Transparency

Sub-processors

Last updated: 2026-05-31

captchaapi.eu uses a minimal set of carefully selected sub-processors to deliver the CAPTCHA service. This page lists every third-party processor that handles any personal data on our behalf, in compliance with Article 28(2) GDPR. All current sub-processors are located within the European Union.

# 1 Core Infrastructure

These processors are essential for delivering the CAPTCHA service. All end-user CAPTCHA verification data is processed exclusively by the core infrastructure provider.

| Sub-processor | Purpose | Location | Certifications | DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure, servers, storage, networking | Nuremberg, Germany (EU) - exclusive | ISO 27001; BSI C5 Type 2; ISO 14001 | Signed 17 Apr 2026 |

Annual independent audit

Hetzner's compliance with the agreed Technical and Organizational Measures is audited annually by TÜV Rheinland, an independent German certification body. The most recent audit report is dated 19 February 2026 and is available to Controllers on request under our DPA.

EU-only data residency — confirmed

All captchaapi.eu compute, storage, and Hetzner-managed backups run exclusively from Hetzner's Nuremberg datacenter (Germany). I do not use any of Hetzner's non-EEA datacenter regions (e.g., Ashburn / Hillsboro in the United States, or Singapore). No replication or fail-over to non-EEA regions is configured.

# 2 Ancillary Services

These processors handle auxiliary data such as account notifications. They do not process end-user CAPTCHA verification data.

| Sub-processor | Purpose | Location | Data processed | Terms |
|---|---|---|---|---|
| WEDOS, a.s. | Transactional email (mailhosting) — account verification, password reset, billing notifications | Hluboká nad Vltavou, Czech Republic (EU) | Email address, message content | WEDOS Terms |

# 2.5 Data Suppliers (not sub-processors)

The following third parties supply data or software used by captchaapi.eu but do not receive any personal data from me. They are listed here for full transparency, even though they do not meet the GDPR Article 28 definition of a sub-processor and are not subject to the change-notification policy in Section 3.

| Entity | Role | What is supplied | What they receive | Terms |
|---|---|---|---|---|
| MaxMind, Inc. | Data supplier | GeoLite2 Country + ASN databases (offline mmdb files) | No end-user data — lookups are performed locally on EU infrastructure | MaxMind DPA Section 2(a) |

Attribution: This product includes GeoLite2 Data created by MaxMind, available from https://www.maxmind.com (attribution required by the GeoLite2 EULA).

# 3 Change Notification Policy

Before adding or replacing any sub-processor, I provide at least 30 days' advance notice to all customers by:

  • Updating this page with the "Last updated" date
  • Sending email notification to the billing contact of all active accounts

If you object to a proposed sub-processor change, you may within the 30-day notice period:

  • (a) Request additional information about the proposed change to assess its impact;
  • (b) Propose alternative arrangements (e.g. a different sub-processor or supplementary safeguards), which I will consider in good faith; or
  • (c) Terminate your service agreement without penalty before the change takes effect, with a pro-rata refund of any prepaid unused period.

Objections must be sent to info@captchaapi.eu within the notice period. See the DPA for the full Article 28 procedure.

# 4 Payment Processing

Payment processing is split by customer type, as described in Terms of Service Section 5. Business customers (with company / VAT identifier) are billed directly via Stripe with captchaapi.eu as seller of record; consumer customers are billed via Lemon Squeezy acting as Merchant of Record. The legal status of each entity in relation to your personal data differs accordingly:

| Entity | Role | Customer scope | Data processed | Terms |
|---|---|---|---|---|
| Stripe Payments Europe Ltd. | Sub-processor (Payment processor; captchaapi.eu remains seller of record) | Business customers (B2B with IČO or VAT ID) | Business name, billing address, IČO / VAT ID, email, payment-method token, transaction history. Card details (PAN, CVV, expiry) are processed exclusively by Stripe and are never transmitted to or stored on captchaapi.eu infrastructure (PCI DSS scope reduced to SAQ A). | Stripe DPA |
| Lemon Squeezy LLC | Independent controller (Merchant of Record — separate seller of record under their own terms) | Consumer customers (B2C — no business identifier provided at checkout) | Name, billing address, country, email, payment-method token, transaction history, IP at checkout | LS DPA |

International transfer mechanisms

Stripe. Stripe Payments Europe Ltd. is an Irish-registered subsidiary of Stripe, Inc. (Delaware, USA). EU/EEA payment data is processed primarily in Ireland and Frankfurt under the Stripe Services Agreement (Ireland). Where international transfers to Stripe, Inc. occur (e.g. for fraud prevention or customer support), they are protected by the EU–U.S. Data Privacy Framework (Commission Implementing Decision 2023/1795 of 10 July 2023) and Stripe's binding Standard Contractual Clauses under Commission Implementing Decision 2021/914 as a fallback.

Lemon Squeezy. Lemon Squeezy LLC operates from the United States. Personal data of EU/EEA consumers transferred to Lemon Squeezy as part of the payment relationship is protected by the EU–U.S. Data Privacy Framework adequacy decision (where Lemon Squeezy maintains a current self-certification on dataprivacyframework.gov) and, as a fallback, Standard Contractual Clauses (Module 1: Controller-to-Controller) under Commission Implementing Decision 2021/914, supplemented by appropriate technical and organisational measures. The current transfer mechanism in effect is documented in the Lemon Squeezy DPA linked above.

Tax-invoice issuance for Stripe-billed business customers is handled by in-house tooling running on the same EU-hosted infrastructure listed in Section 1 (Hetzner Online GmbH), under the same legal entity as captchaapi.eu. No third-party processor receives invoice data; therefore no separate sub-processor entry applies.

Lemon Squeezy is not a sub-processor in the strict GDPR sense

For consumer transactions, Lemon Squeezy acts as the Merchant of Record under its own terms — which means Lemon Squeezy is the independent data controller for the payment relationship, not a processor acting on captchaapi.eu's behalf. They issue your invoice, hold your payment data under their own privacy policy, and handle refunds and consumer-rights requests directly. captchaapi.eu only receives an aggregated payout settlement and the information needed to provision the underlying CAPTCHA service to your account (email, plan tier, subscription status). Both classifications — sub-processor and independent controller — are listed here for full transparency, even though only the sub-processor entries fall under our DPA's change-notification policy in Section 3.

Compliance questions?

Happy to answer vendor due diligence questionnaires.
