ALTCHA is an open source, privacy friendly captcha alternative from BAU.PLUS (Slovakia, EU). It protects forms against spam and bots using a proof of work challenge solved in the visitor browser, with no cookies, no behavioural profiling and no fingerprinting in the default configuration. It can be fully self hosted or used through the EU hosted endpoint, making it one of the cleanest GDPR friendly defaults available.
ALTCHA is an open source captcha alternative developed by Daniel Regeci and the BAU.PLUS team in Slovakia. Instead of relying on behavioural tracking, fingerprinting or solving image puzzles, it uses a proof of work challenge that the visitor browser computes locally before the form is submitted. The server then verifies the signed token and accepts or rejects the submission, blocking the vast majority of spam bots without ever profiling the human user.
In its default configuration ALTCHA does not set any cookies, does not run device fingerprinting and does not build behavioural profiles. The only data processed are the visitor IP address (which is unavoidable for any HTTP request to the verification endpoint), the proof of work challenge and the short lived signed token returned by the browser. When the hosted variant on eu.altcha.org or us.altcha.org is used, a temporary altcha_session value may be kept server side for rate limiting, but no client side identifiers are persisted on the device.
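To make the exchange described above concrete, here is a simplified challenge, solve and verify flow written for this page (it is not ALTCHA's own code, and the field names, the expiry-in-salt convention and the demo HMAC key are assumptions of the example). It shows what the server must check on the returned token: the HMAC proving the challenge was issued by this server, the expiry, the proof of work itself, and that the same challenge is not accepted twice.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server secret for the example; load it from the environment in practice.
SERVER_HMAC_KEY = b"constructed-demo-key-do-not-use"
MAX_NUMBER = 50_000  # difficulty: upper bound of the number the browser must find


def create_challenge(key=SERVER_HMAC_KEY, ttl=300, now=None):
    """Server side: pick a secret number, publish only its salted hash plus an HMAC."""
    now = int(time.time() if now is None else now)
    salt = f"{secrets.token_hex(8)}?expires={now + ttl}"  # expiry travels inside the salt
    number = secrets.randbelow(MAX_NUMBER + 1)
    challenge = hashlib.sha256(f"{salt}{number}".encode()).hexdigest()
    signature = hmac.new(key, challenge.encode(), "sha256").hexdigest()
    return {"algorithm": "SHA-256", "challenge": challenge, "salt": salt,
            "maxnumber": MAX_NUMBER, "signature": signature}


def solve_challenge(ch):
    """Browser side: brute force the number whose salted hash matches the challenge."""
    for n in range(ch["maxnumber"] + 1):
        if hashlib.sha256(f"{ch['salt']}{n}".encode()).hexdigest() == ch["challenge"]:
            return {**ch, "number": n}  # this is the token submitted with the form
    return None


def verify_solution(sol, key=SERVER_HMAC_KEY, seen=None, now=None):
    """Server side: reject forged, expired, unsolved or replayed tokens, in that order."""
    now = int(time.time() if now is None else now)
    expected = hmac.new(key, sol["challenge"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sol["signature"]):
        return False, "bad signature"  # challenge was not issued by this server
    expires = int(sol["salt"].split("?expires=", 1)[1])
    if now > expires:
        return False, "expired"
    if hashlib.sha256(f"{sol['salt']}{sol['number']}".encode()).hexdigest() != sol["challenge"]:
        return False, "wrong number"
    if seen is not None:  # short lived server side set of consumed challenges
        if sol["challenge"] in seen:
            return False, "replayed"
        seen.add(sol["challenge"])
    return True, "ok"
```

Nothing in this flow is stored on the visitor's device; the only state is the server side set of consumed challenges, which can be expired together with the token TTL.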
Because ALTCHA performs only local computation in the browser and a single signed exchange with the verification endpoint, it falls comfortably within the strictly necessary exception of Art. 5(3) ePrivacy as transposed into national laws such as the German TDDDG. There is no profiling within the meaning of Art. 22 GDPR, no special category data and, when the EU endpoint or a self hosted instance is used, no transfer of personal data to third countries. The remaining GDPR obligations are limited to transparency in the privacy notice and a brief legitimate interest assessment.
In most deployments prior consent is not required. ALTCHA can be loaded under the ePrivacy strictly necessary exception because it is essential to protect the requested form submission against abuse, and the processing relies on Art. 6(1)(f) GDPR (legitimate interest in fraud and abuse prevention) or Art. 6(1)(b) GDPR (performance of the contract represented by the form). It should be placed in the strictly necessary category of the cookie banner, with a short explanation in the privacy notice. Consent only becomes relevant if the deployment is bundled with optional analytics or risk scoring features that go beyond pure spam protection.
When ALTCHA is self hosted or used through the eu.altcha.org endpoint, no personal data leaves the EU, which removes the Chapter V GDPR transfer problem entirely. If the publisher selects us.altcha.org, the processing relies on Standard Contractual Clauses and a transfer impact assessment, and that choice should be reflected in the privacy notice and records of processing. Practical steps: document the LIA, prefer the EU or self hosted variant, expose ALTCHA in the privacy notice under security, list it under strictly necessary in the cookie banner, and review the configuration each year to confirm that no optional tracking features have been enabled.
DPIA considerations
A full DPIA is generally not required for ALTCHA in its default configuration: there are no cookies, no fingerprinting and no behavioural profiling, and processing is limited to the temporary IP address and a short lived proof of work token used to confirm that a form submission is legitimate. A short legitimate interest assessment (LIA) is recommended, documenting that fraud and abuse prevention is the purpose, that the processing is the least intrusive option available compared to reCAPTCHA or hCaptcha, and that no profiles are built. If the US endpoint is selected, document the transfer impact assessment and the SCCs in place.
Sample consent text
ALTCHA is used on this site as a strictly necessary security control to protect our forms against spam and automated abuse. It runs locally in your browser as a proof of work challenge, sets no cookies and does not profile you. On this basis it is loaded without prior consent under Art. 5(3) ePrivacy and Art. 6(1)(f) GDPR. You can review the details in our privacy notice.
Third-party domains contacted
altcha.org
eu.altcha.org
us.altcha.org
cdn.altcha.org
api.altcha.org
docs.altcha.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| altcha_session | http_cookie | session | Optional short lived server side identifier used only by the hosted variant to apply rate limiting on the verification endpoint. Not set on the visitor device. |
| altcha_token | first_party_storage | request | Signed proof of work token returned by the widget and submitted with the form. Held only in the form payload, not persisted in cookies or localStorage by default. |
| altcha_challenge | first_party_storage | request | Challenge payload generated by the server and consumed by the widget during the single page lifecycle. Discarded as soon as the proof of work is solved. |
| altcha_rate_limit | http_cookie | session | Optional anti abuse counter used by self hosted deployments that opt in to per session rate limiting. Off by default. |
None in the default configuration. ALTCHA runs a proof of work challenge in the browser and returns a signed token; no cookies and no client side identifiers are stored. The hosted variant may keep a short lived altcha_session record server side for rate limiting only.
In most cases no. ALTCHA protects the form submission requested by the user, which qualifies as strictly necessary under Art. 5(3) ePrivacy, so it can be loaded without prior consent. Document the legitimate interest analysis and mention it under strictly necessary in the cookie banner.
Art. 6(1)(f) GDPR (legitimate interest in fraud and abuse prevention) is the primary basis, with Art. 6(1)(b) GDPR (contract performance) as an alternative where the captcha is required to complete a service requested by the user.
No, when you self host ALTCHA or use the eu.altcha.org endpoint, which is located in the European Union. Transfers to the United States only happen if you explicitly select us.altcha.org, in which case SCCs and a transfer impact assessment are required.
Usually not. ALTCHA does not profile users, set cookies or perform fingerprinting, so the risk is low. A short legitimate interest assessment is enough in most cases. A DPIA only becomes relevant if you combine ALTCHA with optional analytics or risk scoring features.
Prefer the self hosted version or the eu.altcha.org endpoint, document the LIA, list ALTCHA in the privacy notice under security, place it under strictly necessary in the cookie banner, and check the configuration each year to confirm no optional tracking is enabled.
Yes. Friendly Captcha is a close EU equivalent. mCaptcha is another open source proof of work option. hCaptcha is privacy oriented but US based, Cloudflare Turnstile is widely used but runs on US infrastructure, and Google reCAPTCHA is the most invasive choice.
Add a short section in the privacy notice explaining that ALTCHA is used to protect forms against spam and abuse, that it runs a proof of work challenge locally, sets no cookies and does not profile users, and that processing relies on legitimate interest under Art. 6(1)(f) GDPR.