Privacy Policy
We believe you have a right to know exactly what data we collect, why, and what we do with it — written in plain language.
✔ Short version: We only collect data you give us when registering or logging in. Cookies are set only when you are logged in. We do not track you, profile you, or sell your data.
1. Who We Are
Captxa ("we", "us", "our") is a privacy-first CAPTCHA service hosted in the European Union (Nuremberg, Germany). You can contact us at hello@captxa.com.
2. What Data We Collect
We collect only the minimum data required to provide the service. Nothing more.
2.1 Account Data (Registration & Login)
- Email address — used to identify your account and send essential notifications (e.g., password reset).
- Password — stored as a secure hash (bcrypt/Argon2). We never store plain-text passwords.
- Registration timestamp — when your account was created.
2.2 API Usage Data
When your application calls our verification endpoint, we log:
- Your API key (identifies your project, not you personally).
- Verification result (pass / fail) and timestamp.
- Request volume counters (to enforce plan limits).
End-user IP addresses are used transiently to bind a challenge to a session and are not stored persistently in any personally identifiable form.
2.3 What We Do NOT Collect
- No cross-site tracking or browsing history.
- No advertising IDs or third-party analytics pixels.
- No profiling data on end-users of your application.
- No data from unauthenticated visitors to captxa.com.
3. Cookies
We set cookies only when you are logged in to the Captxa dashboard, solely to keep your session active and protect against CSRF attacks. No cookies are set for visitors who are not logged in. See our Cookie Policy for full details.
4. How We Use Your Data
- Account management: authentication, password resets, account notifications.
- Service delivery: counting API verifications against your plan quota.
- Security: detecting abuse and protecting service integrity.
- Legal compliance: meeting obligations under EU law where applicable.
We do not use your data for advertising, profiling, or any purpose beyond those listed above.
5. Legal Basis (GDPR)
- Contract performance (Art. 6(1)(b)): processing account data is necessary to provide the service.
- Legitimate interests (Art. 6(1)(f)): security logging and abuse prevention.
- Legal obligation (Art. 6(1)(c)): where required by EU law.
6. Data Sharing
We do not sell, rent, or trade your personal data to any third party — ever. We share data only in these narrow cases:
- Infrastructure provider: Hetzner Online GmbH (Nuremberg, Germany) as our hosting processor, under a signed DPA and EU/GDPR safeguards.
- Legal requirement: if compelled by a valid EU court order. We will notify you where legally permitted.
7. Data Retention
- Account data: retained for the lifetime of your account and deleted within 30 days of account deletion.
- API usage counters: retained for up to 12 months for billing and audit, then aggregated or deleted.
- Session cookies: expire on logout or session timeout.
8. Your GDPR Rights
If you are in the EU/EEA, you have the right to access, rectify, erase, restrict, or port your data, and to object to processing. Email hello@captxa.com — we will respond within 30 days. You may also lodge a complaint with the German supervisory authority (BfDI).
9. Data Location
All data is stored and processed within the EU (Nuremberg, Germany). No transfers outside the EEA occur.
10. Security
We use TLS 1.3 for data in transit, encrypted storage for sensitive fields (Ed25519 token signatures, ChaCha20-Poly1305 challenge tokens), and strict access controls. Passwords are hashed with a strong algorithm and never stored in plain text.
11. Service Continuity — Honest Disclosure
⚠ Captxa is an independent project. If the project is discontinued, the service will also close. We will provide at least 90 days' advance notice before any shutdown and will offer data export. The Hobbyist free tier (50,000 verifications/month) is guaranteed free for as long as the project operates.
12. Changes to This Policy
Material changes will be communicated by email to registered users at least 14 days in advance. The effective date at the top always reflects the current version.
Questions about this document?
hello@captxa.com