MTCaptcha is a web technology service that provides essential functionality for websites and digital platforms. It delivers core capabilities that support site operations, content delivery, and user experience optimization. MTCaptcha integrates seamlessly with modern web architectures, ensuring reliable performance and compatibility across browsers and devices. Trusted by businesses worldwide, MTCaptcha helps organizations maintain robust websites that meet user expectations and technical requirements.
MTCaptcha is a CAPTCHA service designed as a GDPR-friendly alternative to Google reCAPTCHA. It displays image or noPuzzle challenges that confirm a real human is interacting with a form. MTCaptcha is operated by a Hong Kong company with EU infrastructure in Germany and an explicit EU-only mode that keeps every request inside the EEA.
MTCaptcha loads a small JavaScript widget that talks to service.mtcaptcha.com (or eu.mtcaptcha.com in EU-only mode). It processes the visitor's IP address, the user agent, the timing of the challenge and a short-lived nonce, but does not set advertising cookies and does not build a behavioural profile across websites. A first-party verification token is stored in the form during the challenge so that the challenge can be validated server-side.
Because MTCaptcha is only used to secure a service explicitly requested by the user (submitting a form, creating an account), the EDPB exemption for strictly necessary storage applies. Article 5(3) of the ePrivacy Directive does not require consent for that scope. The IP processing is covered by legitimate interest under Article 6(1)(f) GDPR.
No prior consent is required as long as MTCaptcha is used exclusively for anti-spam and bot detection on the operator's forms. The legal basis is Article 6(1)(f) GDPR. If MTCaptcha is integrated together with marketing scoring or advertising attribution, the situation changes and consent must be collected.
The EU-only mode pins MTCaptcha to eu.mtcaptcha.com, where data stays in Frankfurt. In the global mode, edge servers may be located outside the EEA. Pick the EU mode for Schrems II-sensitive use cases and sign the MTCaptcha DPA to document the residency choice.
Activate the EU-only mode, sign the MTCaptcha DPA, list MTCaptcha as a security processor in the record of processing, mention it in the privacy notice with the legitimate interest basis and document the bot protection use case. No CMP category is needed for the default anti-spam configuration.
Websites using MTCaptcha must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for MTCaptcha in its normal anti-spam configuration. It is recommended when the service is deployed in sensitive flows such as account creation in the health, public sector or financial industries, or combined with risk scoring.
Sample consent text
We use MTCaptcha to detect bots and protect our forms. MTCaptcha runs in our EU-only configuration and uses strictly necessary technical storage to validate the challenge. No tracking cookie is involved.
Third-party domains contacted
mtcaptcha.com, service.mtcaptcha.com, eu.mtcaptcha.com, service2.mtcaptcha.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mtcaptcha_verifiedtoken | first-party | session | Strictly necessary token stored on the form during the challenge to validate the visitor's anti-spam check server-side. |
MTCaptcha does not set advertising cookies. It uses a short-lived verification token passed through the form and ephemeral storage to coordinate the challenge. Some technical localStorage entries can be created to remember the last challenge state, but they do not identify the visitor across sites.
No, when MTCaptcha is used strictly for anti-spam and bot detection on user-submitted forms. The strictly necessary exemption of Article 5(3) of the ePrivacy Directive applies and the legal basis is Article 6(1)(f) GDPR (legitimate interest in protecting the service).
Article 6(1)(f) GDPR, legitimate interest in protecting the operator's forms and services from abuse and bots. The balancing test is in favour of the operator because MTCaptcha is privacy-oriented, does not profile users and is limited to the security purpose.
In the EU-only configuration, data stays on eu.mtcaptcha.com infrastructure in Germany. In the default global configuration, edge servers may be located in the US or APAC; check the regional setting in the MTCaptcha dashboard and sign the appropriate Standard Contractual Clauses if a transfer is involved.
No, a DPIA is not required for a standard MTCaptcha integration. It becomes relevant when MTCaptcha is part of a sensitive flow (health, finance, public sector account creation) or coupled with risk scoring that could produce decisions with legal effects.
Enable EU-only mode, sign the MTCaptcha DPA, list MTCaptcha as a security processor in the record of processing, mention it in the privacy notice with the legitimate interest basis and disable the captcha on pages where it is not strictly necessary, in keeping with the data minimisation principle.
Privacy-oriented CAPTCHA alternatives include Cloudflare Turnstile, hCaptcha, Friendly Captcha (EU-based) and Altcha (open source). Each offers different trade-offs in terms of accessibility, accuracy and data residency; Friendly Captcha is fully EU-hosted.
State that MTCaptcha is used as a strictly necessary anti-spam mechanism, that no advertising cookies are set, that the legal basis is legitimate interest and that the EU-only mode is enabled, and link to the MTCaptcha privacy notice. No CMP toggle is required.