Cookie Notice

What we use, why, and what's optional. Last updated: 2026-05-01

The short version.

The marketing site (this domain) sets no cookies. The dashboard sets one strictly-necessary first-party session cookie. The challenge iframe sets no cookies. We use no third-party tracking, analytics, or advertising cookies anywhere on our properties.

The full list.

Cookie | Purpose | Domain | Lifetime | Necessary?
tc_session | Authenticated dashboard session ID | trustedcaptcha.com | 14 days | Yes — strictly necessary

The tc_session cookie is HttpOnly + Secure + SameSite=Lax. It contains a randomly-generated session ID; the actual session data is stored server-side in Redis. The cookie is only set when you log in to the dashboard.

Why no consent banner?

Under the ePrivacy Directive (Recital 25 + Art. 5(3)) and EDPB Guidelines 2/2023, strictly-necessary first-party cookies for authenticated sessions do not require consent. Since we use only that one cookie and only after explicit login, no consent banner is required. We've taken the more privacy-respecting position of simply not using cookies that would require one.

The challenge iframe.

The CAPTCHA challenge iframe (challenges.trustedcaptcha.com) sets no cookies and uses no localStorage. All session state for in-flight challenges is held server-side and identified by the challenge ID returned to the browser.

What about the widget on customer sites?

The widget loader (api.js, served from cdn.trustedcaptcha.com) sets no cookies on your customer's site. The iframe it embeds (challenges.trustedcaptcha.com) likewise sets no cookies. There is therefore no cookie-related consent obligation triggered on your site by embedding TrustedCaptcha.