Privacy-friendly CAPTCHA alternative using proof-of-work challenges
ALTCHA is a Czech open-source CAPTCHA alternative that uses proof-of-work cryptographic challenges to distinguish humans from bots. It requires no third-party services, collects no personal data, and can run entirely self-hosted — making it fully GDPR-compliant by architecture rather than policy.
Headquarters: Prague, Czech Republic
Founded: 2023
EU Data Hosting: Yes
Employees: 1-10
Open Source: Yes
Pricing: Free, Free, €9/mo, Contact Sales
Billing: monthly, annual
Every CAPTCHA service solves the same problem the same way: it collects data about your users to decide whether they are human. reCAPTCHA sends behaviour signals to Google. hCaptcha sends them to Intuition Machines. Even ostensibly privacy-friendly alternatives frequently involve third-party servers that receive some signal about your visitors. The privacy cost of protecting your forms has been the standard assumption of the industry.
ALTCHA was built by a Czech developer to challenge that assumption. Released in 2023 under the MIT licence, it uses a fundamentally different mechanism — proof-of-work cryptographic challenges — that requires no data collection at all. The widget runs a short computation in the user's browser, generates a cryptographic proof, and submits it alongside the form. Your server verifies the proof. No third-party server receives anything. No cookies are set. No user data is transmitted.
The result is a CAPTCHA that is GDPR-compliant by architecture rather than policy. It is not GDPR-compliant because it has a privacy policy or a data processing agreement — it is GDPR-compliant because there is no personal data to collect, process, or transfer in the first place.
ALTCHA is headquartered in Prague and operated by a small independent team. The project is genuinely open-source: the server libraries, the client widget, and the cloud infrastructure code are all publicly available. This means independent security researchers can audit the implementation, and organisations that need proof of the security claims can inspect the code themselves.
The core mechanism is elegant. When a user reaches a protected form, the ALTCHA widget requests a challenge from your server. The challenge is a cryptographic puzzle — specifically, finding a nonce that produces a hash matching a target pattern. The user's browser solves this puzzle in the background, typically in under two seconds on modern hardware.
The solved challenge is submitted with the form. Your server verifies the solution using ALTCHA's server library. If the solution is valid and within the challenge's time window, the submission is accepted. The entire exchange involves only your browser and your server — no external service sees any part of it.
Challenge difficulty is configurable. Higher difficulty means more CPU cycles for the user's browser, stronger resistance to automated brute-force attempts, and a longer solution time. For most web forms, the default settings strike the right balance.
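The challenge, solve and verify exchange described above, sketched as an added example (not ALTCHA's own code, wire format or library API): a generic hashcash-style scheme in which the target pattern is a number of leading zero bits and the challenge is HMAC-signed so the server can verify it without storing it. The names SERVER_KEY, new_challenge, solve and verify, the field layout and the in-memory replay set are assumptions of this sketch.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
_spent = set()  # signatures of accepted challenges; use a shared store with expiry in production

def _zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _sign(salt, bits, expires):
    msg = f"{salt}|{bits}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def new_challenge(bits=16, ttl=120, now=None):
    """Server: issue a stateless challenge; the HMAC binds difficulty and expiry."""
    expires = int(time.time() if now is None else now) + ttl
    salt = secrets.token_hex(12)
    return {"salt": salt, "bits": bits, "expires": expires,
            "sig": _sign(salt, bits, expires)}

def solve(ch):
    """Client: brute-force the first nonce whose hash has enough leading zero bits."""
    nonce = 0
    while _zero_bits(hashlib.sha256(f"{ch['salt']}{nonce}".encode()).digest()) < ch["bits"]:
        nonce += 1
    return nonce

def verify(ch, nonce, now=None):
    """Server: accept only an untampered, unexpired, unused, correctly solved challenge."""
    now = time.time() if now is None else now
    try:
        salt, sig = str(ch["salt"]), str(ch["sig"]).encode()
        bits, expires, nonce = int(ch["bits"]), int(ch["expires"]), int(nonce)
    except (KeyError, TypeError, ValueError):
        return False  # malformed submission
    if not hmac.compare_digest(sig, _sign(salt, bits, expires).encode()):
        return False  # forged, or difficulty/expiry edited by the client
    if now > expires or sig in _spent:
        return False  # outside the time window, or a replayed solution
    if _zero_bits(hashlib.sha256(f"{salt}{nonce}".encode()).digest()) < bits:
        return False  # the work was not done
    _spent.add(sig)
    return True

if __name__ == "__main__":
    ch = new_challenge(bits=16)
    print(verify(ch, solve(ch)))
```

Each extra bit of difficulty doubles the expected number of hashes the client must compute, while verification stays at one hash and one HMAC on the server.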
Self-hosting ALTCHA requires no API keys, no accounts, no vendor relationship. You deploy the widget as a Web Component (a standard browser API, no framework required), add one of the server libraries to your backend, and you're done. The widget is under 10 KB and adds no meaningful latency to page loads.
Server-side libraries are available for Node.js, Python, Go, PHP, and Rust — covering the majority of backend environments. Community contributions extend this to additional frameworks. Each library handles challenge generation and verification in a few lines of code.
ALTCHA supports a fully invisible mode that requires no user interaction at all. In this mode, the proof-of-work runs silently when the form page loads, completing before the user typically finishes filling out the form. By the time they click submit, the challenge is already solved. From the user's perspective, there is no CAPTCHA — just a form that works.
This is particularly valuable for accessibility. Standard CAPTCHAs with image grids or audio challenges create barriers for users with visual impairments or cognitive disabilities. Invisible proof-of-work removes these barriers entirely.
For teams that want ALTCHA's privacy properties without managing server infrastructure, the ALTCHA Cloud service provides a hosted alternative. The cloud option processes data on EU-hosted infrastructure (ALTCHA is Czech-operated), includes a free tier up to 1,000 verifications per month, and scales through paid plans for higher volumes.
The cloud option adds spam filtering capabilities beyond basic proof-of-work — analysing form field patterns and submission timing to catch bots that can solve computational challenges. This hybrid approach is more robust than pure proof-of-work for high-value or high-volume forms.
The MIT licence means ALTCHA can be used commercially without restriction. More importantly, the source code is public. Security-conscious organisations can review the cryptographic implementation, run penetration tests against their own ALTCHA deployments, and verify that the privacy claims are true in code, not just in documentation.
This openness also means the project is not dependent on ALTCHA's continued operation. If the company ceases to exist tomorrow, every organisation running a self-hosted ALTCHA deployment continues to operate normally.
ALTCHA's pricing divides cleanly into two tracks. Self-hosting is completely free, forever, with no usage limits, no API keys, and no account required. If you have a server and a few minutes, you can deploy ALTCHA at zero cost.
The ALTCHA Cloud service introduces pricing for teams that want a managed option. A free cloud tier covers up to 1,000 verifications per month — enough for low-traffic sites or evaluation purposes. The Pro plan at EUR 9/month covers up to 100,000 verifications monthly, adding spam filtering and an analytics dashboard. Business plans above that threshold are custom-priced.
At EUR 9/month for 100,000 verifications, ALTCHA Cloud competes directly with Captcha.eu's entry-level plans and undercuts hCaptcha's commercial pricing significantly. The free self-hosted option is obviously unbeatable on cost.
The trade-off is support. Self-hosted ALTCHA users rely on GitHub issues and community documentation. ALTCHA Cloud plans include email support, but this is a small team — response times will not match enterprise vendors.
ALTCHA's compliance position is the strongest of any CAPTCHA service in this directory, precisely because it is architectural. When self-hosted, there is literally no data transmission to any third party. No analytics platform receives your traffic. No CDN logs your users' IP addresses. The form submission process looks identical to a form with no CAPTCHA at all, from a network traffic perspective.
This means no data processing agreement is needed with ALTCHA when you self-host. There is no data processor — there is no data. GDPR Article 28 (processor agreements) simply does not apply because ALTCHA processes nothing about your users.
For the ALTCHA Cloud option, standard GDPR processor obligations apply. ALTCHA publishes a data processing agreement and processes data on EU-hosted infrastructure. The data minimisation is still much stronger than reCAPTCHA or hCaptcha — only the minimum signals needed for verification are collected, not behavioural profiles.
The Czech Republic is an EU member state. ALTCHA falls under EU jurisdiction. Open-source code means compliance claims can be verified by inspection rather than trusted on faith.
Privacy-first development teams building applications where minimising data collection is a genuine design requirement, not an afterthought. ALTCHA's self-hosted option literally collects nothing.
GDPR compliance teams who want to eliminate the cookie banner and data processing notice overhead that comes with reCAPTCHA or hCaptcha deployments. No cookies, no notice required.
Developers on tight budgets who need bot protection for contact forms, login pages, or comment sections without paying commercial CAPTCHA fees. Self-hosted ALTCHA is permanently free.
Teams building accessible applications where image-based CAPTCHAs create barriers for users with disabilities. ALTCHA's invisible mode removes the challenge entirely.
ALTCHA is the most privacy-sound CAPTCHA option available for EU-hosted web applications. The proof-of-work approach is genuinely novel in a market dominated by behavioural fingerprinting, and the self-hosted option's zero data collection is architecturally irreproachable from a GDPR standpoint. The limitations are real: proof-of-work cannot match ML-based fraud scoring for detecting sophisticated bots, the ecosystem is young, and low-power device users may notice the brief CPU spike. For forms where the threat model is unsophisticated spam bots rather than targeted attacks, ALTCHA solves the problem cleanly.
No. When self-hosted, ALTCHA's proof-of-work mechanism requires no cookies, no fingerprinting, and no personal data. All challenge data stays on your own server. The ALTCHA Cloud option processes data on EU-hosted infrastructure and collects only the minimum needed to verify challenges — not user identity data.
Yes. ALTCHA is released under the MIT licence. The full server and widget source code is on GitHub. You can run it entirely on your own infrastructure with no external API calls. Server libraries cover Node.js, Python, Go, PHP, and Rust.
reCAPTCHA sends data to Google's servers for analysis, which creates GDPR compliance obligations around international data transfers. ALTCHA has no third-party data flows when self-hosted. reCAPTCHA's ML-based risk scoring is more sophisticated at detecting advanced bots; ALTCHA's proof-of-work does not learn from attack patterns over time. For privacy-first deployments against standard spam, ALTCHA is the better choice.
The challenge runs briefly in the browser, typically completing in under two seconds on modern hardware. Challenge difficulty is configurable. Users on low-power devices may notice a brief pause, particularly at higher difficulty settings. Invisible mode minimises perceived impact by starting the computation when the page loads.
Yes, with considerations. The self-hosted version scales with your own infrastructure — there are no rate limits or usage caps. For very high-traffic sites, the ALTCHA Cloud Business plan offers unlimited verifications with SLA guarantees. The main limitation is the lack of ML-based fraud scoring, which means sophisticated bots with significant computing resources can complete proof-of-work challenges given enough time.