Vaptcha is a Chinese CAPTCHA and bot-detection service that uses behavioral analysis and gesture verification to distinguish humans from bots. When embedded on EU websites, visitor behavioral data, IP addresses, and browser fingerprints are transmitted to Vaptcha servers in China. China has no EU adequacy decision, making this a high-risk international transfer. European data protection authorities strongly recommend replacing Vaptcha with EU-hosted CAPTCHA alternatives such as hCaptcha or Friendly Captcha.
Vaptcha is a Chinese CAPTCHA service that uses gesture-based human verification and behavioral analysis. It is widely used in China and increasingly embedded in international websites. When loaded on EU websites, it transmits visitor behavioral data, IP addresses, and browser fingerprints to Vaptcha servers in China.
China has no EU adequacy decision. The Chinese Cybersecurity Law, Data Security Law, and National Security Law require Chinese companies to provide data access to authorities upon request. SCCs with Chinese entities are theoretically possible but practically difficult to enforce. EU DPAs including the French CNIL and German DPAs have flagged transfers to China as problematic.
EU-hosted CAPTCHA alternatives: hCaptcha (privacy-focused, US-based but with EU data options), Friendly Captcha (German, EU-hosted, no personal data processing), Altcha (open-source, self-hostable), or Cloudflare Turnstile. All provide effective bot protection without data transfers to China.
Immediately replace Vaptcha with a GDPR-compliant CAPTCHA alternative. If replacement is not immediately possible: conduct a DPIA, implement consent before loading Vaptcha, attempt SCCs with Vaptcha, and document the risk assessment. Replacement is strongly recommended.
Websites using Vaptcha must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for Vaptcha given the China data transfer with no adequacy decision, potential exposure to Chinese intelligence law, and the processing of behavioral biometric data. Consider this a high-risk processing activity.
Sample consent text
This site uses Vaptcha for bot protection. Vaptcha processes behavioral interaction data on servers in China. Please accept to use this feature or contact us for an alternative.
Third-party domains contacted
www.vaptcha.com
api.vaptcha.com
cdn.vaptcha.com
v.vaptcha.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| vaptcha_token | security | Session | Stores the CAPTCHA verification token after the user completes the challenge, used for server-side validation. |
| vaptcha_vid | security | 24 hours | Assigns a visitor identifier for behavioral analysis to distinguish humans from bots. |
| vaptcha_risk_score | security | Session | Stores the computed risk score from client-side behavioral analysis, including mouse movements and interaction patterns. |
| vaptcha_lang | functionality | 1 year | Remembers the selected language preference for the CAPTCHA widget interface. |
Vaptcha is a human verification (captcha) service that sets cookies to distinguish legitimate users from bots. These include session tokens, risk assessment identifiers, and device fingerprint data. Vaptcha may store persistent cookies to remember verified users and reduce repeated challenges.
Vaptcha occupies a nuanced position under the ePrivacy Directive. If used solely for security purposes (bot protection on login or contact forms), it may qualify as strictly necessary and not require prior consent. However, if Vaptcha sets persistent tracking cookies beyond what is needed for verification, consent may be required.
The primary legal basis is legitimate interest under Article 6(1)(f) GDPR for protecting your website against automated abuse. For strictly necessary security cookies, Article 5(3) of the ePrivacy Directive provides an exemption. Document your legitimate interest assessment to justify why Vaptcha is needed.
Vaptcha is developed by a Chinese technology company, and data may be processed on servers located in China. This constitutes a transfer to a third country without an EU adequacy decision. You must implement appropriate safeguards and clearly disclose this transfer in your privacy policy.
A DPIA is recommended for Vaptcha implementations because the service processes device fingerprints and behavioral data, involves data transfers to China (a country without an EU adequacy decision), and applies automated decision-making to determine human versus bot status.
Disclose Vaptcha's use in your privacy policy, including data transfers to China. If consent is required, integrate Vaptcha loading with your consent management platform so the script is not fetched until consent has been given. Consider using Vaptcha only on forms where bot protection is genuinely necessary rather than site-wide. Document your legitimate interest assessment.
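A consent-gated loader of the kind described above, added here as an example and not code from Vaptcha or FlowConsent. The script path and the shape of the consent record are assumptions; the four hostnames are the ones this page lists as contacted by Vaptcha.

```javascript
// Consent-gated loader for a third-party CAPTCHA script (added example, not
// Vaptcha's or FlowConsent's own code). The hostnames below are the four this
// page lists; the script path and the consent record shape are assumptions.
const VAPTCHA_HOSTS = new Set([
  "www.vaptcha.com", "api.vaptcha.com", "cdn.vaptcha.com", "v.vaptcha.com",
]);

// Placeholder script location: the real widget path is not on this page.
const VAPTCHA_SCRIPT_URL = "https://cdn.vaptcha.com/PLACEHOLDER-widget.js";

// Only inject scripts served over HTTPS from the known Vaptcha hosts, so a
// misconfigured or tampered consent config cannot point the loader elsewhere.
// Exact hostname match also rejects look-alike hosts such as
// "cdn.vaptcha.com.example".
function isAllowedVaptchaUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  return parsed.protocol === "https:" && VAPTCHA_HOSTS.has(parsed.hostname);
}

// Assumed consent record: { security: bool, thirdCountryTransfer: bool }.
// The page treats the transfer to China as the high-risk element, so both the
// security purpose and the third-country transfer must be explicitly accepted.
function hasVaptchaConsent(consent) {
  return !!(consent && consent.security === true &&
            consent.thirdCountryTransfer === true);
}

// `doc` is a document-like object exposing createElement() and head.appendChild()
// so the decision logic can be exercised outside a browser; in a page, pass
// window.document. Returns a string describing the outcome so the consent
// platform can log why the script was or was not loaded.
function loadVaptchaIfConsented(consent, doc, scriptUrl = VAPTCHA_SCRIPT_URL) {
  if (!hasVaptchaConsent(consent)) return "blocked-consent";
  if (!isAllowedVaptchaUrl(scriptUrl)) return "blocked-url";
  const s = doc.createElement("script");
  s.src = scriptUrl;
  s.async = true;
  s.referrerPolicy = "no-referrer"; // do not leak the page URL to the third country
  doc.head.appendChild(s);
  return "loaded";
}
```

Until `loadVaptchaIfConsented` returns "loaded", no request reaches any vaptcha.com host, which is the behavior a consent-before-loading integration has to guarantee.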
Consider EU-based or privacy-focused CAPTCHA solutions such as hCaptcha (with privacy options), Friendly Captcha (German company, GDPR-focused), or mCaptcha (open-source, self-hosted). These alternatives process data within the EEA and minimize tracking, reducing compliance complexity.
Add Vaptcha to your cookie declaration listing all cookies it sets, including session tokens, verification identifiers, and any persistent cookies. Specify that data is processed by Vaptcha in China, state the purpose as security and bot prevention, and include cookie durations and types.