Privacy Policy

Last updated: March 28, 2026

We believe privacy is a right, not a feature. This policy explains exactly what data we collect, why, and how long we keep it. No surprises.

🚫 We never sell your data
🔒 Encrypted at rest & in transit
🍪 Essential cookies only
🗑️ Delete your data anytime

Contents

1. Overview
2. Data We Collect
3. How We Use Your Data
4. Data Storage & Security
5. Third-Party Services
6. Cookies
7. Data Retention
8. GDPR & CCPA
9. Children's Privacy
10. Changes to This Policy
11. Contact

1. Overview

uncaptcha.dev ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data. By using uncaptcha.dev, you agree to the collection and use of information in accordance with this policy. We will never sell your personal data.

2. Data We Collect

We collect the following categories of information:

Account information
• Email address (required for account creation)
• Name (optional, provided by you or via OAuth)
• Profile picture (optional, from OAuth providers only)
• Hashed password (if using email/password login)

Usage data
• API request logs: timestamp, CAPTCHA type, site key, page URL, response time, success/failure status
• API key identifiers (prefix only — full keys are never logged)
• Browser and device type when accessing the dashboard
• IP address (for rate limiting and abuse prevention, retained for 30 days)

Payment information
• Transaction IDs and order references from PayPal
• Subscription plan and billing status
• We do not store full card numbers — payment details are handled entirely by PayPal

OAuth data (if you sign in with Google or GitHub)
• Email address and display name provided by the OAuth provider
• We do not receive or store OAuth access tokens beyond the authentication flow

3. How We Use Your Data

We use the data we collect exclusively to operate and improve the service:
• Authenticating you and securing your account
• Processing API requests and returning CAPTCHA solutions
• Billing, invoicing, and fraud prevention
• Sending transactional emails (account alerts, billing receipts, usage warnings)
• Monitoring service health and debugging errors
• Improving solve accuracy and API performance
• Complying with legal obligations

We do not use your data for advertising, profiling, or sale to third parties.

4. Data Storage & Security

Your data is stored in Supabase (PostgreSQL), hosted in a SOC 2-compliant cloud environment. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). API keys are stored as one-way hashed values — we cannot recover a key once created. Passwords are hashed with bcrypt. Access to production databases is restricted to authorized personnel only, and all access is logged and audited.

5. Third-Party Services

We share data with the following service providers only as necessary to deliver the service:
• Supabase — database hosting and authentication
• PayPal — payment processing (subject to PayPal's Privacy Policy)
• Vercel — web application hosting (anonymized request logs only)
• Google OAuth / GitHub OAuth — only used if you choose to sign in with these providers

We do not share your data with any other third parties. Our service providers are contractually bound to use your data only to provide services to us.

6. Cookies

We use minimal, essential cookies only:
• Authentication session cookie — keeps you logged in during a browser session
• No advertising cookies
• No third-party tracking cookies
• No analytics cookies by default

If we add analytics in the future, we will update this policy and provide an opt-out mechanism.

7. Data Retention

We retain your data for the following periods:
• Account data: retained while your account is active, and for 30 days after deletion (to allow recovery)
• API request logs: 90 days rolling window
• IP addresses: 30 days for rate limiting purposes
• Payment records: 7 years as required by financial regulations
• Deleted accounts: fully purged within 30 days of deletion request

You may request deletion of your account and associated data at any time. See Section 9 for your rights.

8. GDPR & CCPA

If you are located in the European Economic Area (EEA), UK, or California, you have the following rights:

GDPR (EU/UK) rights:
• Right to access — request a copy of all data we hold about you
• Right to rectification — correct inaccurate personal data
• Right to erasure ("right to be forgotten") — request deletion of your data
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to restrict processing — limit how we process your data

CCPA (California) rights:
• Right to know what personal information is collected and how it is used
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell data)
• Right to non-discrimination for exercising your CCPA rights

To exercise any of these rights, contact us at uncaptcha.dev@gmail.com. We will respond within 30 days.

9. Children's Privacy

Our service is intended for users aged 16 and older. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

For privacy-related questions, data requests, or concerns, contact our privacy team at:

Email: uncaptcha.dev@gmail.com

We aim to respond to all privacy inquiries within 5 business days.

Questions about this Privacy Policy or want to exercise your data rights? Email us at uncaptcha.dev@gmail.com. We respond within 5 business days.