following purposes:
- Providing the Services, including account provisioning, authentication, access control, core platform functionality, and support;
- Billing and account administration, including invoicing and collection of fees;
- Product improvement, including aggregate analytics, performance monitoring, bug diagnosis, and research and development;
- Security and fraud prevention, including detecting and responding to unauthorized access, abuse, or policy violations;
- Communications, including transactional emails, service announcements, onboarding messages, and (where permitted) marketing communications about features relevant to Clients;
- Legal and compliance purposes, including responding to valid legal requests, enforcing our Terms, and meeting regulatory obligations.
7. Legal Bases for Processing (GDPR & Global Frameworks)
For individuals in the European Economic Area, the United Kingdom, or other jurisdictions with comparable data protection laws, we rely on the following legal bases for processing Personal Data:
- Contract: processing necessary to provide the Services to you or your organization and to perform under our Terms and Conditions.
- Legitimate Interests: processing necessary for our legitimate interests in operating, securing, and improving the Services, provided those interests are not overridden by your rights and freedoms.
- Consent: processing based on your consent (for example, for certain marketing communications or non-essential cookies), which you may withdraw at any time.
- Legal Obligation: processing necessary to comply with our legal obligations.
Where we rely on legitimate interests, you have the right to object to processing on that basis (see Section 16).
8. Use of AI & Automation
The Services use artificial intelligence and automation to support features such as cost-savings recommendations, item categorization, par-level suggestions, vendor scorecards, and related analytics. These features process Client Data (which may include limited Personal Data such as User names associated with purchase orders) to generate outputs.
We do not use Client Data to train third-party foundation models. Where a feature sends content to a third-party AI provider for processing, the provider acts as our subprocessor under contractual terms that restrict use to serving the request. AI outputs are decision support and are not a substitute for professional judgment; Users should review them before acting.
We do not use solely automated decision-making that produces legal or similarly significant effects on you. If that changes, we will update this Policy and, where required, obtain consent or offer a meaningful appeal mechanism.
9. Sharing & Disclosure of Data
We disclose Personal Data only as follows:
- Within the Client organization: data is accessible to other Users of the same Client according to role and permission settings configured by the Client.
- With service providers (subprocessors): we share data with vendors that help us operate the Services, including cloud hosting, database, email, SMS, analytics, error monitoring, and payment providers. These providers are contractually bound to protect Personal Data and use it only to perform services for us.
- With vendor integrations you enable: when a Client uses a feature that transmits data to a third-party vendor or EDI network (e.g., sending a purchase order), we transmit the required data on the Client’s behalf.
- For legal reasons: we may disclose Personal Data to comply with law, legal process, or lawful governmental request, or to protect the rights, property, or safety of Company, our Clients, or others.
- In a business transaction: in connection with a merger, acquisition, financing, or sale of assets, Personal Data may be transferred, subject to standard confidentiality protections and applicable law.
We do not sell Personal Data, and we do not share it for cross-context behavioral advertising.
10. International Data Transfers
Company is based in the United States and processes Personal Data in the United States. If you access the Services from outside the United States, you acknowledge that your Personal Data will be transferred to, stored, and processed in the United States or other countries where we or our subprocessors operate.
Where transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to the United States or other third countries occur, we rely on appropriate safeguards, including, where applicable, Standard Contractual Clauses, adequacy decisions, or other approved transfer mechanisms. Upon request, we can provide information about the specific safeguards used.
11. Cookies & Tracking Technologies
We use cookies and similar technologies to operate the Services, remember your session, understand usage, and improve the product. Categories:
- Strictly necessary: required for authentication, security, and core platform functionality. These cannot be disabled through a cookie banner because the Services cannot function without them.
- Performance / analytics: help us understand how the Services are used so we can improve them.
- Preferences: remember settings such as display options.
We do not use advertising or cross-site tracking cookies. You can control cookies through your browser settings; blocking strictly necessary cookies may prevent the Services from working.
12. Data Retention & Deletion
We retain Personal Data for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements.
- Account data is retained for the duration of the Subscription plus a reasonable wind-down period.
- Client Data uploaded by a Client is retained according to that Client’s instructions and the retention settings of the Services. Upon Subscription termination, Client Data is made available for export for sixty (60) days and then deleted from active systems, subject to any longer retention required by law (see Terms, Section 23).
- Billing and tax records are retained for the period required by applicable tax, accounting, and legal rules.
- Security logs are retained only as long as needed for security, fraud prevention, and troubleshooting.
- Backups may temporarily retain data after deletion from active systems. Backups are encrypted and cycled out according to our retention schedule.
13. Data Security Measures
We implement administrative, technical, and physical safeguards designed to protect Personal Data against loss, misuse, unauthorized access, disclosure, alteration, and destruction. Measures include, among others:
- Encryption of data in transit (TLS) and at rest;
- Tenant isolation through database row-level security policies that restrict access to each Client’s data;
- Role-based access controls and least-privilege administrative access;
- Logging of administrative and impersonation actions, with audit trails;
- Regular review of security controls and vendor risk;
- Secure software development practices, including code review and dependency management.
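The tenant-isolation measure listed above is commonly implemented with database row-level security. The following PostgreSQL snippet is an added illustration of that pattern; it is not Company's own schema or code, and the table, column, role and setting names (purchase_orders, client_id, supplylasso_app, app.current_client) are assumptions chosen for the example.

```sql
-- Added illustration of tenant isolation via PostgreSQL row-level security.
-- Names below are assumptions for the example, not Company's actual schema.
CREATE TABLE purchase_orders (
    id         bigserial PRIMARY KEY,
    client_id  uuid  NOT NULL,   -- the tenant that owns the row
    created_by text  NOT NULL,   -- User who created the order
    payload    jsonb NOT NULL
);

-- Enable RLS, and FORCE it so that even the table owner is bound by the
-- policy (by default the owner bypasses RLS on its own tables).
ALTER TABLE purchase_orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE purchase_orders FORCE ROW LEVEL SECURITY;

-- The application sets the tenant once per transaction:
--     SET LOCAL app.current_client = '<client uuid>';
-- current_setting(name, true) returns NULL when the setting is absent, so a
-- request that forgot to set the tenant matches NO rows instead of all rows.
CREATE POLICY tenant_isolation ON purchase_orders
    USING      (client_id = current_setting('app.current_client', true)::uuid)
    WITH CHECK (client_id = current_setting('app.current_client', true)::uuid);

-- The role the application connects through must not be able to bypass RLS:
-- no SUPERUSER, no BYPASSRLS, and it must not own the table.
CREATE ROLE supplylasso_app NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON purchase_orders TO supplylasso_app;
GRANT USAGE ON SEQUENCE purchase_orders_id_seq TO supplylasso_app;

-- Check: a request scoped to tenant A cannot see tenant B's rows.
-- (The connecting user must be a member of supplylasso_app for SET ROLE.)
BEGIN;
SET LOCAL ROLE supplylasso_app;
SET LOCAL app.current_client = '11111111-1111-1111-1111-111111111111';
SELECT count(*) AS cross_tenant_rows
  FROM purchase_orders
 WHERE client_id = '22222222-2222-2222-2222-222222222222';  -- expect 0
ROLLBACK;
```

The two details most often missed in practice are `FORCE ROW LEVEL SECURITY` (without it, a migration or admin connection that owns the table silently bypasses the policy) and the `NOBYPASSRLS` application role; a policy is only as strong as the guarantee that every query path runs under a role the policy actually applies to.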
Despite these measures, no system is perfectly secure. In the event of a confirmed Security Incident affecting Personal Data, we will notify affected parties as required by applicable law.
14. Children's Privacy
The Services are not directed to children and are intended for use by adults acting in a professional capacity. We do not knowingly collect Personal Data from children under the age of 16 (or a higher minimum age where local law requires one). If we learn that we have collected Personal Data from a child under the applicable minimum age, we will delete that information as promptly as reasonably possible. If you believe we may have collected information from a child, please contact us at info@lassomgmt.com.
15. Client Data vs. User Data Responsibilities
When a Client uses the Services, the Client controls the content of its Client Data, including who has access to it and how it is used within the platform. In that capacity, the Client is the data controller, and Company is a data processor acting on the Client’s instructions.
If you are a User whose Personal Data is processed through the Services at the direction of a Client (for example, your employer), questions about that processing — including requests to access, correct, or delete your information — should be directed first to the Client. We will support the Client in responding to your request in accordance with our contractual obligations.
We act as a data controller for the limited Personal Data we process independently, such as account provisioning, billing, support, and our own product analytics.
16. Your Privacy Rights (GDPR, CCPA, and Other Regimes)
Depending on where you live, you may have some or all of the following rights with respect to the Personal Data we process about you:
- Access: request confirmation of whether we process your Personal Data and a copy of that data.
- Correction: request that we correct inaccurate or incomplete Personal Data.
- Deletion: request deletion of your Personal Data, subject to exceptions required by law or legitimate business need.
- Restriction / Objection: request that we restrict certain processing, or object to processing based on legitimate interests.
- Portability: request a copy of Personal Data you provided to us in a structured, commonly used format.
- Withdraw consent: where processing is based on consent, withdraw that consent at any time.
- Non-discrimination: for California residents and others with similar rights, the right not to receive discriminatory treatment for exercising your privacy rights.
- Lodge a complaint: with a supervisory authority in your jurisdiction.
17. Exercising Your Privacy Rights
To exercise any of the rights in Section 16, contact us at info@lassomgmt.com. We may need to verify your identity before responding, and we may request additional information necessary to process your request.
We will respond within the timeframe required by applicable law. If your request concerns Personal Data processed on behalf of a Client, we will forward your request to that Client and support their response.
You may designate an authorized agent to make a request on your behalf, subject to verification of the agent’s authority.
18. Third-Party Links & Services
The Services may contain links to third-party websites, integrations with vendor platforms, and references to third-party services. This Policy does not apply to those third parties. We encourage you to review the privacy notices of any third party before providing Personal Data to them.
We are not responsible for the content, privacy practices, or security of third-party websites or services.
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, the Services, or the law. When we make material changes, we will update the “Effective Date” at the top of this Policy and, where appropriate, provide additional notice (for example, by email to the administrative contact on file or an in-product notification).
Your continued use of the Services after the Effective Date of an updated Policy constitutes your acceptance of the updated terms.
20. Contact & Complaints
For privacy questions, requests, or complaints, please contact our Privacy Team using the details in the Contact block below. You may also contact us by postal mail at the address listed.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection authority. We ask that you first contact us so we have the opportunity to address your concern.
Contact
Lasso Mgmt LLC
Attn: Privacy Team
109 Oklahoma 66
Arcadia, OK, USA
Email: info@lassomgmt.com
Legal Notices: legal@lassomgmt.com
Security Issues: info@lassomgmt.com