CaptchaShield

GDPR & Data Rights

For EEA, UK, and Swiss Users: This page provides detailed information about your data protection rights under the General Data Protection Regulation (GDPR).

Effective Date: January 1, 2024
Last Updated: January 27, 2026

This page provides detailed information about how CaptchaShield complies with the General Data Protection Regulation (GDPR) and respects the data protection rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland.

1. Data Controller and Contact Information

1.1 Data Controller

For the purposes of data protection law, the data controller is:

1.2 Data Protection Officer (DPO)

If you have questions about data protection or wish to exercise your rights, contact our Data Protection Officer:

2. Categories of Personal Data Processed

We process the following categories of personal data:

Category | Data Elements | Source
--- | --- | ---
Account Data | Email address, name (optional), password hash, account settings | Directly from you
Identification Data | IP addresses (hashed), browser fingerprints (hashed) | Automatically collected
Technical Data | User agent, device type, browser version, operating system | Automatically collected
Usage Data | CAPTCHA challenge results, verification requests, API calls | Service interaction
Behavioral Data | Interaction patterns, timing data (non-identifying) | Widget interaction
Communication Data | Support tickets, email correspondence, feedback | Directly from you
Financial Data | Payment method (last 4 digits), billing address, transaction history | Payment processor
Site Configuration | Domain names, site keys, integration settings | Directly from you

3. Purposes and Legal Bases for Processing

We process personal data for the following purposes, based on specific legal grounds:

Purpose | Legal Basis | Data Categories Used
--- | --- | ---
Providing the CAPTCHA service | Contractual necessity | Account, Technical, Usage, Behavioral
Account management and authentication | Contractual necessity | Account, Identification
Bot detection and fraud prevention | Legitimate interests (security) | Identification, Technical, Behavioral, Usage
Service improvement and analytics | Legitimate interests (service quality) | Usage, Technical
Customer support | Contractual necessity | Account, Communication
Payment processing | Contractual necessity | Financial, Account
Legal compliance and obligations | Legal obligation | Account, Financial, Usage logs
Security monitoring and incident response | Legitimate interests (security) | Identification, Technical, Usage
Marketing communications (optional) | Consent | Account (email)

3.1 Legitimate Interests Assessment

Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms. Our legitimate interests include:

  • Protecting our services and users from fraud and abuse
  • Ensuring service security, stability, and availability
  • Improving our products and user experience
  • Operating an efficient and sustainable business

You have the right to object to processing based on legitimate interests (see Section 5.6).

4. Data Recipients and International Transfers

4.1 Internal Recipients

Personal data is accessed by our employees and contractors on a need-to-know basis, subject to confidentiality obligations and access controls.

4.2 External Recipients (Subprocessors)

We share data with the following categories of third parties:

  • Cloud Infrastructure Providers: Data storage and hosting
  • Payment Processors: Stripe, PayPal (payment processing)
  • Email Service Providers: Transactional emails
  • Analytics and Monitoring Tools: Service performance and security monitoring
  • Support Platforms: Customer support and ticketing systems

A complete, up-to-date list of subprocessors is available upon request at [email protected].

4.3 International Data Transfers

Personal data may be transferred to and processed in countries outside the EEA, UK, and Switzerland. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU Commission-approved clauses with all non-EEA processors
  • Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
  • Additional Safeguards: Encryption, access controls, and security measures

You may request copies of the safeguards in place by contacting [email protected].

5. Your Rights Under GDPR

As a data subject in the EEA, UK, or Switzerland, you have the following rights:

5.1 Right of Access (Article 15)

You have the right to:

  • Confirm whether we process your personal data
  • Obtain a copy of your personal data
  • Receive information about how we process your data

How to exercise: Email [email protected] with "Data Access Request" in the subject line.

5.2 Right to Rectification (Article 16)

You have the right to correct inaccurate or incomplete personal data.

How to exercise: Update your account information in the dashboard, or email [email protected].

5.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purposes collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • Deletion is required for legal compliance

Limitations: We may retain data if required for legal obligations, exercising legal rights, or defending legal claims.

How to exercise: Email [email protected] or use the account deletion feature in the dashboard.

5.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing when:

  • You contest the accuracy of the data (while we verify)
  • Processing is unlawful, but you prefer restriction to erasure
  • We no longer need the data, but you need it for legal claims
  • You object to processing (pending verification of legitimate grounds)

How to exercise: Email [email protected] with details of your request.

5.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Applies to: Data provided by you and processed based on consent or contract, where processing is automated.

How to exercise: Use the data export feature in the dashboard or email [email protected].

5.6 Right to Object (Article 21)

You have the right to object to:

  • Processing based on legitimate interests: We will stop processing unless we demonstrate compelling legitimate grounds
  • Direct marketing: We will immediately stop sending marketing communications
  • Profiling and automated decision-making: You may object to automated decision-making (we do not currently engage in automated decision-making that produces legal or similarly significant effects)

How to exercise: Email [email protected] or click "unsubscribe" in marketing emails.

5.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

How to exercise: Manage consent preferences in your account settings or email [email protected].

5.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority if you believe we have violated data protection laws.

Supervisory Authorities:

We encourage you to contact us first at [email protected] so we can address your concerns directly.

6. Exercising Your Rights

6.1 How to Submit a Request

To exercise any of your rights, contact us at:

  • Email: [email protected]
  • Subject Line: Specify the right you wish to exercise
  • Include: Your account email, description of your request, and any relevant details

6.2 Identity Verification

To protect your privacy, we may request additional information to verify your identity before processing requests. This may include:

  • Email verification via your registered account email
  • Login to your account to confirm identity
  • Answers to security questions

6.3 Response Time

We will respond to your request within 30 days of receipt. If your request is complex or we receive multiple requests from you, we may extend this period by a further 60 days and will notify you of the extension.

6.4 No Fee

Exercising your rights is free of charge. However, if requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or refuse the request.

7. Data Processing Roles

7.1 CaptchaShield as Data Controller

For our own operations (account management, billing, service delivery), we act as the data controller. We determine the purposes and means of processing.

7.2 CaptchaShield as Data Processor

When you integrate CaptchaShield into your website or application, the relationship is typically:

  • You (Customer): Data Controller - You determine why and how CAPTCHA is used on your site
  • CaptchaShield: Data Processor - We process data on your behalf to provide CAPTCHA services

7.3 Data Processing Agreement (DPA)

As a data processor, we have a Data Processing Agreement that includes:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Your rights and obligations as controller
  • Our obligations as processor (security, confidentiality, subprocessing, data subject rights assistance)
  • Audit rights and data breach notification procedures

To obtain a signed DPA: Email [email protected] with "DPA Request" in the subject line.

7.4 Your Responsibilities as Controller

If you integrate CaptchaShield into your sites, you must:

  • Inform your users about CAPTCHA processing in your privacy policy
  • Ensure a lawful basis for using CAPTCHA (e.g., legitimate interest in fraud prevention)
  • Implement appropriate technical and organizational measures
  • Respond to data subject requests from your users related to CAPTCHA data
  • Notify us promptly if you receive requests affecting data we process on your behalf

8. Security and Data Protection Measures

We implement comprehensive security measures to protect personal data:

8.1 Technical Measures

  • Encryption: TLS 1.3+ for data in transit; AES-256 for data at rest
  • Access controls: Role-based access, multi-factor authentication, least privilege
  • Pseudonymization and hashing: IP addresses and user agents are hashed
  • Network security: Firewalls, intrusion detection, DDoS mitigation
  • Secure development: Code reviews, vulnerability scanning, dependency updates

8.2 Organizational Measures

  • Data protection policies and procedures
  • Employee training on data protection and security
  • Confidentiality agreements with staff and contractors
  • Incident response plan and breach notification procedures
  • Regular security audits and assessments
  • Vendor management and subprocessor due diligence

8.3 Data Minimization and Purpose Limitation

  • We collect only data necessary for specified purposes
  • Data is retained only as long as necessary
  • Access to data is restricted to authorized personnel

9. Data Breach Notification

In the event of a personal data breach, we will:

9.1 Notification to Supervisory Authority

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by law)
  • Provide details of the breach, affected data, potential consequences, and mitigation measures

9.2 Notification to Data Subjects

  • Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms
  • Provide clear, plain language information about the breach and protective measures
  • Offer assistance and support to affected individuals

9.3 Notification to Customers

  • If we process data on your behalf and experience a breach, we will notify you promptly
  • Provide details to help you meet your own notification obligations

10. Automated Decision-Making and Profiling

CaptchaShield does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

Our bot detection algorithms analyze behavioral patterns to distinguish humans from bots, but:

  • These decisions do not have legal or similarly significant effects
  • Users can retry CAPTCHA challenges if they fail
  • Decisions are not based on sensitive personal data categories
  • The primary impact is temporary access delay, not substantive rights denial

If we implement automated decision-making in the future, we will update this policy and provide appropriate safeguards.

11. Children's Data

CaptchaShield does not knowingly collect or process personal data of children under 16 years of age (or the applicable age of consent in your jurisdiction) without parental consent.

If you believe we have inadvertently collected data from a child, contact [email protected] immediately, and we will delete it promptly.

12. Updates to This GDPR Information

We may update this page to reflect changes in our data processing practices or legal requirements. Material changes will be communicated via:

  • Email notification to registered users
  • Dashboard notification
  • Website announcement

We encourage you to review this page periodically. The "Last Updated" date at the top indicates the most recent revision.

13. Contact and Further Information

For questions about GDPR compliance, data processing, or exercising your rights:

Commitment to Data Protection: At CaptchaShield, we take data protection seriously. We are committed to transparency, accountability, and respecting your rights. If you have concerns or suggestions, we welcome your feedback at [email protected].