Privacy Policy

Last updated: April 2026

This Privacy Policy explains how captchaapi.eu processes data in connection with its CAPTCHA service and website.

1 Overview

captchaapi.eu is designed to provide CAPTCHA protection with minimal data processing. The service avoids tracking technologies such as behavioral profiling or advertising cookies. Privacy is a core design principle, not an afterthought.

2 What Data Is Processed

When the CAPTCHA is used, the service may process technical request data required to generate and verify challenges, prevent abuse, and measure usage.

This may include information such as IP address (or a derived, non-reversible representation), request metadata, and challenge-related identifiers. Data is handled in a privacy-conscious way and limited to what is necessary for security and operation.

For registered users (API integrators), I additionally store account details (name, email, password hash), the selected subscription tier (Free, Starter, Growth, or Pro), a billing cycle anchor date used to calculate monthly usage, and account state (active, grace period, or suspended) reflecting the current billing status. When upgrading to a paid plan, billing details are also collected: postal address, and — for business customers — company ID and VAT number. These are required for invoicing and VAT compliance and are processed solely to provide and administer the service.

No behavioral profiling. I never build user profiles, track browsing behavior, or share data with ad networks.

3 Purpose of Processing

Data is processed solely for the following purposes:

  • Providing CAPTCHA challenge and verification functionality
  • Preventing automated abuse and ensuring service integrity
  • Enforcing usage limits per project and plan
  • Maintaining aggregated usage data for billing and service operation
  • Managing account state in connection with subscription billing (active, grace period, suspended)
  • Sending transactional and service-related notifications (payment reminders, usage alerts)

4 Legal Basis for Processing

Processing of personal data is based on the following legal grounds under GDPR Article 6:

  • Performance of contract (Art. 6(1)(b)) — Account data, project data, subscription tier, account state, and billing cycle data are processed because they are necessary to provide the service you registered for.
  • Legal obligation (Art. 6(1)(c)) — Billing address, company ID, and VAT number are retained as required by Czech and EU accounting legislation.
  • Legitimate interests (Art. 6(1)(f)) — Technical data such as hashed IP addresses, server logs, and challenge tokens are processed to prevent abuse, enforce rate limits, and ensure service security. These interests are proportionate and do not override your fundamental rights.

5 Sub-processors and Data Recipients

To operate the service, I engage the following third-party processors and service providers that may process personal data:

  • Hetzner Online GmbH. Role: Infrastructure / hosting. Location: Frankfurt, Germany (EU). Data processed: All data stored on the platform.
  • Lemon Squeezy. Role: Merchant of Record / payment processing. Location: United States. Data processed: Billing address, payment details, invoice data. Lemon Squeezy acts as an independent controller for payment processing under their own privacy policy.
  • Brevo (Sendinblue SAS). Role: Transactional email delivery. Location: Paris, France (EU). Data processed: Email address and message content for service notifications.

6 Cookies and Tracking

No advertising, analytics, or tracking cookies are used anywhere on this service. The CAPTCHA widget sets no cookies on your visitors' browsers whatsoever. The dashboard (account area) sets two strictly necessary cookies described below. Under Article 5(3) of the EU ePrivacy Directive, strictly necessary cookies are exempt from consent requirements.

Widget (your visitors)

The widget sets no cookies and does not use tracking technologies. The Proof-of-Work challenge runs entirely client-side with no persistent browser state.

Dashboard (registered users)

Two strictly necessary cookies are set when you use the dashboard. No third-party cookies are set.

  • captchaapi-session. Purpose: Maintains your authenticated session so you stay logged in while navigating the dashboard. HTTP-only; not accessible to JavaScript. Lifetime: 120 minutes of inactivity. Type: Strictly necessary.
  • XSRF-TOKEN. Purpose: Prevents Cross-Site Request Forgery (CSRF) attacks. Validated server-side on every form submission and state-changing request. Lifetime: 120 minutes of inactivity. Type: Strictly necessary.

Both cookies expire after 120 minutes of inactivity and are invalidated immediately on logout. They persist beyond browser close (the session is time-based, not browser-session-based). These cookies contain only a random identifier and are not used to identify you directly or for tracking purposes.

7 Data Retention

Data is retained only for as long as necessary to operate the service, ensure security, and meet legal obligations. The table below lists specific retention periods for each category of data.

  • Account data (name, email, password hash). Retention period: until account deletion. Notes: Profile data (name, email, password hash) is deleted upon request via dashboard settings. Billing records are subject to separate retention obligations — see below.
  • Project data & site keys. Retention period: until project or account deletion. Notes: Removing a project removes its site key and associated usage statistics. Aggregated monthly totals used for billing enforcement are retained separately — see Daily request statistics below.
  • Daily request statistics. Retention period: 12 months. Notes: Aggregated counts per project, linked to your account. No visitor personal data is stored. Automatically purged on a rolling 12-month schedule.
  • Server / technical logs. Retention period: 7 days. Notes: Automatically rotated. Used solely for security monitoring and error diagnosis.
  • Hashed IP addresses (rate limiting). Retention period: 5 minutes. Notes: Held in cache only for rate-limit enforcement. Never written to the database.
  • Challenge tokens. Retention period: 5 minutes. Notes: Ephemeral cache entries. Deleted immediately on verification or upon expiry.
  • Subscription tier & billing cycle anchor. Retention period: until account deletion. Notes: Used to enforce plan limits and calculate monthly usage. Removed when the account is deleted. Historical billing data is retained in invoice records as required by accounting law.
  • Billing address, company ID, VAT number. Retention period: 10 years after last invoice. Notes: Retained as required by Czech and EU accounting law. Applies only to paid plan users.
  • Session cookies. Retention period: 120 minutes of inactivity. Notes: See Section 6 (Cookies and Tracking). Invalidated on logout.

8 Data Location

Personal data is primarily processed on EU-hosted infrastructure (Hetzner, Germany). Billing and payment data is processed by Lemon Squeezy, a US-based Merchant of Record, under appropriate contractual safeguards.

EU-hosted infrastructure. Application data and email delivery are processed within the EU/EEA. Billing data is handled by Lemon Squeezy (US) as an independent controller under their own privacy policy.

9 Security

Reasonable technical and organizational measures are applied to protect data against unauthorized access, loss, or misuse. These include encrypted communications (TLS), access controls, and short data retention windows for sensitive operational data.

10 Your Rights

As a data subject under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — You may request a copy of the personal data I hold about you.
  • Right to rectification (Art. 16) — You may request correction of inaccurate personal data. Account profile data can be updated directly in the dashboard.
  • Right to erasure (Art. 17) — You may request deletion of your personal data. Note that billing records are subject to mandatory retention periods and cannot be deleted early.
  • Right to restriction of processing (Art. 18) — You may request that processing be restricted in certain circumstances.
  • Right to data portability (Art. 20) — You may request your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — You may object to processing based on legitimate interests.

Right to lodge a complaint. You have the right to lodge a complaint with the Czech supervisory authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz. You may also lodge a complaint with the supervisory authority of your country of residence.

To exercise any of these rights, contact me at . I will respond within 30 days as required by GDPR.

11 Your Responsibilities as an Integrator

When integrating captchaapi.eu into your website or application, you remain responsible for informing your users about the use of CAPTCHA on your website and for meeting your own legal obligations under GDPR or other applicable data protection laws.

12 Changes to This Policy

This Privacy Policy may be updated from time to time. When I do, I will update the "Last updated" date at the top of this page. For significant changes, registered users will be notified by email before the changes take effect, except where immediate changes are required for security or legal compliance. This policy is an information notice under Article 13 GDPR, not a contract — your rights under GDPR are not affected by continued use of the service.

Questions about this Privacy Policy?

I am happy to help and will respond promptly.
