Privacy Policy

This Privacy Policy describes how Lasso Mgmt LLC, an Oklahoma limited liability company (“Company”, “we”, “us”, or “our”), collects, uses, shares, stores, and protects personal information in connection with the Lasso Learn website, training platform, custom course development services, and any related applications or APIs (collectively, the “Services”).

This policy applies to (a) visitors to our marketing website, (b) administrators and other authorized users of organizations that purchase the Services (each, a “Client”), and (c) individual learners whom a Client authorizes to access training through the Platform (each, a “Learner”).

This Privacy Policy is incorporated into and forms part of the Terms and Conditions. Capitalized terms used but not defined here have the meanings given in the Terms and Conditions.

We collect the categories of information described below.

a. Information you provide directly

• Account information: name, business email address, phone number, organization name, role, and authentication credentials (such as a password, PIN, or QR token) when an administrator or Learner is created.
• Contact form and demo requests: name, email, company, employee count, industry, and any free-text message you submit.
• Client Materials: standard operating procedures, manuals, handbooks, slide decks, video, audio, images, scripts, brand assets, and any other source materials you upload for custom course development.
• Payment and billing information: billing contact details and limited transactional data; full payment card details are handled by our payment processor and are not stored by us.
• Support communications: the content of emails, support tickets, and chat conversations you send to us.

b. Learner activity data

• Course assignments, launches, completions, time spent, quiz attempts and scores, certificate issuance, and attendance for in-person sessions.
• Language and notification preferences saved by a Learner in the Platform.

c. Information collected automatically

• Device and connection data: IP address, browser type and version, operating system, device identifiers, referring URLs, and the dates and times of access.
• Usage data: the pages, features, and APIs you use, the actions you take, and diagnostic information about errors or performance.
• Cookies and similar technologies: as described in Section 10.

We use the information we collect to:

• Provide, operate, secure, and maintain the Services, including authenticating users and provisioning access;
• Develop, host, and deliver Custom Courses based on Client Materials;
• Track and report on Learner training activity, completions, certifications, and compliance status for the Client;
• Process payments, manage subscriptions, and send billing communications;
• Respond to inquiries, demo requests, and support tickets;
• Send service announcements, security alerts, and other administrative communications;
• Send product updates and marketing communications, where permitted and subject to your right to opt out;
• Analyze how the Services are used to improve features, performance, security, and reliability; and
• Comply with legal obligations, enforce our agreements, and protect the rights, property, or safety of the Company, our users, or others.

Where applicable data-protection law requires it, we process personal information on one or more of the following legal bases:

• Contract: to provide the Services to a Client under the Terms and Conditions or an Order, including processing Learner data on the Client's behalf;
• Legitimate interests: to operate, secure, and improve the Services, prevent fraud and abuse, and communicate with users in ways they would reasonably expect, where those interests are not overridden by the rights of the data subject;
• Consent: where we ask for it — for example, for certain marketing communications or non-essential cookies; and
• Legal obligation: to comply with applicable laws, regulations, court orders, and lawful requests from public authorities.

We do not sell personal information. We share information only in the limited circumstances described below.

• Within the Client's organization: Learner activity data is made available to the administrators of the Client whose account the Learner belongs to, including for compliance reporting and audit purposes.
• Service providers (processors): we share information with vendors that help us run the Services, such as cloud hosting and database providers, authentication providers, email and notification delivery, payment processors, video processing, analytics, and AI tools used in course development. These providers are bound by contracts that restrict their use of the information to providing services to us.
• Legal and safety: we may disclose information when we believe in good faith that disclosure is required by law, legal process, or governmental request, or is necessary to enforce our Terms, protect the security or integrity of the Services, or protect the rights, property, or safety of the Company, our users, or others.
• Business transfers: if the Company is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to the receiving party honoring the commitments made in this Privacy Policy or providing equivalent protection.
• With your direction: we may share information when you direct us to do so.

The Services are hosted on infrastructure provided by reputable cloud providers, including Supabase for our primary database and authentication layer. Information may be stored and processed in the United States or other jurisdictions where our service providers operate.

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These safeguards include encryption of data in transit using industry-standard TLS, encryption of data at rest where supported by underlying infrastructure, role-based access controls, server-side row-level security on database tables containing user data, and routine review of access and security events.

No method of transmission or storage is perfectly secure. We cannot and do not guarantee absolute security, but we work continuously to maintain a level of protection appropriate to the sensitivity of the information involved.

We retain personal information for as long as is necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. In practice this generally means:

• Account and Learner data: retained while the Client's account is active and for a reasonable period afterward to allow data export and audit support;
• Training and compliance records: retained to support the Client's recordkeeping obligations (for example, OSHA bloodborne pathogens training records, which the Client may need to keep for at least three years);
• Billing records: retained for the period required by applicable tax and accounting law; and
• Backups: may persist for a limited period after deletion as part of routine backup rotation.

On termination of a Client's account, we will make a one-time export available on request as described in the Terms and Conditions, after which we may delete the Client's data except to the extent we are required to retain it.

Depending on where you live, you may have the following rights with respect to personal information we hold about you:

• Access: request confirmation of whether we process personal information about you and a copy of that information;
• Correction: ask us to correct information that is inaccurate or incomplete;
• Deletion: ask us to delete information we hold about you, subject to certain exceptions;
• Portability: ask for a machine-readable copy of information you provided to us;
• Restriction or objection: ask us to restrict or object to certain processing activities;
• Withdrawal of consent: withdraw consent at any time where processing is based on consent (without affecting prior processing); and
• Non-discrimination: not be discriminated against for exercising your privacy rights.

To exercise any of these rights, contact us at howdy@lassomgmt.com. We may need to verify your identity before acting on a request. If you are a Learner whose information is processed on behalf of a Client, please contact your organization's administrator first; we will support the Client in responding to your request.

When a Client uses the Services to train its Learners, the Client is the controller of the personal information of its Learners and the Company acts as a processor. The Client is responsible for providing any required notices to, and obtaining any required consents from, its Learners regarding the collection and use of their information through the Services.

The Company processes Learner information only as instructed by the Client (including by means of the Client's configuration of the Services) and as described in the Terms and Conditions and this Privacy Policy, and uses Learner information for our own purposes only as necessary to provide, secure, and improve the Services, to comply with law, or as otherwise permitted by applicable data-protection law.

If a Learner has questions about how their training data is used, they should contact the administrator of the organization through which they were assigned training. Learners may also contact us at howdy@lassomgmt.com, and we will coordinate with the relevant Client to respond.

We use cookies and similar technologies (such as local storage and session storage) for purposes including:

• Authentication and security: to keep users signed in, to identify the device making a request, and to detect suspicious activity;
• Preferences: to remember language and other interface preferences; and
• Analytics: to understand how visitors and users interact with the Services so that we can improve them.

Most browsers let you control cookies through their settings. Blocking essential cookies (such as the ones used for authentication) will prevent the Services from functioning correctly.

The Services depend on third-party providers in several categories. The current categories include, but are not limited to:

• Cloud hosting and database: infrastructure used to run the Platform and store Client and Learner data, including Supabase;
• Email and notification delivery: services used to send transactional emails such as password resets, completion notifications, and administrative messages;
• Payment processing: services used to take and process subscription and one-time payments;
• Analytics: services used to measure aggregate usage and performance of the Services;
• Content creation tools: tools used during custom course development, including video, audio, image, and AI tools; and
• Customer support: tools used to receive and respond to support inquiries.

These third parties have their own privacy practices, which we encourage you to review. We share only the information needed to provide the relevant function.

The Services are intended for use by businesses and their adult workforces. The Services are not directed to children under sixteen (16) years of age, and we do not knowingly collect personal information from children under sixteen. If we learn that we have collected personal information from a child under sixteen without verified parental consent, we will take steps to delete that information promptly. If you believe we may have collected information about a child, please contact us at howdy@lassomgmt.com.

The Company is based in the United States, and our service providers may also be located in the United States or in other countries. By using the Services, you understand that information we collect may be transferred to, stored in, and processed in the United States and other jurisdictions, which may have data-protection laws that differ from those of your country.

Where required by applicable law, we rely on appropriate safeguards (such as standard contractual clauses) for international transfers of personal information.

We may update this Privacy Policy from time to time. When we do, we will post the revised policy on the Lasso Learn website and update the Effective Date at the top of this page. For material changes, we will use commercially reasonable efforts to notify Clients through the Platform or by email to the Client's billing contact. Your continued use of the Services after the updated policy takes effect constitutes your acceptance of the changes.

If you have questions about this Privacy Policy or our privacy practices, or if you would like to exercise any of the rights described above, please contact us at:

Lasso Mgmt LLC
Attn: Privacy
howdy@lassomgmt.com