Privacy Policy
Last updated: 2026-05-07
Who this policy applies to
Two groups of people interact with Playtcha:
- Customers — developers and businesses who sign up for a Playtcha account to integrate the widget on their site. We are the data controller for customer account data.
- End-users — people who solve a Playtcha challenge on a site that integrated us. We are a data processor on behalf of the customer; the customer is the controller.
What we collect from end-users
When you solve a Playtcha challenge on a site that uses our service, the only data we touch is what we need to issue a single-use verification token and confirm a real human played:
| Data | Why | Retention |
|---|---|---|
| IP address (anonymized to /24 IPv4 or /64 IPv6 before storage) | Per-IP rate limiting on token issuance | 24-hour sliding window, then deleted |
| Site key | Identifies which customer the verification belongs to | Permanent (the customer's own key) |
| User agent string (in-flight only, never stored as a column on a verification row) | Mobile vs desktop game selection; bot heuristics | Discarded with the request |
| Game inputs (taps, clicks, key events) during the ~10-second play window | Required to verify the game was played by a human, not a script. The backend re-simulates these to score the game. | Discarded the moment the game ends. Never persisted. |
| Hashed token identifier (jti) | Single-use enforcement (a token can never be redeemed twice) | Until token expiry plus 24 hours, then deleted |
What we do NOT collect: behavioral biometrics outside the game canvas, mouse paths on the host page, persistent cookies on end-users, cross-site identifiers, geolocation beyond what an IP implies, demographic inferences, referer chains.
Lawful basis: Article 6(1)(f) GDPR — the customer's legitimate interest in preventing fraud and abuse on their service. Recital 49 explicitly recognizes network security as a legitimate interest. We have minimized end-user data to balance against your privacy rights.
What we collect from customers
When you sign up for a Playtcha account, we collect what we need to provide the service:
- Email address (for sign-in and account messages)
- Password (handled by Supabase Auth with industry-standard password hashing; never stored in plaintext by Playtcha)
- Project metadata (project names, allowed domains, tier)
- Aggregate usage counts per month (for tier-cap enforcement)
Lawful basis: Article 6(1)(b) GDPR (contract). We need this data to provide the service you signed up for. Marketing emails (separately) require Article 6(1)(a) GDPR consent and can be revoked at any time.
Payments: Playtcha has Free, Starter, and Business plan shapes. The Free plan includes 5,000 verifications / month with graceful degradation past the cap. All accounts are currently on the Free plan; paid plans are coming soon. Stripe is the planned billing processor — when paid plans go live we will update this page, list Stripe under sub-processors, and notify customers via email before the change takes effect.
Cookies and tracking
The widget itself sets no cookies, reads no storage, and transmits no behavioral fingerprints. An in-memory variable holds your in-progress challenge token for the two minutes a token is valid; it is cleared when the page unloads or the verification completes. Nothing persists on your device.
The marketing site at playtcha.com uses strictly-necessary cookies (auth session for logged-in dashboard users, CSRF tokens). It also uses Google Analytics 4 — but only after you click “Accept” on the cookie banner. Reject and GA is never loaded, no GA cookies are set. Either way the dashboard (/app/*) and the embedded widget on customer sites are never instrumented — analytics is scoped to marketing pages only. We have configured the GA property with anonymize_ip: true, advertising signals disabled, and ad personalization disabled. You can change your choice any time via the “Cookie settings” link in the footer.
Your rights (GDPR / UK GDPR / Quebec Law 25)
If you are a Playtcha customer, you have the following rights and can exercise most of them self-serve in your dashboard:
- Access (Article 15) — download your data from your dashboard.
- Rectification (Article 16) — edit your account details directly.
- Erasure (Article 17) — “Delete account” in settings removes or replaces personal account identifiers such as email, password, and project names. Historical verification log rows and usage totals may still be retained as de-identified service records for service integrity, abuse-detection history, and legal obligations. If billing is enabled for your account, billing records are retained for the period required by tax law (typically 7 years). See “Retention summary” below.
- Restriction (Article 18) — email support@playtcha.com.
- Portability (Article 20) — same export as Access; JSON format.
- Object (Article 21) — marketing email opt-out is one click.
If you are an end-user who solved a challenge on a customer’s site, contact that customer first — they are the data controller for the verification you completed. We will assist them with your request.
Your rights (California / CPRA)
We do not sell or share personal information for cross-context behavioral advertising. For California residents, the CCPA/CPRA right to know, right to delete, and right to non-discrimination are honored through the same dashboard self-serve flows above. No “Do Not Sell or Share” link is required because we don’t do either; we provide one anyway at support@playtcha.com for completeness.
Children
Playtcha is not directed at children under 13. We do not collect age, and the verification flow does not infer it. If a site you operate is directed at children under 13, you are responsible under COPPA for whether you may use any third-party tool — including ours. We do not knowingly process data from services directed at children under 13 without compliant parental consent on the customer’s side.
Sub-processors
We use the following sub-processors to run the service. Each is contractually bound to the same data-protection commitments we make to you. A current public list is published at playtcha.com/legal/subprocessors; material additions get at least 14 days advance notice where contract or law requires it.
| Provider | Purpose | Data category |
|---|---|---|
| Supabase | Database, auth | Customer accounts, project metadata, hashed tokens |
| Vercel | Hosting, edge CDN | Widget delivery (no personal data at rest), API routing |
| Resend (or equivalent) | Transactional email | Customer email addresses for account messages |
International transfers
Where customer data is transferred outside the EU/EEA or UK, we rely on Standard Contractual Clauses (EU Commission 2021/914, UK IDTA addendum where applicable). Our database currently runs in a single region; a contractually-guaranteed EU-only deployment is on our roadmap and not generally available today — talk to us at support@playtcha.com if data residency is a hard procurement requirement. Our template DPA is published at playtcha.com/legal/dpa.
Retention summary
| Data | Retention | On account deletion |
|---|---|---|
| End-user IP (anonymized to /24 IPv4 / /64 IPv6 at write time) | 24 hours | Already short-lived; nothing further to do |
| Game inputs during play | Discarded the moment the game ends (never persisted) | n/a — not stored |
| Verification log rows (per-verification audit, no PII beyond /24-anonymized IP) | Tier-based retention: 7 days free, 30 days starter, 90 days business, 365 days enterprise | Retained as a historical service record: account-facing identifiers are removed or replaced, while the verification row stays available within the tier retention window |
| Customer email, password, project names | Until account deletion | Removed or replaced during account deletion |
| Aggregate per-month verification counts (project-level usage) | Indefinitely | Retained as historical usage totals after account identifiers are removed or replaced |
| Billing records, if billing is enabled for your account | 7 years (tax law) | Retained for the legally required period; access disabled |
The principle: anything that identifies you as a customer in the active product experience is removed or replaced when you ask. Anything that documents service operation (was a verification rejected for security reasons? did a project see an abuse wave?) may be retained as a de-identified historical record, because legitimate-interest fraud detection and statutory obligations require it.
Security and breach notification
If we ever confirm a personal-data breach, we will notify the relevant supervisory authority within 72 hours where required, and notify affected customers without undue delay (target: 24 hours from confirmation). Material incident summaries are sent by email to project owners.
Changes to this policy
Material changes will be announced via email to customers and prominently on the dashboard at least 30 days before they take effect. The version date at the top of this page is the source of truth.
Contact
Privacy questions, complaints, or requests: support@playtcha.com. You also have the right to lodge a complaint with your local supervisory authority.
