Privacy Policy
Effective Date: 2026-04-22
This Privacy Policy describes how CaptchaLa ("we", "our", "us") collects, uses, and protects your information when you use our CAPTCHA and content moderation services. By using CaptchaLa, you agree to the practices described below.
The data controller for personal data processed through CaptchaLa is SaaSoftware LLC, 131 Continental Dr, Suite 305, Newark, DE 19713, USA. CaptchaLa is a brand operated by SaaSoftware LLC. You can reach us at [email protected].
This document is a template provided for convenience and should be reviewed by qualified legal counsel before relying on it.
1. Data We Collect
We collect the following categories of data:
- Account information: email address, username, and hashed password.
- Usage data: IP address, user agent, request timestamps, and API call metadata, collected to operate and secure the service.
- Payment information: billing details are processed by Stripe. CaptchaLa does not store full card numbers on its own servers.
- Cookies and local storage: session tokens, locale preferences, and basic analytics identifiers.
2. How We Use Your Data
- Provide, maintain, and improve the CaptchaLa service, including API authentication and dashboards.
- Detect and prevent fraud, abuse, and automated attacks, which is a core function of the service.
- Meet legal, tax, and compliance obligations, and respond to lawful requests.
- Send transactional notices such as security alerts, billing receipts, and service announcements.
3. Third-Party Services
We share limited data with trusted processors strictly as needed to operate the service:
- Stripe — payment processing and subscription billing.
- Google OAuth — optional sign-in with a Google account.
- Analytics providers (e.g., Google Analytics) — aggregate traffic measurement, if enabled.
- Email delivery providers — transactional email such as verification and receipts.
4. Data Retention
We retain account data for as long as your account is active. After account deletion, personal data is removed within 30 days, except where longer retention is required for legal, tax, or fraud-prevention purposes.
5. Your Rights
Subject to applicable law (including GDPR and CCPA), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of your account and associated data.
- Request a portable copy of your data.
- Object to or restrict certain processing activities.
To exercise these rights, contact us at [email protected].
6. Security
All data is transmitted over TLS. Passwords are hashed with bcrypt. We perform regular security reviews and restrict internal access to personal data on a need-to-know basis. No system is perfectly secure, and we cannot guarantee absolute security.
7. Children
CaptchaLa is not directed to individuals under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us and we will delete it.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced by email or in-product notice at least 14 days before they take effect.
9. Contact
For privacy questions or requests, contact [email protected]. EU/UK enquiries can be sent to the same address.
GDPR / EU & UK Supplement
10. Legal Bases for Processing (GDPR Art. 6)
Where the EU/UK General Data Protection Regulation applies, we process personal data on the following legal bases:
- Performance of a contract — to provide the service you signed up for and to bill you.
- Legitimate interests — to secure the service, prevent fraud and abuse, and improve our product, balanced against your rights.
- Legal obligation — to meet tax, accounting, and other statutory requirements.
- Consent — for optional analytics cookies and marketing communications, which you can withdraw at any time.
11. Your GDPR Rights
If you are in the EU, UK, or another jurisdiction granting equivalent rights, you may exercise the following:
- Right of access — obtain confirmation of and a copy of your personal data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data ("right to be forgotten").
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to restriction — request that we limit processing in certain circumstances.
- Right to object — object to processing based on legitimate interests or for direct marketing.
You also have the right to lodge a complaint with your local supervisory authority. We aim to respond to all requests within 30 days.
12. Controller and Processor Roles
For data about your own account (registration, billing, support), SaaSoftware LLC acts as the data controller. When you use our APIs to process end-user data on behalf of your own users (for example, IP addresses or behavioural signals collected during a CAPTCHA challenge), SaaSoftware LLC acts as a data processor and you are the controller. A Data Processing Agreement governs that relationship — see Section 14.
13. Sub-Processors
We engage vetted sub-processors to deliver the service. Current sub-processors include:
- Stripe, Inc. (USA) — payment and subscription processing.
- Google LLC (USA) — optional OAuth sign-in and, if enabled, aggregate analytics.
- Email delivery provider — transactional email (verification, receipts, alerts).
- Cloud infrastructure and CDN providers — hosting, storage, and content delivery.
An up-to-date sub-processor list is available on request, and the Data Processing Agreement describes how we notify customers of changes.
14. International Data Transfers
Personal data may be processed in the United States and other countries. Where data is transferred from the EU, UK, or Switzerland to the United States, we rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (and its UK Extension and Swiss-US framework), together with supplementary safeguards as needed.
15. Data Processing Agreement
Business customers who use CaptchaLa to process personal data of their own end users can enter into our Data Processing Agreement (DPA), which incorporates GDPR Art. 28 terms and the SCCs. The DPA is available at /dpa and on request at [email protected].