Privacy Policy
Effective Date: April 30, 2026
1. Introduction & Scope
This Privacy Policy explains how Lasso Mgmt LLC, a U.S. limited liability company registered in the State of Oklahoma, operating under the product name “SafeBrief” (“Company,” “we,” “our,” or “us”), collects, uses, shares, and safeguards personal information in connection with our website, mobile-first EH&S safety briefing platform, and related services (collectively, the “Services”).
This Policy applies to:
- Individual users (such as superintendents, foremen, and crew members) who sign up for and use the Services;
- Clients who subscribe to paid tiers (Pro or Business) of the Services;
- Authorized users (such as employees of subscribing Clients) who access the Platform under a Client account;
- Crew members and other individuals whose names, signatures, and related records are entered by Users into the Platform;
- Visitors who browse our website.
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, you must discontinue use of the Services immediately.
Supplemental agreements (including Terms & Conditions, Data Processing Agreements, and other documents specific to particular features) may also govern specific engagements; in the event of conflict, the more specific agreement will prevail.
2. Definitions
“Personal Data”: Any information relating to an identified or identifiable individual (e.g., name, email, IP address, phone number, signature image, GPS location).
“Processing”: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
“Client Data”: All data uploaded to or generated within the Platform by Users, including site check responses, toolbox talk records, quiz scores, inspection results, JHA records, equipment registry entries, photos, signatures, incident reports, and corrective actions.
“User Data”: Personal Data relating to individuals (such as Client's employees, crew members, or contractors) who use the Platform or whose information is recorded within it.
“AI Outputs”: Toolbox talks, hazard analyses, training recommendations, predictive insights, and other content generated through automated or AI-enabled features of the Platform.
“Applicable Laws”: All relevant privacy and data protection laws, including the California Consumer Privacy Act as amended by CPRA (“CCPA”), the EU General Data Protection Regulation (“GDPR”), UK GDPR, and any U.S. state privacy laws that may apply.
3. Data Controller & Contact Information
For the purposes of applicable privacy laws:
- Controller: Lasso Mgmt LLC, State of Oklahoma, United States.
- Primary Privacy Contact: privacy@lassomgmt.com
- Legal Notices: privacy@lassomgmt.com
- Security Issues: privacy@lassomgmt.com
- General Support: info@lassomgmt.com
When Clients upload information about their employees, crew members, or other individuals into the Platform (such as crew attendance signatures, JHA participants, or assigned-to names on corrective actions), the Client acts as the “controller” of such data. In that capacity, Lasso Mgmt LLC operates as a “processor” under GDPR and similar regimes, processing such data solely on Client's instructions and in accordance with our agreements.
4. Categories of Data Collected
We may collect and process the following categories of Personal Data and business data:
- Identifiers: Name, company name, email address, phone number, job title, trade, username, password (hashed).
- Workforce Data: Crew member names, signature images, attendance records, training completion records, and quiz scores entered into the Platform.
- Transaction Data: Subscription tier, billing details (when payments are processed), invoice records, and upgrade requests.
- Usage Data: IP address, browser type, operating system, device identifiers, Platform activity logs, clickstream data, and login timestamps.
- Safety & Compliance Data: Site check responses, toolbox talk records, JHA records, inspection results, equipment registry entries, photos of hazards and corrective actions, GPS locations of inspections, incident reports, and near-miss reports — all classified as Client Data.
- Location Data: Job site names, ZIP codes for weather lookups, and (where Users opt in) GPS coordinates captured during inspections or incident reports.
- Activity Logs: Detailed audit logs of User actions within the Platform (who completed which inspection, when, etc.) for security and accountability purposes.
- AI Interaction Data: Inputs and outputs from AI-powered features such as toolbox talk generation, JHA hazard suggestions, and training recommendations.
- Cookies & Tracking Data: Information collected through cookies, session tokens, and similar technologies.
No Sensitive Personal Data: We do not intentionally collect sensitive categories of data (such as health records, biometric data, Social Security numbers, or financial account numbers beyond payment processing). SafeBrief is an EH&S safety platform and is not intended for the storage of Protected Health Information (PHI) or other regulated health records. Clients are responsible for ensuring they do not upload PHI or other sensitive data into the Platform.
5. How We Collect Data
We collect Personal Data and business data through the following means:
- Account Creation: When individuals sign up for the free tier directly through our website, when paid tier accounts are created following an upgrade request, and when Client administrators add additional Users within the Platform.
- Direct Input: When Users complete site checks, generate toolbox talks, run inspections, build JHAs, register equipment, log incidents, capture photos, collect crew signatures, and enter other safety data into the Platform.
- Platform Use: When Users interact with the Platform, generating logs and activity records.
- Automated Collection: Through cookies, analytics scripts, server logs, and device identifiers when you interact with our website or Platform.
- Third-Party Sources: From integrated tools (e.g., Tomorrow.io for weather data based on the ZIP codes Users enter, payment processors, error monitoring) where permitted by law.
- Communications: When you contact us via email, support channels, in-app feedback submissions, or training consultation requests.
6. Purposes of Processing
We process data only for legitimate and disclosed purposes, including:
- Service Provision: Operating the Platform, generating site-specific toolbox talks, running inspections and JHAs, managing accounts, and providing customer support.
- Security & Fraud Prevention: Detecting unauthorized access, preventing fraud, and maintaining the integrity of the Platform.
- Customization & Enhancement: Providing personalized briefings based on weather, trade, work environment, and prior usage patterns; AI-generated training recommendations tailored to a Client's observed safety data.
- Business Operations: Account management, billing, auditing, dispute resolution, and responding to upgrade or training consultation requests.
- Analytics & Improvements: Monitoring Platform performance, usage trends, and system health to improve the Services. Analytics may involve aggregated, anonymized data derived from Client Data.
- Legal & Compliance: Meeting regulatory requirements, responding to lawful requests, and enforcing our agreements.
- Communication: Sending service updates, security notices, billing notifications, responses to feedback submissions, and (with separate consent) marketing communications.
We will not process Personal Data for purposes materially different from those disclosed in this Policy without first obtaining your consent.
7. Legal Bases for Processing (GDPR & Global Frameworks)
Where GDPR, UK GDPR, or other global laws apply, we rely on the following legal bases:
- Contractual Necessity: Processing required to provide the Services to individual Users and Clients.
- Legitimate Interests: For internal business operations, fraud prevention, product improvement, security monitoring, and analytics, provided such interests are not overridden by data subject rights.
- Consent: Where required (e.g., marketing emails, non-essential cookies, certain AI features, optional GPS capture).
- Legal Obligation: To comply with applicable laws, tax rules, or regulatory investigations.
For U.S. users, we comply with applicable state privacy regimes (including CCPA/CPRA) by providing the rights described below.
8. Use of AI & Automation
The Services incorporate AI-powered features such as toolbox talk generation, JHA hazard suggestions, training recommendations, and predictive safety insights. These features are designed to assist EH&S decision-making but are not guaranteed to produce flawless results.
AI-generated outputs may contain inaccuracies, limitations, or unintended results. Users must independently review and verify outputs before relying on them, particularly when the outputs relate to OSHA compliance, hazard identification, or worker safety. SafeBrief is a tool to support — not replace — the judgment of qualified safety professionals, competent persons, and supervisors.
Approval or reliance on AI-generated content constitutes acceptance of full responsibility by the User and the User's organization. Lasso Mgmt LLC is not liable for damages, compliance issues, injuries, or losses arising from unreviewed or unverified AI outputs.
Where AI features process Personal Data, we implement safeguards to minimize data exposure and ensure outputs are used only within the authorized Platform context. We do not use Client Data to train general-purpose AI models available to third parties.
9. Sharing & Disclosure of Data
We do not sell Personal Data. We may share data only in these limited circumstances:
- Service Providers: With trusted vendors that provide infrastructure (Supabase for database and storage, Vercel for hosting), AI services (Anthropic for talk and recommendation generation), weather data (Tomorrow.io), payment processing (Stripe, when activated), analytics, error monitoring, email delivery, and technical support. These providers process data only as necessary to perform their services for us and are bound by confidentiality and data protection obligations.
- Affiliates: With corporate affiliates under common ownership with Lasso Mgmt LLC, subject to this Policy.
- Legal Disclosures: When required by law, subpoena, court order, or to protect our legal rights, property, safety of users, or the public.
- Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, data may be transferred to the successor entity. Clients and Users will be notified of such transfers.
All third parties receiving data are bound by contractual obligations to safeguard it and process it only for authorized purposes.
10. International Data Transfers
SafeBrief is hosted on infrastructure located primarily in the United States. If Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or other regions with data export restrictions, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Adequacy decisions where applicable;
- Additional technical and organizational safeguards such as encryption and access controls.
Clients remain responsible for ensuring that any data they upload complies with export and cross-border transfer restrictions applicable to their business.
11. Cookies & Tracking Technologies
We use cookies, local storage, and similar technologies to improve the functionality and performance of our Services. These include:
- Essential Cookies: Required for the Platform to operate (authentication, session management).
- Preference Cookies: To remember User preferences and settings (language toggle between English and Spanish, returning crew names, returning job site names, UI state).
- Analytics Cookies: To monitor traffic and usage trends in aggregate.
Users in jurisdictions requiring consent (e.g., EU, UK, some U.S. states) will be presented with cookie banners and choices in line with legal requirements.
12. Data Retention & Deletion
We retain data only for as long as necessary to provide the Services, fulfill contractual obligations, or comply with legal requirements. Retention periods include:
- Active Users (Free Tier): Free-tier accounts are retained while the account is active. Free-tier history is automatically rolled off after seven (7) days for non-essential records, while account information remains until deletion is requested.
- Active Clients (Paid Tiers): Data is retained throughout the active subscription period.
- Cancelled Accounts: Client Data is retained for thirty (30) days after account cancellation to allow for data export. After this period, data is scheduled for permanent deletion, typically within ninety (90) days, unless extended retention is required by law.
- Billing Records: Financial records are retained for seven (7) years to comply with tax and audit obligations.
- Audit Logs: Platform activity logs are retained for at least two (2) years for security and accountability purposes.
- Compliance Records: Inspection reports, JHAs, toolbox talks with crew sign-in sheets, and incident reports may be retained for the duration of the subscription plus the retention windows above so that Clients have access to records for OSHA audits and other compliance purposes.
- Aggregated Data: Anonymized, aggregated data derived from Client Data may be retained indefinitely as it no longer identifies any individual or organization.
Clients are responsible for downloading and archiving any records they need to retain beyond these windows. Upon account closure or verified deletion request, we will delete or anonymize data within the retention windows above, subject to legal hold exceptions.
13. Data Security Measures
We employ industry-standard security measures to safeguard data, including:
- Encryption of data in transit (TLS) and at rest;
- Row-level security (RLS) policies enforcing data separation between accounts;
- Authentication controls including secure password hashing and session management;
- Access controls ensuring only authorized personnel handle sensitive information;
- Regular security monitoring, error tracking, and logging;
- Daily automated backups with point-in-time recovery;
- Audit logging of administrative actions, including any Platform support actions performed by Company personnel.
While we implement strong protections, no system is completely secure. Users and Clients are responsible for safeguarding their login credentials, using strong passwords, enabling available security features, and maintaining appropriate security for data uploaded into the Platform.
Clients must promptly notify us at privacy@lassomgmt.com if they suspect any unauthorized access.
14. Children's Privacy
SafeBrief is a workplace EH&S platform intended for use by adults in occupational settings. Our Services are not directed to children and we do not knowingly collect Personal Data from individuals under the age of 16. If we learn that a child's information has been collected without parental consent, we will delete it promptly.
Clients are responsible for ensuring that any individuals whose information is entered into the Platform (such as crew members) meet applicable minimum age requirements for the work being performed.
15. Client Data vs. User Data Responsibilities
Client Responsibility: Clients (typically employers or supervisors of paid-tier accounts) act as “data controllers” with respect to the workforce information uploaded into the Platform, including crew names, signatures, attendance records, and training records. Clients are responsible for obtaining required consents from their employees and other Users, providing privacy notices as required by law, and ensuring their use of the Services complies with applicable data protection and labor laws.
Company Responsibility: Lasso Mgmt LLC acts as a “data processor” for Client Data and User Data, handling such data strictly in accordance with Client instructions and contractual obligations.
Data Processing Agreement: Clients subject to GDPR or similar regulations may request a Data Processing Agreement (DPA) by contacting privacy@lassomgmt.com.
No Assumption of Liability: We do not assume liability for a Client's misuse of User data or failure to comply with applicable privacy or labor laws.
16. Your Privacy Rights (GDPR, CCPA, and Other Regimes)
Depending on your jurisdiction, you may have the following rights with respect to Personal Data we hold about you:
- Right to access your Personal Data;
- Right to correct inaccuracies;
- Right to deletion (“Right to be Forgotten”);
- Right to restrict or object to processing;
- Right to data portability;
- Right to opt out of sale or sharing (CCPA);
- Right to withdraw consent where processing is based on consent;
- Right to non-discrimination for exercising privacy rights (CCPA).
Note: For information that a Client uploads about their employees or crew members, requests must generally be directed to the Client (who is the data controller). We will assist Clients in fulfilling valid requests as required by law.
17. Exercising Your Privacy Rights
To exercise your rights, contact us at privacy@lassomgmt.com. We may require identity verification before fulfilling requests to prevent unauthorized access.
We will respond to verified requests within legally mandated timeframes:
- Thirty (30) days under GDPR, extendable by up to two additional months for complex requests;
- Forty-five (45) days under CCPA, extendable by another forty-five (45) days where necessary.
We will not discriminate against any individual for exercising their privacy rights.
18. Third-Party Links & Services
Our Services may link to external websites or rely on third-party APIs (such as Tomorrow.io for weather data and Anthropic for AI generation). We are not responsible for the privacy practices or content of third parties. Users should review third-party privacy policies before engaging with their services.
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, or business practices. Updates will be posted on our website with a revised “Effective Date.” For material changes, we will notify Users via email or in-app notification at least thirty (30) days before changes take effect. Where legally required, we will obtain consent before continuing processing under materially changed terms.
20. Contact & Complaints
For questions, concerns, or complaints regarding this Privacy Policy or our data practices, please contact:
Lasso Mgmt LLC
Attn: Privacy Team
109 Oklahoma 66
Arcadia, OK 73007, USA
Privacy: privacy@lassomgmt.com
Legal Notices: privacy@lassomgmt.com
Security Issues: privacy@lassomgmt.com
If you are located in the EU/UK and wish to lodge a complaint with a supervisory authority, you may do so with the data protection authority in your country of residence.