hCaptcha is a privacy-focused CAPTCHA service by Intuition Machines designed as a GDPR-friendly alternative to Google reCAPTCHA. Unlike reCAPTCHA, hCaptcha does not share challenge data with Google for advertising purposes, provides clear GDPR contractual terms, and offers a privacy-pass mode that minimises data processing. Legitimate interest supports its use for bot prevention without requiring consent. It is a drop-in reCAPTCHA replacement widely used by privacy-conscious organisations.
hCaptcha is a CAPTCHA service developed by Intuition Machines as a privacy-focused alternative to Google reCAPTCHA. Like reCAPTCHA, it presents visual challenges (image selection grids) or invisible challenges to verify users are human. Unlike reCAPTCHA, hCaptcha does not share challenge or risk data with Google for advertising purposes. It processes the minimum data necessary for bot detection and provides clearer GDPR contractual terms.
The primary GDPR concern with Google reCAPTCHA is that challenge data may be used by Google for advertising and profiling purposes beyond bot detection. hCaptcha contractually commits to using challenge data only for security purposes. It provides a GDPR-compliant DPA, offers a privacy-pass mode that reduces data collection further, and does not read or influence existing Google account cookies. Legitimate interest is a more supportable legal basis for hCaptcha than for reCAPTCHA precisely because of this narrower data use.
hCaptcha provides a drop-in replacement for Google reCAPTCHA v2 with a compatible JavaScript API. Replacing reCAPTCHA with hCaptcha typically requires only a script URL change and a new site key. The visual challenge interface is similar to reCAPTCHA v2. For invisible verification (reCAPTCHA v3 equivalent), hCaptcha's Enterprise tier provides score-based invisible challenges.
Sign the hCaptcha DPA and accept US data transfer under SCCs. Replace Google reCAPTCHA script tags with hCaptcha equivalents. Document the legitimate interest basis for bot prevention in your RoPA. Disclose hCaptcha in your privacy policy: bot prevention service, US data transfer, SCCs, and minimal data processing scope.
DPIA considerations
A DPIA is generally not required for hCaptcha standard deployments. Its privacy-minimising design and absence of advertising data sharing significantly reduce privacy risk compared to Google reCAPTCHA.
Sample consent text
This website uses hCaptcha to protect forms from spam and bots. hCaptcha processes minimal technical data for security purposes under legitimate interest. Data is processed in the US under Standard Contractual Clauses. See hCaptcha's privacy policy for details.
Third-party domains contacted
hcaptcha.com
newassets.hcaptcha.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| hmt_id | session | Session | hCaptcha session identifier maintaining challenge state during bot verification — minimal data footprint |
hCaptcha contractually restricts data use to security purposes only — it does not share challenge data with advertising platforms. reCAPTCHA data may be used by Google for advertising. This makes legitimate interest more defensible for hCaptcha and reduces the privacy risk profile significantly.
Generally no. hCaptcha's data processing for bot prevention can be justified under legitimate interest (Art. 6(1)(f)) as a necessary security measure. The legitimate interest balancing test supports bot prevention as proportionate to the security benefit. No consent banner is typically needed for hCaptcha.
Yes. hCaptcha is operated by Intuition Machines (US). Challenge data is processed on US infrastructure. SCCs are required. Sign the hCaptcha DPA. Disclose the US transfer in your privacy policy.
hCaptcha sets hmt_id (session identifier) for maintaining the challenge state. Unlike reCAPTCHA, hCaptcha does not set long-lasting tracking cookies or read existing Google account cookies. The data footprint is minimal.
For reCAPTCHA v2, yes. hCaptcha provides a compatible JavaScript API and visual widget. Replacing reCAPTCHA v2 with hCaptcha typically requires only changing the script URL and site key. For reCAPTCHA v3 (invisible, score-based), hCaptcha Enterprise provides equivalent invisible challenge capabilities.
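The script-swap migration described above (and in the body text earlier) only covers the browser side; the token the widget submits must still be verified server-side, otherwise the form is bypassable. This is an added example, not code from the page or from hCaptcha's own SDK: it assumes the documented siteverify endpoint and the h-captcha-response form field, and uses a constructed transport stub (fake_transport) with constructed sample replies so it runs offline; expected_hostname is an assumption.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

# hCaptcha's documented server-side verification endpoint.
SITEVERIFY_URL = "https://api.hcaptcha.com/siteverify"

# Browser side of the migration is a markup swap (shown here as a comment):
#   <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
#   <div class="h-captcha" data-sitekey="YOUR_SITE_KEY"></div>
# The widget then posts the token in this form field instead of g-recaptcha-response.
TOKEN_FIELD = "h-captcha-response"

Transport = Callable[[str, dict], dict]  # (url, form fields) -> parsed JSON reply


def http_post_json(url: str, fields: dict) -> dict:
    """Default transport: form-encoded POST, JSON reply (used in production)."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=5) as resp:
        return json.load(resp)


def verify_hcaptcha(secret: str, form: dict, expected_hostname: str,
                    remote_ip: Optional[str] = None,
                    transport: Transport = http_post_json) -> tuple:
    """Return (ok, reason). Fails closed on missing token, API error, or a
    reply whose hostname is not our own site (token issued elsewhere)."""
    token = form.get(TOKEN_FIELD, "")
    if not token:
        return False, "missing token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip  # optional, documented siteverify parameter
    try:
        reply = transport(SITEVERIFY_URL, fields)
    except Exception as exc:  # network failure: treat as not verified
        return False, f"siteverify unreachable: {exc}"
    if not reply.get("success"):
        return False, "rejected: " + ",".join(reply.get("error-codes", []))
    if reply.get("hostname") != expected_hostname:
        return False, f"hostname mismatch: {reply.get('hostname')}"
    return True, "ok"


def fake_transport(reply: dict) -> Transport:
    """Constructed stand-in for the API (sample replies, not real output)."""
    return lambda url, fields: reply
```

In production, pass nothing for transport so the real endpoint is used, and keep the secret out of client-side code.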
Yes. hCaptcha provides a "privacy pass" mode that allows users who have previously verified to bypass the visual challenge, and audio challenges for visually impaired users. Accessibility was specifically designed into the challenge system.
State: that forms are protected by hCaptcha for bot prevention, that hCaptcha processes minimal technical data (browser fingerprint, IP, challenge interaction) for security analysis, that this is processed under legitimate interest, that data is transferred to Intuition Machines in the US under SCCs, and link to hCaptcha's privacy policy.
Cloudflare Turnstile: CAPTCHA-free, minimal data, free, strong privacy design. Arkose Labs: enterprise-level bot protection. Friendly Captcha: EU-hosted (Germany), proof-of-work based, no data sent to third parties. For maximum GDPR simplicity, Friendly Captcha (EU-hosted) or Cloudflare Turnstile are the strongest alternatives.