Friendly Captcha is a privacy preserving CAPTCHA alternative developed in Munich that protects forms and accounts with a proof of work cryptographic puzzle solved by the browser, without cookies, fingerprinting or transfers to the United States.
Friendly Captcha is a privacy preserving alternative to Google reCAPTCHA developed by Friendly Captcha GmbH in Munich. Instead of analysing visitor behaviour or fingerprinting the device, it asks the browser to solve a cryptographic proof of work puzzle that is computationally cheap for a real user but expensive for a bot at scale.
The widget renders an inline status component that automatically requests a puzzle from api.friendlycaptcha.com, solves it locally in WebAssembly and submits a solution token to the form. The server side then validates the token against the Friendly Captcha API before accepting the request. No interaction with the visitor is required, which improves accessibility and conversion.
Friendly Captcha does not set any cookie and does not perform device fingerprinting. The only data exchanged with the Friendly Captcha backend is a salted request hash, the truncated IP address used for fraud scoring (deleted within 30 minutes), the difficulty target of the puzzle and the resulting solution token. The customer site key and a counter of solved puzzles are stored to enable billing.
Because Friendly Captcha does not place any storage on the device, it falls outside the scope of Article 5(3) ePrivacy and therefore does not require consent. The minimal personal data exchanged (truncated IP) is processed under legitimate interest pursuant to Article 6(1)(f) GDPR as a security measure under Article 32 GDPR. The CNIL and the BfDI have publicly recommended Friendly Captcha as a compliant alternative to reCAPTCHA.
All Friendly Captcha endpoints are operated on EU only infrastructure (Hetzner Online in Falkenstein and Nuremberg, Cloudflare EU only zone). No personal data is transferred to the United States or any other third country. This makes Friendly Captcha the natural replacement for reCAPTCHA when the controller needs to avoid the Schrems II exposure created by Google.
Sign the Friendly Captcha DPA, mention Friendly Captcha GmbH in your privacy notice as a recipient, document the security purpose in your record of processing activities, and prefer server side verification of the solution token. There is no consent banner to configure since Friendly Captcha is exempt from consent.
Websites using Friendly Captcha must obtain user consent under GDPR regulations.
DPIA considerations
Friendly Captcha is designed around data minimisation: no cookie, no device fingerprint, only a truncated IP and a salted request hash for fraud scoring. A standalone DPIA is generally not required. Document Friendly Captcha in your record of processing as a security measure under Article 32 GDPR, signed under the Friendly Captcha DPA with the controller designated as Friendly Captcha GmbH, Munich.
Sample consent text
This form is protected by Friendly Captcha, an EU based, cookie free spam protection service operated by Friendly Captcha GmbH (Munich). Friendly Captcha processes only the technical data needed to verify that your browser solved the security puzzle, without setting cookies or tracking you. The processing is necessary to protect the site against abuse; no consent is required.
Third-party domains contacted
friendlycaptcha.com
api.friendlycaptcha.com
cdn.friendlycaptcha.com
eu-api.friendlycaptcha.eu

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| no_cookies | none | Not applicable | Friendly Captcha is intentionally cookieless and does not store any identifier in cookies or local storage; this placeholder entry documents the absence of cookies for the cookie register. |
Friendly Captcha sets no cookies and uses no local storage. The widget exchanges only a cryptographic puzzle, a solution token and a truncated IP address with api.friendlycaptcha.com. This is a deliberate design choice that exempts the service from Article 5(3) ePrivacy and avoids any consent banner.
No. Because no information is stored on or read from the device, Friendly Captcha falls outside the scope of Article 5(3) ePrivacy and does not require consent. The minimal personal data exchanged is processed as a security measure under Article 32 GDPR, justified by legitimate interest.
Legitimate interest under Article 6(1)(f) GDPR is the appropriate basis, paired with the security obligation of Article 32 GDPR. The controller must protect its forms and accounts from bots, spam and credential stuffing, which is a legitimate purpose that does not require the visitor's consent.
No. Friendly Captcha GmbH is a German company that runs all infrastructure within the EU (Hetzner Online in Falkenstein and Nuremberg, Cloudflare EU only zone). No personal data is transferred to the United States or any other third country, which is the main reason controllers migrate from Google reCAPTCHA.
A standalone DPIA is generally not required. Friendly Captcha processes only a truncated IP address and a request hash, both for fraud scoring purposes, and stores no persistent identifier. Document the service in the record of processing activities as a security measure under Article 32 GDPR.
Embed the Friendly Captcha JavaScript on the protected form, configure the sitekey from the dashboard, validate the solution token server side via the friendlycaptcha.com API and add Friendly Captcha GmbH to the privacy notice as a recipient. Optionally enable the EU API endpoint to ensure traffic stays inside the EU.
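The server side validation step described above, sketched as an added example (not code from this page or from Friendly Captcha): it posts the form's solution token to the EU endpoint and separates a rejected token from an outage or misconfiguration on the site's own side. The `/api/v1/siteverify` path, the JSON field names and the error codes are assumptions based on the v1 API and should be checked against the current documentation; `fail_open` and the length cap are hypothetical policy knobs.

```python
import json
import urllib.error
import urllib.request

# Assumed v1 path on the EU host this page lists; confirm in the current API docs.
SITEVERIFY_URL = "https://eu-api.friendlycaptcha.eu/api/v1/siteverify"
# Assumed v1 error codes that mean the visitor's token itself was bad.
CLIENT_ERRORS = {"solution_missing", "solution_invalid",
                 "solution_timeout_or_duplicate", "bad_request"}


def http_post_json(url, payload, timeout=5.0):
    """Default transport: POST JSON, return (status, parsed body or None)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read())
        except ValueError:
            return err.code, None


def verify_solution(solution, secret, sitekey, post=http_post_json, fail_open=False):
    """Return (accepted, reason) for the token the widget placed in the form."""
    if not solution or len(solution) > 8192:  # hypothetical cap on forwarded input
        return False, "solution_missing"
    try:
        status, body = post(SITEVERIFY_URL,
                            {"solution": solution, "secret": secret, "sitekey": sitekey})
    except (OSError, ValueError) as exc:  # DNS, TLS, timeout, non-JSON reply
        return fail_open, f"verifier_unreachable:{type(exc).__name__}"
    if status == 200 and isinstance(body, dict) and body.get("success") is True:
        return True, "ok"
    errors = body.get("errors", []) if isinstance(body, dict) else []
    if status == 200 or CLIENT_ERRORS & set(errors):
        # Invalid, expired or replayed token: always reject.
        return False, ",".join(errors) or "rejected"
    # Bad secret, 5xx and similar: our own misconfiguration or an outage.
    # Log and alert; fail_open decides whether the form is still accepted.
    return fail_open, f"verifier_error:{status}"
```

Keep the secret on the server only, and log the returned reason so that a run of `verifier_error` results is noticed rather than silently accepted or rejected.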
Privacy preserving alternatives include hCaptcha (EU edition with hosting in Frankfurt), Cloudflare Turnstile (cookie free, multi region), MTCaptcha (EU based, accessible), Altcha (open source, self hostable) and BotGuard. Google reCAPTCHA is generally not a privacy preserving alternative because it relies on Google cookies and US transfers.
There is no cookie to declare. Add Friendly Captcha GmbH to the privacy notice as a recipient with the security purpose, the legitimate interest legal basis and a link to its DPA and sub processor list. Update only when Friendly Captcha announces new sub processors or new regions.