What the widget collects
- IP address — truncated to /24 (IPv4) or /64 (IPv6) before storage. We never store full IPs.
- User agent — SHA-256 hashed with a per-deployment pepper. Used for risk scoring, never exported.
- Browser hints — language, timezone, viewport, hardware-concurrency, device-memory, prefers-color-scheme. Used by the risk engine, never tied to an identity.
- Pointer entropy — a small fingerprint of mouse/touch movement before the click. Discarded after the challenge.
- Submitted answer — for non-smart modes, the actual selected tiles / typed text / chosen option. Discarded after verification.
We do not set cookies on your customers, do not fingerprint browsers beyond what's needed for the score, and do not share any of this with anyone.
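The IP truncation and peppered user-agent hashing listed above, sketched as an added example (not TrustedCaptcha's own code); it also shows that two hosts in the same /24 are indistinguishable once stored. The function names, the constructed pepper, and the choice of HMAC to combine pepper and user agent are assumptions: the page only says "SHA-256 hashed with a per-deployment pepper".

```python
import hashlib
import hmac
import ipaddress

# Constructed pepper for this demo; a deployment would load its own secret.
DEMO_PEPPER = b"constructed-demo-pepper"


def truncate_ip(raw: str) -> str:
    """Return the /24 (IPv4) or /64 (IPv6) network of an address as text."""
    addr = ipaddress.ip_address(raw.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is really IPv4. Unwrap it,
    # otherwise every mapped client would collapse into the single ::/64 net.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 24 if addr.version == 4 else 64
    # strict=False zeroes the host bits instead of rejecting them.
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def hash_user_agent(ua: str, pepper: bytes) -> str:
    """Keyed SHA-256 of the user agent (HMAC is this example's assumption)."""
    return hmac.new(pepper, ua.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(raw_ip: str, ua: str, pepper: bytes = DEMO_PEPPER) -> dict:
    """Build the record that would be stored; the raw inputs are not kept."""
    return {"ip_net": truncate_ip(raw_ip), "ua_hash": hash_user_agent(ua, pepper)}


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed sample)"
    # Constructed sample addresses from documentation ranges.
    for ip in ("203.0.113.7", "203.0.113.200", "::ffff:203.0.113.7",
               "2001:db8:1:2:aaaa:bbbb:cccc:dddd"):
        print(ip, "->", minimise(ip, ua))
```

Without the pepper, a stored hash could be matched against a precomputed table of common user-agent strings; the keyed form is only as private as the pepper is secret.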
Where it lives
Frankfurt, Germany (Hetzner). All processing inside the EU. No US sub-processors for the verification API. Mailgun EU is used for transactional email; Stripe Ireland for billing. Neither receives end-user data — only your account-holder data.
Retention
| What | How long |
|---|---|
| Challenge state (encrypted) | 7 days |
| Verifications (Free) | 30 days |
| Verifications (Pro) | 90 days |
| Audit log | 13 months |
What to say in your privacy policy
Here's template text you can adapt. (Run it past your DPO; we're not lawyers.)
"We use TrustedCaptcha (operated by AESHA Technology Services Limited, Seychelles, processing in Germany) to prevent automated abuse of our forms. When you interact with a TrustedCaptcha widget on this site, the service collects your IP address (truncated to /24 or /64 before storage), a hashed user-agent string, and minimal browser hints (language, timezone, viewport size). This data is processed under our legitimate interest (GDPR Art. 6.1.f) in preventing abuse, retained for 30–90 days depending on our subscription tier, and never shared with third parties. Full details at trustedcaptcha.com/legal/privacy."
DPA (Article 28)
Pro customers get a signed Article 28 DPA. Email the DPO with your company details — we countersign within 2 business days.
Data subject requests
For DSARs from your end users: route them through your own DPO/process. We can usually only identify a user by their truncated IP plus device-hash, which means we can't reliably match data to a person — by design.
Data export & deletion (Art. 15, 17, 20)
For your own account data (not your end users'), use the buttons in Account → Privacy:
- Export my data generates a ZIP of all account-related data within 24 hours. Includes account, sites, verification metadata (counts only, not individual rows), and audit log.
- Delete my account soft-deletes immediately, hard-deletes after 30 days (during which you can recover via support).