Trust Center

captchaapi.eu is operated as a sole-proprietor business under Czech law. The same legal person is the data controller for registered users, the seller of record for B2B transactions, and the responsible party for security disclosures.

Lead supervisory authority for data-protection matters is the Czech Úřad pro ochranu osobních údajů (ÚOOÚ) — www.uoou.cz. Disputes are subject to the exclusive jurisdiction of the competent courts of the Czech Republic, without prejudice to mandatory consumer-protection law in your country of residence.

All application data, including ephemeral CAPTCHA challenge state and the operational database, is hosted on infrastructure provided by Hetzner Online GmbH in Nuremberg, Germany — exclusively. No replication or fail-over to non-EEA Hetzner regions is configured. CAPTCHA verification data is not intentionally transferred outside the EU/EEA. Payment-provider data flows (Stripe / Lemon Squeezy) are documented separately on the Sub-processors page.

The minimal sub-processor footprint is a deliberate design choice. The full list is maintained on the Sub-processors page; what follows is the working summary.

• Hetzner Online GmbH — cloud infrastructure (Nuremberg, Germany, EU — exclusive). Processes all application data.
• WEDOS, a.s. — transactional email mailhosting (Hluboká nad Vltavou, Czech Republic, EU). Processes recipient email address and message body for account notifications only.
• Stripe Payments Europe Ltd. — payment processor for B2B customers (captchaapi.eu remains seller of record). Independent payment provider for consumer transactions: Lemon Squeezy LLC (acting as Merchant of Record under their own terms — independent controller, not a sub-processor in the strict GDPR sense).

Tax-invoice issuance is handled by in-house tooling running on the Hetzner-hosted application; no third party receives invoice data.

The CAPTCHA widget that runs on your visitors' devices is intentionally minimal. The full technical detail lives in the Privacy Policy; the headline guarantees are:

The exact bundle served to your visitors is publicly available at /captcha.js — minified but not obfuscated, no anti-debugger or anti-tamper layer, and the Proof-of-Work worker code is preserved verbatim with comments inside the bundle. Beautify it and you can audit byte-for-byte what runs on visitors' devices.

Comparison against the three most common CAPTCHA alternatives, with every claim cross-referenced to each provider's published documentation.

Sources for cross-checking: Google reCAPTCHA privacy / terms · hCaptcha privacy · Cloudflare Turnstile data & cookies. Where the underlying privacy policies are ambiguous or change behaviour by plan tier (notably hCaptcha's cookie-free mode), the table reflects the default configuration most integrations use.

Disclosure on the captchaapi.eu side: the "GDPR transfer mechanism for CAPTCHA data" row reflects the CAPTCHA verification path only (EU-internal, Hetzner Nuremberg). Billing-provider data flows are separate: Stripe (B2B) operates from Ireland with ancillary US transfers under EU–U.S. DPF + SCCs; Lemon Squeezy (B2C) operates from the US under DPF + SCCs Module 1 — see the Sub-processors page for the full international transfer disclosure.

Every legal document referenced from this page is publicly available and version-stamped:

Suspected vulnerability, data-handling concern, or security question? Use the dedicated disclosure channel — it goes directly to me, not to a customer-support queue:

Please give me a reasonable window to triage and remediate before public disclosure; coordinated disclosure is appreciated and reciprocated with credit (where the reporter consents) in the changelog or release notes.