Privacy Policy

Last updated April 18, 2026 · Effective April 18, 2026

About yCAPTCHA

yCAPTCHA is a customizable image-based CAPTCHA platform. Site owners create image-selection puzzles from their own image sets and embed a widget on their websites to protect forms and endpoints from automated abuse. This Privacy Policy (“Notice”) describes how we collect, use, disclose, retain, and secure personal information in connection with the Sites and Services.

In this Notice, “Customer” refers to an account holder who uses yCAPTCHA to protect their website, and “End User” refers to a visitor of a Customer’s site who interacts with an embedded CAPTCHA challenge. “We,” “us,” and “our” mean yCAPTCHA.

By using or accessing the Sites and Services in any manner, you accept the practices and policies outlined in this Notice and you acknowledge that we may process and share your information as described here.

Applicability

This Notice explains our practices when you:

  • Visit yCAPTCHA’s websites, including ycaptcha.xyspg.moe and related subdomains (collectively, our “Sites”);
  • Access or use products or services made available by yCAPTCHA, including the dashboard, API, public Gallery, and embeddable widget (collectively, the “Services”); and
  • Interact with us in any other way.

Under this Notice, yCAPTCHA acts as a data controller (or equivalent “business”) for personal information we process about Customers, visitors to our Sites, and people who contact us.

This Notice does not apply to:

  • Information we process on behalf of a Customer as their data processor — for example, End User IP addresses and image selections processed during a CAPTCHA challenge on the Customer’s site. In those cases the Customer is the data controller, and the Customer’s own privacy policy governs how the End User’s personal information is collected and used on their site. Customers are solely responsible for notifying their End Users of this processing and for complying with applicable laws. If your personal information is contained in Customer Content and you have questions about the Customer’s settings or privacy practices, please contact the Customer directly or review their privacy notice.
  • Third-party products, services, or websites that are accessible via or integrate with the Services. Review those third parties’ own privacy notices.

Information We Collect

The information we collect depends on how you interact with us, the choices you make, the features you use, your location, and applicable law.

Information you provide directly to us

  • Account information. When you create an account, we collect the information provided by your chosen authentication method: email and hashed password (email sign-up), OAuth profile returned by GitHub (GitHub sign-up), or a registered passkey credential (passkey sign-up). We never see or store passwords in plaintext. You may optionally provide a display name.
  • Customer Content. Images you upload to your image sets (collectively, “Customer Content”). We store each image plus metadata such as filename, content hash, and the owning account.
  • Site configuration. Site names, origins, generated site keys and secret keys, puzzle configurations, and associated image sets.
  • Support communications. If you contact us for support, we collect the content of your message, attachments, and any account context you share.
  • Anything else you voluntarily provide. For example, feedback you submit or content you publish to the Gallery.

Information we collect from Customers about End Users

When End Users interact with a CAPTCHA widget embedded on a Customer’s site, we receive the following on the Customer’s behalf:

  • The End User’s IP address (used for rate limiting and abuse prevention);
  • The reported embedding origin of the Customer’s site (advisory site-context metadata sent by the widget);
  • Challenge-flow data such as the images selected, the generated challenge session token, and the timestamp of the interaction.

This data is short-lived (challenge sessions expire after 5 minutes) and is processed to verify the CAPTCHA solution and protect Customers from automated abuse. Customers are responsible for disclosing this processing in their own privacy notices.

Information we collect automatically

  • Usage information. Pages viewed, clicks, searches, browser type, request timestamps, referring and exit pages, and time spent on our Sites.
  • Device information. Browser type and version, operating system, device type, screen size, language preferences, and similar technical identifiers reported by your browser.
  • Service-generated information. Log files, server diagnostics, error traces, performance metrics, IP address, coarse location derived from IP (city/country only — we do not collect precise geolocation), and rate-limit counters.
  • Telemetry. Anonymized or aggregated statistics about how the Sites and Services are used.
  • Cookies and similar technologies. We set a single HTTP-only session cookie after sign-in to keep you authenticated. On the public marketing Sites, we may set a preference cookie to remember your theme and language. Our self-hosted analytics (Umami) uses a first-party identifier without cross-site tracking cookies. The embedded CAPTCHA widget does not set cookies on the Customer’s site; challenge state is carried in a short-lived opaque token passed in memory.

How We Use Information

We use your information to:

  • Operate the Services. Authenticate you, store and serve your image sets, generate and verify CAPTCHA tokens, maintain and upgrade the platform, and troubleshoot issues.
  • Improve the product. Analyze usage trends and aggregated telemetry to improve functionality, reliability, and user experience.
  • Provide support. Respond to your inquiries and resolve technical issues. We do not routinely view Customer Content; we only access it when necessary to resolve a support request you initiate, or as required for security, Service integrity, or legal purposes.
  • Communicate service notices. Send transactional and administrative messages such as security alerts, account changes, or legal notices. We do not currently send marketing email. If that changes, we will honour opt-out requests.
  • Protect the Services. Detect, investigate, prevent, and respond to fraud, abuse, unauthorized access, and other deceptive, malicious, or illegal activity.
  • Comply with legal obligations. Respond to lawful requests and enforce our agreements and policies.
  • Any other purpose you consent to.

How We Retain Information

We retain your information for the minimum period necessary to fulfill the purposes described in this Notice, including to satisfy legal or contractual obligations, resolve disputes, and enforce our rights.

  • Account data is retained while your account is active.
  • Uploaded images are retained until you delete them, your image set, or your account.
  • CAPTCHA challenge sessions and verified sessions auto-expire in our cache within 5 minutes of creation.
  • Rate-limit counters expire within the window they measure against (typically seconds to minutes).
  • Log data is retained for a short operational window sufficient for debugging and abuse investigation, then rotated out.

When we no longer have a legitimate business need to process your information, we delete or anonymize it. Where deletion is not immediately possible (for example, encrypted backups), the information remains isolated until the backup cycles out.

How We Disclose Information

We disclose information only as described below, on a need-to-know basis and under appropriate safeguards.

Sub-processors

We rely on the following third parties to operate the Services. Each sub-processor only receives the data it needs to perform its role.

  • Neon — managed PostgreSQL hosting (accounts, sites, image set metadata, puzzle configurations).
  • Cloudflare R2 — object storage for uploaded images. The bucket is configured for public read at r2.ycaptcha.xyspg.moe.
  • Upstash Redis — short-lived CAPTCHA session tokens and rate-limit counters.
  • Vercel — application hosting, edge delivery, and platform-level logging.
  • GitHub — OAuth identity provider when you choose to sign in with GitHub.
  • Umami (self-hosted) — first-party web analytics on our public marketing Sites only (not loaded inside the embeddable CAPTCHA widget).

Corporate and legal transfers

  • Corporate transactions. If yCAPTCHA is involved in a merger, acquisition, asset sale, financing, reorganization, bankruptcy, or similar transaction, your information may be part of the assets transferred. We will notify you of any such change by email or prominent notice.
  • Legal and public authorities. We may disclose information when reasonably necessary to comply with applicable law, respond to a valid legal process, enforce our agreements and this Notice, protect the security or integrity of the Services, protect the rights, property, or safety of yCAPTCHA, our users, or others, or respond in good faith to an emergency involving risk of death or serious bodily injury.
  • With your consent. We may disclose your information to third parties when you direct us to or otherwise consent.

We do not sell your personal information, and we do not share it with advertising networks or data brokers. We may share aggregated or de-identified information that does not identify a specific individual.

How We Secure Information

We use reasonable administrative, technical, and physical safeguards to protect information against unauthorized access, use, modification, destruction, loss, or disclosure. Passwords are hashed using better-auth’s default scrypt parameters. Traffic is served over HTTPS. Database, session, and storage credentials are held as environment secrets on our hosting platform and are never shipped to the browser.

We require third parties acting on our behalf to provide security measures consistent with industry standards and with their contractual obligations. We are not responsible for the security practices of third parties outside of the information we receive from or disclose to them.

No online service can guarantee absolute security. If you suspect a security issue, please report it to ycaptcha@xyspg.moe rather than disclosing it publicly.

Third-Party Services

Our Sites and Services may link to or integrate with third-party websites and applications that we do not operate or control (“Third-Party Services”). Third-Party Services have their own terms and privacy notices that are independent of this Notice. We are not responsible for the content, accuracy, or practices of Third-Party Services. We recommend reviewing their terms and privacy notices before use.

How We Transfer Information

yCAPTCHA operates from and stores data in the United States, and our sub-processors may operate from other regions. By using the Sites and Services or providing information to us, you consent to the processing of your information in the United States and in the jurisdictions where our sub-processors operate. These jurisdictions may have data protection laws that differ from, and may not offer the same level of protection as, the laws of your country. Where required, we rely on standard contractual clauses or other lawful transfer mechanisms offered by our sub-processors.

Your Privacy Rights and Choices

Your rights depend on your jurisdiction and applicable law. Below is a summary of rights that may be available to you.

  • Access and portability. Request a copy of the personal information we hold about you in a portable format.
  • Correction. Ask us to correct inaccurate or incomplete personal information. You can update most account fields directly in your dashboard.
  • Deletion. Request deletion of your personal information. You can delete individual image sets from the dashboard. For full account deletion, email us from the address on your account; we will honour the request within 30 days. Gallery items you have already published remain visible until you request their removal separately.
  • Withdraw consent. Where we process information based on consent, you can withdraw it at any time without affecting the lawfulness of processing before the withdrawal.
  • Object or restrict. Where we process based on our legitimate interests, you may object to that processing or ask us to restrict it.
  • Lodge a complaint. You have the right to file a complaint with your local data protection authority.

To exercise a right, email ycaptcha@xyspg.moe from the address associated with your account. We may need to verify your identity before acting on the request, and we may decline or limit a request where permitted by law (for example, to comply with a legal obligation or to protect the rights of another person).

United States

This section applies to individuals residing in the United States, including residents of states with comprehensive privacy laws (such as California, Colorado, Connecticut, Virginia, Utah, Texas, and others that enact similar laws, collectively “US Data Privacy Laws”).

The categories of personal information we collect, as classified by US Data Privacy Laws, include: identifiers (name, email, IP address, account ID); internet or other electronic network activity information (browsing and usage data, device metadata, log files); geolocation information (coarse location derived from IP); commercial information (account records); and inferences drawn from the above. We describe how we use and disclose each category in the sections above.

We do not sell personal information, and we do not share personal information for cross-context behavioural advertising, as those terms are defined under US Data Privacy Laws. We honour Global Privacy Control (GPC) opt-out preference signals where applicable.

In addition to the rights listed above, US residents may have the right to: (i) request information about the collection and disclosure of their personal information over the preceding 12 months; (ii) opt out of the sale, sharing, or targeted advertising of their personal information (which we do not perform); (iii) limit use of sensitive personal information (we do not use or disclose sensitive personal information except as necessary to provide the Services or as permitted by law); (iv) non-discrimination for exercising their rights; and (v) appeal our decision on a privacy request.

EEA and UK

This section applies to individuals based in the European Economic Area or the United Kingdom and supplements the rest of this Notice under the General Data Protection Regulation (“GDPR”) and UK GDPR.

yCAPTCHA acts as a data controller for information we collect about you when you use the Sites and Services as a Customer or when you interact with us. When processing End User data during a CAPTCHA challenge on a Customer’s site, we act as a data processor on behalf of that Customer, and the Customer’s privacy notice governs.

Our legal bases for processing are:

  • Contract. Where necessary to provide the Services you have requested (account administration, serving images, verifying CAPTCHA tokens, responding to support requests).
  • Legitimate interests. To improve, secure, and defend the Services — for example, to operate rate limiting and fraud detection, and to review aggregated usage to improve the product — balanced against your rights and freedoms.
  • Legal obligations. To comply with applicable law, respond to lawful requests, and retain billing and account records as required.
  • Consent. Where we ask for it, for example for optional cookies on our Sites.

In addition to the rights listed above, EEA/UK individuals have the right to restrict processing in limited circumstances and the right to object to processing based on legitimate interests. If you have unresolved concerns, you may lodge a complaint with your local supervisory authority, though we ask that you contact us first so we can try to resolve the issue.

We aim to respond to verified requests within 30 days. Requests may be limited where fulfilling them would adversely affect others’ rights, where there are overriding public-interest reasons, or where we are required by law to retain the information.

Minimum Age

The Sites and Services are not directed to children under 16. Do not create an account or upload content if you are under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us and we will delete it.

Changes to This Notice

We periodically review and update this Notice. The “Last updated” date at the top of this page reflects the current version. Material changes will be announced on the dashboard or by email. Your continued use of the Sites and Services after the effective date of a change constitutes acceptance of the updated Notice.

Contact Us

Questions about this Notice, requests to exercise your rights, deletion requests, or other privacy concerns: ycaptcha@xyspg.moe.