MuninnbaseMuninnbase
← All legal documents

Last updated May 22, 2026

Privacy Policy

Effective Date: May 22, 2026 Last Updated: May 22, 2026

1. Introduction

This Privacy Policy describes how JM3 Solutions LLC d/b/a JM3 Labs, with principal place of business at 971 US Highway 202 N, Suite N, Branchburg, NJ 08876 (referred to in this policy as "Muninnbase," "we," "us," or "our"), provider of the Muninnbase service ("the Service"), collects, uses, and shares information when you use our website at muninnbase.com (the "Site") and our software-as-a-service application (the "Service").

This policy applies to information collected from:

  • Customers: organizations and the individuals authorized to administer their accounts, who subscribe to or otherwise contract with us for the Service.
  • End Users: employees and other authorized users who access the Service through a Customer's account.
  • Visitors: anyone who visits the Site without signing in.

If you are an End User accessing the Service through your employer's account, please also review your employer's privacy notice. Your employer (the Customer) is the data controller for information submitted through the Service in the course of using their account, and Muninnbase processes that information on the Customer's behalf.

2. Who We Are

JM3 Solutions LLC d/b/a JM3 Labs operates Muninnbase, an AI-powered knowledge base product designed for businesses. Our principal place of business is at 971 US Highway 202 N, Suite N, Branchburg, NJ 08876. For privacy questions or to exercise your rights under this policy, contact us at [email protected].

3. Information We Collect

3.1 Information you provide to us

Account information. When a Customer creates an account, we collect the organization name, the administrator's name, email address, and authentication credentials (passwords are stored only as cryptographic hashes by our authentication provider). When a Customer invites End Users, we collect each End User's email address and any name or role information provided during invitation.

Customer Content. Customers upload documents to the Service so that the AI assistant can answer questions grounded in those documents. We refer to all data and content uploaded, generated, or submitted by a Customer or its End Users as "Customer Content." Customer Content remains the property of the Customer.

Queries and answers. When an End User asks a question through the Service, we record the question text, the answer returned by the AI, and the source citations referenced. These records are stored within the Customer's tenant as a "Q&A log."

Billing information. When a Customer subscribes to a paid plan, we collect billing contact information and process payment through our payment processor, Stripe. We do not store full payment card numbers; Stripe stores them in accordance with PCI-DSS.

Support communications. If a Customer or End User contacts us for support, we collect the content of the communication and any information shared in it.

3.2 Information collected automatically

Server logs. Our web servers automatically log standard information about each request, including IP address, user agent, request path, timestamp, and HTTP response code. Logs are used for operational, debugging, and security purposes.

Authentication and security cookies. The Service uses cookies that are strictly necessary to keep you signed in and to protect against abuse. The Site may use additional cookies as described in Section 9.

Bot-detection signals. During signup, we use Cloudflare Turnstile, a privacy-respecting alternative to traditional CAPTCHA. Turnstile analyzes browser signals (such as challenge-response timing and user-agent characteristics) to determine whether a request is from a human, and is designed to minimize personal data collection compared to legacy CAPTCHA services.

3.3 Information we do not collect

We do not knowingly collect:

  • Full payment card numbers (handled by Stripe)
  • Sensitive categories of personal information beyond authentication credentials needed to operate the Service
  • Information from children under 13

4. How We Use Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Service
  • Authenticate users and protect against unauthorized access
  • Process billing and send transactional communications (such as account verifications, password resets, and billing receipts)
  • Respond to support requests and other inquiries
  • Detect, investigate, and prevent abuse, fraud, and security incidents
  • Generate aggregated, anonymized analytics about Service usage that do not identify any Customer, End User, or Visitor
  • Comply with legal obligations and enforce our agreements

5. AI and Machine Learning Disclosures

Muninnbase uses large language models (LLMs) and text-embedding models to power its question-answering features. We believe Customers deserve a clear explanation of how their data interacts with these models.

Inference only, never training. Customer Content, queries, and answers are sent to our LLM provider (OpenAI) solely to generate responses to End User questions. We do not use Customer Content, queries, or answers to train any artificial intelligence or machine-learning model, whether our own or any third party's. We have confirmed in writing with our LLM provider that data submitted through their API is not used to train their models.

What flows to the LLM provider. When an End User asks a question, the question text and the most relevant passages retrieved from the Customer's documents are sent to OpenAI for inference. The response is returned to the End User and stored in the Customer's Q&A log within Muninnbase.

Output accuracy. AI-generated answers can be incomplete or incorrect even when grounded in source documents. The Service is designed to ground answers in Customer-provided documents and to refuse questions it cannot answer from those documents, but no AI system is perfect. AI-generated output should not be relied upon as legal, financial, medical, or other professional advice, and is not a substitute for professional judgment.

6. Subprocessors

We rely on a small number of vendors ("subprocessors") to operate the Service. Each subprocessor is bound by contractual data-protection obligations and is only permitted to process information for the purposes described below.

Subprocessor Purpose Location
Supabase, Inc. Managed database and authentication infrastructure United States
Railway Corp. Application hosting and file storage United States
Cloudflare, Inc. Content delivery, DDoS protection, web application firewall, and Turnstile bot detection on signup United States (with global edge network)
OpenAI, L.L.C. LLM inference and text embeddings United States
Plus Five Five, Inc. (d/b/a Resend) Transactional email delivery (account verification, password reset, and similar) United States
Stripe, Inc. Billing and payment processing (active when a Customer subscribes to a paid plan) United States

A current list of subprocessors is maintained at Subprocessor List. We will provide notice through that page or by email to Customer administrators before adding a new subprocessor that processes Customer Content.

7. Data Sharing and Disclosure

We do not sell personal information. We do not share personal information with third parties for their own marketing purposes.

We share information only:

  • With the subprocessors listed in Section 6, who process information on our behalf and under contract
  • With a Customer's authorized administrators, who have access to their organization's users, content, and account settings
  • To comply with applicable law, valid legal process, or lawful government requests
  • To protect our rights, the safety of our users, or to investigate potential violations of our Terms of Service
  • In connection with a merger, acquisition, financing, or sale of business assets, in which case we will provide notice to affected Customers before personal information is transferred

8. Data Retention

Customer Content (uploaded documents) is retained for as long as the Customer maintains an active account. When a Customer's account is closed, Customer Content is deleted in accordance with our deletion procedures.

Q&A logs are retained according to each Customer's configured retention setting. The default retention period is 30 days. Customer administrators may adjust this setting within the limits we permit.

Unanswered-question events (questions the Service could not confidently answer) are retained until a Customer administrator clears them through the admin interface. These records support administrator workflows to identify content gaps in the knowledge base.

Account information is retained for as long as the account is active, plus a reasonable period after account closure to satisfy legal, accounting, audit, and tax obligations.

Server logs are retained for a limited operational window and then deleted or anonymized.

A Customer administrator may request irreversible deletion of all data associated with their tenant at any time through the in-product account-closure flow. Some information may be retained where required by law or for legitimate operational purposes (such as financial records or fraud investigation), and we will delete that information when those purposes have been satisfied.

9. Cookies and Similar Technologies

The Service and Site use cookies and similar technologies. The categories used today are:

  • Strictly necessary cookies: authentication state, session security, and CSRF protection. These cookies cannot be disabled without breaking the Service.
  • Security cookies: set by Cloudflare to detect and mitigate abusive traffic.

We do not currently use analytics, advertising, or social-media cookies. If we add cookies in the future that require consent under applicable law, we will update this policy and present a consent mechanism at that time. A separate Cookie Policy with full technical details is available at Cookie Policy.

10. Data Security

We take reasonable and appropriate technical, administrative, and physical safeguards to protect information against loss, theft, unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit (TLS) and at rest
  • Tenant isolation enforced at the application, database, and access-token layers
  • Access controls and least-privilege principles for our internal personnel
  • Logging and monitoring of system activity
  • Diligence on each subprocessor's security posture

No security program is perfect. We will notify affected Customers of any security incident affecting their data in accordance with applicable law.

11. Your Privacy Rights

11.1 Customers' rights

If you are a Customer, you can access, correct, export, or delete account information through the admin interface in the Service. You can also close your account at any time, which initiates deletion of your tenant data.

11.2 End Users' rights

If you are an End User accessing the Service through your employer's account, your employer controls that account and the Customer Content within it. To exercise rights regarding information you submit through the Service in connection with your employer's account, contact your employer. We will support your employer in responding to such requests as part of our processor obligations.

11.3 California residents

Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), California residents have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell or share
  • Request a copy of personal information we hold about them
  • Request correction of inaccurate personal information
  • Request deletion of personal information, subject to legal exceptions
  • Opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal information in this sense.
  • Limit use of "sensitive personal information." We do not collect sensitive personal information beyond authentication credentials, and we use those credentials only to authenticate you.
  • Be free from retaliation for exercising these rights

To exercise these rights, email us at [email protected]. We will verify your identity before responding and will respond within the timeframes required by applicable law.

Under California Civil Code Section 1798.83 ("Shine the Light"), California residents may request information about disclosures of personal information to third parties for those third parties' direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.

11.4 Residents of other US states

Residents of US states with comprehensive consumer privacy laws (currently including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, and others as enacted) may have rights similar to those described in Section 11.3, including rights to access, correct, delete, and obtain a copy of their personal information, and to opt out of certain processing. To exercise these rights, contact us at [email protected].

11.5 Authorized agents

You may designate an authorized agent to make a privacy rights request on your behalf. We will require verification of the agent's authority and may also require you to verify your own identity.

12. Children's Privacy

The Service is intended for use by businesses and their authorized employees. It is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it. If you believe a child under 13 has provided us information, contact us at [email protected].

13. International Users

The Service is operated from the United States and intended for Customers and End Users in the United States. We do not currently market the Service to, or accept Customers in, the European Union, United Kingdom, or other jurisdictions with comprehensive cross-border data-protection regimes. If you access the Service from outside the United States, you acknowledge that your information will be transferred to and processed in the United States.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and, for Customers, notify the account administrator by email or through the Service in advance of the changes taking effect. Continued use of the Service after a change indicates acceptance of the updated policy.

15. Contact Us

For privacy questions, requests, complaints, or to exercise your rights:

Email: [email protected] Postal mail: JM3 Solutions LLC d/b/a JM3 Labs, 971 US Highway 202 N, Suite N, Branchburg, NJ 08876