Privacy by design, not by policy.

Compliance is in the architecture: we don't collect what we don't need, we don't store what we don't collect, and everything material lives in the EU. From GDPR to the Australian Privacy Act, the same answer applies.

Zero visitor data collected
EU data residency
0 cookies on your site
Hard delete, no soft-delete
GDPR + 16 regulations covered
DPA published without negotiation

Le seul tableau de score qui compteBots 0 · Humains ∞

Points de données collectés: 0
Cookies déposés: 0
Hébergement des données dans l'UE: 100%
Réglementations couvertes: 16+

Our compliance posture

Three one-line claims describing how the architecture is built. Caputchin's own claims, not third-party certifications.

Privacy by design

No IP, no User-Agent, no fingerprint, no behavioral telemetry from visitors. Architectural, not policy.

EU data residency

State-bearing data (database, hosting, transactional email) lives in EU regions. Stripe processes payment data on its global infrastructure but we never receive card numbers.

GDPR-ready

Privacy by design, lawful basis documented, subject rights honored, DPA published, breach response runbook in place.

Regulations we cover in detail

The regimes most often raised in procurement discussions. Same architectural posture covers all of them; each card describes how it maps to a specific regulation.

Australia

Supervisory authority

Office of the Australian Information Commissioner (OAIC)

Australian Privacy Act 1988 + APPs + NDB scheme

Direct compliance with the Australian Privacy Principles (the 13 substantive privacy obligations in Schedule 1 of the Privacy Act).

Privacy by design: no behavioral collection from end users
Data minimisation: only what's needed to run the service
Access and correction: self-service in the dashboard
Notifiable Data Breaches scheme handled on the GDPR 72-hour budget
OAIC complaint rights respected without prior contact required

Supervisory authority:Office of the Australian Information Commissioner (OAIC)

EU + EEA + UK + Switzerland

Supervisory authority

Any EU member-state DPA · UK ICO · Swiss FDPIC

GDPR + UK GDPR + Swiss FADP

Direct compliance with the GDPR text. The UK Data Protection Act 2018 and Switzerland's revised FADP are substantively identical.

EU data residency for all state-bearing data
Lawful basis documented per processing activity (contract + legitimate interest; no consent dependency)
Full data subject rights: access, rectification, erasure, restriction, portability, objection
EU has adequacy decisions for both UK and Switzerland, so cross-border data flow is unrestricted
72-hour breach notification per Articles 33/34

Supervisory authority:Any EU member-state DPA · UK ICO · Swiss FDPIC

California, USA

Supervisory authority

California Privacy Protection Agency (CPPA)

CCPA + CPRA

Structural compliance: Caputchin's architecture doesn't enable the practices the CCPA and CPRA restrict.

We do not sell personal information
We do not share for cross-context behavioral advertising
We do not process sensitive personal information at scale
'Do Not Sell or Share My Personal Information' is honored without request, because we don't sell or share. Written confirmation available on request for your compliance file.

Supervisory authority:California Privacy Protection Agency (CPPA)

Additional regulations we cover

Covered by the same privacy-by-design architecture. Where a local right is stronger than what we describe in the Privacy Policy, the local right applies.

Regulation	Region	Coverage
APPI	Japan	Convergent with GDPR; same architectural posture Cross-border transfer disclosure handled by the DPA
Digital Personal Data Protection Act 2023 (DPDPA)	India	Convergent posture Local data subject rights honored on request
KVKK	Turkey	Convergent posture Local complaint right via KVK Kurumu
LGPD	Brazil	GDPR-aligned regime; same posture ANPD complaint right
Middle East PDPLs	UAE, Saudi Arabia, Bahrain, Qatar, Egypt, Jordan	Convergent posture across all listed regimes Local supervisory authority complaint rights
NDPA 2023	Nigeria	Convergent posture NDPC complaint right
PDPA	Singapore	Notification, access, and correction provisions met PDPC complaint right
PIPEDA	Canada	Ten fair information principles met by architecture OPC complaint right
POPIA	South Africa	Convergent posture Information Regulator complaint right
Privacy Act 2020	New Zealand	Convergent with GDPR; same posture OPC NZ complaint right
VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA + emerging state laws	Other US states	Same posture as CCPA + CPRA State-specific rights summarized in the Privacy Policy

APPI
Japan
- Convergent with GDPR; same architectural posture
- Cross-border transfer disclosure handled by the DPA
Digital Personal Data Protection Act 2023 (DPDPA)
India
- Convergent posture
- Local data subject rights honored on request
KVKK
Turkey
- Convergent posture
- Local complaint right via KVK Kurumu
LGPD
Brazil
- GDPR-aligned regime; same posture
- ANPD complaint right
Middle East PDPLs
UAE, Saudi Arabia, Bahrain, Qatar, Egypt, Jordan
- Convergent posture across all listed regimes
- Local supervisory authority complaint rights
NDPA 2023
Nigeria
- Convergent posture
- NDPC complaint right
PDPA
Singapore
- Notification, access, and correction provisions met
- PDPC complaint right
PIPEDA
Canada
- Ten fair information principles met by architecture
- OPC complaint right
POPIA
South Africa
- Convergent posture
- Information Regulator complaint right
Privacy Act 2020
New Zealand
- Convergent with GDPR; same posture
- OPC NZ complaint right
VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA + emerging state laws
Other US states
- Same posture as CCPA + CPRA
- State-specific rights summarized in the Privacy Policy

Adjacent regimes

Three nearby compliance areas worth knowing about, where Caputchin's responsibility is bounded by delegation, statutory consumer rights, or the customer's own site.

Children's privacy

We don't direct Caputchin at children. Customers operating child-directed sites retain their own obligations under COPPA (US, under 13), GDPR Article 8 (EU, under 16), the UK Age Appropriate Design Code (also called the Children's Code), and equivalents.

See Terms §4

Consumer protection

Statutory consumer rights apply on top of our Terms, not despite them, under the Australian Consumer Law, the EU Consumer Rights Directive, the UK Consumer Rights Act 2015, and equivalents.

See Terms §7

Payment data

PCI DSS is delegated to Stripe. Caputchin never receives or stores card numbers.

See Subprocessors

Marketplace games

The Caputchin marketplace publishes games authored by third parties. The protections below are structural, built into how publishing works.

Open, opt-in publishing

Authors publish by listing a public repository. Each game declares an approved license and explicitly accepts the Submission Terms before going live. No private review queue, no curated backroom.

Sandboxed runtime

Games run in an isolated environment that cannot reach visitors, the host page, or the network. Author intent is warranted; technical controls enforce the boundary.

Takedown

We process DMCA-shaped notices through our designated agent. Authors can withdraw at any time; previously-published versions remain available for customers that depend on them.

The documents

Short and plain. Each one drills into a different part of how Caputchin works.

What data we collect (very little) and what we do with it.

The customer contract. What you get, what you pay, how it works.

Data Processing Addendum

GDPR Article 28 processor terms for hosted verification.

Subprocessors

The third parties that touch customer data. All EU-jurisdiction.

Trademark guidelines

What use of “Caputchin” and our marks is permitted.

Marketplace Submission Terms

The agreement third-party game authors accept by publishing to the marketplace.

Third-party notices

Open-source software and assets we use, and the licenses behind them.

Have a procurement question? Email us.

We respond within 30 days as required by law, but usually within one business day in practice.

info@caputchin.com