Magnet Manager Magnet Manager — Privacy & Permissions
Core promise: This extension does not collect your browsing history, does not read any cookies except for 115.com, and does not report data to any third-party analytics service. All magnet processing happens locally in your browser; 115 offline / aria2 push operations are sent directly from your browser, never proxied through our servers.
1. Data we collect
| Data | Purpose | Storage | Uploaded? |
|---|---|---|---|
| Purchase email | License delivery, refund contact | Our license server (Cloudflare Worker + D1, deployed at api.magnet.gaoyatang.com) | You provide it at purchase |
| Device ID (browser-generated UUID) | License device binding (5-device cap) | Local chrome.storage.local, only sent during license check | Sent to our license server |
| License key | Paid user identifier | Local chrome.storage.local | Sent during license check |
| aria2 endpoint / token / save dir | RPC push config | Local chrome.storage.local | Never uploaded |
| 115 offline directory cid | Magnet push target | Local chrome.storage.local | Never uploaded |
| Last 3 extension crash diagnostics | Prompt the user on next popup open to optionally submit anonymous diagnostics | Local chrome.storage.local, 7-day TTL | Only uploaded after the user clicks "Submit diagnostics" |
| Last 50 full task logs | Detailed log view, troubleshooting, copying magnet / aria2 GIDs | Local chrome.storage.local | Never uploaded |
| 115 offline task list ("My 115 Files" page) | From v0.2.0: an in-extension page that lists every offline task on your 115 account, so you can one-click push to aria2 | Fetched live from 115's own API (in your browser context) when you open the page; not persisted locally | Never uploaded to our servers (request goes browser → 115 directly) |
Task logs may include the full magnet URL, entry source (popup / page button / context menu), per-step status, error messages, aria2 GIDs, and SmartResult JSON; stored only in your local browser. Clear all entries via the "Full log" page (popup → "📋 Full log").
2. What we do NOT collect
- No browsing history or visited site list
- No cookies from any domain other than 115.com
- No web form contents, passwords, or personal information
- No reporting to Google Analytics / Microsoft Clarity / any third-party analytics
- No reading of your local files or clipboard (unless you actively paste a magnet into the popup)
3. Per-permission justifications
API permissions
| Permission | Purpose | Where called |
|---|---|---|
storage | Persist license / config / task history | chrome.storage.local in background / popup / options |
cookies | Only reads 115.com domain cookies, used to call 115 offline-download APIs. When the "115 → aria2 relay" feature is enabled, also reads the 115 CDN auth cookie acw_tc and forwards it as an HTTP header to your own configured aria2 endpoint (required for aria2 to fetch files from 115's CDN); never sent to our servers | chrome.cookies.get({ url: 'https://115.com', ... }) in background |
notifications | Notify on magnet task completion / failure | chrome.notifications.create in background |
contextMenus | Add "Send to Magnet Manager" right-click menu item | chrome.contextMenus.create in background |
alarms | Daily background sync of license state / server time | chrome.alarms.create in background, daily interval |
Host permissions (granted at install)
| Origin | Purpose |
|---|---|
https://115.com/* + https://*.115.com/* | Call 115 offline-download APIs. 115 binds session cookie to issuing IP, so requests must originate from your browser context; the extension calls directly, never through our servers. |
https://api.magnet.gaoyatang.com/* | Call our license validation / order / refund services. All payment data transmitted over HTTPS + HMAC-signed. |
http(s)://localhost/* + http(s)://127.0.0.1/* | Local aria2 RPC (default scenario). |
Optional host permissions (granted on demand, with browser prompt)
If your aria2 is not on localhost (NAS, Tailscale, reverse proxy, etc.), the extension will prompt the browser permission dialog automatically when you save the endpoint. You can revoke at any time via chrome://extensions/ → "Site access".
Content Script <all_urls>
Content script is injected into all pages, but only does local-only magnet detection (regex scan of page magnet links). It does not send any data to any server. Detected magnet links get a "→ Offline" button injected next to them; the magnet is only sent to background after you click the button. The content script itself makes no outbound network requests or sensitive operations.
4. Third-party services
| Service | Purpose | Data scope |
|---|---|---|
| 115 Cloud Storage (115.com) | Offline downloads / file management | Magnet URL and 115 cookie only, called directly by the extension, never through our servers |
| Our license API (api.magnet.gaoyatang.com) | License validation, orders, refunds | Purchase email, license key, device ID |
| Alipay (landing page redirect only) | Purchase payment | Order amount and ID only, never via this extension |
| Your configured aria2 RPC endpoint | Download task push | Default mode ("aria2 only" button / smart-push fallback): magnet URL + save path. "115 → aria2 relay" mode (opt-in via Settings): 115 HTTPS download URL + filename/subdirectory path + User-Agent + Referer: https://115.com + 115 CDN auth cookie header Cookie: acw_tc=... (without it aria2 cannot pull from 115's CDN).Target address fully under your control; only enable relay for aria2 endpoints you trust. |
5. User-initiated feedback data (since v0.1.3)
When the user clicks the in-extension "Report problem" button to actively submit,
the extension uploads sanitized diagnostic data to our license server
(api.magnet.gaoyatang.com). Nothing is sent without that click.
What is uploaded:
- User description (≤ 500 chars, optional) + contact email (optional)
- The associated task log (per-step status / error code / aria2 GID / file size / elapsed) — by default only btih hash is sent, no filename and no magnet trackers
- Only when user explicitly checks "include filename" is the
dnfield uploaded (trackers/passkeys are still stripped) - Config summary (relay flag / aria2 domain only / license mode / Beta days remaining)
- Browser + OS + Chrome version
- Last 20 SW
[mm:-prefixed console warnings/errors - If the extension crashed during the previous run, the popup asks whether to submit anonymous diagnostics; only after that click do we upload a redacted and truncated crash message / stack summary
- Anonymous install id (one-time UUID, used only for rate-limiting, not bound to license)
Never uploaded: cookies / aria2 RPC token / license key / full aria2 endpoint URL / file path passwords / full magnet URLs / local paths, etc. Crash messages and stacks are redacted for URLs, secrets, license/cookie-like values, full magnets, and local paths, then truncated.
Retention: open / triaging tickets up to 180 days; resolved / spam tickets purged after 90 days.
6. Data retention and deletion
- Local data (
chrome.storage.local): cleared automatically when you uninstall the extension - License server data: email [email protected] to request deletion
- After refund, the license is invalidated immediately; related order data is retained as accounting records (per legal requirements)
- Feedback tickets: see §5
7. Contact
Privacy questions, data requests, bug reports:
Email [email protected]
Product home magnet.gaoyatang.com
Last updated: 2026-05-07