Terms of Service

You agree to use the service in a lawful manner. The following are prohibited:

• Abusing, overloading, or attempting to degrade the service infrastructure
• Reverse engineering or attempting to bypass the verification system
• Using the service for illegal activities or to intentionally harm others
• Reselling or sublicensing access to the API without prior written consent
• Repeatedly exhausting the Free tier's monthly request cap. Commercial use of the Free tier is permitted — the only constraint is volume. A single month reaching the cap simply deactivates your projects until you upgrade or the cycle resets, but repeatedly hitting that cap can escalate to deactivation of the account itself and, if left unresolved, deletion of the account and its data (see Section 4 for the full mechanism). I also reserve the right to suspend or terminate any account, without prior notice and without refund, for any other breach of these terms.

Usage limits depend on your selected plan. Limits are applied per account (not per project) and are based on the number of challenge requests generated by the service. The following limits apply per billing period:

The Free tier does not include email support. Free tier users have access to documentation only. Email support is available exclusively on paid plans.

Each plan also limits the number of projects you may create. Project limits are hard limits — new projects cannot be created once the limit is reached.

Request limits are applied per account (not per project) and are based on the number of challenge requests generated. Challenge requests are counted when a challenge is generated via the API, regardless of whether it is subsequently verified.

Behaviour when the monthly request limit is exceeded depends on your plan. Both tiers receive an automated email notification when usage crosses 80 % of the limit and again at 100 %.

The Free plan is provided with a monthly request limit and is available for any use. It carries no service availability guarantee for end-users. By choosing the Free plan you accept that reaching the cap will deactivate your captcha protection until upgrade or cycle reset, and that any resulting impact on your visitors or downstream business is your responsibility, not mine. If your usage requires uninterrupted service, a paid plan is required.

I reserve the right to adjust monthly limits, cap thresholds, recovery mechanics, and enforcement procedures at any time, subject to the notice rules in Section 11.

The PoW difficulty applied to challenges issued from your projects is the same across all plans: approximately 4,096–65,536 hash iterations per visitor, scaling smoothly with per-IP request rate within the rolling 60-second window. Tiering applies to monthly quotas, project counts, and support eligibility, not to PoW difficulty — by design, a paid sitekey is never a cheaper attack target than a Free one. When a sitekey is observed under attack, an additional difficulty multiplier (1.5× / 8× / 16× depending on the detected severity) is applied for a sticky time window so that every visitor of that sitekey solves a proportionally harder PoW until the attack ends; the multiplier is observable in the response target and never causes a visitor to be blocked.

Upgrading to a paid plan requires providing a valid billing address. Business customers (entrepreneurs) must additionally provide a company registration number and VAT number where applicable, as required for invoicing under Czech and EU law. This information is retained for the period required by applicable accounting legislation (10 years from the date of the last invoice) regardless of account deletion.

Paid plans are billed on a monthly subscription basis. By subscribing, you authorize recurring charges at the rate associated with your chosen plan. The applicable payment provider for your subscription is identified at checkout and in every invoice you receive.

Payment processing depends on your customer type:

• Business customers — those who provide a company identification number (e.g. Czech IČO) or a VAT identification number at checkout — are billed directly via Stripe. captchaapi.eu is the seller of record for these transactions, and these Terms (including the refund and grace-period rules below) govern the contractual relationship in full.
• Consumer customers — natural persons not acting in the course of a trade or business, with no company or VAT identifier provided at checkout — are billed via Lemon Squeezy LLC, which acts as Merchant of Record. Lemon Squeezy is the seller of record for the transaction; their published customer terms, refund policy, and statutory consumer protections — including the EU 14-day right of withdrawal under Article 9 of Directive 2011/83/EU and § 1829 of the Czech Civil Code — govern the payment relationship and refund eligibility. captchaapi.eu remains responsible for delivering the underlying service.

Refund requests, withdrawal claims, payment-method changes, and tax invoice corrections must be directed to the applicable provider's support channel. For business customers (Stripe), contact me directly. For consumer customers (Lemon Squeezy), use Lemon Squeezy's customer portal — I will assist where the issue concerns the underlying service rather than billing.

If a payment fails, your account is not immediately suspended and does not revert to the Free tier. Instead, a grace period of 14 days begins during which your account continues to function normally. You will receive daily reminder emails with instructions on how to resolve the payment issue.

Accounts on a paid plan that fail to pay are not transferred to the Free tier; instead they enter a suspended state, which preserves your configuration and data until the payment issue is resolved.

The grace period and suspension mechanics in this section apply to Stripe-billed business accounts. Consumer accounts billed via Lemon Squeezy follow Lemon Squeezy's own dunning schedule and refund policy as Merchant of Record; the underlying service state (active / paused / cancelled) is synchronised from Lemon Squeezy via webhooks.

Suspended (paid) and limit-reached (Free) are distinct states. The "suspended" state described in this section applies only to paid accounts that have failed to pay within the grace period above and is triggered by the billing system. The Free plan limit-reached state described in Section 4 is triggered by usage (exceeding the monthly request cap), is not a billing event, and follows its own recovery rules (upgrade or cycle reset with manual project reactivation). The two states are surfaced through different API error codes (account_suspended, HTTP 402, vs free_tier_limit_reached, HTTP 403) so that customer-side error handling can route them to the correct recovery flow.

Unless otherwise stated or required by mandatory law, all payments are non-refundable.

When you integrate captchaapi.eu into your website or application, captchaapi.eu acts as a data processor on your behalf for the purpose of providing the CAPTCHA service to your end users. You remain the data controller responsible for that processing.

By accepting these Terms, you enter into a Data Processing Agreement (DPA) with captchaapi.eu in accordance with Article 28 GDPR. The full DPA, addressing all elements required under Article 28(3) GDPR (subject-matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the obligations and rights of the controller), is set out at https://captchaapi.eu/legal/dpa and is incorporated into these Terms by reference. In summary, captchaapi.eu commits to:

• Process personal data only on your documented instructions (i.e. providing the CAPTCHA service)
• Ensure that authorized personnel are bound by confidentiality
• Implement appropriate technical and organizational security measures (Art. 32 GDPR)
• Engage sub-processors only with your general authorization (the current and complete list is maintained on the Sub-processors page, the single authoritative source)
• Assist you in fulfilling your obligations regarding data subject rights and security incidents
• Delete or return all personal data upon termination of the service relationship, except where retention is required by applicable law

The subject-matter, nature, purpose, and duration of processing are described in the Privacy Policy and the standalone Data Processing Agreement, which is incorporated into these Terms by reference and addresses all elements required by Article 28(3) GDPR.

I reserve the right to modify, suspend, or discontinue any part of the Service, including features, pricing, and usage limits. For material changes that adversely affect paying customers, I will provide at least 30 days' prior notice by email, and you may cancel your subscription before the change takes effect with a pro-rata refund of any prepaid unused period (this is the exception referenced in the "non-refundable" rule above). The notice period does not apply to changes required for security, legal compliance, or to respond to a serious operational risk, which may take effect immediately.

I may update these terms from time to time. When I do, I will update the "Last updated" date at the top of this page and, for significant changes, notify registered users by email before the changes take effect, except where immediate changes are required for security or legal compliance. Continued use of the service after the effective date constitutes acceptance of the updated terms.