captchaapi.eu is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). This policy is provided under Article 13 GDPR — it covers personal data collected directly from you as a registered user of the service. It explains what data is collected, why it is collected, the legal basis for each processing activity, and all rights available to you.
1 Data Controller
The data controller responsible for your personal data is:
Vladislav Rajtmajer
Registered address: U Porcelánky 862, 35735 Chodov
Company ID (IČO): 73396249
Contact email: info@captchaapi.eu
Location: Czech Republic (European Union)
No Data Protection Officer (DPO) has been appointed, as the processing activities do not meet the thresholds set out in Article 37 GDPR (no large-scale systematic monitoring or processing of special categories of data). All data protection inquiries should be directed to the contact email above.
2 What Data We Collect
The service is designed with a privacy-first approach. Only the minimum data necessary to operate the service is collected. No special categories of personal data (Article 9 GDPR) are processed.
When you register: full name, email address, and password (stored as a bcrypt hash — the plaintext password is never retained). Additionally, your subscription tier (Free, Starter, Growth, or Pro), account state (active, grace period, or suspended), and a billing cycle anchor date are stored to enforce plan limits, manage billing status, and calculate monthly usage.
When upgrading to a paid plan, billing details are collected: postal address (street, city, ZIP/postal code, country), and — for business customers — company ID and VAT number. These are required to issue legally compliant invoices and to determine VAT treatment under EU rules. Providing them is optional until you upgrade to a paid plan, at which point they become required for invoicing.
Aggregated challenge and verification counts per project, linked to your account. Usage counts are account-linked and are therefore pseudonymous, not anonymous in the GDPR sense.
Data generated during the CAPTCHA challenge process (challenge tokens, solve results) is stored exclusively in Redis (in-memory cache) and is deleted immediately when the token expires (2 minutes) or is verified — whichever comes first. None of this data is written to persistent storage such as a database.
Visitor IP addresses used for rate limiting are stored only in memory (Redis), in one-way hashed form (SHA-256 with a secret salt). The original IP address cannot be recovered. Hashed values expire automatically after 2 minutes and are never written to the database.
Routine HTTP access logging is disabled on our web servers — no log of visitor IP addresses, URLs, or user-agents is written for normal traffic. Only error-level events (e.g. server errors, upstream timeouts) are logged with a maximum retention of 14 days for operational diagnostics; such entries occasionally contain the IP of the client that triggered the error.
No tracking or advertising cookies, no browser fingerprints, no tracking pixels, no cross-site identifiers, no behavioral profiles — ever. The CAPTCHA widget stores nothing on your visitors' devices.
Mandatory vs. optional data. Providing a name and email address is required to create an account. Without them the service cannot be provided. All other fields (e.g. two-factor authentication) are optional and can be configured or removed at any time from your account settings.
3 Legal Basis for Processing
Personal data is processed under the following legal bases (Article 6 GDPR). Consent (Art. 6(1)(a)) is not used as a legal basis for any of the processing activities described below.
| Processing activity | Legal basis (GDPR Art. 6) | Detail |
|---|---|---|
| Account registration and management | Art. 6(1)(b) — Contract | Processing is necessary to perform the service agreement you enter into when creating an account. |
| Transactional email (verification, password reset, 2FA) | Art. 6(1)(b) — Contract | Sending transactional emails is an integral part of account security and operation. |
| Rate limiting (hashed IP addresses) | Art. 6(1)(f) — Legitimate interests | Preventing automated abuse and protecting the service. IP addresses are one-way hashed (SHA-256 + secret salt) before use and are never stored in the database. |
| Server error logs | Art. 6(1)(f) — Legitimate interests | Diagnosing service errors and detecting server-side issues. Only error-level events are logged; routine access logging is disabled. Logs are automatically purged after 14 days. |
| Aggregated usage statistics | Art. 6(1)(b) — Contract | Necessary to enforce plan limits and provide usage reporting to account holders. Counts are linked to your account and projects (pseudonymous). No visitor personal data is retained in statistics. |
| Subscription tier and billing cycle anchor | Art. 6(1)(b) — Contract | Necessary to determine applicable plan limits, calculate monthly usage within the billing period, and adjust PoW difficulty for the integrator's plan tier. |
| Account state (active / grace period / suspended) | Art. 6(1)(b) — Contract | Necessary to reflect the current billing status of the account and determine service access accordingly (e.g. suspending access after a grace period expires without payment). |
| Billing address, company ID, VAT number | Art. 6(1)(b) — Contract Art. 6(1)(c) — Legal obligation |
Required to issue legally compliant invoices and to determine correct VAT treatment under EU rules (Directive 2006/112/EC). Collected only from users on a paid plan. VAT number is used solely for VAT validation and invoice purposes — not shared with any third party beyond what is required for invoicing. |
4 Data Storage & International Transfers
Application data is stored and processed within the European Union (EU/EEA) on Hetzner infrastructure (Germany). Email delivery is handled by WEDOS, a.s. (Hluboká nad Vltavou, Czech Republic), also within the EU.
100% EU-hosted. All application data, email delivery, and user data are processed within the EU/EEA. No data is transferred outside the European Economic Area.
5 Data Retention
Data is retained only as long as necessary for the stated purpose or legal obligation.
| Data category | Retention period | Notes |
|---|---|---|
| Account data (name, email, password hash) | Until account deletion | Profile data (name, email, password hash) deleted upon request via dashboard settings. Billing records are subject to separate retention obligations under accounting law — see below. |
| Project data, site keys & secret keys | Until project or account deletion | Each project has a public site key (shipped in your HTML) and a private secret key (kept on your backend to verify attestations). Removing a project removes both keys and all associated usage statistics. Aggregated monthly totals used for billing enforcement are retained separately for up to 12 months. |
| Daily request statistics | 12 months | Aggregated counts per project, linked to your account (pseudonymous). No visitor personal data attached. Automatically purged on a rolling 12-month schedule. |
| Server error logs | 14 days | Error-level events only (access logging is disabled). Automatically rotated daily. Used solely for operational diagnostics. |
| Hashed IP addresses (rate limiting) | 2 minutes | Ephemeral cache only. Never written to the database. |
| CAPTCHA challenge tokens | 2 minutes | Deleted immediately on verification or upon expiry, whichever comes first. |
| Subscription tier & billing cycle anchor | Until account deletion | Removed when the account is deleted. Historical billing data is retained in invoice records as required by accounting law — the tier at time of invoicing is embedded in those records. |
| Billing address, company ID, VAT number | 10 years after last invoice | Retained for the period required by Czech and EU accounting law (Act No. 563/1991 Coll.). Cannot be deleted on request during this period due to legal obligation. The address stored in your account can be updated at any time; historical invoice copies retain the address as it was at the time of issue. |
| Session cookies | 120 minutes of inactivity | Invalidated on logout. Contain no personal data. |
6 Your Rights Under GDPR
As a data subject under GDPR you have the following rights. To exercise any of them, contact me at info@captchaapi.eu. I will respond without undue delay and at the latest within 30 days (extendable by a further two months for complex requests, with notice).
Right of Access (Art. 15)
Request a copy of the personal data I hold about you and information about how it is processed.
Right to Rectification (Art. 16)
Request correction of inaccurate or completion of incomplete personal data. Name and email can be updated directly in account settings.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten"). Account deletion is available immediately from dashboard settings.
Right to Restriction (Art. 18)
Request that we restrict processing of your data — for example while you contest its accuracy or the lawfulness of processing.
Right to Portability (Art. 20)
Receive your account data in a structured, commonly used, machine-readable format and transmit it to another controller. Applies to data processed under contract performance.
Right to Object (Art. 21)
Object at any time to processing based on legitimate interests (Art. 6(1)(f)). Processing will cease unless compelling legitimate grounds are demonstrated.
Right to withdraw consent. No personal data is processed on the basis of consent (Article 6(1)(a) GDPR). All processing relies on contract performance or legitimate interests. Therefore the right to withdraw consent under Article 7(3) GDPR is not applicable to this service.
7 Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right under Article 77 GDPR to lodge a complaint with a supervisory authority — in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
As the data controller is established in the Czech Republic, the lead supervisory authority is:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Web: www.uoou.cz
Email: posta@uoou.cz
I encourage you to contact me first at info@captchaapi.eu so I have the opportunity to address your concern directly.
8 Cookies
The dashboard sets two strictly necessary cookies required for authentication and security. These cookies do not contain directly identifiable personal data, but are associated with your session for authentication and security purposes. Both expire after 120 minutes of inactivity and are invalidated on logout. Under Article 5(3) of the EU ePrivacy Directive, strictly necessary cookies are exempt from consent requirements.
-
captchaapi-session— maintains your authenticated session (HTTP-only; not accessible to JavaScript) -
XSRF-TOKEN— prevents Cross-Site Request Forgery attacks on form submissions
The CAPTCHA widget embedded on your visitors' pages sets no cookies whatsoever. For full details see the Privacy Policy.
9 Automated Decision-Making and Profiling
None under Article 22 GDPR. I do not engage in automated decision-making or profiling as defined in Article 22 GDPR. No decisions producing legal or similarly significant effects are made solely by automated means. The Proof-of-Work challenge is a mathematical computation performed client-side; it does not analyse or profile user behaviour.
Adaptive PoW difficulty. Challenge difficulty is automatically adjusted based on two factors: (1) the number of recent requests from a given hashed IP address (a short-lived pseudonymous rate-limiting signal, not stored as a direct identifier), and (2) the integrator's subscription tier. This is a service-level parameter and does not involve identifying a natural person. No user profile is created or consulted. This mechanism does not constitute profiling under Article 4(4) GDPR.
10 Sub-processors
The following third-party processors handle personal data in connection with this service.
| Processor | Purpose | Data transferred | Location | DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure — servers, storage, networking for all application services | All personal data stored in the application | Nuremberg, Germany (EU) | Hetzner Privacy & DPA ↗ |
| WEDOS, a.s. | Transactional email (mailhosting) — account verification, password reset, 2FA recovery codes, billing notifications | Email address, first name | Hluboká nad Vltavou, Czech Republic (EU) | WEDOS Terms ↗ |
No other third-party services receive personal data. Analytics platforms and advertising networks are not used.
11 Changes to This Policy
I may update this policy from time to time. When I do, I will update the "Last updated" date at the top of this page and, where the changes are significant, notify registered users by email before the changes take effect, except where immediate changes are required for security or legal compliance.
Continued use of the service after the effective date of changes constitutes acceptance of the revised policy.
Questions about your data?
I am happy to help and will respond within 30 days.