Privacy & GDPR Policy

Last updated: 2026-05-31

This Privacy Policy explains how I, Vladislav Rajtmajer (operating as captchaapi.eu), process personal data in connection with the CAPTCHA service and this website. It is provided as an information notice under Article 13 GDPR for personal data collected directly from registered users, with disclosures relevant to Article 14 GDPR for data processed indirectly through the CAPTCHA widget on integrators' websites.

# 1 Data Controller

The data controller responsible for the personal data described in this policy is:

Vladislav Rajtmajer

Operating as: captchaapi.eu

Registered address: U Porcelánky 862, 35735 Chodov

Company ID (IČO): 73396249

Contact: info@captchaapi.eu

Location: Czech Republic (European Union)

No Data Protection Officer (DPO) has been appointed. The processing activities do not currently meet the thresholds in Article 37(1) GDPR (no public-authority status, no core activities consisting of regular and systematic monitoring of data subjects on a large scale, and no processing of special categories of data on a large scale). I review this designation annually as the service scales. Direct any data-protection inquiries to the contact email above.

captchaapi.eu has a dual role under GDPR:

  • For your account data (registered users / integrators), I act as data controller under Article 4(7) GDPR — this Privacy Policy describes that processing.
  • For personal data of your end-user visitors processed through the CAPTCHA widget on your site, I act as data processor on your behalf under Article 28 GDPR — you, the integrator, remain the controller. Those processor terms are set out in the Terms of Service (§ 9) and the standalone Data Processing Agreement.

# 2 Overview

captchaapi.eu is designed to provide CAPTCHA protection with minimal data processing. The service avoids tracking technologies such as behavioral profiling or advertising cookies. Privacy is a core design principle, not an afterthought. No special categories of personal data (Article 9 GDPR) are processed.

# 3 What Data Is Processed

When the CAPTCHA is used, the service may process technical request data required to generate and verify challenges, prevent abuse, and measure usage.

This may include information such as IP address (or a derived, non-reversible representation), request metadata, and challenge-related identifiers. Data is handled in a privacy-conscious way and limited to what is necessary for security and operation.

For registered users (API integrators), I additionally store account details (name, email, password hash), the selected subscription tier (Free, Starter, Growth, or Business), a billing cycle anchor date used to calculate monthly usage, and account state (active, grace period, over-limit, or suspended) reflecting the current billing status. When upgrading to a paid plan, billing details are also collected: postal address, and — for business customers — company ID and VAT number. These are required for invoicing and VAT compliance and are processed solely to provide and administer the service.

Beyond the headline fields above, the service also stores the following supporting categories of personal data — disclosed here for full transparency under Article 13 GDPR:

  • Authentication credentials. If you enable two-factor authentication, an encrypted TOTP secret and a set of one-time recovery codes are stored on your account; both are encrypted at rest. An email_verified_at timestamp and a Laravel "remember me" token (when you tick that box at sign-in) are also stored as standard authentication infrastructure.
  • Authenticated session metadata. While you are signed into the dashboard, a session row contains the IP address you connected from, your browser's user-agent, a last-activity timestamp, and a serialized session payload (no plaintext credentials). This is invalidated on logout and pruned by Laravel's session garbage collection thereafter. This applies only to the dashboard — the public CAPTCHA widget on your visitors' pages stores nothing.
  • Subscription lifecycle data (paid plans). Subscription metadata received from the payment provider: current billing-period start / end dates, cancel-at-period-end flag, scheduled tier changes, payment-overdue and VAT-grace timers, the provider name (Stripe or Lemon Squeezy), and the provider's subscription identifier. Used to enforce plan access, drive grace-period reminders, and reconcile webhooks against the local account state.
  • VIES verification audit trail (EU B2B only). For EU B2B customers an append-only log of every VIES query is kept — country code, VAT ID, verdict (Valid / Invalid / Down), VIES consultation number, and the full VIES response payload (which may include the business name returned by VIES). I keep this log as part of my own due-diligence and accounting documentation for cross-border B2B invoicing and EU recapitulative-statement filings. A snapshot of the latest Valid result is also embedded into each invoice issued to the customer. These records are kept in line with the retention applied to the related invoices — see Section 8.
  • Free-tier hard-cap state. Two small flags on Free accounts: a timestamp of the first hard-cap event and a one-time-warning-seen marker. They drive the post-cap re-activation UX so the upgrade options are surfaced exactly once when service resumes after a billing-cycle reset.
  • Invoice ledger snapshots (paid plans). Each issued invoice carries a snapshot of the billing data at the time of issuance: invoice number, currency, total (and CZK equivalent for EUR invoices), VAT mode (no-VAT for CZ-resident neplátce, i.e. non-VAT-payers; reverse-charge for EU B2B), billing reason, and the cross-reference to the upstream Stripe invoice. Past invoices are never rewritten — they are the legal accounting record.

No behavioral profiling. I never build user profiles, track browsing behavior, or share data with ad networks.

How your IP is handled (technical detail)

When a CAPTCHA challenge is issued or verified, your IP address is immediately transformed into a SHA-256 hash combined with a server-side secret (keyed hashing). Only this hash is used. The hash is held in transient cache storage and is never written to the database or to persistent logs. The raw IP address is never stored.

Two distinct retention windows apply, depending on the purpose:

  • Short-term rate limiting: maximum 2 minutes per hash, used to enforce the rolling 60-second per-IP request cap.
  • Cross-sitekey abuse reputation: maximum 24 hours per hash, used to detect distributed attacks that spread across many integrator sites. Refreshed on each new failure; if no further failure is recorded, the entry expires automatically.

Because the hash is keyed with a secret that you do not have access to, it cannot be reversed or cross-referenced against IPs from other services. Under GDPR Article 4(5), this qualifies as pseudonymization.
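The IP handling above, worked through as an added Python example (not code from captchaapi.eu): an HMAC-SHA256 pseudonym of the IP is the only key ever stored, a rolling 60-second cap lives in an entry that expires after 2 minutes, and the cross-sitekey failure counter has its 24-hour TTL refreshed on every failure. The in-memory TTL store, the controllable clock and the per-IP cap value of 30 are assumptions made for the example; the policy states the windows but not the cap.

```python
import hashlib
import hmac
import time

# Retention windows as stated in this policy (seconds).
RATE_LIMIT_WINDOW = 60        # rolling per-IP request cap is measured over 60 s
RATE_LIMIT_TTL = 120          # a rate-limit entry lives at most 2 minutes
REPUTATION_TTL = 24 * 3600    # an abuse-reputation entry lives at most 24 hours


def pseudonymize_ip(ip: str, server_secret: bytes) -> str:
    """Keyed SHA-256 (HMAC) of the raw IP. Without server_secret the digest can
    neither be reversed nor joined against hashes computed by another service."""
    return hmac.new(server_secret, ip.encode("utf-8"), hashlib.sha256).hexdigest()


class FakeClock:
    """Controllable clock (constructed for the example) so expiry can be tested offline."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TransientCache:
    """In-memory TTL store standing in for Redis/memcached (constructed for the
    example). Entries expire on their own; nothing here is ever persisted."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._items = {}  # key -> (value, expires_at)

    def now(self) -> float:
        return self._clock()

    def get(self, key, default=None):
        item = self._items.get(key)
        if item is None:
            return default
        value, expires_at = item
        if self._clock() >= expires_at:
            del self._items[key]  # lazy expiry, same observable effect as a TTL
            return default
        return value

    def set(self, key, value, ttl: int) -> None:
        self._items[key] = (value, self._clock() + ttl)

    def live_keys(self):
        now = self._clock()
        return {k for k, (_, exp) in self._items.items() if now < exp}


class AbuseGuard:
    """Rate limiting and cross-sitekey abuse reputation keyed only by the IP hash."""

    def __init__(self, server_secret: bytes, cache: TransientCache, per_ip_cap: int = 30):
        # per_ip_cap is an assumed value; the policy states the 60 s window, not the cap.
        self._secret = server_secret
        self._cache = cache
        self._cap = per_ip_cap

    def allow_request(self, ip: str) -> bool:
        """Rolling 60-second per-IP cap; the cache entry itself expires after 2 minutes."""
        key = "rl:" + pseudonymize_ip(ip, self._secret)
        now = self._cache.now()
        recent = [t for t in self._cache.get(key, []) if now - t < RATE_LIMIT_WINDOW]
        allowed = len(recent) < self._cap
        if allowed:
            recent.append(now)
        self._cache.set(key, recent, RATE_LIMIT_TTL)
        return allowed

    def record_failure(self, ip: str) -> int:
        """Failed verification on any protected site: bump the counter and refresh
        its 24-hour TTL, so an idle hash expires on its own."""
        key = "rep:" + pseudonymize_ip(ip, self._secret)
        count = self._cache.get(key, 0) + 1
        self._cache.set(key, count, REPUTATION_TTL)
        return count

    def reputation(self, ip: str) -> int:
        """Current failure count for this IP hash, or 0 once the entry has expired."""
        return self._cache.get("rep:" + pseudonymize_ip(ip, self._secret), 0)
```

Note that the raw IP appears in no cache key or value: only the keyed digest does, and a different server secret yields an unrelated digest for the same address.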

Offline GeoIP lookup (country code + ASN)

Before your IP address is hashed, two coarse-grained derived values are computed for the purpose of detecting distributed attacks: the two-letter ISO country code (e.g. CZ, DE) and the Autonomous System Number (ASN) of the network the request originated from. Both lookups happen against locally-hosted offline MaxMind GeoLite2 databases on the same EU server that serves the captcha — no outbound queries to any third party, ever.

These derived values feed into aggregate per-site counters (e.g. "share of requests from the most common country in the last minute", "share of requests from datacenter ASNs in the last minute") used to flag botnet activity. The original IP is then hashed and discarded as described above. The country code and ASN are retained for up to 24 hours in transient cache only, never written to the database, and never linked back to an identifier that could re-identify a specific visitor.

MaxMind, Inc. supplies the GeoLite2 databases as a data supplier, not as a sub-processor: I receive the databases as files, run lookups locally, and no end-user data is ever transmitted to MaxMind. This arrangement is documented in MaxMind's DPA Section 2(a).

Payment information

Card details (PAN, CVV, expiry) are processed and stored exclusively by your selected payment provider (Stripe Payments Europe Ltd. for business customers, Lemon Squeezy LLC for consumer customers). They are never transmitted to or stored on captchaapi.eu infrastructure. I receive only billing metadata (transaction ID, amount, status, provider subscription identifier) necessary for invoicing and account state management. For full details on payment-data flows and international transfer mechanisms, see the Sub-processors page.

What is NOT collected

No tracking or advertising cookies, no browser fingerprints, no tracking pixels, no cross-site identifiers, no behavioral profiles — ever. The CAPTCHA widget stores nothing on your visitors' devices.

# 4 Purpose of Processing

Data is processed solely for the following purposes:

  • Providing CAPTCHA challenge and verification functionality
  • Preventing automated abuse and ensuring service integrity
  • Enforcing usage limits per project and plan
  • Maintaining aggregated usage data for billing and service operation
  • Managing account state in connection with subscription billing (active, grace period, suspended)
  • Sending transactional and service-related notifications (payment reminders, usage alerts)
  • Operating aggregated server-side analytics on the captchaapi.eu marketing site (URL path, country code, referer host, UTM parameters — no IP, no cookie, no fingerprint; see Section 7 for the full disclosure)

# 5 Legal Basis for Processing

Processing of personal data is based on the following legal grounds under GDPR Article 6:

  • Performance of contract (Art. 6(1)(b)) — Account data, project data, subscription tier, account state, and billing cycle data are processed because they are necessary to provide the service you registered for.
  • Legal obligation (Art. 6(1)(c)) — Billing address, company ID, and VAT number are retained as required by Czech accounting and VAT law, which sets a 10-year retention period for accounting and tax documents.
  • Legitimate interests (Art. 6(1)(f)) — Technical data such as hashed IP addresses, server logs, and challenge tokens are processed pursuant to specific legitimate interests (see detail below).

Consent (Art. 6(1)(a)) is not relied upon. All processing falls under one of the three legal bases above.

Legitimate interests — specified

Pursuant to Article 13(1)(d) GDPR, the specific legitimate interests pursued under Article 6(1)(f) are:

  • Preventing automated abuse, denial-of-service attacks, and credential stuffing against the Service and the integrators using it;
  • Ensuring service availability and operational integrity for all users;
  • Diagnosing and resolving service errors and security incidents;
  • Protecting both my infrastructure and integrators' downstream applications from malicious actors;
  • Understanding which marketing content on the captchaapi.eu site reaches its audience, so that the service and its documentation can be operated and improved (first-party site analytics — see Section 7).

Balancing test. These interests have been balanced against the rights and freedoms of data subjects. The data is short-lived (maximum 2 minutes for IP hashes used in rate limiting, maximum 24 hours for IP hashes used in cross-sitekey abuse reputation, maximum 24 hours for derived geolocation signals — ISO country code + ASN — held in transient cache only, 14 days for error logs, 12 months for aggregated counters), pseudonymised wherever applicable (SHA-256 keyed-hashing with a server-side secret salt), never used for individual identification or tracking, and never combined with data from other services. Reasonable expectations of data subjects (visitors expecting a CAPTCHA on an integrator's site) are met. The processing is necessary for the integrity of the service, and the interests of data subjects do not override these processing operations.

Balancing test — first-party site analytics. A separate balancing test applies to visitors of the captchaapi.eu marketing site itself. The data persisted to the database per visit is intentionally minimal — URL path, host part of the Referer header, UTM parameters, and an ISO-3166-1 country code derived locally from the IP — with the raw IP, full User-Agent, full URL, and any cookie or fingerprint signal deliberately omitted. To count unique visitors per day a salted SHA-256 hash of the IP is held in Redis cache for up to 24 hours and then discarded; the daily salt rotation prevents cross-day correlation, and neither the IP nor the hash is ever written to the database. The counters are retained for 12 months (see Section 8) and are never shared with third-party analytics platforms or ad networks. The processing is necessary to understand whether the service's marketing reaches its intended audience; visitors have a reasonable expectation that a service operator will keep aggregated traffic statistics about its own site, and the limited data set leaves their interests, rights and freedoms uncompromised.

Right to object. You have the right under Article 21 GDPR to object at any time to processing based on legitimate interests; processing will cease unless I demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

# 6 Recipients of Personal Data

Pursuant to Article 13(1)(e) GDPR, the categories of recipients of personal data are summarised below. The Sub-processors page is the single authoritative source for the current list, including each entity's role (sub-processor or independent controller), location, certifications, signed DPA, and any applicable international transfer mechanism (Standard Contractual Clauses, EU–U.S. Data Privacy Framework). I will provide at least 30 days' advance notice of any change.

| Recipient | Role | Purpose | Location |
| --- | --- | --- | --- |
| Hetzner Online GmbH | Sub-processor | Cloud infrastructure (servers, storage, networking) | Nuremberg, Germany (EU) |
| WEDOS, a.s. | Sub-processor | Transactional email (mailhosting) | Hluboká nad Vltavou, Czech Republic (EU) |
| Stripe Payments Europe Ltd. | Sub-processor | Payment processing for business customers (B2B) | Ireland (EU); transfers to Stripe, Inc. (US) under DPF + SCCs |
| Lemon Squeezy LLC | Independent controller (Merchant of Record) | Payment processing for consumer customers (B2C) | United States; transfers under DPF / SCCs Module 1 |

No analytics platforms or advertising networks receive personal data. No other third-party services receive personal data beyond what is shown above.

# 7 Cookies and Tracking

No advertising, analytics, or tracking cookies are used anywhere on this service. The CAPTCHA widget sets no cookies on your visitors' browsers whatsoever. The dashboard (account area) sets two strictly necessary cookies described below. Under Article 5(3) of the EU ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC), strictly necessary cookies are exempt from consent requirements.

Widget (your visitors)

The widget sets no cookies and does not use tracking technologies. The Proof-of-Work challenge runs entirely client-side with no persistent browser state.

Dashboard (registered users)

Two strictly necessary cookies are set when you use the dashboard. No third-party cookies.

| Cookie name | Purpose | Lifetime | Type |
| --- | --- | --- | --- |
| captchaapi-session | Maintains your authenticated session so you stay logged in while navigating the dashboard. HTTP-only; not accessible to JavaScript. | 120 minutes of inactivity | Strictly necessary |
| XSRF-TOKEN | Prevents Cross-Site Request Forgery (CSRF) attacks. Validated server-side on every form submission and state-changing request. | 120 minutes of inactivity | Strictly necessary |

Both cookies expire after 120 minutes of inactivity and are invalidated immediately on logout. They persist beyond browser close (the session is time-based, not browser-session-based). These cookies contain only a random identifier and are not used to identify you directly or for tracking purposes.

First-party site analytics. For the marketing pages on captchaapi.eu itself (landing page, demo, documentation, blog, legal pages) I keep aggregated server-side page-view counters in PostgreSQL: the URL path, the host part of the Referer header (with path and query stripped), utm_source / utm_medium / utm_campaign if present, and the ISO-3166-1 country code derived from your IP via a local MaxMind GeoLite2 lookup. No IP address, no cookie, no browser fingerprint, no User-Agent string and no full URL is persisted to the database, and no third-party service or analytics platform receives any of this data. To count unique visitors per day without storing identifiers, a SHA-256 hash of the IP combined with a salt that rotates at midnight is held in Redis cache for up to 24 hours; the hash exists only to deduplicate repeat visits within the same day and is discarded automatically, the raw IP is never written anywhere, and the daily salt rotation makes hashes uncorrelatable across days. The counters exist so I can tell whether marketing content is reaching its audience; they are read only by me through the admin console. Lawful basis: legitimate interest under Art. 6(1)(f) GDPR (operating and improving the service).

# 8 Data Retention

Data is retained only for as long as necessary to operate the service, ensure security, and meet legal obligations. The table below lists specific retention periods for each category of data.

| Data category | Retention period | Notes |
| --- | --- | --- |
| Account data (name, email, password hash) | Until account deletion | Profile data (name, email, password hash) deleted upon request via dashboard settings. Billing records are subject to separate retention obligations — see below. |
| Project data, site keys & secret keys | Until project or account deletion | Each project has a public site key (shipped in your HTML) and a private secret key (kept on your backend to verify attestations). Removing a project removes both keys and all associated usage statistics. Aggregated monthly totals used for billing enforcement are retained separately — see Daily request statistics below. |
| Daily request statistics | 12 months | Aggregated counts per project, linked to your account. No visitor personal data is stored. Automatically purged on a rolling 12-month schedule. |
| First-party site analytics (page views) | 12 months | Server-side counters for visits to captchaapi.eu's own marketing pages: URL path, host part of the Referer header, UTM parameters, and ISO country code from a local GeoLite2 lookup. No IP, no cookie, no User-Agent, no full URL. Automatically purged on a rolling 12-month schedule. See Section 7 for the full disclosure. |
| Visitor-uniqueness hashes (analytics deduplication) | Up to 24 hours | SHA-256 hash of the visitor's IP combined with a salt that rotates at midnight, held in Redis cache to count repeat visits within the same day as one unique visitor. Never written to the database. The salt rotation makes hashes uncorrelatable across days. See Section 7. |
| Server error logs | 14 days | Error-level events only (routine access logging is disabled). Automatically rotated daily. Used solely for operational diagnostics. |
| Hashed IP addresses — rate limiting | 2 minutes | Held in cache only for the rolling 60-second per-IP request cap. Never written to the database. |
| Hashed IP addresses — cross-sitekey abuse reputation | Up to 24 hours | Counter incremented on each failed CAPTCHA verification across protected sites, used to detect distributed attacks. TTL is refreshed on every new failure; if no further failure is recorded, the entry expires automatically. Never written to the database. |
| Derived geolocation signals (country code + ASN) | Up to 24 hours | Two-letter ISO country code and Autonomous System Number derived from the raw IP via locally-hosted offline MaxMind GeoLite2 databases, used as inputs to the aggregate per-site botnet-detection counters. Transient cache only; never written to the database, never linked back to a visitor identifier, never transmitted to MaxMind. |
| Challenge tokens | 2 minutes | Ephemeral cache entries. Deleted immediately on verification or upon expiry. |
| Subscription tier & billing cycle anchor | Until account deletion | Used to enforce plan limits and calculate monthly usage. Removed when the account is deleted. Historical billing data is retained in invoice records as required by accounting law. |
| Billing address, company ID, VAT number | 10 years from end of tax period of last invoice | Retained for the period required by Czech accounting and VAT law (a 10-year retention of accounting and tax documents). Applies only to paid plan users. Cannot be deleted on request during this period due to this legal obligation (Article 17(3)(b) GDPR exception). |
| Session cookies | 120 minutes of inactivity | See Section 7. Invalidated on logout. |
| Authenticated session metadata (IP, user-agent, payload) | Until logout / session GC | One row per active dashboard session. Pruned by Laravel session garbage collection after the inactivity window. |
| Two-factor authentication credentials (TOTP secret, recovery codes) | Until 2FA disabled or account deletion | Encrypted at rest. Stored only for accounts that have enabled 2FA. Removed immediately when 2FA is disabled. |
| Subscription lifecycle data (period dates, grace timers, scheduled tier changes) | Until account deletion; 10 years for invoice snapshots | Live operational copy is removed when the account is deleted. Snapshots embedded in invoices follow the 10-year accounting-records retention. |
| VIES verification audit trail — Valid & Invalid rows | 10 years (aligned with related invoices) | EU B2B only. Kept as an internal due-diligence record supporting cross-border B2B invoicing and EU recapitulative-statement filings. Cannot be deleted on request during the legal retention period (Article 17(3)(b) GDPR exception). |
| VIES verification audit trail — Down rows | 90 days | EU B2B only. Down rows that are not bound to an unsettled invoice are pruned daily after 90 days. |
| Free-tier hard-cap state (overlimit timestamp + warning-seen flag) | Until account deletion | Two flags driving the post-cap re-activation UX. Removed with the account. |
| Waitlist signups | Up to 30 days after launch notification | Email purged within 30 days of the launch notification being sent, unless you have separately created an account with the same email. A daily background task enforces this purge. |

# 9 Data Location and International Transfers

Application data and CAPTCHA verification data are processed exclusively on EU-hosted infrastructure: Hetzner Online GmbH, Nuremberg datacenter, Germany. Transactional email is handled by WEDOS, a.s. (Hluboká nad Vltavou, Czech Republic, EU). No CAPTCHA verification data, IP hashes, account credentials, or session metadata leaves the EU/EEA.

Limited international transfers occur only in the payment-processing path, which is operated by independent payment providers as described in Section 6:

  • Stripe. Business-customer payment data is processed by Stripe Payments Europe Ltd. (Ireland); ancillary transfers to Stripe, Inc. (US) are protected by the EU–U.S. Data Privacy Framework (Commission Implementing Decision 2023/1795) and Stripe's binding Standard Contractual Clauses under Commission Implementing Decision 2021/914.
  • Lemon Squeezy. Consumer-customer payment data is processed by Lemon Squeezy LLC (US) acting as Merchant of Record (independent controller). Transfers are protected by the EU–U.S. Data Privacy Framework adequacy decision (where applicable) and Standard Contractual Clauses Module 1 (Controller-to-Controller) as a fallback.

CAPTCHA data — 100% EU. All CAPTCHA verification data, account data, and operational logs are processed within the EU/EEA. Only payment-related data may transit to US providers under the transfer mechanisms above.

# 10 Security (Article 32 GDPR)

I implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. These include:

  • Encryption in transit (TLS 1.2+) for all client and inter-service communication;
  • One-way keyed hashing (SHA-256 with a server-side secret salt) for visitor IP addresses, with cache-only retention (maximum 2 minutes for rate limiting, maximum 24 hours for cross-sitekey abuse reputation);
  • Encryption at rest for two-factor authentication secrets and recovery codes;
  • Bcrypt password hashing for account credentials;
  • Strict access controls — production access is limited to me, the sole operator, and authenticated via SSH keys;
  • Short retention windows for operational data (maximum 2 minutes / 24 hours for IP hashes per their purpose, 14 days for error logs);
  • Routine HTTP access logging is disabled — only error-level events are logged;
  • Underlying infrastructure (Hetzner Online GmbH) is ISO 27001 / BSI C5 Type 2 / ISO 14001 certified; see Sub-processors for audit details.

# 11 Your Rights

As a data subject under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — You may request a copy of the personal data I hold about you.
  • Right to rectification (Art. 16) — You may request correction of inaccurate personal data. Account profile data can be updated directly in the dashboard.
  • Right to erasure (Art. 17) — You may request deletion of your personal data. Note that billing records are subject to mandatory retention periods and cannot be deleted early.
  • Right to restriction of processing (Art. 18) — You may request that processing be restricted in certain circumstances.
  • Right to data portability (Art. 20) — You may request your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — You may object to processing based on legitimate interests.

Right to lodge a complaint (Art. 77 GDPR). Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority — in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

As I am established in the Czech Republic, the lead supervisory authority is the Office for Personal Data Protection: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz, posta@uoou.cz.

If you reside in another EU/EEA Member State, you may also lodge a complaint with the supervisory authority of your country of residence — a list is available at edpb.europa.eu. I encourage you to contact me first so I have the opportunity to address your concern directly.

To exercise any of these rights, contact me at info@captchaapi.eu. I will respond without undue delay and at the latest within one month of receipt of your request, as required by Article 12(3) GDPR. Where requests are complex or numerous, this period may be extended by a further two months — I will inform you of any such extension and the reasons for it within one month of receipt.

# 12 Automated Decision-Making and Profiling

None under Article 22 GDPR. I do not engage in automated decision-making or profiling as defined in Article 22 GDPR. No decisions producing legal or similarly significant effects are made solely by automated means. The Proof-of-Work challenge is a mathematical computation performed client-side; it does not analyse or profile user behaviour.

Adaptive PoW difficulty. Challenge difficulty is automatically adjusted based on two factors: (1) the number of recent requests from a given hashed IP address (a short-lived pseudonymous rate-limiting signal, not stored as a direct identifier), and (2) the integrator's subscription tier. This is a service-level parameter and does not involve identifying a natural person. No user profile is created or consulted. This mechanism does not constitute profiling under Article 4(4) GDPR.

Abuse-prevention telemetry. Aggregate per-site indicators are computed for abuse prevention: request volume, verification-failure ratio, distinct-IP ratio per site, a short-lived cross-sitekey reputation score keyed by hashed IP (maximum 24 hours, see Section 3), and coarse-grained geographic indicators derived via offline MaxMind GeoLite2 lookup (top country share + datacenter ASN share for the last minute). These are operational counters; none of them identify a natural person, no profile is built, and no decision producing legal or similarly significant effects is taken on the basis of these signals. This processing does not constitute profiling under Article 4(4) GDPR.

# 13 Children's Data

The Service is a developer-focused B2B integration tool and is not directed at individuals under 16 years of age. I do not knowingly collect personal data from children. If you become aware that a child has provided personal data to me without parental consent (Article 8 GDPR), please contact me at info@captchaapi.eu and I will delete the data promptly.

# 14 Your Responsibilities as an Integrator

As described in Section 1, I have a dual role under GDPR. For personal data of your end-users processed through the CAPTCHA widget on your website, I act as data processor on your behalf under Article 28 GDPR — you, the integrator, remain the data controller. The full processor–controller terms are set out in the standalone Data Processing Agreement, which is incorporated into the Terms of Service (§ 9) by reference.

As the controller of end-user data, you remain responsible for informing your users about the use of CAPTCHA on your website and for meeting your own applicable legal obligations under GDPR or other applicable data protection laws.

# 15 Disclosure Text for Your Privacy Policy

If you integrate captchaapi.eu into your website, you can copy the following text into your own privacy policy to inform your users:

"We use captchaapi.eu, an EU-based CAPTCHA service, to protect this website from automated abuse. The service operates on a proof-of-work mechanism that runs in your browser. It does not set any cookies, does not track your browsing behavior, and does not build user profiles. Your IP address is processed only in a pseudonymized (hashed) form for short-term abuse prevention — maximum 2 minutes for rate limiting and maximum 24 hours for cross-site abuse-reputation tracking — and is never stored in a personally identifiable way. All processing takes place on EU-hosted infrastructure. Provider: captchaapi.eu — Privacy Policy: https://captchaapi.eu/legal/privacy."

You are free to adapt this text to match the tone and structure of your own privacy policy. It is provided as a convenience and does not replace your own legal review.

# 16 Changes to This Policy

This Privacy Policy may be updated from time to time. When I do, I will update the "Last updated" date at the top of this page. For significant changes, registered users will be notified by email before the changes take effect, except where immediate changes are required for security or legal compliance. This policy is an information notice under Article 13 GDPR, not a contract — your rights under GDPR are not affected by continued use of the service.

Questions about this Privacy Policy?

I am happy to help and will respond promptly.
