Privacy Policy
Effective: 15 May 2026
Last updated: 25 May 2026
The short version
We don't collect data about the people solving CAPTCHAs. No IP, no User-Agent, no fingerprint, no behavioral telemetry. This is architectural, not a policy promise.
For customers (people who sign up to embed our widget), we hold the minimum we need: your email, your site key configurations, audit logs of your own actions, and a billing pointer to Stripe.
Who we are
Caputchin is operated by Praxa Lab, an Australian business (praxalab.com). Praxa Lab is the controller of personal data described below. "We", "us", and "our" in this policy mean Praxa Lab.
What we collect
From visitors solving CAPTCHAs
Nothing personally identifying. The widget protocol does not accept IP addresses, User-Agents, geolocation, fingerprints, behavioral telemetry, cross-site identifiers, or device IDs.
From customers
| Field | Why |
|---|---|
| Email address | Sign-in, transactional email, account contact |
| Pseudonymous session handle | Server-minted identifier like "thoughtful-monkey-42", not your real name or any tracking ID |
| Site key configurations | The site keys you create |
| Audit logs of your management actions | Security and accountability for your own actions on your own account |
| Stripe customer reference | Alpha plans and above. We don't store card numbers; Stripe holds those. |
We do not collect your name, organization, phone number, geolocation, IP, or fingerprint.
If you sign in via GitHub or Google OAuth, those providers share your OAuth subject and email; we store only the email.
From customers using hosted verification
Form submissions transit our infrastructure briefly on the way to your destination and are discarded after dispatch. We don't store them. The DPA governs this.
Operational error logs
When our service hits an unexpected, unhandled error, we record a technical error event so we can diagnose and fix it: the error type, message, and stack trace, the route path, and the build version. By construction these events cannot receive a visitor's IP, User-Agent, fingerprint, or request headers; they are not designed to capture request bodies or email addresses. They hold only what our own code emitted at the point of failure, are stored in the EU, and are deleted after 14 days.
Lawful basis
Customer account data, hosted-verification dispatch, billing: performance of a contract (GDPR Art. 6(1)(b)). Audit logs and operational error logs: legitimate interest (Art. 6(1)(f)). We don't rely on consent for any processing.
Retention
Plan-dependent (typically 30 days Solo, 6 months Alpha, 1 year Troop, 2 years Apex). At expiry, data is hard-deleted. Apex plan downgrades trigger a 30-day data freeze before deletion.
Subprocessors
Listed at /legal/subprocessors. State-bearing data sits in EU regions. We give 30 days' advance notice of changes.
International transfers
State-bearing data (database, hosting, transactional email) stays in the EU under normal operation. Two cases involve non-EU infrastructure:
- Payments via Stripe. Stripe is contracted via its Australian entity (Stripe Payments Australia Pty Ltd) and processes payment data on its global infrastructure regardless of contracting entity. We never receive or store card numbers; Stripe handles the full PCI surface. Email and billing-address fields shared with Stripe transit Stripe's network.
- OAuth sign-in via GitHub or Google. User-initiated at sign-in. Users who prefer EU-only sign-in can use email magic-link instead.
EU representative (GDPR Article 27)
Praxa Lab is an Australian entity, not established in the EU. We have not appointed an EU representative under GDPR Article 27. Article 27(2) exempts non-EU controllers whose processing of EU residents' data is occasional, does not include large-scale processing of special categories (Art. 9) or criminal-convictions data (Art. 10), and is unlikely to result in risk to rights; our current processing falls within that exemption. We will appoint a representative and publish their contact details on this page if our EU processing crosses the threshold. EU residents can exercise their GDPR rights directly via info@caputchin.com.
Your rights
You can access, correct, delete, or export your data. Most is self-service in the dashboard. For anything that isn't, write to info@caputchin.com; we respond within 30 days.
These rights are granted by GDPR (EU/EEA), UK GDPR, the revised Federal Act on Data Protection (Switzerland), the Australian Privacy Act + APPs, CCPA + CPRA and other US state laws, LGPD (Brazil), PIPEDA (Canada), Privacy Act 2020 (New Zealand), APPI (Japan), PDPA (Singapore), POPIA (South Africa), the Digital Personal Data Protection Act 2023 (India), NDPA 2023 (Nigeria), KVKK (Turkey), and the personal-data laws of the Middle East. Where a local right is stronger than what we describe, the local right applies.
You can also complain to your country's data-protection supervisory authority:
| Region | Authority |
|---|---|
| Australia | Office of the Australian Information Commissioner (OAIC) |
| UK | Information Commissioner's Office (ICO) |
| Switzerland | Federal Data Protection and Information Commissioner (FDPIC) |
| California | California Privacy Protection Agency (CPPA) |
| Elsewhere | Your country's data-protection authority |
Sale of personal information (California)
We do not sell personal information and do not share it for cross-context behavioral advertising. You can confirm this by writing to us.
Children's privacy
Caputchin is not directed at children. Customers operating child-directed sites have their own COPPA, GDPR Article 8, and UK Age Appropriate Design Code (Children's Code) obligations (see Terms §4).
Cookies and tracking
On your website (where our widget runs): no cookies set, ever. The widget runs entirely client-side without dropping cookies on your visitors' browsers.
On our dashboard (where you sign in to manage your account): one strictly necessary opaque session cookie, which is exempt from consent under the EU ePrivacy Directive. No analytics, no marketing cookies, no fingerprinting, no consent banner.
Breach notification
If a personal-data breach happens, we notify the supervisory authority within 72 hours where reasonably possible and affected individuals without undue delay when the risk is high.
Contact
Everything in this policy, including data-subject requests, complaints, and questions: info@caputchin.com.
Changes
We may update this policy. Material changes are announced by email and dashboard banner at least 30 days before they take effect.