captchaapi.eu is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). This policy is provided under Article 13 GDPR — it covers personal data collected directly from you as a registered user of the service. It explains what data is collected, why it is collected, the legal basis for each processing activity, and all rights available to you.
1 Data Controller
The data controller responsible for your personal data is:
Vladislav Rajtmajer
Registered address:
Company ID (IČO):
Location: Czech Republic (European Union)
No Data Protection Officer (DPO) has been appointed, as the processing activities do not meet the thresholds set out in Article 37 GDPR (no large-scale systematic monitoring or processing of special categories of data). All data protection inquiries should be directed to the contact email above.
2 What Data We Collect
The service is designed with a privacy-first approach. Only the minimum data necessary to operate the service is collected. No special categories of personal data (Article 9 GDPR) are processed.
When you register: full name, email address, and password (stored as a bcrypt hash — the plaintext password is never retained). Additionally, your subscription tier (Free, Starter, Growth, or Pro), account state (active, grace period, or suspended), and a billing cycle anchor date are stored to enforce plan limits, manage billing status, and calculate monthly usage.
When upgrading to a paid plan, billing details are collected: postal address (street, city, ZIP/postal code, country), and — for business customers — company ID and VAT number. These are required to issue legally compliant invoices and to determine VAT treatment under EU rules. Providing them is optional until you upgrade to a paid plan, at which point they become required for invoicing.
Aggregated challenge and verification counts per project, linked to your account. Usage counts are account-linked and are therefore pseudonymous, not anonymous in the GDPR sense.
Data generated during the CAPTCHA challenge process (challenge tokens, solve results) is stored exclusively in Redis (in-memory cache) and is deleted immediately when the token expires (5 minutes) or is verified — whichever comes first. None of this data is written to persistent storage such as a database.
Visitor IP addresses used for rate limiting are stored only in memory (Redis), in one-way hashed form (SHA-256 with a secret salt). The original IP address cannot be recovered. Hashed values expire automatically after 5 minutes and are never written to the database.
Short-lived server logs (IP address, timestamp, HTTP status code) retained for up to 7 days for security monitoring and abuse prevention only.
No tracking or advertising cookies, no browser fingerprints, no tracking pixels, no cross-site identifiers, no behavioral profiles — ever. The CAPTCHA widget stores nothing on your visitors' devices.
Mandatory vs. optional data. Providing a name and email address is required to create an account. Without them the service cannot be provided. All other fields (e.g. two-factor authentication) are optional and can be configured or removed at any time from your account settings.
3 Legal Basis for Processing
Personal data is processed under the following legal bases (Article 6 GDPR). Consent (Art. 6(1)(a)) is not used as a legal basis for any of the processing activities described below.
| Processing activity | Legal basis (GDPR Art. 6) | Detail |
|---|---|---|
| Account registration and management | Art. 6(1)(b) — Contract | Processing is necessary to perform the service agreement you enter into when creating an account. |
| Transactional email (verification, password reset, 2FA) | Art. 6(1)(b) — Contract | Sending transactional emails is an integral part of account security and operation. |
| Rate limiting (hashed IP addresses) | Art. 6(1)(f) — Legitimate interests | Preventing automated abuse and protecting the service. IP addresses are one-way hashed (SHA-256 + secret salt) before use and are never stored in the database. |
| Security and server logs | Art. 6(1)(f) — Legitimate interests | Detecting intrusion attempts and diagnosing service errors. Logs are automatically purged after 7 days. |
| Aggregated usage statistics | Art. 6(1)(b) — Contract | Necessary to enforce plan limits and provide usage reporting to account holders. Counts are linked to your account and projects (pseudonymous). No visitor personal data is retained in statistics. |
| Subscription tier and billing cycle anchor | Art. 6(1)(b) — Contract | Necessary to determine applicable plan limits, calculate monthly usage within the billing period, and adjust PoW difficulty for the integrator's plan tier. |
| Account state (active / grace period / suspended) | Art. 6(1)(b) — Contract | Necessary to reflect the current billing status of the account and determine service access accordingly (e.g. suspending access after a grace period expires without payment). |
| Billing address, company ID, VAT number | Art. 6(1)(b) — Contract Art. 6(1)(c) — Legal obligation |
Required to issue legally compliant invoices and to determine correct VAT treatment under EU rules (Directive 2006/112/EC). Collected only from users on a paid plan. VAT number is used solely for VAT validation and invoice purposes — not shared with any third party beyond what is required for invoicing. |
4 Data Storage & International Transfers
Application data is stored and processed within the European Union (EU/EEA) on Hetzner infrastructure (Germany). Email delivery is handled by Brevo (Sendinblue SAS, France), also within the EU.
Billing and payment data is processed by Lemon Squeezy, a US-based Merchant of Record, acting as an independent data controller for payment processing purposes. This constitutes a transfer of billing data outside the EU/EEA. Such transfers are subject to appropriate safeguards under Article 46 GDPR and are governed by Lemon Squeezy's own privacy policy and standard contractual clauses where applicable.
EU-hosted infrastructure. Application data and email delivery are processed within the EU/EEA. Billing data is processed by Lemon Squeezy (US) as an independent controller under their own privacy policy.
5 Data Retention
Data is retained only as long as necessary for the stated purpose or legal obligation.
| Data category | Retention period | Notes |
|---|---|---|
| Account data (name, email, password hash) | Until account deletion | Profile data (name, email, password hash) deleted upon request via dashboard settings. Billing records are subject to separate retention obligations under accounting law — see below. |
| Project data & site keys | Until project or account deletion | Removing a project removes its site key and associated usage statistics. Aggregated monthly totals used for billing enforcement are retained separately for up to 12 months. |
| Daily request statistics | 12 months | Aggregated counts per project, linked to your account (pseudonymous). No visitor personal data attached. Automatically purged on a rolling 12-month schedule. |
| Server / technical logs | 7 days | Automatically rotated. Used solely for security monitoring. |
| Hashed IP addresses (rate limiting) | 5 minutes | Ephemeral cache only. Never written to the database. |
| CAPTCHA challenge tokens | 5 minutes | Deleted immediately on verification or upon expiry, whichever comes first. |
| Subscription tier & billing cycle anchor | Until account deletion | Removed when the account is deleted. Historical billing data is retained in invoice records as required by accounting law — the tier at time of invoicing is embedded in those records. |
| Billing address, company ID, VAT number | 10 years after last invoice | Retained for the period required by Czech and EU accounting law (Act No. 563/1991 Coll.). Cannot be deleted on request during this period due to legal obligation. The address stored in your account can be updated at any time; historical invoice copies retain the address as it was at the time of issue. |
| Session cookies | 120 minutes of inactivity | Invalidated on logout. Contain no personal data. |
6 Your Rights Under GDPR
As a data subject under GDPR you have the following rights. To exercise any of them, contact me at . I will respond without undue delay and at the latest within 30 days (extendable by a further two months for complex requests, with notice).
Right of Access (Art. 15)
Request a copy of the personal data I hold about you and information about how it is processed.
Right to Rectification (Art. 16)
Request correction of inaccurate or completion of incomplete personal data. Name and email can be updated directly in account settings.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten"). Account deletion is available immediately from dashboard settings.
Right to Restriction (Art. 18)
Request that we restrict processing of your data — for example while you contest its accuracy or the lawfulness of processing.
Right to Portability (Art. 20)
Receive your account data in a structured, commonly used, machine-readable format and transmit it to another controller. Applies to data processed under contract performance.
Right to Object (Art. 21)
Object at any time to processing based on legitimate interests (Art. 6(1)(f)). Processing will cease unless compelling legitimate grounds are demonstrated.
Right to withdraw consent. No personal data is processed on the basis of consent (Article 6(1)(a) GDPR). All processing relies on contract performance or legitimate interests. Therefore the right to withdraw consent under Article 7(3) GDPR is not applicable to this service.
7 Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right under Article 77 GDPR to lodge a complaint with a supervisory authority — in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
As the data controller is established in the Czech Republic, the lead supervisory authority is:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Web: www.uoou.cz
Email: posta@uoou.cz
I encourage you to contact me first at so I have the opportunity to address your concern directly.
8 Cookies
The dashboard sets two strictly necessary cookies required for authentication and security. These cookies do not contain directly identifiable personal data, but are associated with your session for authentication and security purposes. Both expire after 120 minutes of inactivity and are invalidated on logout. Under Article 5(3) of the EU ePrivacy Directive, strictly necessary cookies are exempt from consent requirements.
-
captchaapi-session— maintains your authenticated session (HTTP-only; not accessible to JavaScript) -
XSRF-TOKEN— prevents Cross-Site Request Forgery attacks on form submissions
The CAPTCHA widget embedded on your visitors' pages sets no cookies whatsoever. For full details see the Privacy Policy.
9 Automated Decision-Making and Profiling
None under Article 22 GDPR. I do not engage in automated decision-making or profiling as defined in Article 22 GDPR. No decisions producing legal or similarly significant effects are made solely by automated means. The Proof-of-Work challenge is a mathematical computation performed client-side; it does not analyse or profile user behaviour.
Adaptive PoW difficulty. Challenge difficulty is automatically adjusted based on two factors: (1) the number of recent requests from a given hashed IP address (a short-lived pseudonymous rate-limiting signal, not stored as a direct identifier), and (2) the integrator's subscription tier. This is a service-level parameter and does not involve identifying a natural person. No user profile is created or consulted. This mechanism does not constitute profiling under Article 4(4) GDPR.
10 Sub-processors
The following third-party processors handle personal data in connection with this service.
| Processor | Purpose | Data transferred | Location | DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure — servers, storage, networking for all application services | All personal data stored in the application | Gunzenhausen, Germany (HQ) Frankfurt, Germany (data center) |
Hetzner Privacy & DPA ↗ |
| Brevo (Sendinblue SAS) | Transactional email — account verification, password reset, 2FA recovery codes, billing notifications | Email address, first name | Paris, France (EU) | Brevo Terms & DPA ↗ |
| Lemon Squeezy | Merchant of Record — payment processing, invoicing, VAT compliance. Acts as an independent data controller for payment data. | Billing address, payment details, invoice data | United States | Lemon Squeezy Privacy ↗ |
No other third-party services receive personal data. Analytics platforms and advertising networks are not used.
11 Changes to This Policy
I may update this policy from time to time. When I do, I will update the "Last updated" date at the top of this page and, where the changes are significant, notify registered users by email before the changes take effect, except where immediate changes are required for security or legal compliance.
Continued use of the service after the effective date of changes constitutes acceptance of the revised policy.
Questions about your data?
I am happy to help and will respond within 30 days.