Musher
Install

Privacy Policy

Last updated: March 2026

Introduction

Musher ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

Information We Collect

Information You Provide

  • Account Information: Email address, full name, and username when you sign up
  • Organization Information: Organization name, slug, and membership details
  • Bundle Content: Agent skills, prompts, rules, configs, and metadata you publish to the registry
  • API Keys: Key names and scopes (we store only cryptographic hashes of key secrets)
  • Payment Information: Billing address and payment method details (processed and stored by Stripe; we do not store full card numbers)

Information Collected Automatically

  • Device and browser information
  • IP address and approximate location
  • Usage patterns, API request metadata, and interaction data
  • Bundle download counts and registry access logs
  • CLI and SDK usage telemetry (command usage, error logs, latency metrics)

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our registry and distribution services
  • Process your account registration and manage your organizations
  • Display publisher profiles and public bundle listings on the Hub
  • Process payments and manage subscriptions
  • Communicate with you about updates, features, and service changes
  • Analyze aggregated, anonymized usage patterns to improve user experience
  • Enforce our Terms of Service and Acceptable Use Policy
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

AI Training Policy

We do not use your private bundles, prompts, or proprietary configurations to train AI models. Anonymized, aggregate usage metrics (such as feature adoption and error rates) may be used to inform product improvements. Public bundle metadata displayed on the Hub (titles, descriptions, tags) may be indexed for search functionality.

Data Sharing

We do not sell your personal information. We may share data with:

  • Service Providers: Third parties that help us operate our platform (hosting, payment processing, analytics). See our Trust Center for a current list of subprocessors.
  • Public Hub: Publisher handles, public bundle metadata, and download counts are visible on the Hub
  • Legal Requirements: When required by law or to protect our rights

Data Security

We implement security measures including:

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • OCI content-addressed storage with SHA-256 integrity verification
  • ECDSA P-256 content signing for bundle provenance
  • API key secrets stored as cryptographic hashes (never in plaintext)
  • Tenant isolation between organizations
  • Role-Based Access Control (RBAC) for organizational resources

Data Retention

Data TypeRetention PeriodDeletion Method
Account informationDuration of account + 30 daysPermanent deletion upon account closure request
Public bundle contentIndefinite (immutable registry)Subject to Unpublish Policy
Private bundle contentDuration of accountPermanent deletion upon account closure
Access logs & telemetry90 daysAutomatic purge
Payment records7 years (tax/legal compliance)Automatic purge after retention period
Audit logs1 yearAutomatic purge

Cookies & Tracking Technologies

We use the following technologies:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Analytics: Anonymized usage analytics to understand how the platform is used. You can opt out via telemetry settings.

We do not use third-party advertising cookies or cross-site tracking.

Automated Decision-Making

Musher uses automated systems for the following purposes. These systems do not make decisions that produce legal or similarly significant effects on individuals:

  • Security scanning: Automated analysis of published bundles for malware signatures and known vulnerabilities
  • Rate limiting: Automated throttling of API requests to prevent abuse and ensure platform stability
  • Fraud detection: Automated analysis of account activity patterns to detect unauthorized access

International Data Transfers

Musher processes data primarily in the United States. If you access our services from outside the US, your data may be transferred to and processed in the US. For transfers from the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Enterprise customers may request a Data Processing Agreement (DPA) by contacting [email protected].

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including:

  • Right to Know: You may request information about the categories and specific pieces of personal information we collect, use, and disclose
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out: We do not sell personal information. We do not share personal information for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise these rights, contact [email protected]. We will respond within 45 days.

Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Opt out of marketing communications
  • Object to processing based on legitimate interest

Contact Us

For privacy-related questions, contact us at: [email protected]