Privacy Policy

Last updated: 2026-05-06

Who we are

Muster is a personnel accountability system for fire-ground incidents, built and operated by Safe Signals LLC. This Privacy Policy describes how Safe Signals handles data collected through the Muster mobile app, the Muster admin console, the Muster firefighter portal, and the Muster marketing site (collectively, "the Service").

Muster customers are fire departments. Most data in the Service belongs to the customer department, not to Safe Signals — Safe Signals is a data processor on the department's behalf for the majority of operational data.

What we collect

From the customer department

  • Department information: name, address, billing email, billing contacts, tier (Emergency / Tier 1 / Tier 2 / Tier 3), seat count, license expiry.
  • Personnel records: firefighter names, ranks, certifications, qualifications (IC / ISO / Training Officer), optional contact details, role membership.
  • Device records: activated device IDs (Ed25519 fingerprints), device type, app version, last-seen timestamp.
  • Incident records: event-sourced timeline of every incident the department runs in the app — assignments, PARs, benchmarks, Maydays, evacuations, hazards flagged, exposure events, rehab cycles, whiteboard state, after-action archives.
  • Audit log: every administrative action taken in the admin console (who did what, when, from what IP).

From firefighters who use the portal

  • Authentication: email address (used as Firebase Auth identity) and a hashed password (handled entirely by Firebase Auth — Safe Signals never sees the plaintext password).
  • Mapping data: the link between your Firebase Auth account and your personnel record at the department that invited you.
  • Acknowledgments: when you acknowledge an exposure event your department logged for you.

From visitors to the marketing site

  • Standard server logs (IP address, browser, pages viewed) for security and capacity planning. No third-party tracking pixels.
  • Information you submit on the signup form (department name, billing email) is sent to Stripe to create a Checkout session.

Sensitive operational data

Some data Muster captures is more sensitive than general operational data and gets special handling:

  • Vitals readings (during rehab): default retention is incident-only. Department admins may opt in to longer retention, and individual firefighters may opt in to cross-incident personal history. Vitals are never logged and never shown to other crew members.
  • Exposure events: subject to OSHA 1910.1020, which requires 30-year retention post-separation for employee exposure records. Safe Signals retains exposure events at the floor required by OSHA — admins cannot configure shorter retention. Exposure events are owned by the firefighter's employing department; in mutual aid, the employing department's admin console is the authoritative copy.
  • Mayday records: visibility is configurable per department (full disclosure / admin-privileged / restricted / redacted). Default is admin-privileged. All access to Mayday detail is audit-logged.
  • Medical incidents: firefighter injuries and civilian patient information are retained with the incident archive. Civilian patients are anonymized (label-only, e.g., "Patient A") in the Muster archive — clinical records remain with EMS.

How we use this data

  • To provide and operate the Service for the customer department.
  • To support firefighter access to their own exposure history per OSHA 1910.1020(g).
  • To process payments via Stripe (we do not handle card data directly — Stripe processes all payment information).
  • To diagnose problems, monitor capacity, and investigate security incidents.
  • To honor legal requests when validly served (subpoenas, court orders).

Safe Signals does not sell customer data, share it with advertisers, or use it to train any third-party AI service.

Where data is stored

Operational data is stored in Google Firebase (Firestore + Cloud Storage), Google Cloud Run (stateless API), and Google Cloud Functions, all in US data centers by default. Tier 3 customers may negotiate alternate hosting (dedicated Firebase project or on-premises).

Payments are processed by Stripe. Email delivery (invitations, password resets) goes through Mailgun via the Firebase Trigger Email extension.

Retention

  • Incident archives: retained for the life of the customer's license. After cancellation, archives are kept for 90 days to allow export, then deleted unless the customer has an active export or retention contract.
  • Exposure events + personal exposure history: 30 years post-separation per OSHA 1910.1020. Cannot be shortened by the department or by cancellation — Safe Signals will preserve exposure records past customer cancellation as required by federal law.
  • Audit logs: retained indefinitely for compliance and forensic purposes.
  • Marketing-site server logs: 90 days, then aggregated.
  • Stripe payment records: governed by Stripe's retention policy (typically 7 years for tax / regulatory reasons).

Your rights

If you are a firefighter whose department uses Muster, you have the right under OSHA 1910.1020(g) to access your own exposure records. The firefighter portal provides this access — sign in with the invitation your department admin sent you, view every event your department has logged for you, and download a PDF of your record on demand. You may also request redaction of personal identifying details (names, contact info) from archived records — exposure facts themselves cannot be deleted under OSHA, but identifying information can be redacted with your department's approval.

If you are a department admin, you control your department's configuration: retention defaults (within OSHA floors), visibility policies, who is enrolled in the firefighter portal, who has admin access. Use the admin console to make changes; every action is audit-logged.

If you are a marketing-site visitor, you can email us to request deletion of any data we hold from your visit. There is very little such data — server logs and any signup-form contact you submitted.

Security

All data is encrypted in transit (TLS 1.2+) and at rest (Firebase + Cloud Storage default encryption). Authentication is via Firebase Auth; admin accounts may enable 2FA. Device identities are Ed25519 keypairs — Safe Signals cannot impersonate a customer's devices.

License tokens are short-lived JWTs signed with an RSA-2048 key held by Safe Signals; tokens are revocable and cached locally for offline operation.

Safe Signals follows responsible-disclosure practices for security vulnerabilities — please report any to security@safesignals.io.

Changes to this policy

When we make material changes to this policy, we will notify customer department admins by email and update the "Last updated" date at the top of this page. Continued use of the Service after a change constitutes acceptance of the updated policy.

Questions?

Contact Safe Signals LLC at legal@safesignals.io.