A short summary of how TrustedCaptcha helps you meet GDPR obligations.
You are the data controller, we are the processor (Art. 28). The lawful basis for processing is legitimate interest (Art. 6.1.f) — preventing automated abuse of your forms. We've documented the legitimate interest assessment; it's available on request.
We collect IPs truncated to /24 (IPv4) or /64 (IPv6) — never full IPs. User-agent strings are SHA-256 hashed with a per-deployment pepper. No browser fingerprinting beyond what's needed for the risk score.
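The minimisation described above can be sketched as follows. This is an added example, not TrustedCaptcha's own code: the function names and the pepper value are hypothetical, and using HMAC-SHA-256 to combine the pepper with the user-agent is an assumption, since the page does not say how the two are combined.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholder; a real deployment loads its own secret pepper
# from a secret store and never logs it.
PEPPER = b"example-per-deployment-pepper"


def truncate_ip(raw: str) -> str:
    """Return the /24 (IPv4) or /64 (IPv6) network containing `raw` as CIDR text."""
    addr = ipaddress.ip_address(raw.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is an IPv4 client seen on a
    # dual-stack socket. Its upper 64 bits are all zero, so a /64 cut would
    # collapse every such client into ::/64. Unwrap it and apply /24 instead.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 24 if addr.version == 4 else 64
    # strict=False zeroes the host bits instead of rejecting the address.
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def hash_user_agent(user_agent: str, pepper: bytes = PEPPER) -> str:
    """Peppered SHA-256 of the user-agent (HMAC construction, an assumption)."""
    return hmac.new(pepper, user_agent.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(raw_ip: str, user_agent: str) -> dict:
    """Build the record that is stored; the full IP and raw UA are discarded."""
    return {"net": truncate_ip(raw_ip), "ua": hash_user_agent(user_agent)}


if __name__ == "__main__":
    # Constructed sample inputs (documentation address ranges).
    for ip in ("203.0.113.77", "2001:db8:1:2:aaaa:bbbb:cccc:dddd", "::ffff:203.0.113.77"):
        print(minimise(ip, "Mozilla/5.0 (X11; Linux x86_64)"))
```

Because the pepper is per deployment, the same user-agent yields different hashes in different deployments, so stored values cannot be joined across customers without the secret.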
All processing happens in Frankfurt, Germany (Hetzner). No data leaves the EU. No US sub-processors for the verification API. Email goes through Mailgun's EU region; payments via Stripe Ireland.
Available to all Pro customers on signing. Email the DPO with your company name + signatory and we'll countersign within 2 business days.
The Account → Privacy page in your dashboard has one-click data export (Art. 20) and account deletion (Art. 17). For data subjects requesting access through your service, route them to us via your DPO.
Any confirmed personal-data breach gets disclosed to affected customers within 24 hours; to the supervisory authority (DPC Ireland for our EU operations) within 72 hours; to affected data subjects without undue delay where required.
This page summarises our practical posture. The legally binding documents are the privacy policy, terms, and DPA.