Initial Publication Date: December 1, 2025
Effective Date: December 1, 2025
MUISIK (hereinafter referred to as "the Company") processes personal information lawfully and manages it securely in compliance with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects. In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and publishes this Privacy Policy to inform data subjects of the procedures and standards for processing and protecting personal information, and to handle related complaints promptly and smoothly.
| Category | Details |
|---|---|
| Personal Information Collected | [Required] Google Account Information (name, email address, profile picture), Google OAuth 2.0 access tokens and refresh tokens, YouTube liked video metadata including video ID, title, description, channel name, upload date, tags, category ID, view count, like count, duration, Service usage logs (access logs, IP address) |
| Processing Purpose | User registration and identification/authentication, Generation of subconscious analysis reports based on YouTube liked videos, Service provision and stability assurance, Prevention of service abuse |
| Retention Period | Account information and analysis results: retained for 30 days after account deletion, then permanently destroyed; OAuth tokens: maximum 30 days JWT session or until logout; Service usage logs: 30 days or 6 months (Personal Information Protection Act, E-commerce Consumer Protection Act) |
| Third-Party Disclosure | No third-party disclosure. Exception: May be provided if required by law |
| Processing Outsourcing | Google LLC (authentication, YouTube data access, Gemini AI analysis), Supabase, Inc. (database and infrastructure), Functional Software, Inc. (Sentry, error analysis) |
| Data Subject Rights | Right to access, correct, delete, and suspend processing of personal information; right to withdraw consent (exercisable through the 'Settings' page within the service or via visionary.0419@gmail.com) |
The Company processes personal information for the following purposes. Personal information being processed shall not be used for purposes other than those stated below, and if the purpose of use changes, the Company will implement necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
Personal information is processed for the purpose of confirming membership registration intent through Google OAuth 2.0, identification and authentication for member services, maintaining and managing membership status, preventing service abuse, providing various notices and notifications, and account recovery and dispute resolution for 30 days after membership withdrawal.
The Company transmits metadata of members' liked videos (collecting up to 1,000, all analyzed) collected through YouTube Data API v3 to Google Gemini AI (latest version) model to generate and provide personalized content consumption patterns and subconscious preference analysis reports. Video ID lists and hash values are stored in the database to provide the 24-hour re-analysis feature.
Personal information is processed for the purpose of preventing service abuse through collection of service usage logs (access logs, IP addresses), identifying and analyzing error causes through Sentry, and operating the service stably.
The Company collects and uses the following personal information to the minimum extent necessary for service provision. All items are required, and service use is not possible if collection is refused.
| Legal Basis | Category | Collection and Use Purpose | Personal Information Items | Collection Method |
|---|---|---|---|---|
| Personal Information Protection Act Article 15(1)(1) (Consent) | Google OAuth 2.0 Authentication | Maintaining YouTube data access permissions and API calls | [Required] Google OAuth 2.0 access_token, refresh_token | Automatically issued upon approval of "https://www.googleapis.com/auth/youtube.readonly" permission on Google OAuth 2.0 consent screen. Stored in NextAuth.js JWT session for up to 30 days. |
| Personal Information Protection Act Article 15(1)(1) (Consent) | YouTube Liked Video Metadata | Generation of subconscious analysis reports and provision of 24-hour re-analysis feature | [Required] Video ID (videoId), title, description, channel name (channelTitle), channel ID (channelId), upload date (publishedAt), tags, category ID (categoryId), view count (viewCount), like count (likeCount), duration. Up to 1,000 are collected and all are sent to Gemini AI. The video ID list and hash value are permanently stored in the database. After analysis completion, profile image URLs (thumbnailUrl) of the TOP5 channels are collected via the YouTube Channels API and included in the analysis results. | YouTube Data API v3 playlistItems.list and videos.list endpoint calls |
| Personal Information Protection Act Article 15(1)(4) (Contract Performance) | Member Account Information | Membership registration, identification and authentication, service provision | [Required] Name, email address, Google profile picture URL (image), Google account unique ID | Automatically collected through GoogleProvider upon Google OAuth 2.0 login. Stored in Supabase user_tiers table. |
| Personal Information Protection Act Article 15(1)(4) (Contract Performance) | Service Usage Logs | Service stability assurance, prevention of abuse, error analysis | Service usage logs, access logs, access IP address, browser information, access time | Automatically collected during service use. Transmitted to Sentry (retained for 90 days). |
※ Sensitive information (race, ideology, political orientation, health, sexual life, etc.) and unique identification information (resident registration number, passport number, driver's license number, alien registration number) are not collected.
※ COPPA Compliance: In compliance with the Children's Online Privacy Protection Act (COPPA) of the United States, the Company does not knowingly collect personal information from children under 13 years of age. If registration by a child under 13 is discovered, the account will be immediately terminated and all collected information will be destroyed. For users in other jurisdictions, if the age of consent for data processing is higher than 13, that local requirement applies.
① The Company processes and retains personal information within the retention and use period of personal information according to laws and regulations or the retention and use period of personal information consented to by the data subject at the time of collection.
② The processing and retention period for each category of personal information is as follows.
| Personal Information Items | Retention Period | Retention Basis and Deletion Time |
|---|---|---|
| Member Account Information (name, email, profile picture) | 30 days after account deletion | Upon account deletion, deleted_at timestamp is recorded in user_tiers table (soft delete). After 30 days from deletion, automated cleanup job permanently deletes from user_tiers, user_analyses, video_snapshots, analysis_history tables. Account can be recovered by re-login within 30 days by resetting deleted_at to NULL. |
| OAuth 2.0 Tokens (access token, refresh token) | Maximum 30 days JWT session or until logout | Stored in NextAuth.js JWT session for up to 30 days. Immediately deleted upon logout. Also immediately deleted upon account deletion. Token invalidated upon Google OAuth permission revocation. |
| YouTube Video Metadata (title, description, etc.) | Temporarily transmitted during Gemini AI analysis only, not retained on server | Metadata collected from the YouTube API is included in the Gemini AI API request and immediately destroyed from server memory after transmission. Not stored in the database. However, the video ID list alone is permanently stored in the video_snapshots table (see below). |
| Video ID List and SHA-256 Hash Value | 30 days after account deletion | Video ID array (TEXT[]) and snapshot_hash (SHA-256) stored in Supabase video_snapshots table to provide 24-hour re-analysis feature. Permanently deleted by Cron job 30 days after account deletion. (database/MUISIK.sql:136-148) |
| Analysis Report Results (analysis_data) | 30 days after account deletion | Analysis results generated by Gemini AI stored in JSON format in user_analyses table. Permanently deleted by Cron job 30 days after account deletion. |
| Service Usage Logs (access logs, IP address) | 30 days after account deletion or 6 months | Destroyed promptly upon achievement of retention purpose in accordance with Article 21 of the Personal Information Protection Act. However, may be retained for 6 months for prevention of fraud in accordance with the Act on Consumer Protection in Electronic Commerce. |
| Error Logs (Sentry) | 90 days | Automatically deleted after 90 days according to Sentry platform policy. |
③ Member Withdrawal Procedures and Data Retention/Deletion Details:
1. When a member clicks the 'Delete Account' button on the 'Settings' page within the service, the withdrawal time is recorded in the deleted_at column of the user_tiers table (soft delete method)
2. Immediately upon withdrawal, JWT session cookie is deleted, preventing re-login (however, account can be recovered within 30 days by Google re-login, resetting deleted_at to NULL)
3. Account information is retained for 30 days from the withdrawal date for purposes of preventing service abuse, payment settlement, and dispute resolution
4. After 30 days from withdrawal, a daily automated Cron job sequentially and permanently deletes member data from the following tables:
- user_language_preferences (user language preferences)
- user_tier_history (tier change history)
- video_snapshots (video ID snapshots)
- analysis_history (analysis history and cost records)
- user_analyses (analysis results)
- user_tiers (member tier information - final deletion)
5. Deleted data cannot be recovered and is not retained in backup systems
④ If personal information must be preserved in accordance with laws and regulations, it will be stored separately in a different database for the relevant period before destruction:
- Records of fraudulent use: 6 months (Act on Consumer Protection in Electronic Commerce, etc.)
- Records related to labeling and advertising: 6 months (Act on Consumer Protection in Electronic Commerce, etc.)
① The Company outsources personal information processing tasks as follows for smooth personal information processing. Personal information is transferred overseas for outsourced task performance (detailed information in Article 5).
| Consignee | Outsourced Task Details | Personal Information Items Processed | Outsourcing Period |
|---|---|---|---|
| Google LLC (Headquarters: California, USA) | 1) Google OAuth 2.0 Authentication: Member login and identification through GoogleProvider 2) YouTube Data API v3 Provision: API provision for collecting member's liked video metadata (playlistItems.list, videos.list endpoints). Channels API provision (channels.list endpoint) for collecting profile image URLs of TOP5 channels after analysis completion 3) Gemini AI Analysis: Receiving member's video metadata (up to 1,000 for FREE plan) to generate subconscious analysis reports | Name, email address, profile picture, Google account ID, OAuth 2.0 tokens, YouTube liked video metadata (video ID, title, description, channel name, upload date, tags, category ID, view count, like count, duration) | Until account deletion or contract termination |
| Supabase, Inc. (Headquarters: California, USA) | PostgreSQL database hosting, cloud infrastructure operation and management. Storing and managing member account information, analysis results, and video snapshots in user_tiers, user_analyses, video_snapshots, analysis_history tables. | Name, email address, profile picture, Google account ID, video ID list, SHA-256 hash value, analysis report results (JSON), analysis history and cost records | Until 30 days after account deletion or contract termination |
| Functional Software, Inc. (Sentry) (Headquarters: California, USA) | Collection and analysis of error logs, stack traces, and performance monitoring data for identifying and analyzing service error causes | Service usage logs, access IP address, browser information, error occurrence time, stack traces (personal identification information automatically masked) | 90 days from collection date (Sentry platform policy) |
| Google LLC (Google AdSense) (Headquarters: California, USA) | Serving personalized advertisements, measuring advertising performance, and advertising revenue settlement. Advertisements are only displayed when user consents. | Advertising identifier (Cookie ID), visited page information, ad click information, device information (browser, OS) | Until consent withdrawal or service termination (up to 13 months per Google AdSense policy) |
② When concluding outsourcing contracts, the Company specifies the following matters in documents such as contracts in accordance with Article 26 of the Personal Information Protection Act and supervises whether the consignee safely processes personal information:
- Prohibition of personal information processing beyond the purpose of outsourced task performance
- Technical and administrative protection measures obligations
- Re-outsourcing restrictions and prior consent procedures
- Authority to manage and supervise consignees
- Matters related to liability allocation including damages
- Obligation to return or destroy personal information upon contract termination
③ If the details of outsourced tasks or consignees change, the Company will promptly disclose such changes through this Privacy Policy.
IMPORTANT NOTICE FOR INTERNATIONAL USERS: Your personal information and YouTube metadata collected through this Service will be transferred to and stored on servers located in the United States (operated by Google LLC, Supabase Inc., and Functional Software Inc.). This cross-border data transfer is necessary for the provision of the Service. By using this Service, you explicitly consent to this data transfer. If you do not consent to this transfer, you may not use the Service.
The Company outsources processing and storage of data subjects' personal information to overseas providers as follows for service provision. In accordance with Article 39-12 of the Personal Information Protection Act (Korea) and GDPR Articles 44 to 49 (for EU users), the fact of overseas transfer is notified, and if data subjects refuse this, membership registration and service use are not possible.
| Transferee (Contact) | Personal Information Items Transferred | Transfer Country and Date/Time | Transfer Method | Purpose of Use | Retention and Use Period |
|---|---|---|---|---|---|
| Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | [OAuth Authentication] Name, email address, profile picture, Google account ID, OAuth 2.0 access token and refresh token [YouTube API] Member's liked video metadata and channel profile image URLs returned from the YouTube server when calling the YouTube Data API with the OAuth token [Gemini AI] Up to 1,000 video metadata items for FREE plan (video ID, title, description, channel name, upload date, tags, category ID, view count, like count, duration). | United States (California and Google global data centers). Transfer time: OAuth at login; YouTube API at analysis start; Gemini AI at analysis execution | Network transfer through HTTPS encrypted communication. Via Google Cloud Platform infrastructure. | 1) Providing Google OAuth 2.0 authentication service 2) Providing liked video data and channel profile image URLs through YouTube Data API v3 3) Generating subconscious analysis reports through Gemini 2.0 Flash model | OAuth tokens: maximum 30 days JWT session or until logout/withdrawal; Gemini AI transmitted data: processed according to Google server policy after API request completion (the Company does not retain it thereafter) |
| Supabase, Inc. 970 Toa Payoh North #07-04, Singapore 318992 | Name, email address, profile picture, Google account ID, video ID list (TEXT[]), SHA-256 hash value, analysis report results (JSON), analysis history and cost records, deleted_at timestamp | United States (AWS us-east-1 region and other Supabase data centers) Transfer Time: At membership registration and continuous storage during service use | HTTPS encrypted communication and direct storage in Supabase PostgreSQL database. Via AWS infrastructure. | Database storage and management of member information, analysis results, video snapshot data | Until 30 days after account deletion or contract termination |
| Functional Software, Inc. (Sentry) 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | Service usage logs, access IP address, browser information (User-Agent), error occurrence time, stack traces, request URL, HTTP method (personal identification information automatically masked) | United States (California and Sentry data centers) Transfer Time: Real-time transfer when service errors occur | Network transfer through HTTPS encrypted communication. Sentry SDK automatically transmits error logs. | Service error cause identification, performance monitoring, stability improvement | 90 days from collection date (automatically deleted according to Sentry platform policy) |
| Google LLC (Google AdSense) 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Advertising identifier (Cookie ID), visited page information, ad click information, device information (browser type, OS), ad impression and click data | United States (California and Google global advertising network) Transfer Time: Real-time transfer when user consents to ads on consent banner | Network transfer through HTTPS encrypted communication. Google AdSense script automatically collects cookies. | Serving personalized ads, measuring ad performance, advertising revenue settlement | Until consent withdrawal or up to 13 months per Google AdSense policy |
Data Subject Rights and Safety Measures for Cross-Border Transfer:
① Data subjects have the right to refuse consent to cross-border transfer; however, service use is fundamentally impossible without consent.
② The Company takes the following measures to ensure the safety of personal information transferred overseas:
- HTTPS/TLS encrypted communication (encryption in transit)
- Supabase PostgreSQL database encryption (encryption at rest)
- Verification that Google, Supabase, and Sentry hold international security certifications such as SOC 2 Type II and ISO 27001
- Specification of personal information protection obligation clauses in outsourcing contracts (see Article 4)
- Regular security audits and monitoring of consignees
③ Compliance with personal information protection regulations by overseas transferees:
- Google LLC: Complies with California Consumer Privacy Act (CCPA), EU GDPR
- Supabase, Inc.: EU GDPR, SOC 2 Type II certification
- Functional Software, Inc. (Sentry): EU GDPR, Privacy Shield Framework compliance
① The Company destroys personal information without delay when it becomes unnecessary, such as when the retention period expires or the processing purpose is achieved. However, a 30-day grace period is provided after account deletion in accordance with Article 3.
② The procedures and methods for destroying personal information are as follows.
1. Destruction Procedures
① Automatic Destruction (30 Days After Account Deletion)
- Daily automated cleanup job automatically selects member data that has passed 30 days based on deleted_at timestamp
- Sequentially and permanently deletes from Supabase database in the following order: user_language_preferences → user_tier_history → video_snapshots → analysis_history → user_analyses → user_tiers
- Deletion operations are processed as transactions; in case of failure, rolled back to ensure data consistency
② Manual Destruction (Upon Data Subject Request)
- When data subject requests immediate destruction via visionary.0419@gmail.com, database records are manually deleted after approval by the Personal Information Protection Officer
- If there is a legal obligation to preserve, stored separately before destruction (see Article 3, Paragraph 4)
③ Immediate Destruction Upon Logout/OAuth Permission Revocation
- Upon logout: NextAuth.js JWT session cookie immediately deleted (including OAuth tokens)
- Upon Google OAuth permission revocation: Token invalidated on Google server, Company cannot access YouTube data thereafter
2. Destruction Methods
① Electronic File Format Personal Information (Primary Destruction Target)
- Supabase PostgreSQL database: Records permanently deleted via SQL DELETE queries. Database recovery function (Point-in-Time Recovery) disabled to ensure removal from backups.
- JWT session cookies: Immediately destroyed by calling browser cookie deletion API
- Server memory: Metadata temporarily stored during analysis automatically destroyed by JavaScript garbage collection
② Paper Documents (Not Applicable)
- The Company does not store personal information in paper documents. If paper documents are stored in the future, they will be destroyed by shredding or incineration.
③ Destroyed personal information cannot be recovered, and the Company retains destruction records for at least 3 years (Enforcement Decree of the Personal Information Protection Act, Article 48-2).
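The withdrawal steps in Article 3 ③ and the automatic destruction procedure above (soft delete via deleted_at, 30-day grace period with recovery by re-login, transactional purge in the stated table order), written out as an added PostgreSQL example. This is not the Company's database/MUISIK.sql; it assumes every listed table carries a user_id column referencing user_tiers, that the psql-style placeholders :withdrawing_user and :returning_user are supplied by the application, and that a destruction_log table exists for the 3-year destruction records.

```sql
-- Added example, not the Company's own schema or job. Assumptions: each table has a
-- user_id column referencing user_tiers(user_id); :withdrawing_user / :returning_user
-- are bound by the caller; destruction_log(destroyed_at, account_count) is assumed.

-- 1) 'Delete Account' on the Settings page: soft delete, only the timestamp changes.
UPDATE user_tiers
   SET deleted_at = now()
 WHERE user_id = :withdrawing_user
   AND deleted_at IS NULL;

-- 2) Google re-login within the grace period resets deleted_at to NULL.
--    The time guard means a re-login after 30 days matches zero rows, so an
--    account that is due for purge (or already purged) cannot be resurrected.
UPDATE user_tiers
   SET deleted_at = NULL
 WHERE user_id = :returning_user
   AND deleted_at IS NOT NULL
   AND deleted_at > now() - INTERVAL '30 days';

-- 3) Daily cleanup job: one transaction, child tables first, user_tiers last.
--    If any statement fails, PostgreSQL aborts the transaction and COMMIT
--    becomes a ROLLBACK, so no partially purged account is ever visible.
BEGIN;

-- Accounts whose 30-day grace period has elapsed, frozen for this run.
CREATE TEMP TABLE expired ON COMMIT DROP AS
SELECT user_id
  FROM user_tiers
 WHERE deleted_at IS NOT NULL
   AND deleted_at <= now() - INTERVAL '30 days';

DELETE FROM user_language_preferences WHERE user_id IN (SELECT user_id FROM expired);
DELETE FROM user_tier_history         WHERE user_id IN (SELECT user_id FROM expired);
DELETE FROM video_snapshots           WHERE user_id IN (SELECT user_id FROM expired);
DELETE FROM analysis_history          WHERE user_id IN (SELECT user_id FROM expired);
DELETE FROM user_analyses             WHERE user_id IN (SELECT user_id FROM expired);
DELETE FROM user_tiers                WHERE user_id IN (SELECT user_id FROM expired);

-- Destruction record for the 3-year retention requirement: time and count only,
-- so the log itself holds no personal information.
INSERT INTO destruction_log (destroyed_at, account_count)
SELECT now(), count(*) FROM expired;

COMMIT;
```

The cleanup step touches rows of many members, so it should run under the separate service account mentioned in the technical measures, not under an RLS-scoped end-user role.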
① Data subjects may exercise rights such as access to, correction of, deletion of, and suspension of processing of personal information to the Company at any time.
② Rights may be exercised to the Company through writing, email, facsimile (FAX), etc. in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay.
③ Data subjects can view their personal information or directly delete it and withdraw consent at any time through the 'Delete Account' function on the 'Settings' page within the service.
④ Rights may be exercised through a legal representative or authorized agent of the data subject. In this case, a power of attorney in accordance with the form No. 11 attached to the "Notice on Personal Information Processing Methods" must be submitted.
⑤ Requests for access to and suspension of processing of personal information may be restricted in accordance with Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.
⑥ If personal information is specified as a collection target in other laws and regulations, its deletion cannot be requested.
The Company takes the following measures to ensure the safety of personal information in accordance with Article 29 of the Personal Information Protection Act and the "Standards for Ensuring the Safety of Personal Information" (Notice No. 2024-4).
1. Administrative Measures
- Establishment and implementation of internal management plan: Documentation of privacy policy, access permission management, destruction procedures, etc.
- Designation of Personal Information Protection Officer (see Article 10)
- Minimization of personal information processing personnel and regular training (at least once annually)
- Recording and retention of personal information access history (at least 6 months)
2. Technical Measures
- Access Permission Management: Supabase Row Level Security (RLS) policy ensures each member can only access their own data. Administrators use separate service account authentication.
- Encryption: Encryption in transit via HTTPS/TLS 1.3 protocol. Supabase PostgreSQL database has encryption at rest via AES-256. OAuth tokens ensure integrity through JWT signature (HS256 algorithm).
- Access Control: Supabase database access restricted via IP whitelist and API key authentication. Unauthorized access blocked by NextAuth.js JWT session.
- Security Programs: Real-time error monitoring through Sentry. Utilization of DDoS defense and firewall on Vercel platform.
- Personal Information De-identification: Personal identification information (email, name) automatically masked when transmitted to Sentry.
3. Physical Measures
- The Company is a cloud-based service and does not operate its own computer room.
- Supabase, Inc. uses AWS data centers, and AWS ensures physical access control through ISO 27001, SOC 2 Type II certifications.
- Google LLC implements physical security measures such as biometric identification and 24-hour security personnel at its own data centers.
① The Company uses 'cookies' or similar technologies to a minimum for data subject convenience.
② Types and purposes of cookies used:
1. Essential Cookies
- Cookie Name: next-auth.session-token (or __Secure-next-auth.session-token)
- Issuer: NextAuth.js library
- Purpose: Maintaining member login status and JWT session management (including OAuth 2.0 tokens)
- Retention Period: Maximum 30 days (can be deleted upon logout or browser closure)
- Stored Information: JWT token (encrypted user ID, email, Google access token, refresh token)
- Rejection Availability: Service use not possible without login if rejected
2. Analytics Cookies
- The Company does not currently use third-party analytics tools such as Google Analytics or Facebook Pixel.
- If used in the future, prior consent will be obtained or this policy will be revised and notified.
3. Advertising Cookies
- Cookie Names: _gcl_au, __gads, __gac, id (Google AdSense)
- Issuer: Google LLC
- Purpose: Providing personalized advertisements, measuring advertising performance, advertising revenue settlement
- Retention Period: Up to 13 months (per Google AdSense policy)
- Rejection Availability: Rejectable (may affect service sustainability due to reduced advertising revenue)
- Rejection Methods:
• Select "Allow essential cookies only" on consent banner
• Google Ads Settings: https://adssettings.google.com
• Browser cookie blocking settings (see below)
③ Methods to reject cookie settings:
- Chrome: Settings > Privacy and security > Cookies and other site data > "Block all cookies"
- Firefox: Settings > Privacy and security > Cookies and site data > "Block all cookies"
- Safari: Preferences > Privacy > "Block all cookies"
- Edge: Settings > Cookies and site permissions > "Block all cookies"
④ Service use limitations when rejecting cookies:
- All services unavailable due to inability to login if essential cookies are rejected
- Even if cookies are allowed, the Company does not use cookies to track individuals or for advertising purposes.
① Data Controller (for GDPR purposes): MUISIK is the data controller responsible for processing your personal information. For inquiries regarding data processing, please contact:
▶ Data Controller / Personal Information Protection Officer
- Service Name: MUISIK
- Contact Email: visionary.0419@gmail.com
- Data Protection Officer: Available via email at visionary.0419@gmail.com
② Data subjects may contact the Data Controller/Personal Information Protection Officer regarding all personal information protection-related inquiries, complaint handling, and damage remedies arising from the use of the Company's services. The Company will respond to and handle data subject inquiries without delay.
③ For EU Users: If you are located in the European Economic Area (EEA), you have the right to lodge a complaint with your local data protection authority if you believe your personal data has been processed in violation of GDPR.
For International Users: All disputes arising from these Terms and the use of the Service shall be subject to the exclusive jurisdiction of the courts of the Republic of Korea, governed by Korean law.
For Korean Users: Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, Korea Internet & Security Agency Personal Information Infringement Report Center, etc. to receive remedies for personal information infringement.
1. Personal Information Dispute Mediation Committee (Korea)
- Phone: 1833-6972 (without area code)
- Website: www.kopico.go.kr
2. Personal Information Infringement Report Center (Korea Internet & Security Agency)
- Phone: 118 (without area code)
- Website: privacy.kisa.or.kr
3. For EU Users: Local Data Protection Authority
- You have the right to lodge a complaint with your local data protection authority if you believe your personal data has been processed in violation of GDPR.
- Find your local authority: https://edpb.europa.eu/about-edpb/board/members_en
A person whose rights or interests have been infringed due to dispositions or omissions by the head of a public institution regarding requests under Article 35 (Access to Personal Information), Article 36 (Correction and Deletion of Personal Information), and Article 37 (Suspension of Processing of Personal Information, etc.) of the Personal Information Protection Act may file for administrative adjudication in accordance with the Administrative Adjudication Act.
① This Privacy Policy is effective from the effective date, and if there are additions, deletions, or corrections to the contents in accordance with laws and policies, the Company will notify through announcements 7 days before the implementation of changes.
② However, in case of significant changes to data subject rights such as collection and use of personal information or third-party provision, the Company will notify at least 30 days in advance.
③ Changes will be notified through announcements within the service or individual notification via email, and the revised Privacy Policy will be effective from the date of announcement.
Article 1 (Effective Date)
This Privacy Policy is effective from December 1, 2025.
Article 2 (Relationship with Previous Policy)
This policy applies retroactively to personal information collected before the implementation of this policy. However, if personal information is used beyond the scope of existing consent or provided to third parties, separate consent will be obtained.
Article 3 (Handling of Technical Detail Changes)
Even if technical details specified in this policy (e.g., database table names, API endpoints, file paths, etc.) are changed for service improvement, if the purpose, items, and retention period of personal information processing remain the same, they will be considered minor changes and may be internally modified without separate notice. However, changes affecting data subject rights will be notified in advance in accordance with Article 12.
Article 4 (Contact Information)
If you have any questions regarding this Privacy Policy, please contact the following:
MUISIK Privacy Protection Officer
Email: visionary.0419@gmail.com
Company: MUISIK