Object & Order Privacy Policy Last updated: May 16, 2026 This Privacy Policy describes how Object & Order LLC, a Tennessee limited liability company (“Object & Order,” “we,” “us,” or “our”), collects, uses, and shares information when you use our trade purchasing and practice management platform and our marketing website (together, the “Service”). This Policy applies to interior designers and design firms who use the Service (“you” or “your”). If you do not agree with this Policy, do not use the Service. 1. Information We Collect 1.1 Information you provide directly. When you sign up and use the Service, we collect information you provide, including: • Name, email address, business name, mailing address, phone number, and other contact details; • Professional credentials, including NCIDQ certification numbers, state license or registration numbers, and business entity and resale certificate information; • Account login credentials, including passwords and authentication tokens; • Payment information, including bank account or payout details collected through Stripe (Object & Order does not store full payment card numbers); • Project, schedule, contact, task, and product data you create or upload to the Service; and • Communications with us, including support requests and feedback. 1.2 Information about your clients. Through normal use of the Service, you will upload or create records about your clients, including contact information, project details, and billing information. You are responsible for ensuring you have the right to share this information with us and for informing your clients about how their information is handled. 1.3 Information collected automatically. When you use the Service, we automatically collect: • Device and browser information, including device type, operating system, browser type and version, and screen size; • IP address and approximate location derived from it; • Usage data, including pages and features accessed, actions taken, time spent, referring URLs, and timestamps; • Cookie and similar identifiers (see Section 7); and • Error and performance data. 1.4 Information from third parties. When you connect a third-party service to your account (such as Gmail, Outlook, QuickBooks, or Stripe), we receive information from that service based on the permissions you grant. See Section 2 for details on email integrations. 2. Email Integration and Inbox Scanning This section is important. Please read it carefully if you connect a Gmail or Outlook account to the Service. 2.1 What we access. If you choose to connect a Gmail account (via Google OAuth) or an Outlook account (via Microsoft OAuth), you grant Object & Order permission to access your email inbox to provide features such as automatic order tracking, contact creation, and task creation from emails. 2.2 What we look for. Our systems scan email messages to identify and extract information relevant to your trade purchasing activity, including vendor order confirmations, shipping updates, invoices, tracking numbers, and related vendor communications. 2.3 What we store. We store only the information needed to provide these features, which may include sender and recipient addresses, subject lines, timestamps, order numbers, tracking numbers, item details, prices, and the body content of identified order-related emails. Emails that are not identified as relevant to your trade purchasing activity are not stored. 2.4 What we do not do. We do not read, store, or use your email content for advertising. We do not sell your email content. We do not use the content of your emails to train artificial intelligence models. We do not access your inbox for any purpose other than providing the features described in this Section. 2.5 Google API Services User Data Policy. Object & Order’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. 2.6 Microsoft Graph API. Object & Order’s use of information received from Microsoft Graph (including Outlook mail data) is governed by this Policy and limited to providing the features you have authorized. 2.7 Disconnecting. You may disconnect your email account at any time through the Service or by revoking access in your Google or Microsoft account settings. Disconnecting will stop new email scanning, but previously stored data will remain in your account unless you delete it. 3. Artificial Intelligence Processing 3.1 Several features of the Service use artificial intelligence models, including order detection in email, web clipper auto-fill, and other automation features. 3.2 To provide these features, we send the relevant content (such as the text of an order confirmation email or the content of a clipped product page) to third-party AI service providers. These providers process the content to return a structured result back to the Service. 3.3 We use AI service providers that contractually agree not to use your data to train their models and that limit retention of submitted content to short, operational windows. 3.4 AI features are probabilistic and may produce inaccurate, incomplete, or out-of-date results. You should verify any AI-generated output before relying on it for a business decision. 4. How We Use Information 4.1 We use the information we collect to: (a) Provide, operate, and maintain the Service; (b) Verify your professional credentials and eligibility; (c) Place orders with vendors on your behalf and process payments; (d) Communicate with you about your account, orders, support requests, and changes to the Service; (e) Send you marketing communications about Object & Order (you may opt out at any time); (f) Monitor, analyze, and improve the Service, including measuring engagement and diagnosing technical issues; (g) Detect and prevent fraud, abuse, and security incidents; (h) Comply with legal obligations and enforce our Terms of Service; and (i) Develop new products and features. 4.2 We may also create aggregate, de-identified, and anonymized data from the information we collect and use it for any lawful purpose, including product improvement, analytics, benchmarking, industry research, and vendor-facing products. Aggregate and anonymized data does not identify you, your firm, or your clients. 5. How We Share Information 5.1 Service providers and subprocessors. We share information with third-party service providers who help us operate the Service. These providers are bound by confidentiality obligations and may only use the information to provide services to us. Our current subprocessors are: • Supabase — database hosting and authentication; • Vercel — application hosting; • Stripe — payment processing, including Stripe Connect and Stripe Tax; • Google — Gmail API access for users who connect a Gmail account; • Microsoft — Outlook API access for users who connect an Outlook account; • QuickBooks (Intuit) — accounting integration for users who connect a QuickBooks account; • PostHog — product analytics; • Google Analytics — website analytics; and • AI service providers — to power AI features described in Section 3. 5.2 Vendors. When you use the Service to place orders, we share information with the vendors fulfilling those orders, including your name and contact information (so they can maintain a direct working relationship with you), shipping addresses, and order details. 5.3 Legal and safety. We may share information to comply with applicable law or legal process, respond to lawful requests from public authorities, enforce our Terms of Service, protect the rights, property, and safety of Object & Order and others, and investigate fraud or security incidents. 5.4 Business transfers. If Object & Order is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy. 5.5 With your consent. We may share information for other purposes with your consent or at your direction. 6. We Do Not Sell Your Personal Information 6.1 Object & Order does not sell your personal information, and we do not share your personal information for cross-context behavioral advertising. 7. Cookies and Analytics 7.1 Cookies. We use cookies and similar technologies to operate the Service, remember your preferences, keep you signed in, and understand how the Service is used. 7.2 PostHog. We use PostHog to capture product usage events, feature engagement, and session data. PostHog helps us understand which features designers actually use so we can prioritize improvements. 7.3 Google Analytics. We use Google Analytics on our marketing website to measure traffic and understand how visitors find and use the site. Google Analytics uses cookies and may collect IP addresses and other identifiers. You can opt out by installing the Google Analytics Opt-Out Browser Add-On. 7.4 Your choices. Most browsers allow you to control cookies through their settings. Blocking some cookies may affect the functionality of the Service. 8. Data Retention 8.1 We retain your information for as long as your account is active or as needed to provide the Service. 8.2 If you terminate your account, we will make reasonable efforts to allow you to export your data for thirty (30) days following termination, after which we may delete it. 8.3 Some information may be retained longer than thirty (30) days where required by law, for tax and accounting purposes, to resolve disputes, to enforce our agreements, or in encrypted backups that are routinely rotated. 9. Security 9.1 We use commercially reasonable administrative, technical, and physical safeguards to protect your information, including encryption in transit, encrypted storage, access controls, and the use of SOC 2-aligned infrastructure providers. 9.2 No method of transmission or storage is one hundred percent (100%) secure. We cannot guarantee absolute security. 9.3 You are responsible for keeping your account credentials confidential. Notify us immediately if you suspect unauthorized access to your account. 10. Your Rights and Choices 10.1 Access, correction, and deletion. You may access and update most of your account information directly in the Service. You may also request a copy of your personal information, request corrections, or request deletion by contacting us at the address in Section 14. 10.2 Marketing communications. You may opt out of marketing emails by clicking the unsubscribe link in any marketing email or by contacting us. Transactional and service-related emails (such as order confirmations and security notices) will continue to be sent. 10.3 Email and accounting integrations. You may disconnect Gmail, Outlook, QuickBooks, or other connected accounts at any time through the Service or through the third-party provider’s settings. 10.4 Cookie controls. You can control cookies through your browser settings as described in Section 7. 11. California Privacy Rights 11.1 If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information. 11.2 Categories of personal information collected. In the past twelve (12) months, we have collected the following categories of personal information, as defined under the CCPA: • Identifiers (such as name, email address, IP address, account ID); • Customer records (such as billing address, phone number, payment information); • Commercial information (such as transaction history and products ordered); • Internet or other network activity (such as usage data and device information); • Professional information (such as credentials, business name, and resale certificate information); and • Inferences drawn from the above (such as feature preferences and engagement patterns). 11.3 Sources. We collect this information directly from you, automatically through your use of the Service, and from third-party services you connect to your account. 11.4 Purposes. We use this information for the purposes described in Section 4. 11.5 Disclosures. We disclose the categories above to the categories of recipients described in Section 5, including service providers, vendors, legal authorities where required, and parties to business transfers. 11.6 Sale and sharing. We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA. 11.7 Your CCPA rights. Subject to certain exceptions, California residents have the right to: (a) Know the categories and specific pieces of personal information we have collected about you; (b) Request deletion of personal information we have collected from you; (c) Request correction of inaccurate personal information; (d) Opt out of the sale or sharing of personal information (although we do neither); and (e) Be free from discrimination for exercising your rights. 11.8 How to exercise your rights. To exercise these rights, contact us using the information in Section 14. We will verify your identity before responding, typically by confirming information already on file. You may also designate an authorized agent to make a request on your behalf, in which case we will verify the agent’s authority. 12. Children 12.1 The Service is not directed to children, and we do not knowingly collect personal information from anyone under the age of eighteen (18). If we learn that we have collected personal information from a child under 18, we will delete it. 13. Changes to This Policy 13.1 We may update this Privacy Policy from time to time. The “Last updated” date at the top of this Policy indicates when it was last revised. If we make material changes, we will notify you by email or through the Service before the changes take effect. 14. Contact Us 14.1 If you have any questions about this Privacy Policy or our privacy practices, please contact us at: Object & Order LLC [mailing address] [contact email] 15. Governing Law 15.1 This Privacy Policy is governed by the laws of the State of Tennessee, without regard to its conflict of laws principles. — End of Privacy Policy —