Privacy Policy

Last updated: 2026-05-01

1. Who we are.

This privacy policy explains how AESHA Technology Services Limited ("TrustedCaptcha", "we") processes personal data in connection with the TrustedCaptcha service. Our company registration number is 210193 (Seychelles), registered at 1032 Office House of Francis Ilu de Port, Mahe, 00000, Seychelles.

2. The two roles.

For data we process about customers (people who sign up for accounts, log in to dashboards, manage sites, pay invoices), we are the controller. For data we process about your end-users (people who solve CAPTCHA challenges on your sites), we are the processor; you are the controller. The legal basis, retention, and rights differ between the two.

3. Data we process as controller (your account).

Categories: name, email, password (hashed), billing address, VAT ID (if provided), payment method (handled by Stripe; we receive only the last 4 digits and brand), audit-log entries, IP address (truncated) at login, two-factor secrets (encrypted), recovery codes (hashed).

Legal basis: Article 6(1)(b) GDPR — performance of the contract you entered when signing up.

Retention: while your account is active, plus 7 years for invoices and tax records (German tax law via subprocessor obligations) or 6 years (Seychelles statutory requirement), whichever is longer.

4. Data we process as processor (your end-users' challenges).

Categories: IP address (truncated to /24 or /64 before storage), browser language, viewport dimensions, device pixel ratio, hardware concurrency, coarse pointer entropy hash, user-agent string (hashed before storage), challenge solutions (encrypted; only hashes of solutions are checked, not solutions themselves).

Legal basis: as processor we don't determine this; your service's privacy policy does. The legal basis you'd typically invoke is Article 6(1)(f), legitimate interest in protecting your service from automated abuse.

Retention: 7 days for raw challenge rows, 90 days for verification rows, 13 months for aggregated daily usage statistics.

5. International transfers.

All processing happens in the European Union (Hetzner Online GmbH, Germany). Email is sent via Mailgun (Sinch Email Europe AB) operating in the EU region. Payments are processed by Stripe Payments Europe Ltd (Ireland). MaxMind GeoIP databases are downloaded from MaxMind Inc. (US); lookups happen locally on our EU servers. We do not transfer end-user personal data to non-EU controllers or processors.

6. Recipients.

The full list is at /legal/subprocessors. We update it 30 days before adding any new subprocessor.

7. Your rights.

Under GDPR you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21). Exercise them by emailing dpo@trustedcaptcha.com. We respond within 30 days. You also have the right to lodge a complaint with your supervisory authority — typically your country's data protection authority.

8. Cookies and similar.

The marketing site uses no third-party cookies. We use a single first-party session cookie (tc_session) for authenticated dashboard sessions, set with the HttpOnly, Secure and SameSite=Lax attributes. The challenge iframe uses no cookies.

9. Children.

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If a child has created an account, contact us and we will delete it.

10. Changes.

We will notify you of material changes to this policy by email at least 30 days in advance.

11. Contact.

Data protection: dpo@trustedcaptcha.com.