LEGAL

Privacy Policy

Last updated: May 2026

1. Overview

CaptchaKit ("we", "us") is operated by didyu. This Privacy Policy describes what information we collect, how we use it, how we protect it, and your rights. By using CaptchaKit, you agree to the practices described here.

2. Information We Collect

  • Account data: Email address and hashed password when you register. We never store your password in plain text.
  • Purchase data: Transaction records including email and amount paid, processed by Stripe. We do not store or have access to raw card numbers.
  • Usage data: API verification requests including site key, timestamp, and pass/fail outcome. We do not log personally identifiable information from your end users.
  • Contact submissions: Name, email, and message content submitted via our contact form.
  • Session data: A session cookie to keep you logged in. No advertising or tracking cookies are used.
  • Server logs: Standard server logs including IP addresses, user agents, and request timestamps, retained for security and abuse prevention.

3. How We Use Your Information

  • To provide and maintain the Service, including delivering embed codes and verifying tokens.
  • To process payments and issue purchase records.
  • To communicate with you about your account, purchases, or service changes.
  • To detect, investigate, and prevent abuse, fraud, and unauthorized access.
  • To respond to contact form submissions.

We do not sell, rent, or share your personal information with third parties for marketing purposes, ever.

4. End-User Data (Your Visitors)

When your visitors complete a CaptchaKit widget, we receive only the game outcome (pass/fail) and a timestamp. We do not collect, store, or process any personally identifiable information from your end users. There is no fingerprinting, tracking pixel, behavioral profiling, or cross-site tracking of any kind.

5. Third-Party Services

  • Stripe: Handles all payment processing. Subject to Stripe's Privacy Policy. We do not receive or store your full card details.
  • MongoDB Atlas: Stores account, purchase, and contact records in encrypted form on servers operated by MongoDB, Inc.
  • Vercel: Hosts the Service and may retain server logs including IP addresses per their own privacy policy.

6. Data Retention

We retain account and purchase data for as long as your account is active and for a reasonable period thereafter for legal and business purposes. Server logs are retained for up to 90 days. You may request deletion of your account and associated personal data at any time via our contact form. Note that certain records may be retained as required by law or for fraud prevention.

7. Security

Passwords are hashed using bcrypt. All data in transit is encrypted via TLS. API keys and site keys are generated using cryptographically secure random values. We implement industry-standard security practices; however, no system is perfectly secure and we cannot guarantee absolute security of your data.

8. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, or delete your personal data, or to object to or restrict certain processing. To exercise any of these rights, submit a request via our contact form. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Children

CaptchaKit is intended for developers and is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated date. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.

11. Contact

Privacy questions or data requests? Use our contact form.