Chrome Extension

Privacy Policy

neXusNerds Bulk Fetch SnapShot  ·  Last updated: May 2026  ·  Covers Version 6, Version 9.5.x, and Version 9.6.0.x (latest submission)
Short version: This extension reads your own Unity node data directly from your authenticated Unity session and saves it to a local file on your device. It collects nothing about you, sends nothing to any neXusNerds server, and stores nothing remotely. There is no backend, no telemetry, and no third-party connections of any kind beyond Unity's own API.
About this page: Three versions of the extension exist in the wild or in the review queue. V6 was the original earnings-only export submission. V9.5.x added withdrawals, licenses, analytics, and the local SnapShot viewer. V9.6.0.x is the current submission and adds card flips, the Dashboard tab, five export formats, encrypted archive import, a forced PIN at first run, and an in-viewer Search Messages feature. Sections below are labelled so you can see which rules apply to which version. All three are local-only, operator-data-only, and send nothing to any neXusNerds server — the protections only become stronger in v9.6.0.x.
📋 Overview

neXusNerds Bulk Fetch SnapShot is a Chrome extension for Unity Node operators and lessees. It works around the 20-records-at-a-time pagination limit of the Unity operator portal by capturing your own data — earnings (V6), plus withdrawals, licenses, and per-license analytics (V9.5.4) — into a single downloadable JSON file. In v9.5.4, a built-in local SnapShot viewer then opens in a new tab to let you search, sort, and filter that data.

This privacy policy explains exactly what each version does with your data — which is, in every version, nothing beyond saving it to your own device.

🔒 Data we collect All versions

Nothing is sent to any neXusNerds server. No version of this extension collects, transmits, or shares any personal data or usage data with neXusNerds or any third party. There is no backend server, no analytics pixels, no telemetry, and no external connections of any kind beyond the Unity API calls described below.

The items below are stored locally on your own device via Chrome's built-in chrome.storage.local. They never leave your device and are never synced across Chrome profiles.

  • Theme choice (dark / light / auto) [All]
  • Account label used in download filenames [All]
  • Privacy-mode toggle state [9.5+]
  • First-run help-viewed flag [9.5+]
  • Most recent captured snapshot — your earnings, withdrawals, licenses, analytics, and inbox metadata — kept so the viewer can render it after the popup closes. [9.5+]
  • Short recent-downloads history [9.5+]
  • Your custom lease aliases (names you set), group assignments, and task labels — for the Snapshot viewer to display them [9.6.0]
  • Hashed encryption password and hashed PIN (PBKDF2 310,000 iterations, random salt) — used to gate access to your captured data and to decrypt encrypted archive imports. Plaintext password and PIN are never stored. [9.6.0]
  • Your Unity API session tokens (a JWT authorization header and an apikey header) — captured live from Unity's own page traffic, used by the extension to call Unity's API on your behalf. Tokens are short-lived JWTs that expire on Unity's server-side session policy. [9.6.0]
  • Cached message bodies for the Search Messages feature — fetched on demand from Unity for conversations you can already see in your Unity account. Cleared when you sign out or click Clear Session. [9.6.0]

Every one of the items above is wiped instantly when you click Clear Session in the extension popup, when you uninstall the extension, or when Chrome itself clears extension storage.

What the extension does

V6: While you are signed in to manage.unitynodes.io, the extension intercepts the browser's request for your earnings data and asks Unity for more records per page (up to 1,000 instead of 20). Your earnings JSON is then saved to your device through Chrome's download API. No other data types are captured, and no viewer is opened.

V9.5.x: The same capture mechanism is extended to also pull your withdrawal records, active licenses, per-license analytics, and inbox metadata (conversation IDs and unread counts) — all via the same authenticated Unity API calls Unity's own dashboard issues on your behalf. After capture, a separate local SnapShot viewer tab opens so you can search, sort, filter, and browse the data. The viewer is pure local rendering — no network calls.

V9.6.0.x: The viewer gains a Dashboard tab (overview of all leases), tap-to-flip lease cards with timeline + tap-to-copy hex chips, five export formats (CSV, JSON, Backup, PNG, HTML), and an in-viewer Search Messages feature. Search Messages requires the extension to call Unity's message-thread RPC (messaging_conversation_get) once per conversation, so message bodies can be indexed locally for the search. Those calls are made through the open Unity tab using your existing session — no separate authentication, no credentials stored beyond Unity's own short-lived session tokens.

In all versions, your lease data goes directly from Unity's servers to your browser to a file on your own disk. It never passes through any neXusNerds server. The extension is only involved in making the request, sanitizing sensitive fields (see below), and triggering the file save.

🔐 Optional encryption & PIN gate V9.5.4+

V9.5.4 added an optional password field. If you enter one, the downloaded archive is encrypted with AES-256-GCM using a key derived via PBKDF2 with 310,000 iterations, a random 16-byte salt, and a random 12-byte IV. If you leave the password blank, the file is saved as plain JSON.

V9.6.0 requires both an encryption password and a 4–6 digit PIN at first run. Both are hashed (PBKDF2 310,000 iterations, separate random salts) before being stored. The PIN provides quick re-authentication after the snapshot viewer sits idle for ~60 seconds; the password is needed to decrypt encrypted archive imports and is reused as the recovery path if you forget the PIN.

Encryption and hashing happen entirely in your browser. No key material, no plaintext password, no plaintext PIN, and no encrypted content ever leaves your device. The password and PIN you type are used to derive keys and are never stored in plaintext form.

🔑 Unity session tokens V9.6.0

For the Search Messages feature, the extension stores your Unity API session tokens locally so the viewer page can call Unity's message-thread RPC on your behalf. Specifically:

  • The tokens captured are the authorization JWT and apikey headers that Unity's own page already sends with every request. The extension captures them passively from your own page traffic — it does not request them, prompt for them, or read them from any login form.
  • They are stored only in chrome.storage.local, which is sandboxed to this extension. Other extensions cannot read it. The tokens never travel to any neXusNerds server.
  • The tokens are short-lived JWTs. Unity's server-side session policy enforces expiry; once they expire, the extension cannot make any further calls without a new Unity sign-in.
  • The tokens are used for two operations: (a) the messaging_conversation_get RPC that fetches a single conversation thread for the Search Messages cache, and (b) the same RPC when you open a chat in the viewer to read or reply.
  • Clicking Clear Session in the extension popup wipes the tokens immediately along with every other piece of captured data.

This is the same posture used by the vast majority of Chrome extensions that authenticate to APIs on the user's behalf. We disclose it explicitly here because the previous v9.5.x submission did not store auth tokens at all (the v9.5.x viewer had no need to call Unity from the extension context).

🛡️ Data handling — sensitive fields V9.5.4

Version 9.5.4 introduces a strict whitelist sanitizer on withdrawal records that version 6 does not have. These protections are new in v9.5.4:

Wallet addresses. Your full payout wallet address is never transmitted or stored by this extension. Only the last 4 characters appear in your downloaded JSON file as a reference aid, so you can match a withdrawal to the correct destination account at a glance. The full address is stripped on ingest before the record is ever written to disk.

Internal identifiers. Unity's withdrawal records include two internal identifiers (userId and externalId) that identify you inside Unity's own systems. Both are stripped from withdrawal records on ingest — they never appear in the downloaded JSON.

Unknown future fields. Sanitization is whitelist-based, not blacklist-based. If Unity adds new fields to their API in the future, those fields are silently dropped by default rather than silently leaked into your export.
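
An allow-list sanitizer of the kind described above can be sketched as follows. This is an added example, not the extension's own code: apart from userId and externalId, every field name (including walletAddress and walletLast4) is a hypothetical stand-in for Unity's real schema, and the sample records are constructed.

```javascript
// Added example, not the extension's code. Apart from userId and externalId,
// every field name here is a hypothetical stand-in for Unity's real schema.
const ALLOWED_FIELDS = new Set(['id', 'amount', 'currency', 'status', 'createdAt']);
const WALLET_FIELD = 'walletAddress'; // hypothetical name of the payout address
const PRIMITIVES = new Set(['string', 'number', 'boolean']);

// Reduce a wallet address to its last 4 characters. Non-strings, and strings
// so short that a 4-character suffix would reveal most of them, become null.
function walletSuffix(address) {
  if (typeof address !== 'string' || address.length < 12) return null;
  return address.slice(-4);
}

// Build a new object from the allow-list rather than deleting known-bad keys,
// so a field the API adds later is dropped by default.
function sanitizeWithdrawal(raw, dropped) {
  const clean = {};
  for (const [key, value] of Object.entries(raw)) {
    if (key === WALLET_FIELD) continue; // handled separately below
    // Copy primitives only: a nested object could carry fields nobody vetted.
    if (ALLOWED_FIELDS.has(key) && PRIMITIVES.has(typeof value)) clean[key] = value;
    else dropped.add(key); // log the key name only, never its value
  }
  clean.walletLast4 = walletSuffix(raw[WALLET_FIELD]);
  return clean;
}

// Sanitize a batch and report which keys were discarded (useful for spotting API drift).
function sanitizeWithdrawals(records) {
  const dropped = new Set();
  const cleaned = records.map((record) => sanitizeWithdrawal(record, dropped));
  return { records: cleaned, droppedKeys: [...dropped].sort() };
}

// Constructed sample input, not real data.
const sampleWithdrawals = [
  { id: 'w-001', amount: '12.50', currency: 'USDT', status: 'paid',
    createdAt: '2026-04-01T10:00:00Z', userId: 'u-123', externalId: 'ext-9',
    walletAddress: '0xEXAMPLE0000000000000000000000000000001a2b',
    kycLevel: 2 },                                   // field from a "future" API version
  { id: 'w-002', amount: '3.00', walletAddress: '1a2b',
    status: { code: 'paid', userId: 'u-123' } },     // nested object in an allowed slot
];

console.log(JSON.stringify(sanitizeWithdrawals(sampleWithdrawals), null, 2));
```

The second record shows why only primitive values are copied: an identifier nested inside an otherwise allowed field would pass a key-only check.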

Honest note about v6. Version 6 was an earnings-only export. Unity's earnings records do not include wallet addresses, userId, or externalId, so those sanitizers had nothing to apply to. The sanitizers exist in v9.5.4 because v9.5.4 captures withdrawal records, where those fields are present. If you are running v6, your download does not contain wallet or identifier data in the first place — it only contains earnings line items.

🚫 What the extension cannot do Both versions

  • Access any website other than manage.unitynodes.io (v6) or manage.unitynodes.io and api.unityedge.io (v9.5.4 — both are Unity-owned endpoints)
  • Read your passwords, cookies, or login credentials
  • Send your data to any server — including neXusNerds servers
  • Run in the background when you are not on the Unity portal
  • Access your browsing history or any other tab
  • Modify page content on the Unity portal beyond intercepting its own API requests
  • Execute any remote code — Content Security Policy (v9.5.4) forbids inline scripts and remote sources; no eval, no dynamically-loaded scripts

🔑 Permissions

The extension requests the minimum permissions necessary. Version 9.5.4 requires two additional entries that version 6 does not: the downloads API (to save the archive file) and the api.unityedge.io host (for withdrawal / license / analytics RPC calls).

| Permission | Why it is needed | Version |
|---|---|---|
| scripting | Inject a content script into the Unity operator portal to capture the authenticated API request templates Unity itself uses. Runs only on the Unity domain. | Both |
| storage | Save user preferences (theme, label, privacy toggle, help-viewed flag, most recent snapshot, recent downloads) locally via chrome.storage.local. No sync across devices. | Both |
| downloads | Save the captured archive JSON (plain or encrypted) to your Downloads folder. Only triggered by your Download click. | V9.5.4 |
| manage.unitynodes.io | Host permission for the Unity operator dashboard where you are already authenticated. The content script runs only here. | Both |
| api.unityedge.io | Host permission for the Unity Edge API domain. Needed for the additional RPC calls that retrieve withdrawals, licenses, and per-license analytics — the same endpoints Unity's own dashboard calls. | V9.5.4 |

🌐 External links V9.5.4

Version 9.5.4 adds two buttons to the extension's toolbar that open a new tab in your browser:

  • A help button that opens the extension's bundled help page (help.html, included in the extension — no network call)
  • A globe button labelled "Visit neXusNerds" that opens nexusnerds.io in a new tab

Both are user-initiated — the buttons do nothing until you click them. The destination website nexusnerds.io has its own privacy practices separate from this extension; the extension does not read anything back from that tab once it opens.

🔗 Third-party services Both versions

The extension interacts only with Unity's own infrastructure (manage.unitynodes.io for both versions; api.unityedge.io additionally in v9.5.4), using the session and credentials your browser already has with Unity. Your Unity credentials are never read, stored, or transmitted by this extension.

neXusNerds is not affiliated with Unity Network or Unity Network Tech Limited. Use of the Unity platform is subject to Unity's own terms of service and privacy policy.

🔍 Independent security review V9.5.4

Version 9.5.4 was independently reviewed by a third-party security auditor on 2026-04-20. The review examined the extension's JavaScript source for malware, backdoors, data exfiltration, telemetry, obfuscation, cross-site scripting, and injection vectors. No issues were found in any of those categories.

Following the audit, two defensive improvements were applied to version 9.5.4: the fetch monkey-patch capture gate was narrowed from a regex-based check to an explicit allow-list of exact Unity endpoint URLs, and an explicit content_security_policy was added to the manifest declaring that scripts may only run from the extension's own package.

📜 Version history

Substantive changes across versions:

  • Data captured. v6: earnings only. v9.5.x: earnings plus withdrawals, licenses, analytics, inbox metadata. v9.6.0: same as v9.5.x, plus on-demand message-thread bodies for the Search Messages feature.
  • Viewer. v6: no viewer — export-only. v9.5.x: local SnapShot viewer with search / sort / filter / tap-to-flip lease cards. v9.6.0: adds Dashboard tab, tap-to-copy hex chips, lease-timeline bars, archive-import button, Settings overlay, and a five-format Export modal (CSV / JSON / Backup / PNG / HTML).
  • Encryption. v6: plain JSON export only. v9.5.x: optional AES-256-GCM with PBKDF2 310k iterations. v9.6.0: same encryption, plus a mandatory PIN gate at first run (PIN hashed PBKDF2 310k).
  • Sensitive-field handling. v6: earnings records do not include wallet or identifier data, so no sanitizer was needed. v9.5.x: strict whitelist sanitizer on withdrawal records strips full wallet address, userId, and externalId; preserves only the last 4 characters of wallet address for reconciliation. v9.6.0: same whitelist; sanitizer extended to scout-report metadata (also strips a second userId field that appears there).
  • Auth token storage. v6 and v9.5.x: Unity session tokens lived only in the Unity page's memory; the extension never persisted them. v9.6.0: Unity session tokens are stored in chrome.storage.local so the Snapshot viewer can fetch message threads for the Search Messages feature. Tokens are short-lived JWTs governed by Unity's session policy and wipe on Clear Session.
  • Permissions. v9.5.x adds downloads (for file save) and the api.unityedge.io host (for the additional RPC calls). v9.6.0 adds no further permissions — the manifest is byte-identical with v9.5.11sv on permissions, host_permissions, content_scripts, and CSP.
  • Hardening. v9.5.x uses an explicit fetch URL allow-list and declares an explicit content_security_policy. v9.6.0 keeps both, adds a PIN gate against opportunistic local access, and adds front-face-only sanitization to visual exports so PNG / HTML captures cannot accidentally leak hidden-by-CSS card-back content.

👤 Children's privacy Both versions

This extension is intended for use by Unity Node operators and lessees who are adults. It does not knowingly collect any data from anyone, including minors.

✏️ Changes to this policy

Any changes to this privacy policy will be reflected on this page. The "Last updated" date at the top will change accordingly. Material changes will be noted in the extension's Chrome Web Store listing changelog.

✉️ Contact

For questions about this privacy policy or the extension:

Email: nexusnerdsdashboard+privacy@gmail.com
Website: nexusnerds.io