Privacy Policy
Effective: April 1, 2026 | Last updated: March 31, 2026
Musib, Inc. (hereinafter “the Company”) complies with applicable privacy laws and regulations, and establishes and publishes this Privacy Policy to protect the personal information of users of the anpm service (hereinafter “the Service”).
Article 1 (Personal Information Collected and Collection Methods)
1. At Registration
| Category | Items Collected | Purpose |
|---|---|---|
| Required | Email address, password (stored encrypted), username | User identification, service delivery, account management |
| Optional | Display name, profile image (avatar_url), bio, contact links | Profile display, builder portfolio |
2. At Agent Installation (Automatically Collected)
| Items Collected | Purpose | Notes |
|---|---|---|
| Installed agent info (slug, version) | Installation history, update notifications | - |
| Device hash (SHA-256 one-way hash of hostname:username) | Daily active user (DAU) measurement, duplicate prevention | One-way hash, original cannot be recovered |
| Usage timestamp (pinged_date) | Usage analytics | Aggregated daily |
| User ID (user_id) — only when logged in | Installer identification, builder dashboard analytics | Not collected when not logged in |
3. At CLI Login
| Items Collected | Purpose |
|---|---|
| Auth tokens (access_token, refresh_token) | CLI authentication persistence |
| Device code (device_code) — when using device auth flow | Secure authentication in sandbox/remote environments |
4. At Agent Publishing (Builders)
Agent metadata such as name, description, version, tags, and changelog is collected and used for marketplace listing and search.
5. Enterprise Inquiries
Company name, estimated number of builders, adoption purpose, contact information, and Space name are collected and used for enterprise consultation and follow-up.
Article 2 (Purpose of Use)
- Service delivery: Account management, agent installation and execution, guide URL generation, access control
- Builder dashboard: Agent installation statistics and usage analytics (see Article 4 for details)
- Service improvement and analytics: Usage pattern analysis, feature improvements, error response, de-identified statistics generation and external publication (blog, press releases, investor materials, etc.)
- Communications: Announcements, agent update notifications (with follow consent), customer support, marketing communications
- Safe service operation: Fraud prevention, terms violation response, service abuse detection
Article 3 (Retention and Destruction)
| Data | Retention Period | Basis |
|---|---|---|
| Account information | Retained 30 days after account deletion, then destroyed (for re-registration requests and fraud prevention) | Legitimate interest |
| Installation logs | 3 years from collection | Service analytics, dispute resolution, license verification |
| Usage statistics (device hash) | 3 years from collection | Service analytics, trend analysis |
| Device auth codes | 5 minutes after issuance | One-time authentication |
| E-commerce records | Contract/withdrawal records: 5 years; payment records: 5 years; consumer complaint/dispute records: 3 years | E-Commerce Act |
| Access logs | 3 months | Communications Privacy Act |
Personal information past its retention period is destroyed without delay. Electronic files are deleted using methods that prevent recovery.
Article 4 (Disclosure to Third Parties)
Due to the nature of the Service, the Company provides installer information to the builder of the respective agent. This is for the purpose of enabling builders to manage installers, understand operational status, and communicate with installers.
| Recipient | Data Provided | Purpose | Retention |
|---|---|---|---|
| Builder of the agent | Profile information, organization info, usage info | Installer management (CRM), operational status monitoring, version-based user analysis, installer communication, service quality improvement | Until agent deletion or builder account deletion |
Data NOT collected or shared: Conversation content, prompts, AI responses, generated code, and other actual usage data during agent execution are not collected by the Company and are not shared with builders. IP addresses, passwords, device details (OS, browser, etc.), and payment information are also not shared.
Non-logged-in installers: When an agent is installed without logging in, only the installation count is recorded and no personally identifiable information is shared.
Consent and withdrawal: Installers are deemed to consent to the sharing of this information when installing an agent. Consent may be withdrawn at any time by deleting your account or contacting support. Upon withdrawal, installation data for the agent will be deleted.
Article 5 (Data Processing Delegation)
The Company delegates personal information processing as follows for service delivery.
| Processor | Delegated Tasks | Retention |
|---|---|---|
| Supabase Inc. | Authentication service, database hosting | Until contract termination |
| Resend Inc. | Email delivery | Immediately after delivery |
Delegation contracts include provisions for privacy law compliance, confidentiality, prohibition of third-party sharing, and liability for incidents.
Article 6 (International Transfer)
Servers of delegated processors (Supabase, Resend) may be located overseas. In such cases, the following is disclosed pursuant to applicable law.
- Data transferred: All items specified in Article 1
- Recipients: Supabase Inc. (USA), Resend Inc. (USA)
- Purpose: Authentication, data storage, email delivery
- Retention: Same as Article 3
Article 7 (User Rights and How to Exercise Them)
- Users (or their legal representatives) may exercise the following rights at any time:
  - Request to access personal information
  - Request correction of errors
  - Request deletion
  - Request to suspend processing
- Rights may be exercised through profile settings within the Service or by contacting support (010-9881-0664). The Company will act without delay.
- If a user requests correction of an error, the Company will not use the affected personal information until the correction is complete.
Article 8 (Security Measures)
The Company takes the following measures to ensure data security:
- Password encryption: One-way hashing using the bcrypt algorithm
- Auth token security: File access restrictions (0600) for local storage, periodic automatic refresh
- Communication encryption: HTTPS (TLS) applied to all API communications
- Device identifier de-identification: SHA-256 one-way hash processing prevents recovery of the original value
- Access control: Row Level Security (RLS) policies applied to database
- Session management: Auth token management via HTTP-Only cookies, periodic token refresh
Article 9 (Use of Cookies)
- The Company uses cookies to maintain user authentication status.
- Cookies used are essential cookies for authentication session management. No third-party analytics or advertising cookies are used.
- Users may reject cookies through browser settings, but this may limit access to features requiring login.
Article 10 (Automated Collection and Opt-Out)
- When installing or running agents via the CLI tool, usage pings are automatically sent to track usage.
- Usage pings include a device hash (one-way hash), agent identifier, and installed version. No directly personally identifiable information is included.
- Users may opt out of identifiable collection by discontinuing CLI usage or using the CLI without logging in.
Article 11 (Data Protection Officer)
| Name | Haemin Jeong |
| Title | CEO |
| Contact | 010-9881-0664 |
Article 12 (Remedies for Rights Infringement)
Users who need remedies or consultation regarding personal information infringement may contact the following organizations:
- Personal Information Infringement Report Center (KISA): 118, privacy.kisa.or.kr
- Personal Information Dispute Mediation Committee: 1833-6972, kopico.go.kr
- Supreme Prosecutors' Office Cyber Investigation Division: 1301, spo.go.kr
- National Police Agency Cyber Bureau: 182, ecrm.police.go.kr
Article 13 (Policy Changes)
When this Privacy Policy is amended, changes will be announced within the Service at least 7 days before the effective date. Changes unfavorable to users will be announced at least 30 days in advance.
Supplementary Provisions
This policy is effective from April 1, 2026.