RingCaptcha is a phone-number-based anti-bot service that replaces image CAPTCHAs with SMS or voice verification codes. The publisher embeds a JavaScript widget that collects the visitor's phone number, browser fingerprint and IP, forwards them to RingCaptcha servers in the United States, and triggers an SMS or call to confirm ownership of the number. As it processes a directly identifying identifier and uses electronic communications, it falls under both the GDPR and the ePrivacy Directive.
RingCaptcha is an alternative to image and behavioural CAPTCHAs. The visitor enters a phone number in a JavaScript widget; RingCaptcha sends a short verification code by SMS or voice call; the visitor types the code back into the widget to prove they control the number. The product is used during sign-up, password reset and high-value form submissions to keep bots out without breaking accessibility the way image puzzles do.
The widget collects the phone number, the visitor's IP address, a lightweight browser fingerprint (User-Agent, language, screen size, timezone) and the verification outcome (success, failure, number of attempts). RingCaptcha sets a session cookie to bind the challenge to a specific user, a persistent visitor cookie (rc_visitor, 1 year) used for repeat-abuse detection, and a language preference cookie. Phone numbers are stored alongside a verification record for an antifraud window of up to 90 days.
The phone number is by itself a direct identifier under Article 4(1) GDPR. Sending an SMS is an electronic communication regulated by Article 13 ePrivacy Directive: it requires the recipient's prior consent unless it is strictly necessary to deliver a service the user explicitly requested. In practice, RingCaptcha at sign-up qualifies as such a strictly necessary service, but the persistent rc_visitor cookie used for anti-fraud scoring requires consent or a documented legitimate-interest balancing test. The widget itself should not load before the user explicitly initiates the verification.
RingCaptcha is based in the United States and runs its infrastructure on AWS us-east-1. Personal data (phone, IP, fingerprint) is therefore transferred to the United States. SMS and voice traffic is routed through carriers in dozens of countries, with onward processing of telecom metadata by those carriers. The publisher should sign the RingCaptcha DPA, attach SCCs, document the routing chain in its processing register, and verify whether the carrier set used is restricted to EU operators where required.
Trigger the RingCaptcha widget only when the user explicitly asks to verify their number. Display a short notice naming RingCaptcha Inc. as a recipient, the United States as a destination and the right to refuse with an alternative (email link). Configure short retention windows. Audit your cookie policy to list the RingCaptcha cookies in the strictly necessary and functional categories. Run a DPIA if RingCaptcha is used in a high-volume or sensitive sector (finance, health, public services).
Websites using RingCaptcha must obtain user consent under GDPR regulations.
DPIA considerations
RingCaptcha processes a direct identifier (the phone number), a behavioural fingerprint (browser, IP, time-to-type), and the verification result (success, fail, retry count). Key DPIA considerations: (1) the phone number alone is sufficient to identify or re-identify an individual; (2) SMS or voice transit through international carriers can expose the number to telecom metadata processing in third countries; (3) RingCaptcha shares verification signals with its anti-fraud network, which may constitute a separate purpose requiring its own legal basis; (4) US transfers under SCCs require a Transfer Impact Assessment given FISA 702 exposure; (5) risk of unwanted SMS to repurposed or recycled numbers requires a clear unsubscribe and minimal retention. A DPIA is recommended whenever the verification gate is applied at scale (sign-up, password reset) and mandatory for sensitive sectors (finance, health).
Sample consent text
To prevent fraud we use RingCaptcha (RingCaptcha Inc., United States) to verify that the phone number you provide really belongs to you. RingCaptcha will send a single verification code by SMS or voice call and will store the phone number, your IP address and the verification result. Data is transferred to the United States under Standard Contractual Clauses. You can refuse this verification and use an alternative method (email confirmation, captcha image) at any time.
Third-party domains contacted
ringcaptcha.com, api.ringcaptcha.com, cdn.ringcaptcha.com, widget.ringcaptcha.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| rc_session | Strictly necessary | Session | Identifies the current RingCaptcha verification attempt and links the entered phone number to the SMS/voice challenge. |
| rc_visitor | Functional | 1 year | Persistent visitor identifier used by RingCaptcha to detect repeated verification attempts from the same browser and to feed its anti-fraud scoring. |
| rc_lang | Functional | 30 days | Stores the language used for the verification widget so that subsequent challenges are served in the same locale. |
RingCaptcha sets a session cookie (rc_session) to tie the challenge to the user, a persistent visitor cookie (rc_visitor, 1 year) used for repeat-abuse scoring, and a language preference cookie (rc_lang, 30 days). All cookies are first-party from RingCaptcha domains, not from yours.
You need explicit consent for the rc_visitor persistent cookie used in antifraud scoring. The session cookie used to deliver the challenge itself can rely on the strictly necessary exemption of Article 5(3) ePrivacy provided the user knowingly triggered the verification. As a matter of best practice, only load the widget after a user action.
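A check for the cookie rules above, as an added example that is not RingCaptcha's or this page's code: it audits captured Set-Cookie headers against the declared cookie table, the consent rule for rc_visitor and the user-action rule. The header values, the rc_track cookie and the function names are constructed for illustration.

```javascript
// Declared policy, copied from the cookie table on this page (durations in days).
// needsConsent follows the page's statement about rc_visitor.
const POLICY = new Map([
  ["rc_session", { maxDays: 0, needsConsent: false }], // session cookie
  ["rc_visitor", { maxDays: 365, needsConsent: true }],
  ["rc_lang", { maxDays: 30, needsConsent: false }],
]);

// Extract the cookie name and lifetime in days from one Set-Cookie header value.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  let days = 0; // no Max-Age or Expires means a session cookie
  let sawMaxAge = false;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i === -1) continue; // flag attributes such as Secure, HttpOnly
    const key = attr.slice(0, i).toLowerCase();
    const val = attr.slice(i + 1);
    if (key === "max-age") {
      days = Number(val) / 86400;
      sawMaxAge = true; // Max-Age takes precedence over Expires (RFC 6265)
    } else if (key === "expires" && !sawMaxAge) {
      days = (Date.parse(val) - now) / 86400000;
    }
  }
  return { name, days };
}

// Return one finding per rule a captured cookie breaks.
function auditCookies(headers, { userInitiated, consentGiven }, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, days } = parseSetCookie(header, now);
    const rule = POLICY.get(name);
    if (!rule) { findings.push(`${name}: not declared in cookie policy`); continue; }
    if (!userInitiated) findings.push(`${name}: set before the user started verification`);
    if (rule.needsConsent && !consentGiven) findings.push(`${name}: set without consent`);
    if (days > rule.maxDays) findings.push(`${name}: lifetime ${Math.round(days)}d exceeds declared ${rule.maxDays}d`);
  }
  return findings;
}

// Constructed sample: headers as they might be captured in a browser test run.
const SAMPLE = [
  "rc_session=abc123; Path=/; Secure; HttpOnly",
  "rc_visitor=v-001; Max-Age=63072000; Path=/; Secure",
  "rc_lang=en; Max-Age=2592000; Path=/",
  "rc_track=1; Max-Age=60; Path=/",
];
```

Run it in a pre-release browser test with the headers recorded before and after the visitor clicks the verify button; an empty result means the observed cookies match the declared policy.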
A combination of consent (Art. 6(1)(a) GDPR) for the phone challenge and the SMS sent, and legitimate interest (Art. 6(1)(f) GDPR) for the antifraud scoring that uses IP and fingerprint signals. Document both bases in your processing register.
Yes. RingCaptcha Inc. is US-based and operates on AWS us-east-1. Standard Contractual Clauses cover the transfer; a Transfer Impact Assessment is expected. SMS routing may add carriers in other third countries, which should be listed in your privacy notice.
A DPIA is recommended when RingCaptcha is used at scale (sign-up, password reset) and mandatory in sensitive sectors (finance, health, public services) because phone number plus IP plus device fingerprint create a high re-identification risk.
Lazy-load the widget on user action. Show a short notice naming RingCaptcha Inc. and the United States. Offer an alternative (email link, image CAPTCHA). Keep retention short (less than 90 days). Sign the RingCaptcha DPA and attach SCCs. Update the privacy notice and cookie policy.
Yes: Friendly Captcha (Germany), MTCaptcha (Hong Kong infra but configurable EU region), hCaptcha (US but offers EU residency for enterprise), or a phone OTP service from a European operator (Sinch EU, OVHcloud SMS) combined with a simple email alternative. For pure anti-bot without phone, Friendly Captcha and Cloudflare Turnstile are the strongest European-friendly options.
List rc_session under strictly necessary, rc_visitor under functional or security, and rc_lang under functional. Add RingCaptcha Inc. to the list of recipients in the privacy notice, mention the United States and any SMS carrier countries, and link to RingCaptcha's privacy policy.