GDPR Compliance
How Captxa implements the requirements of the General Data Protection Regulation — by design, not as an afterthought.
✔ Short version: Captxa is built from the ground up for GDPR compliance. It is EU-hosted, collects minimal data, does not track end-users, and fully supports your rights as a data subject. When you use Captxa on your site, your visitors are not profiled or tracked.
1. Our Approach
GDPR compliance is not an afterthought — it is a core design requirement. The service was architected with data minimisation, purpose limitation, and privacy by default as first-class principles. We do not store end-user personal data, set tracking cookies, or enable cross-site profiling.
2. Roles Under GDPR
Captxa as Data Controller
When you create a Captxa account, we are the data controller for your personal data (email, hashed password, API usage). We determine the purposes and means of processing.
Captxa as Data Processor
When you integrate the Captxa widget on your website, we are your data processor. We process CAPTCHA verification data on your behalf. The widget does not collect or transmit personally identifiable information about your end-users in a stored or linkable form. A formal Data Processing Agreement (DPA) is available for customers who require it.
3. Data Processed and Legal Bases
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Account identification, password reset | Art. 6(1)(b) — contract | Account lifetime + 30 days |
| Password hash | Authentication security | Art. 6(1)(b) — contract | Account lifetime + 30 days |
| API usage counters | Quota enforcement, billing | Art. 6(1)(b) — contract | 12 months, then aggregated |
| Security logs | Abuse detection, incident response | Art. 6(1)(f) — legitimate interests | 30 days |
4. EU-Only Data Storage
All personal data is stored and processed exclusively within the EU on servers in Nuremberg, Germany (Hetzner data centre). No data is transferred outside the EEA. No EU-US transfers occur.
5. Privacy by Design Highlights
- The CAPTCHA widget uses ephemeral, encrypted challenge tokens that cannot be linked to individual users after verification.
- End-user IP addresses are used transiently for challenge binding only — not stored persistently in personally identifiable form.
- Zero third-party analytics, advertising networks, or social media SDKs.
- The client-side script is ~16 KB with zero external dependencies and does not communicate with other services.
6. Your Rights (Art. 15–22 GDPR)
Contact hello@captxa.com to exercise any right — we respond within 30 days:
- Access (Art. 15): obtain a copy of your personal data.
- Rectification (Art. 16): correct inaccurate data.
- Erasure (Art. 17): request deletion.
- Restriction (Art. 18): limit processing.
- Portability (Art. 20): receive your data in JSON format.
- Object (Art. 21): object to processing based on legitimate interests.
- Supervisory authority: lodge a complaint with the BfDI (Germany) or your local authority.
7. Sub-Processors
We use one sub-processor: Hetzner Online GmbH (Nuremberg, Germany) for cloud infrastructure. Hetzner is subject to GDPR and a signed DPA. We will notify registered users at least 14 days before adding any new sub-processor.
8. Data Breach Notification
In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and affected users without undue delay where required (Art. 34 GDPR).
9. CAPTCHA Widget & Your Visitors
When you use Captxa on your website, the widget does not: set cookies on your visitors' browsers, send their IP addresses to us in a stored form, create user profiles, or communicate with any third-party service. This makes Captxa fundamentally different from reCAPTCHA and allows you to use it with minimal GDPR disclosure obligations in your own privacy policy.
10. Contact
For all GDPR enquiries: hello@captxa.com. As a small independent project, we do not have a formally appointed DPO (not required under Art. 37 GDPR for organisations of our size). The project owner handles all data protection matters directly.