Privacy Policy
Last updated: 2026-04-20 · MANAVA Creator Cabinet (app.manava.media)
This Privacy Policy describes how MANAVA Media (the “Service”, “we”, “our”) collects, uses, stores, shares and deletes personal data when you use the MANAVA Creator Cabinet at app.manava.media. It is written to comply with Meta’s Platform Terms and Developer Policies, the EU GDPR, and the California Consumer Privacy Act (CCPA).
1. Data Controller
MANAVA Media (sole proprietor: Serhii Mariukhna) is the data controller. You can reach us for any privacy-related request at privacy@manava.media.
2. Data We Collect
2.1 Account information
- Email address (used as your login identifier)
- Display name
- Password — stored only as a bcrypt hash, never in plaintext
- Preferred interface language (EN, RU, UK, DE, ES)
- Timestamps: account creation, last login, email verification, soft-delete
2.2 Graph API Data (Instagram, Facebook, Threads)
When you connect an Instagram Business / Creator account, a Facebook Page, or a Threads account through the official Meta login flows, we receive and store Graph API Data strictly for the features we advertise:
- Account identifiers: ig_user_id, ig_username, fb_user_id, threads_user_id, threads_username, Page ID
- Profile data: follower count, media count, profile picture URL
- Per-post insights: views, reach, impressions, likes, comments, shares, saves, watch time, retention, saves rate
- Account-level insights: impressions, reach, follower growth, online followers, audience gender/age buckets, audience country, audience city
- Threads insights: per-post views, likes, replies, reposts, quotes; account-level followers and views
- Cross-post engagement: Facebook Page-level page_impressions_unique, page_post_engagements, page_video_views for Reels cross-posted to Facebook
- OAuth tokens: stored encrypted at rest, bound to the specific account that authorized them, revoked immediately on disconnect
2.3 Scopes we request
Every Meta permission we request is used by a feature visible in your own cabinet:
- instagram_basic — identify your Instagram Business/Creator account and list your own posts
- instagram_content_publish — publish Reels, feed posts and carousels on your behalf from the Studio or Calendar
- instagram_manage_insights — power every analytics dashboard in the cabinet
- pages_show_list — list the Facebook Pages you manage so you can pick which Instagram account to connect
- pages_read_engagement — read Facebook-side engagement for Reels you cross-post, so combined reach appears in one place
- business_management — let creators with multiple Meta Business assets add extra accounts without re-logging in
- threads_basic — identify your connected Threads account
- threads_content_publish — publish Threads posts on your behalf from the cabinet
- threads_manage_insights — surface Threads per-post and account-level insights in your dashboard
2.4 Usage and diagnostic data
- HTTP request logs (timestamp, path, status code, IP address, user-agent), retained 30 days for security and abuse monitoring
- Audit events for authentication (signup, verify, login, password reset, deletion), retained 90 days
- Internal AI-call telemetry (endpoint, token counts, cost, cache-hit flag) — no prompt or response content is stored alongside, only aggregate metadata
3. How We Use Your Data
- Operate the Creator Cabinet’s analytics dashboards, publishing flows, calendar, hashtag recommendations, best-time-to-post heatmap, Account Quality Score, competitor benchmarks, and Threads cross-post features.
- Authenticate you, keep your session live, and enforce tenant isolation.
- Protect the Service against abuse, spam, automated scraping and platform-terms violations.
- Send you transactional email strictly tied to your account: signup verification, password reset, security notices. We do not send marketing email.
- Generate anonymized, aggregated product metrics (e.g., % of creators who publish weekly). No Graph API Data is ever included in these aggregates in a form that could identify an individual creator or end-user.
We do not sell your personal data, share Graph API Data with third parties, use it for advertising, attempt to reverse-engineer identities, or build profiles of end-users of your Instagram/Facebook/Threads accounts. Graph API Data is used solely to operate features you initiated within your own cabinet.
4. Legal Basis (GDPR)
- Performance of a contract (Art. 6 §1(b) GDPR) — operating the Service you signed up for.
- Legitimate interests (Art. 6 §1(f)) — security, abuse prevention, product analytics in aggregated form.
- Consent (Art. 6 §1(a)) — each Meta permission is consented to explicitly through the official Meta login dialog before any Graph API Data is fetched.
5. Data Retention
| Category | Retention |
| --- | --- |
| Account profile (while active) | For the life of the account |
| Account profile (soft-deleted via /settings) | 30 days, then hard-deleted automatically |
| Account profile (hard-deleted via /api/me/delete) | Removed immediately along with every scoped record (creators, insights, OAuth tokens, threads posts, publications, calendar, hashtag / originality / AQS / leaderboard rows) |
| OAuth access tokens | Revoked via the Meta token-revoke endpoint immediately on disconnect; row removed from oauth_tokens |
| Meta data-deletion callback (/meta/data-deletion-callback) | Processed asynchronously; meta_data_deletion_requests row retained 90 days for audit, no Graph API Data stored in it |
| HTTP request logs | 30 days |
| Auth audit log | 90 days |
6. Processors / Sub-processors
We rely on the following sub-processors strictly to operate the Service:
- DigitalOcean — hosting (EU/NL datacenter), backup storage (DO Spaces)
- Anthropic — Claude Sonnet LLM used for creator-facing AI features (hashtag suggestions, creative brief, competitor insights, best-time-to-post insights). Prompts contain aggregated per-creator metric summaries; they never contain OAuth tokens, passwords or raw end-user PII from your followers.
- Google — Gemini Flash Lite used for content-research pipeline and bio analysis during onboarding
- Resend — transactional email delivery (signup verification, password reset); receives only the recipient email address, subject line and one-time verify/reset link
- Meta Platforms — Facebook Login, Instagram Graph API, Threads API (not a sub-processor — a first-party integration you explicitly authorize)
7. Your Rights
Whether or not you are located in the EU or California, we honor the following rights for every MANAVA account:
- Access / Export — GET /api/me/export returns a JSON archive of every row scoped to your account (user profile, creators, video_metrics, publications, threads_posts, OAuth provider list).
- Rectification — edit your profile in /settings; contact us if you need a field we don’t expose in the UI.
- Erasure —
  - Soft-delete (30-day recovery window): /settings → Delete account.
  - Hard-delete (immediate): POST /api/me/delete with confirm=HARD_DELETE_MY_DATA.
  - If you revoke MANAVA from your Facebook Settings, Meta sends a signed request to POST /meta/data-deletion-callback and we perform the same hard-delete.
  - Public-facing instructions: /data-deletion.
- Portability — the JSON export is machine-readable and re-importable.
- Object / Restrict processing — email privacy@manava.media.
- Lodge a complaint — with your local EU data protection authority.
8. Security
- TLS 1.2+ for every connection (Caddy-managed Let’s Encrypt certificates)
- Passwords hashed with bcrypt
- OAuth tokens encrypted at rest
- Per-request tenant isolation via middleware (session_guard); routes never cross tenant boundaries
- Data-deletion callback signed-request verification (HMAC-SHA256 against the app secret)
9. Children
MANAVA is not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, email privacy@manava.media and we will delete the account.
10. International Transfers
MANAVA’s primary infrastructure is in the EU (DigitalOcean NL). Sub-processors (Anthropic, Google, Resend) may process data outside the EU under Standard Contractual Clauses.
11. Changes to this Policy
We will notify registered creators by email at least 14 days before any material change. The “Last updated” date at the top of this page always reflects the current version.
12. Contact