Notice: This Privacy Policy explains how we collect, use, and protect your personal information. Please read it carefully to understand our data practices.
Privacy Policy
Effective Date: January 1, 2024
Last Updated: January 27, 2026
At CaptchaShield, we are committed to protecting your privacy and handling your personal data with care and transparency. This Privacy Policy explains how we collect, use, store, and share information when you use our CAPTCHA and bot protection services.
1. Information We Collect
1.1 Account Information
When you register for a CaptchaShield account, we collect:
- Email address (required for account creation and communication)
- Name or company name (optional)
- Password (stored as a cryptographically hashed value)
- Billing information (if you subscribe to paid plans)
- Account preferences and settings
1.2 Site Configuration Data
When you configure CaptchaShield for your websites, we collect:
- Site keys and secret keys (cryptographic credentials)
- Domain names and URLs where the widget is deployed
- Widget configuration settings (theme, language, etc.)
- Integration preferences and customization options
1.3 Service Usage Data
To provide and improve our service, we collect:
- Challenge Attempts: Timestamps, success/failure status, and challenge completion times
- Verification Requests: Token verification attempts from your backend servers
- IP Addresses (Hashed): We hash IP addresses using one-way cryptographic functions for fraud detection. Original IP addresses are not stored beyond 24 hours.
- User Agent Strings (Hashed): Browser and device information in hashed form for bot detection
- Behavioral Signals: Non-identifying interaction patterns used solely for distinguishing humans from bots
- API Usage Metrics: Request volumes, rate limits, and performance statistics
1.4 Technical and Log Data
Our systems automatically collect:
- Server logs (access times, HTTP status codes, error messages)
- Performance metrics (response times, uptime statistics)
- Security events (authentication attempts, suspicious activities)
- Application telemetry for service monitoring and debugging
1.5 Cookies and Similar Technologies
We use cookies and similar technologies for:
- Essential Cookies: Required for authentication, security, and basic service functionality
- Analytics Cookies: Help us understand how you use our dashboard and services (optional, with consent)
- Preference Cookies: Remember your settings and customizations
The CAPTCHA widget may set a short-lived session cookie to prevent replay attacks and ensure token integrity.
2. How We Use Your Information
We use collected information for the following purposes:
2.1 Service Delivery
- Authenticating users and verifying CAPTCHA tokens
- Detecting and preventing bot attacks, fraud, and abuse
- Processing verification requests from your applications
- Providing dashboard access and account management features
- Generating analytics and usage reports for your sites
2.2 Security and Fraud Prevention
- Identifying suspicious patterns and automated bot behavior
- Protecting against account takeovers and unauthorized access
- Monitoring for service abuse and terms violations
- Responding to security incidents and threats
2.3 Service Improvement and Analytics
- Analyzing usage patterns to improve our algorithms
- Enhancing bot detection accuracy and user experience
- Developing new features and capabilities
- Optimizing performance and reliability
2.4 Communication and Support
- Responding to your inquiries and support requests
- Sending service announcements and security alerts
- Providing product updates and feature notifications
- Delivering billing statements and payment confirmations
2.5 Legal Compliance
- Complying with applicable laws and regulations
- Responding to lawful requests from authorities
- Enforcing our Terms of Service and other policies
- Protecting our legal rights and interests
3. Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data based on the following legal grounds:
- Contractual Necessity: Processing is necessary to provide our services under our Terms of Service
- Legitimate Interests: Fraud prevention, security, service improvement, and business operations (balanced against your rights)
- Legal Obligation: Compliance with laws, regulations, and legal processes
- Consent: For optional features like analytics cookies (you may withdraw consent at any time)
4. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 30 days | Service provision, support, legal obligations |
| Site Keys & Configuration | Duration of account + 30 days | Service provision, security |
| Challenge Completion Records | 90 days | Fraud detection, analytics, service improvement |
| Verification Logs | 30 days | Debugging, abuse prevention, support |
| IP Addresses (Unhashed) | 24 hours | Real-time fraud prevention |
| IP Addresses (Hashed) | 90 days | Fraud pattern detection |
| Server Access Logs | 90 days | Security monitoring, incident response |
| Billing Records | 7 years | Accounting, tax compliance, legal obligations |
| Support Communications | 3 years | Customer support, quality assurance |
After the retention period expires, data is securely deleted or anonymized. You may request earlier deletion subject to our legal obligations.
5. Data Sharing and Disclosure
5.1 Service Providers (Subprocessors)
We share data with trusted third-party service providers who help us operate our business:
- Cloud Infrastructure: Hosting providers for our servers and databases
- Email Services: Transactional email delivery
- Payment Processors: Secure payment processing (e.g., Stripe, PayPal)
- Analytics Tools: Usage analytics and monitoring (with appropriate data protection agreements)
- Customer Support: Support ticketing and communication platforms
All subprocessors are contractually bound to protect your data and use it only for specified purposes.
5.2 Legal Requirements
We may disclose information if required by law or in response to:
- Valid legal processes (subpoenas, court orders, search warrants)
- Law enforcement requests (when legally required)
- National security demands (with appropriate legal authorization)
- Protection of rights, property, or safety (ours or others')
We will challenge overbroad or inappropriate requests and notify affected users unless legally prohibited.
5.3 Business Transfers
If CaptchaShield is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you and ensure continued protection of your data.
5.4 With Your Consent
We may share information for other purposes with your explicit consent.
6. International Data Transfers
CaptchaShield operates globally and may transfer data to countries outside your residence. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions recognizing equivalent data protection
- Data Processing Agreements with appropriate safeguards
- Encryption in transit and at rest
For EEA, UK, and Swiss users, we implement appropriate safeguards for transfers to countries without adequacy decisions.
7. Your Rights and Choices
You have the following rights regarding your personal data:
7.1 Access and Portability
- Request a copy of your personal data in a structured, machine-readable format
- Export your account data and configuration settings
7.2 Correction and Update
- Correct inaccurate or incomplete information
- Update your account details through the dashboard
7.3 Deletion (Right to be Forgotten)
- Request deletion of your account and associated data
- Note: Some data may be retained for legal obligations or legitimate interests
7.4 Restriction and Objection
- Restrict processing of your data under certain circumstances
- Object to processing based on legitimate interests
- Opt out of marketing communications
7.5 Withdraw Consent
- Withdraw consent for optional processing (e.g., analytics cookies) at any time
- Note: Withdrawal does not affect past processing or essential service functions
7.6 Complaint to Supervisory Authority
- Lodge a complaint with your local data protection authority
- We encourage you to contact us first to resolve concerns
To exercise your rights, contact us at [email protected]. We will respond within 30 days (or as required by law).
8. Cookies and Tracking
8.1 Types of Cookies We Use
Strictly Necessary Cookies (No Consent Required):
- Authentication and session management
- Security and fraud prevention
- CAPTCHA token validation
- Load balancing and service reliability
Functional Cookies (Consent Required in Some Jurisdictions):
- Language preferences
- Theme settings (light/dark mode)
- Dashboard customizations
Analytics Cookies (Consent Required):
- Usage statistics and feature adoption
- Performance monitoring
- Service improvement insights
8.2 Managing Cookie Preferences
You can control cookies through:
- Browser settings (block or delete cookies)
- Our cookie consent banner (when applicable)
- Account preferences in the dashboard
Disabling necessary cookies may affect service functionality.
9. Security Measures
We implement industry-standard security measures to protect your data:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access Controls: Role-based access, least privilege principle, multi-factor authentication
- Network Security: Firewalls, intrusion detection/prevention systems, DDoS mitigation
- Monitoring: 24/7 security monitoring and incident response
- Regular Audits: Security assessments, penetration testing, vulnerability scanning
- Employee Training: Security awareness and data protection training
- Secure Development: Code reviews, security testing, dependency management
Despite our efforts, no system is 100% secure. We encourage you to use strong passwords and protect your credentials.
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify affected users within 72 hours of becoming aware of the breach
- Provide details of the breach, potential impact, and remedial actions
- Notify relevant supervisory authorities as required by law
- Take immediate steps to mitigate harm and prevent future incidents
11. Children's Privacy
CaptchaShield is not intended for children under 16 (or the applicable age in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected], and we will delete it promptly.
12. Your Role as a Controller
If you integrate CaptchaShield into your website, you are the data controller for information collected through your forms and applications. You are responsible for:
- Providing appropriate privacy notices to your users
- Obtaining necessary consents for data processing
- Complying with applicable privacy laws (GDPR, CCPA, etc.)
- Implementing a lawful basis for using CAPTCHA services
- Honoring user rights requests related to your data collection
We act as a data processor on your behalf for CAPTCHA verification. See our Data Processing Agreement for details.
13. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. We will:
- Post the updated policy with a new "Last Updated" date
- Notify you of material changes via email or dashboard notification
- Provide at least 30 days' notice before changes take effect (when feasible)
- Maintain an archive of previous versions upon request
Continued use of our services after changes indicates acceptance of the updated policy.
14. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
- Email: [email protected]
- Website: https://captchashield.com
We aim to respond to all inquiries within 5 business days.