SSL Encryption & Secure Connections
All data in transit is encrypted
HTTPS on every page
All connections to Manva.ai use TLS 1.3 encryption. Your browser shows the padlock icon on every page.
API calls encrypted end-to-end
Every request between your device and our servers is encrypted. Nobody in between can read your data.
Passwords hashed with bcrypt
We never store your password in plain text. Passwords are hashed with bcrypt (12 rounds) — even we can't read them.
Instagram, Facebook & WhatsApp Access
We only take what we need — nothing more
When you connect your Instagram or Facebook account, we request only the specific permissions needed to post on your behalf. Here's exactly what we access and why:
| Permission | Why we need it | What we never do |
|---|---|---|
| instagram_basic | Read your Instagram profile and follower count for your analytics dashboard | Never share with third parties |
| instagram_content_publish | Publish posts to Instagram when you tap "Post" or schedule them | Only posts you explicitly approve |
| instagram_manage_insights | Show you reach, likes and engagement in your analytics | Your stats are private — visible only to you |
| pages_manage_posts | Publish to your Facebook Page | Only when you schedule or post from Manva |
| pages_read_engagement | Facebook analytics in your dashboard | Never sold or shared |
| whatsapp_business_messaging | Send WhatsApp messages when you use the WhatsApp agent feature | Only triggered by you — never automated without permission |
Token storage: Your access tokens are stored encrypted using AES-256 encryption. When you disconnect your account or delete your Manva account, tokens are immediately revoked with Meta and deleted from our systems.
Payment Security
We never touch your card details
Powered by Razorpay
All payments are processed by Razorpay — India's most trusted payment gateway, PCI DSS Level 1 certified. Your card number never passes through our servers.
We store zero card data
Manva.ai does not store, log or have access to your credit card, debit card or UPI details at any point.
Webhook verification
All payment confirmations from Razorpay are verified using HMAC-SHA256 signatures before being processed.
Data Storage & Privacy
Your data stays in India
Data stored in India
All user data is stored on servers located in India, compliant with India's IT Act 2000 and PDPB guidelines.
We never sell your data
Your business information, post history, captions and analytics are never sold to or shared with advertisers or third parties.
Right to deletion
You can delete your account at any time from Settings. All your data — posts, designs, analytics, tokens — is permanently deleted within 30 days.
Sensitive fields encrypted at rest
OAuth tokens, API keys and sensitive account data are encrypted at rest using AES-256 before being stored in our database.
Account Security
Built-in protections on every account
Auto account lockout after 10 failed logins
Cloudflare Turnstile CAPTCHA on login & signup
Sessions expire automatically after inactivity
Secure password reset via email link (1 hour expiry)
Admin accounts protected with 2FA (TOTP)
Express.js fingerprint hidden from public
Found a Security Issue?
We take vulnerability reports seriously
If you've found a security vulnerability in Manva.ai, please let us know responsibly. We commit to:
Acknowledge within 48 hours
We'll confirm receipt of your report within 2 business days.
Fix critical issues within 7 days
Critical vulnerabilities are treated as top priority and patched immediately.
Report to: security@manva.ai
Please include steps to reproduce, potential impact, and any proof of concept. We do not take legal action against good-faith researchers.
Questions about security?
Our team is happy to answer any questions before you sign up.