Privacy Policy

Mustel is built with a local-first philosophy. We believe that static analysis of your codebase should never compromise your code sovereignty.

Local & Offline Execution

Mustel runs entirely on your local machine. When you run commands such as mustel review, the analysis, linting (Ruff), security scanning (Bandit), and codebase structure parsing happen entirely in your local terminal or editor process. No source code files, text blocks, tokens, or abstract syntax trees are ever uploaded to, cached on, or processed by remote servers.

Telemetry & Analytics

Mustel does not collect telemetry, usage metrics, or error tracking data. We do not track which commands you run, the size of your repositories, the packages scanned, or the IDE configurations configured via the bootstrap system. Your usage remains fully private and offline.

Third-Party Dependency Checks

When Mustel runs in **Audit Mode** (either through the --audit flag or automatically in CI pipelines), it invokes pip-audit. The dependency check queries public vulnerability databases (such as OSV.dev) to audit package versions. During this check:

  • Only package names and version numbers are transmitted to look up active CVEs.
  • No actual codebase files, function definitions, or application logic are sent.
  • No personal identifiers, accounts, or developer metadata are transmitted.

Open Source Sovereignty

The entirety of Mustel is open source under the MIT License. You have complete transparency to audit the underlying Python package source code to verify that no tracking, analytics hooks, or network telemetry have been added.

Contact Information

If you have any questions or feedback regarding our privacy philosophy, please contact the maintainers at mustel.oss@gmail.com.

Last updated: July 1, 2026