What "EU-focused" actually means here
When most providers say "GDPR-compliant," they mean a privacy policy and a checkbox. I mean three specific things — none of which are marketing claims.
1. The CAPTCHA never sends visitor data outside the EU.
All compute and storage runs in Hetzner Online GmbH's Nuremberg datacenter (Germany). I do not use any of Hetzner's US or Singapore regions. There is no replication or fail-over to non-EEA infrastructure. This is not a configuration choice that could change tomorrow; it is the entire deployment topology.
This matters because most large CAPTCHA providers are US-based. Under the CLOUD Act, US authorities can compel a US-headquartered provider to hand over data — including data held on EU servers — without notifying the person it belongs to. Schrems II confirmed this clashes with the GDPR unless extra safeguards close the gap. The current safeguard — the EU–U.S. Data Privacy Framework — has already been challenged in court: the first challenge was dismissed by the EU General Court in September 2025, but that ruling is under appeal to the Court of Justice, the same court that struck down both predecessors, Safe Harbour and Privacy Shield. Every US-adequacy bridge so far has proven shaky, so the simplest safeguard is to not be on a US provider at all.
2. Zero cookies — by design, not by choice.
The CAPTCHA uses a proof-of-work mechanism. There are no session cookies, no fingerprinting, and nothing is written to localStorage or any other device storage. The solved response is verified by a single server-side call to our EU-hosted API — never a third party.
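To make the "no session state on the client" property concrete, here is an added example of a stateless proof-of-work challenge and its server-side verification. It is illustrative code written for this page, not captchaapi.eu's implementation: the challenge format, the HMAC-signed payload, the difficulty value and the replay cache are all assumptions. The point it shows is that the server can issue a challenge, forget it entirely, and still verify the answer later, because everything it needs travels inside the form submission rather than in a cookie or localStorage.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: the secret lives only on the server (here read from the environment,
# with a constructed fallback so the example runs offline).
SERVER_SECRET = os.environ.get("CAPTCHA_SECRET", "constructed-demo-secret").encode()
DIFFICULTY_BITS = 16   # leading zero bits the solver must produce (constructed value)
CHALLENGE_TTL = 300    # seconds a challenge stays valid

# Short-lived record of already-accepted nonces, so a solved challenge cannot be
# submitted twice within its TTL. This is a server-side cache entry, not a cookie.
_spent = {}  # nonce -> expiry timestamp


def issue_challenge(now=None):
    """Create a challenge without storing anything server-side. The server signs
    (nonce, expiry, difficulty) so it can later recognise its own challenge."""
    now = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    payload = f"{nonce}:{now + CHALLENGE_TTL}:{DIFFICULTY_BITS}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def _leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def solve(challenge, max_iterations=1 << 24):
    """Client side: find a counter so that sha256(payload:counter) starts with the
    required number of zero bits. The cost is CPU time, not a stored identifier."""
    payload = challenge["payload"]
    difficulty = int(payload.rsplit(":", 1)[1])
    for counter in range(max_iterations):
        digest = hashlib.sha256(f"{payload}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return counter
    raise RuntimeError("no solution within iteration budget")


def verify(challenge, counter, now=None):
    """Server side: check signature, expiry, work and replay. Returns (ok, reason)."""
    payload, tag = challenge["payload"], challenge["tag"]
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    nonce, expiry, difficulty = payload.split(":")
    now = int(now if now is not None else time.time())
    if now > int(expiry):
        return False, "expired"
    digest = hashlib.sha256(f"{payload}:{counter}".encode()).digest()
    if _leading_zero_bits(digest) < int(difficulty):
        return False, "insufficient work"
    if nonce in _spent:
        return False, "replayed"
    _spent[nonce] = int(expiry)
    for old in [n for n, e in _spent.items() if now > e]:
        del _spent[old]  # keep the replay cache bounded to live challenges
    return True, "ok"


if __name__ == "__main__":
    challenge = issue_challenge()
    answer = solve(challenge)
    print(verify(challenge, answer))  # (True, 'ok')
```

The replay cache is the one piece of server-side memory the design needs, and it expires with the challenge; a real deployment would keep it in the same kind of short-TTL cache used for rate limiting rather than in a database.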
Under the ePrivacy Directive (2002/58/EC, Article 5(3), as amended by 2009/136/EC), any storage or access to terminal-equipment information requires consent unless it is "strictly necessary" for the service the user requested. Most large CAPTCHA providers fail this test. They store cookies for behaviour modelling, which is not "strictly necessary" for verifying that a form submission is human.
Zero cookies means the integrator does not need a consent banner for the CAPTCHA layer. That alone removes one of the most common GDPR audit findings on B2B websites.
The only end-user data the CAPTCHA layer touches is the visitor's IP address, which is one-way hashed (SHA-256 with a server-side secret salt) and held in cache only: up to 2 minutes for rate limiting and up to 24 hours as a cross-sitekey abuse-reputation counter. Two coarse signals derived from that IP, the country code and the network (ASN), are held for up to 25 hours purely for distributed-attack detection and are never linked back to a visitor. Nothing is ever written to the database. The full detail is in the DPA.
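The retention rules in the paragraph above translate into a small amount of code, and seeing it makes the audit question ("where could a raw IP still be?") easy to answer. The following is an added example, not captchaapi.eu's code: it uses a keyed SHA-256 (HMAC) as the "secret-salted hash", an in-memory stand-in for a TTL cache such as Redis with EXPIRE, and constructed thresholds, TEST-NET addresses and a documentation ASN. Everything keyed by the visitor expires on the stated timers, and the coarse country/ASN aggregates never carry the hash at all.

```python
import hashlib
import hmac

# Assumption: the secret is server-side only and rotated out of band; it never
# reaches the client, logs or database. Constructed value for this example.
IP_HASH_SECRET = b"constructed-demo-secret-rotate-me"
RATE_LIMIT_TTL = 120            # 2 minutes, as stated in the retention note
ABUSE_COUNTER_TTL = 24 * 3600   # 24 hours, cross-sitekey abuse reputation
SIGNAL_TTL = 25 * 3600          # 25 hours, country / ASN aggregates
RATE_LIMIT_MAX = 30             # constructed thresholds
ABUSE_MAX = 500


def pseudonymise_ip(ip: str) -> str:
    """One-way hash of the IP under a server-side secret. An unkeyed SHA-256 of an
    IPv4 address could be reversed by hashing all ~4 billion candidates, so the
    secret is what makes the hash pseudonymous rather than merely obfuscated."""
    return hmac.new(IP_HASH_SECRET, ip.encode(), hashlib.sha256).hexdigest()


class TtlCounter:
    """In-memory counter whose entries vanish after a fixed TTL. Stands in for a
    cache with per-key expiry; nothing here is persisted."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._entries = {}  # key -> (count, expires_at)

    def incr(self, key, now):
        count, expires_at = self._entries.get(key, (0, now + self.ttl))
        if now >= expires_at:                   # expired: start a fresh window
            count, expires_at = 0, now + self.ttl
        count += 1
        self._entries[key] = (count, expires_at)
        return count

    def get(self, key, now):
        count, expires_at = self._entries.get(key, (0, 0))
        return 0 if now >= expires_at else count

    def purge(self, now):
        """Drop expired keys; run periodically so memory stays bounded."""
        self._entries = {k: v for k, v in self._entries.items() if now < v[1]}


rate_limit = TtlCounter(RATE_LIMIT_TTL)          # keyed by IP hash
abuse_reputation = TtlCounter(ABUSE_COUNTER_TTL)  # keyed by IP hash, spans sitekeys
coarse_signals = TtlCounter(SIGNAL_TTL)           # keyed by (country, asn) only


def handle_verification(ip, country, asn, now, failed=False):
    """Called once per verification attempt. The decision is built only from
    expiring, pseudonymous counters; the raw IP is dropped on return."""
    h = pseudonymise_ip(ip)
    recent = rate_limit.incr(h, now)
    abuse = abuse_reputation.incr(h, now) if failed else abuse_reputation.get(h, now)
    # Aggregate per network for distributed-attack detection; no per-visitor key.
    network_requests = coarse_signals.incr(f"{country}:{asn}", now)
    return {
        "ip_hash": h,
        "allow": recent <= RATE_LIMIT_MAX and abuse <= ABUSE_MAX,
        "recent_requests": recent,
        "abuse_score": abuse,
        "network_requests": network_requests,
    }


if __name__ == "__main__":
    # Constructed sample traffic: TEST-NET-3 address, documentation ASN 64496.
    print(handle_verification("203.0.113.7", "DE", 64496, now=0))
    print(handle_verification("203.0.113.7", "DE", 64496, now=30, failed=True))
```

Two checks worth carrying into a review of any such system: the hash function must be keyed (otherwise the cache contents are reversible), and every key that is derived from a visitor must sit under a TTL so that the only thing surviving a day is an aggregate per network.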
3. Sub-processors are in the EU. Only the payment path reaches the US.
Hetzner (Germany) runs the infrastructure. WEDOS (Czech Republic) handles transactional email. Stripe handles B2B payments through Stripe Payments Europe Ltd. (Ireland); consumer payments run through Lemon Squeezy (US) as Merchant of Record. The full list with transfer mechanisms and DPA references is on the sub-processors page.
The unusual part: invoicing is in-house. Not a third-party SaaS. I built it myself (it is the same engine as my Billify product), running on the same Hetzner infrastructure under the same legal entity. There is no extra company in the data path with its own privacy policy.
My commitment: no second product on visitor data.
I will never collect, retain beyond technical necessity, or commercialise data about end-users gathered through the CAPTCHA layer. The business is the CAPTCHA itself — the API call, the verification, the proof-of-work. It is not behavioural profiles, fingerprints, or visitor patterns aggregated across integrators. There is no second product line built on visitor data, and there will not be one.
Why I am in a position to do this
I am not a marketing-first founder who pivoted into compliance. The opposite: I have been building EU-billing software for longer than captchaapi.eu has existed.
- Billify is my Czech B2B invoicing tool — the same engine that issues captchaapi.eu's invoices. Building it gave me hands-on knowledge of EU VAT, reverse charge, and the B2B-vs-B2C tax routing a compliant EU SaaS has to get right.
- I work in this terrain daily. EU SaaS compliance is not a side concern; it is the primary domain of my work.
- That shows in the product. Three billing jurisdictions are handled separately — Czech direct, EU B2B reverse charge, and rest-of-world plus EU B2C via Lemon Squeezy as Merchant of Record — each a tax-law decision encoded in how the product behaves.
The pitch is simple: I am not asking you to trust marketing copy about EU compliance. I am asking you to read the code, the legal pages, and the sub-processor list — and verify each claim against the corresponding regulation.
What you can do next
- Try the free tier on any project. No card needed. → Sign up
- Review the legal layer. Privacy & GDPR Policy, DPA, Sub-processors, Terms.
- Send a vendor due diligence questionnaire. I answer them myself. → info@captchaapi.eu