Privacy Policy

1. Overview

Muster is built for volunteer Fire and EMS organizations that need to manage schedules, members, qualifications, forms, and documents. We understand that this information can be sensitive. This Privacy Policy explains what we collect, how we use it, who we share it with, and how we protect it.

2. Privacy Commitments

These commitments guide how we handle customer and member data:

• We use your data to provide, secure, and support Muster.
• We use limited technical information, aggregated analytics, and customer feedback to improve reliability and usability.
• We do not sell or rent personal information.
• We do not use organization or member data for advertising, third-party ad targeting, or cross-customer profiling.
• We do not train AI models on customer or member data.
• We limit access to people and systems that need it to operate, secure, or support the Service.

Your organization owns the rosters, schedules, forms, documents, and other operational data it puts into Muster. We process that data so the Service can work for you.

3. Information We Collect

We collect information that you or your organization provide to us, as well as limited technical information needed to run the Service.

• Account information: Name, email address, authentication details, and account settings.
• Organization information: Organization name, contact details, subscription status, settings, schedules, positions, and related configuration.
• Member data: Names, contact information, roles, qualifications, certifications, availability, shift history, custom fields, form submissions, uploaded documents, and related membership records.
• Billing information: Subscription and payment status processed through Stripe. Muster does not store full credit card numbers.
• Communications: Support requests, feedback, and messages you send to us.
• Technical and security data: Session cookies, request logs, error logs, IP address, browser or device information, and similar data used for security, reliability, abuse prevention, and troubleshooting.

We do not use device fingerprinting or advertising trackers.

4. How We Use Information

We use information to:

• Provide and maintain the Service.
• Authenticate users and protect accounts.
• Manage scheduling, member records, forms, documents, reports, and organization settings.
• Process subscriptions and billing through Stripe.
• Send service emails, such as invitations, schedule updates, approval notices, reminders, and security messages.
• Respond to support requests and investigate problems.
• Detect, prevent, and address security issues, abuse, fraud, or unlawful activity.
• Improve performance, reliability, and usability using limited technical information, aggregated analytics, and customer feedback.

5. AI Features

Some organizations may use AI Coverage Copilot features, such as suggested fills or the AI assistant. When these features are enabled and used, Muster may send only the relevant schedule, availability, member, and organization context needed to answer the request to our AI provider, currently OpenAI through its API. We do not use customer or member data to train Muster-owned AI models, and OpenAI states that API inputs and outputs are not used to train its models by default unless the API customer opts in. Organization administrators can disable AI features in settings.

6. Information Sharing

We do not sell personal information. We share information only in limited circumstances:

• Within your organization: Member information is visible to authorized users according to the organization roles and permissions in Muster.
• Service providers: We use vendors for hosting, database, authentication, file storage, email delivery, payment processing, analytics, and AI features. These providers process information so they can perform services for Muster.
• Legal and safety reasons: We may disclose information if required by law, legal process, or a valid government request, or when needed to protect the rights, safety, security, or property of Muster, our customers, or others.
• Business transfers: If Muster is involved in a merger, acquisition, financing, or sale of assets, customer information may be transferred as part of that transaction, subject to this Privacy Policy or equivalent protections.

7. Security

We use technical and organizational safeguards designed to protect customer and member data. These safeguards include encryption in transit, protected database and file storage, tenant isolation, role-based access controls, administrative access controls, service-role separation, security logging, and monitoring for suspicious activity. We also limit operational access to data to people who need it to support, secure, or operate the Service.

No online service can guarantee perfect security. If we discover a security incident that affects personal information, we will investigate and notify affected customers or users as required by law.

8. Data Retention

We keep information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, prevent abuse, and maintain security. If you delete an account or request deletion, we will delete or anonymize personal information within 30 days where technically feasible, except where retention is required for legal, billing, security, backup, or legitimate operational reasons.

9. Your Rights and Choices

Depending on your location and relationship to an organization, you may request that we:

• Provide access to personal information we hold about you.
• Correct inaccurate or incomplete personal information.
• Delete personal information, subject to legal exceptions.
• Export a portable copy of your data where available.
• Stop sending marketing communications.

Organization administrators can update many member records directly in Muster. For other privacy requests, contact us.

10. Cookies and Analytics

We use essential cookies to keep users signed in, maintain sessions, and protect the Service. If you block essential cookies, some features may not work.

We use Vercel Web Analytics to understand aggregate site and product usage. Vercel Web Analytics is designed not to use cookies and to provide aggregated analytics rather than advertising profiles. We do not use third-party advertising cookies or ad retargeting pixels.

11. Third-Party Services

Muster relies on carefully selected service providers. Their own privacy policies describe how they process data for their services:

• Supabase: Database, authentication, and file storage (Privacy Policy)
• Vercel: Hosting and analytics (Privacy Policy)
• Stripe: Payment processing (Privacy Policy)
• Resend: Service email delivery (Privacy Policy)
• OpenAI: AI Coverage Copilot features when enabled and used (Business Data Privacy)

12. Children and Minors

Muster is intended for organizations and their authorized users, not for children under 13 to create accounts. We do not knowingly collect personal information directly from children under 13. If an organization stores records about minors in Muster, the organization is responsible for having the required authority or consent to provide that information.

13. International Processing

Muster is operated from the United States, and our service providers may process information in the United States and other countries. When information is processed outside your location, we rely on provider commitments, contractual protections, and other safeguards designed to protect the information described in this policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the date above and provide notice through the Service, by email, or by another appropriate method.

15. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us.