Skip to content

API GDPR Compliance Guidelines

For self-hosted deployments of ALTCHA, GDPR compliance is inherent, eliminating the need for updates to your privacy policy. The following guidelines are tailored specifically for users of the API.

When utilizing our API, achieving GDPR compliance necessitates certain adjustments based on the features you utilize. Below, we outline guidelines to assist you in achieving GDPR compliance.

Privacy Considerations

ALTCHA’s API prioritizes privacy and adheres to GDPR standards by working with limited and anonymized inputs. To ensure transparency, consider the following:

  • Data usage: We do not retain or utilize the data you submit for training machine learning models. Once classification is complete, the data is promptly forgotten and removed from memory.
  • Model usage: ALTCHA’s Spam Filter is a custom-built, privately hosted system. We do not employ commercially available LLMs (Large Language Models) such as ChatGPT or Claude. Your data remains exclusively on our servers and is never transmitted to external services, except for IP addresses, which are used for geolocation via external services.
  • User tracking: We do not track end-users or analyze their behavior. Our system does not employ tracking, marketing cookies, or fingerprinting techniques.
  • Request logging: Unless specifically enabled for paying customers using the “audit log” feature, we do not retain logs of your requests. We solely track IP addresses for rate-limiting purposes.
  • Cloudflare integration: Your requests pass through Cloudflare’s network, and responses may include necessary security measures (cookies).
  • Confidential information: Avoid submitting confidential data such as passwords or credit card numbers to the API.
  • Email addresses: Under GDPR, email addresses are considered personally identifiable information (PII) and should be treated accordingly. You can verify email addresses without disclosing the username by masking them and transmitting only the domain (e.g.,

Hosting Regions

ALTCHA’s API is hosted in two distinct regions: EU and USA. These deployments operate as separate systems, with no data sharing or transfer between them.

To select your desired region, utilize the corresponding hostname:

  • for the EU (hosted in Frankfurt, Germany).
  • for the USA (hosted in San Francisco, USA).

ALTCHA’s API incorporates security features provided by Cloudflare, and responses may include necessary security cookies. Refer to Cloudflare’s privacy policy for comprehensive details.

Practically, you do not require a cookie banner. A simple notice in your privacy policy suffices, as the cookies are temporary “necessary” or functional cookies used solely for security purposes. They are set only when end-users interact with the API, such as clicking “I’m not a robot,” which signifies an intent to submit a form. Ensure your privacy policy includes a notice or checkbox indicating user consent, such as “By submitting this form you agree and accept our Privacy Policy”.

Sub-Processor Status

ALTCHA assumes sub-processor status for your data in the following scenarios:

  • Submission of PII: If you submit personally identifiable information (PII) such as email addresses, names, or addresses to the API.

    To avoid this, refrain from transmitting any PII. You can still verify email addresses by masking them (sending only, etc.) and ensure data is anonymized before submission.

  • Usage of ALTCHA Forms platform: If you utilize the ALTCHA Forms platform to collect data from end-users.

When ALTCHA becomes a sub-processor for your data, include the legal operator of the ALTCHA website and API in your privacy policy: operated by:
BAU Software s.r.o.
Lidicka 700/19, 602 00 Brno, Czechia
Privacy policy: