Security

Manio connects to your bank through Open Finance Brasil, the official data-sharing framework regulated by the Banco Central do Brasil under Resolução Conjunta CMN/BCB nº 1/2020. When you connect a bank account, you authorize the connection directly in your bank's app or website. Manio never sees your banking password or login credentials. Open Finance consent is granular and revocable. You choose which accounts to share, and you can revoke access at any time from your bank's app. The consent is time-limited and must be renewed periodically. The integration chain works like this. Manio uses POLP as our integration layer, and POLP in turn relies on Pluggy Brasil Instituição de Pagamento LTDA. (CNPJ 37.943.755/0001-30) for the regulated bank connections. Pluggy is an Iniciador de Transação de Pagamento (ITP) authorised by the Banco Central do Brasil under Resolução BCB nº 80/2021 and listed in the official Open Finance Brasil participants directory. You will see Pluggy's name on your bank's authorisation screen when you grant consent. That is the institution authorised by the Banco Central that receives your authorisation.

Every sensitive value stored in our database is encrypted using AES-256-GCM, an authenticated encryption standard used by financial institutions worldwide. This includes: • OAuth tokens for YNAB, Google Sheets, and Notion • Bank account numbers • Transaction descriptions • Refresh tokens for all connected services Each encrypted value uses a unique random initialization vector (IV) and includes an authentication tag to prevent tampering. Encryption keys are stored separately from the database and are never exposed in application logs or error messages.

Manio requests read-only access to your bank data through Open Finance. This means we can see your transactions and balances, but we cannot initiate transfers, payments, or any other financial operations. The same principle applies to your connected destinations. For Google Sheets, we request the minimum permission scope (drive.file), which only allows access to spreadsheets that you explicitly select or that Manio creates. We cannot access other files in your Google Drive. For YNAB, we use OAuth limited to reading budgets and writing transactions to accounts you select. Manio is listed in YNAB's official app directory as an approved integration.

User passwords are hashed using bcrypt with a cost factor that meets current OWASP recommendations. Plaintext passwords are never stored. All API endpoints require session-based authentication. Every route that accesses user data verifies the session and scopes all database queries to the authenticated user's ID, preventing cross-account data access. API endpoints are rate-limited to prevent abuse. All user inputs are validated with strict schemas to prevent injection attacks.

Manio is hosted on Vercel and uses HTTPS for all connections. Security headers are enforced on every response: • HSTS (Strict-Transport-Security) with a two-year max-age, including subdomains • Content Security Policy (CSP) restricting script, style, and connection sources • X-Frame-Options: DENY to prevent clickjacking • X-Content-Type-Options: nosniff • Referrer-Policy: strict-origin-when-cross-origin Error responses are sanitized to prevent leaking internal details, tokens, or personally identifiable information to the client.

You can delete your account at any time from your profile settings. When you delete your account, Manio: • Disconnects all bank connections through the Open Finance provider • Revokes all stored OAuth tokens • Removes your sessions and authentication data • Deletes your account data from our database You can also revoke Open Finance consent at any time directly from your bank's app, independently of Manio. Payments are processed by Stripe. We do not store credit card numbers or payment details on our servers.