# Privacy Policy for AniList Auto-Like

**Last updated:** May 2026

## Overview
AniList Auto-Like ("the Extension") is a Chrome extension that automatically likes activity feed posts on AniList. This policy explains what data the Extension collects, how it is stored, and your control over it.

## Data Collected

### Data Stored Locally
The Extension stores the following data **only on your device** using Chrome's built-in `chrome.storage.local` API:

| Data | Purpose | Scope |
|------|---------|-------|
| **AniList Client ID** | Identifies your AniList API client for OAuth | You provide this during setup |
| **AniList OAuth Access Token** | Authenticates API requests to like posts | Obtained via the OAuth2 PKCE flow you explicitly authorize |
| **User Blacklist** | List of usernames to skip when liking on the home feed | You manage this in the popup |

### Data NOT Collected
The Extension does **not** collect, transmit, or store:
- Personal identification information (name, email, address)
- Browsing history or navigation data outside `anilist.co`
- Passwords or login credentials (OAuth uses PKCE — your password is never shared with the Extension)
- Analytics, telemetry, or usage statistics
- Any data from non-AniList websites

## Data Storage & Security
- All data is stored locally in `chrome.storage.local`, which is sandboxed to the Extension and never accessible to other extensions or websites.
- The OAuth token is stored with an expiry timestamp. Expired tokens are automatically ignored.
- PKCE (Proof Key for Code Exchange) is used for OAuth — the code verifier is cryptographically random and never reused.

## Data Sharing
The Extension does **not** share, sell, or transmit any user data to third parties. The only external communication is:
- **AniList API** (`graphql.anilist.co`) — to perform the like operation with your token.
- **AniList OAuth** (`anilist.co/api/v2/oauth`) — to complete the authentication flow.

## User Control
You can delete all stored data at any time:
- **Disconnect Account** — removes only the OAuth token (click "Disconnect Account" in the Extension popup).
- **Reset Settings** — removes all data including Client ID, token, and blacklist (click "Reset Settings" in the Extension popup).

## Updates to This Policy
If this policy changes, the Extension will be updated and the "Last updated" date above will reflect the change.

## Contact
For support or privacy concerns, open an issue at:
[https://github.com/Hy4ri/anilist-autolike/issues](https://github.com/Hy4ri/anilist-autolike/issues)