- 100% EU-hosted: Hetzner Nuremberg; no CAPTCHA data leaves the EEA.
- No cookies on widget: no tracking, no fingerprints, no profiling — ever.
- Pre-signed DPA: print-ready Article 28 GDPR processor agreement.
# 1 Operating Entity
captchaapi.eu is operated as a sole-proprietor business under Czech law. The same legal person is the data controller for registered users, the seller of record for B2B transactions, and the responsible party for security disclosures.
Vladislav Rajtmajer

- Registered address: U Porcelánky 862, 35735 Chodov
- Company ID (IČO): 73396249
- VAT status: Identifikovaná osoba (CZ); not a domestic VAT payer (no Czech VAT on invoices); reverse charge for EU B2B
- Jurisdiction: Czech Republic (European Union)
- General contact: info@captchaapi.eu
Lead supervisory authority for data-protection matters is the Czech Úřad pro ochranu osobních údajů (ÚOOÚ) — www.uoou.cz. Disputes are subject to the exclusive jurisdiction of the competent courts of the Czech Republic, without prejudice to mandatory consumer-protection law in your country of residence.
No Data Protection Officer (DPO) is appointed. The current processing activities do not meet the thresholds in Article 37(1) GDPR (no public-authority status, no large-scale systematic monitoring of data subjects, no large-scale processing of special categories of data). I review this designation annually as the service scales. Direct any data-protection inquiries to the contact email above.
# 2 Business Continuity
A one-person operation raises a fair question: what happens to your integration if I'm not around to run it? Here is the honest answer, laid out the way a continuity reviewer would want it. The protection is not a promise that I will never disappear. It is that leaving costs you an afternoon, not a quarter.
## Low switching cost by design
The integration is a script tag and one server-side verification call. There is no SDK to rip out and no proprietary data model to migrate. The widget is ~19 KB of readable, un-obfuscated JavaScript (/captcha.js), and the backend check is a single documented HTTPS call to our API (backend docs). Moving to another CAPTCHA is an afternoon, not a project.
## Nothing of yours is locked in here
No visitor data is stored to begin with (see Data Handling below), so there is nothing to be stranded if the service ends. Your own account data (projects, site keys, invoices) is available to you on request by email for as long as the account is open.
## If I ever wind the service down
You get at least 30 days' written notice to the billing contact on every active account, and any period you have already paid for is honored or refunded pro rata. No silent shutoff. The binding notice period is set in Terms of Service, Section 11.
## The protocol is not a black box
The widget ships un-obfuscated and the verification is a single documented HTTP call. On a permanent wind-down, I will publish the challenge and verification protocol specification so a compatible endpoint can be self-hosted or rebuilt by anyone.
The honest limit: while the service is live, challenge issuance runs on my infrastructure, and that is a dependency you take on. The points above are about making that dependency cheap to exit, not pretending it isn't there.
# 3 Hosting & Infrastructure
All application data, including ephemeral CAPTCHA challenge state and the operational database, is hosted on infrastructure provided by Hetzner Online GmbH in Nuremberg, Germany — exclusively. No replication or fail-over to non-EEA Hetzner regions is configured. CAPTCHA verification data is not intentionally transferred outside the EU/EEA. Payment-provider data flows (Stripe / Lemon Squeezy) are documented separately on the Sub-processors page.
## Observed availability
Uptime of the live CAPTCHA API over the last 90 days, measured independently by an external monitor (Better Stack). This is observed historical performance, not a contractual SLA.
## Sub-processor certifications (Hetzner)
- ISO 27001
- BSI C5 Type 2
captchaapi.eu does not currently hold an independent ISO 27001 / SOC 2 / BSI C5 certification of its own — these certifications belong to the upstream infrastructure provider and are referenced honestly as such, not claimed for the application layer.
## Independent annual audit
Hetzner's compliance with the agreed Technical and Organizational Measures is audited annually by TÜV Rheinland, an independent German certification body. The most recent audit report is dated 19 February 2026 and is available to Controllers on request under the DPA. A written Article 28 GDPR Data Processing Agreement with Hetzner was signed 17 April 2026.
# 4 Sub-processors
The minimal sub-processor footprint is a deliberate design choice. The full list is maintained on the Sub-processors page; what follows is the working summary.
- Hetzner Online GmbH — cloud infrastructure (Nuremberg, Germany, EU — exclusive). Processes all application data.
- WEDOS, a.s. — transactional email mailhosting (Hluboká nad Vltavou, Czech Republic, EU). Processes recipient email address and message body for account notifications only.
- Stripe Payments Europe Ltd. — payment processor for B2B customers (captchaapi.eu remains seller of record). Independent payment provider for consumer transactions: Lemon Squeezy LLC (acting as Merchant of Record under their own terms — independent controller, not a sub-processor in the strict GDPR sense).
Tax-invoice issuance is handled by in-house tooling running on the Hetzner-hosted application; no third party receives invoice data.
## Data supplier (not a sub-processor): MaxMind, Inc.
MaxMind, Inc. supplies the GeoLite2 Country + ASN databases used to derive coarse-grained geographic signals (two-letter ISO country code, Autonomous System Number) for botnet detection. The lookup is performed entirely offline on the Hetzner-hosted application server — MaxMind receives no end-user data and is therefore a data supplier, not a sub-processor in the GDPR Article 28 sense (this distinction is documented in MaxMind's DPA Section 2(a)). This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com (attribution required by the GeoLite2 EULA).
## Change-notification policy
At least 30 days' advance notice before any sub-processor is added or replaced. Notification is dual-channel: this page is updated and an email is sent to the billing contact of every active account. If you object to a proposed change, you may request additional information, propose alternative arrangements, or terminate without penalty before the change takes effect — see Sub-processors, Section 3.
# 5 Data Handling on the Visitor Side
The CAPTCHA widget that runs on your visitors' devices is intentionally minimal. The full technical detail lives in the Privacy Policy; the headline guarantees are:
## No cookies
The widget sets nothing in the visitor's browser. Strictly necessary dashboard session cookies apply only to logged-in integrators.
## No fingerprinting
No canvas, font, or device-fingerprint signals are collected. The Proof-of-Work challenge is purely mathematical.
## Hashed IP, cache-only retention
The visitor IP is one-way hashed (SHA-256 with a server-side secret salt) and held in cache only: for up to 2 minutes for rate limiting, and for up to 24 hours as a cross-sitekey abuse-reputation counter. It is never written to the database.
## No cross-site profiling
Visitor data is never combined with data from other services, never shared with ad networks, and never used for risk scoring across sites.
## No per-verification logging
Successful verifications are not individually logged — only an aggregate per-project counter is maintained for quota enforcement. Single-use is enforced server-side: a short-lived marker (minutes) stops a solved response from being verified twice, then expires automatically. It carries no visitor data, and nothing about the visitor is retained beyond the counter.
The exact bundle served to your visitors is publicly available at /captcha.js — minified but not obfuscated, no anti-debugger or anti-tamper layer, and the Proof-of-Work worker code is preserved verbatim with comments inside the bundle. Beautify it and you can audit byte-for-byte what runs on visitors' devices.
## How this compares to other CAPTCHAs
The full head-to-head against reCAPTCHA, hCaptcha, Turnstile and Friendly Captcha — privacy, EU hosting, cookies and price — is on its own page.
# 6 Key Timelines
The commitments a due-diligence review usually asks for, in one place. Each row is the binding figure from the document linked beside it; that document is the source of truth if the two ever disagree.
| Commitment | Timeline | Source |
|---|---|---|
| Data breach notification | Within 48 hours of becoming aware | DPA |
| Data subject request | Within 1 month (up to 2 more if complex) | Privacy |
| Sub-processor change notice | At least 30 days before it takes effect | Sub-processors |
| Security report acknowledgement | Within 72 hours (target) | security.txt |
| Data deletion after account closure | Within 30 days (bar legal retention) | DPA |
| Service wind-down notice | At least 30 days, paid time honored | Terms of Service |
Retention windows for specific data categories (logs, billing records, VIES audit trail) are itemized in the Privacy Policy retention table and DPA Section 8.
# 7 Compliance Documents
Every legal document referenced from this page is publicly available and version-stamped:
- Terms of Service: liability cap, refund policy, change-notice rules, integrator obligations.
- Privacy & GDPR Policy: Article 13 disclosure, data categories, legal basis (Art. 6), retention table, cookie inventory, data-subject rights, supervisory authority.
- Data Processing Agreement: Article 28 GDPR processor agreement with signature block, print-ready.
- Sub-processors: full list with change-notification policy and objection flow.
- security.txt: RFC 9116 disclosure metadata for security researchers.
# 8 Security Contact
Suspected vulnerability, data-handling concern, or security question? Use the dedicated disclosure channel — it goes directly to me, not to a customer-support queue:
Disclosure metadata in machine-readable form is published at /.well-known/security.txt per RFC 9116. I aim to acknowledge legitimate reports within 72 hours and to keep the reporter informed throughout remediation.
Please give me a reasonable window to triage and remediate before public disclosure; coordinated disclosure is appreciated and reciprocated with credit (where the reporter consents) in the changelog or release notes.
Vladislav Rajtmajer
Founder & sole operator · Czech Republic (CET)
What you see in the legal documents is what runs in production. The same person writes the code, signs the DPA, and answers the security email.
## Vendor due-diligence questions?
Happy to fill in a CAIQ Lite, security questionnaire, or supply audit references.