Privacy Policy

Lasso Privacy Policy

Last updated: August 30, 2025

This Privacy Policy explains how Lasso Inc. (“Lasso”, “we”, “us”) collects, uses, and shares information about Merchants and End-Customers when Merchants use our Services.

Who We Are; Scope

We provide checkout/orchestration tools and hosted components that Merchants embed in their websites and post-purchase flows. U.S.-only onboarding: We currently contract with U.S.-domiciled business customers. End-Customers may be located anywhere.

Roles (Controller vs. Processor/Service Provider)

End-Customer data processed for a Merchant’s transactions: Merchant = Controller; Lasso = Processor/Service Provider.

Merchant data for account/admin and our own operations data: Lasso = Independent Controller.

Information We Process

Merchant account/admin: name, business contact, billing details, auth credentials, logs, usage.

End-Customer transaction metadata: order details; billing/shipping addresses; contact info; device/network identifiers; session/events; token identifiers/aliases from provider-hosted components. We do not store raw card PAN or sensitive authentication data.

Support & communications: messages and attachments you send us.

Automatically collected: diagnostics, crash and performance logs, and security signals.

Sources

Directly from Merchant; from End-Customer interactions with checkout flows; from Designated Providers; and from our infrastructure and analytics tools.

How We Use Information

Provide, secure, support, and improve the Services; render checkout; orchestrate payments; sync orders to commerce platforms; prevent fraud/abuse; comply with law; and communicate with you.

Create aggregated/de-identified analytics for product improvement (not to identify a person).

Sharing

Service providers/sub-processors that help us host, deliver, and support the Services (see Sub-processor List).

Designated Providers (e.g., orchestration/gateway/checkout platforms) at Merchant’s direction to process payments.

Commerce platforms (e.g., Shopify/WooCommerce) at Merchant’s direction for order sync.

Legal/safety: to comply with law, enforce terms, or protect rights, safety, and security.

Business transfers: in connection with a merger, acquisition, or sale of assets.

U.S. “Service Provider/Processor” Commitments (CPRA & similar)

For End-Customer personal information we process for Merchants, we:

Process only to provide/secure/support/improve the Services per Merchant’s instructions;

Do not Sell or Share personal information and do not use it for Cross-Context Behavioral Advertising;

Implement reasonable security and provide breach notice without undue delay and within 72 hours of confirming a breach;

Flow down obligations to sub-processors and remain responsible for them;

Delete or return personal information on request or at end of term, subject to legal retention;

Provide reasonable assistance with Consumer requests and compliance.

Sub-processors

We maintain a Sub-processor List, available upon request, with purposes, locations, and links. Changes to the Sub-processor List will follow the process described in Section 11 of the Terms of Service.

Security

We use administrative, technical, and physical safeguards appropriate to the nature of the data (including encryption in transit, encryption at rest where we store personal data, access controls, logging/monitoring, and incident response). No method of transmission or storage is 100% secure.

Retention

We keep personal information for as long as necessary to provide the Services and fulfill the purposes above, then delete or de-identify it unless law requires longer retention.

International Transfers (if/when applicable)

We contract with U.S. merchants. If Merchant’s usage involves personal data from the EEA/UK/Switzerland, we will use appropriate transfer mechanisms (e.g., EU SCCs/UK Addendum/Swiss adaptations) only to the extent required by law.

Children

The Services are not directed to children and we do not knowingly collect personal information from children under 13 (or higher age where applicable).

Your Privacy Choices & U.S. State Rights

Merchants: manage account information in the dashboard or contact us.

End-Customers: requests to access, delete, or correct information should be sent to the Merchant (the Controller). We will assist the Merchant in fulfilling such requests.

Opt-in ad signals: If a Merchant enables ad platform connections, End-Customer consent and controls are handled by the Merchant; Lasso provides connection toggles.

Changes to This Policy

We may update this Policy; material changes will be posted in the dashboard or on our site. Continued use after the effective date constitutes acceptance.

Contact

Lasso Inc.

Legal/Privacy: admin@lassocart.com

Address: 3237 Brookline Rd, Wilmington, DE 19808