GDPR-compliant invisible CAPTCHA service with EU data processing
Captcha.eu is an Austrian invisible CAPTCHA service designed specifically for GDPR compliance. Founded in Salzburg in 2023, it processes all data exclusively within the EU, uses no cookies or personal data, and verifies users invisibly without requiring any interaction — making it accessible and privacy-friendly by default.
Headquarters: Salzburg, Austria
Founded: 2023
EU Data Hosting: Yes
Employees: 1-10
Pricing: €7/mo, €19/mo, €49/mo, Contact Sales
Billing: monthly, annual
A mid-sized Austrian e-commerce business needed to protect its checkout flow from bot-generated fraud. The obvious answer — Google's reCAPTCHA — was off the table. Legal had flagged that reCAPTCHA v3's data flows to Google's US servers required a transfer impact assessment, a data processing agreement update, and a cookie notice revision. The timeline for that paperwork stretched past the project deadline.
Captcha.eu was the answer they landed on. Founded in Salzburg in 2023, it is an invisible CAPTCHA service designed from the ground up for GDPR-constrained environments. No cookies. No personal data. All processing in Austrian EU data centres. No transatlantic transfers to document. The integration took an afternoon; the compliance review took none at all.
This origin story — compliance-driven adoption — captures Captcha.eu's positioning precisely. It is not trying to outcompete reCAPTCHA on threat intelligence or fraud scoring sophistication. It is offering something reCAPTCHA cannot: a frictionless CAPTCHA that your legal team can approve without paperwork.
The service works through invisible behavioural analysis. When a user interacts with a protected form, Captcha.eu's JavaScript analyses a combination of signals — timing patterns, interaction sequences, browser environment characteristics — without storing identifiers or setting cookies. It assigns a score, and your backend decides what to do with low-confidence submissions. Most legitimate users never know a CAPTCHA was present.
Captcha.eu is based in Salzburg, Austria, an EU member state. The team is small; the company was founded in 2023. That youth is both a limitation and a source of focus — every product decision is shaped by the single use case of GDPR-compliant bot protection.
Captcha.eu's defining characteristic is that users never encounter a challenge. There is no "I'm not a robot" checkbox, no image grid, no audio puzzle. The verification runs silently during form interaction and completes before the user clicks submit. From a user experience standpoint, the protected form behaves identically to an unprotected one.
This has two practical benefits beyond convenience. First, it removes the accessibility barrier entirely. Screen reader users, users with motor disabilities, and users with cognitive impairments that make image-based CAPTCHAs difficult do not encounter any obstacle. Second, it eliminates abandonment from CAPTCHA friction — studies consistently show that visible CAPTCHA challenges cause measurable form abandonment, particularly on mobile.
Captcha.eu does not set cookies. It does not collect IP addresses, device fingerprints, or any other personal data as part of its verification process. The behavioural signals it analyses are used to generate a score and then discarded — they are not stored, profiled, or transferred.
This architecture means no cookie consent banner is needed specifically for Captcha.eu. More significantly, it means no GDPR Article 28 data processing agreement is required — there is no personal data to process. Legal teams evaluating CAPTCHA suppliers typically need weeks to review DPAs and conduct transfer impact assessments for US-based services. Captcha.eu takes that requirement off the table.
All Captcha.eu infrastructure is hosted in Austria. Verification requests hit Austrian servers. No data transits outside the EU. For organisations whose data governance policies prohibit or restrict transatlantic data flows — increasingly common in healthcare, finance, and public sector contexts — Captcha.eu's single-jurisdiction architecture eliminates the compliance problem at source.
This is structurally different from claiming "we are GDPR compliant" while routing data through US-based CDN nodes. Captcha.eu's EU-only processing is a technical property of the infrastructure, not a contractual assertion.
Captcha.eu's integration is a JavaScript snippet and a server-side verification call. For WordPress sites, a plugin handles the entire integration without custom code. For Contact Form 7 and Gravity Forms, dedicated plugins exist. For custom implementations, the JavaScript API follows standard patterns that developers familiar with reCAPTCHA will recognise immediately.
The verification response is a simple pass/fail with a confidence score that your backend can act on. Form submissions with low-confidence scores can be queued for manual review rather than rejected outright — useful for forms where blocking genuine users carries a high cost.
Captcha.eu provides a basic analytics dashboard showing verification volume, pass rates, and blocked request counts over time. This data stays within the EU and is aggregated — it does not include user-level data. For operations teams monitoring bot attack trends, the dashboard provides enough visibility to track whether protection is working.
Captcha.eu prices by verification volume with four tiers. The Starter plan at EUR 7/month covers 10,000 verifications monthly on a single domain. Business at EUR 19/month extends to 50,000 verifications across five domains. Professional at EUR 49/month covers 200,000 verifications with unlimited domains.
There is no free tier. This is the most significant commercial limitation compared to alternatives. ALTCHA offers a free self-hosted option and a free cloud tier up to 1,000 verifications. hCaptcha has a free tier for lower-traffic sites. Captcha.eu requires payment from the first use, which rules it out for hobbyist projects and low-budget deployments.
The per-verification economics are reasonable for commercial deployments. EUR 7/month for 10,000 verifications works out to EUR 0.0007 per verification — less than a tenth of a cent. At higher volumes, the Professional plan's 200,000 verifications for EUR 49/month represents comparable efficiency. For sites with millions of monthly form interactions, Enterprise pricing applies.
Annual billing discounts exist but are not prominently advertised. The billing model is monthly subscription with no long-term commitment required.
Captcha.eu's compliance position is simple to explain and verify. Austrian company. EU data centres. No personal data collected. No cookies set. No international transfers.
This means standard GDPR compliance obligations that attach to personal data processing — lawful basis, data subject rights, retention limits, transfer mechanisms — do not apply to Captcha.eu's processing because there is no personal data involved. The practical effect is a CAPTCHA integration that legal teams can approve in a single conversation rather than a multi-week review cycle.
Austria is an EU member state with a strong data protection culture. The Austrian Data Protection Authority (Datenschutzbehörde) is Captcha.eu's supervisory authority. For EU-based organisations, this is a familiar regulatory environment.
Captcha.eu is relatively new and lacks the independent audit certifications (ISO 27001, SOC 2) that larger enterprise buyers often require from vendors. This is a genuine gap for compliance-heavy procurement environments. The company's size and age mean audit investments are still ahead of it rather than behind it.
E-commerce and SaaS businesses serving EU customers where GDPR compliance is a genuine operational constraint and CAPTCHA friction affects conversion rates. The invisible verification preserves user experience while satisfying the legal team.
Healthcare and financial services organisations whose data governance policies prohibit third-country data transfers. Captcha.eu's Austrian infrastructure eliminates the transfer question completely.
Marketing and lead generation teams protecting high-value forms — contact forms, demo requests, newsletter signups — where CAPTCHA abandonment is a measurable revenue problem. Invisible verification removes the friction.
Public sector and regulated entities that need EU-only supply chain for all web services, including bot protection infrastructure.
Captcha.eu is the right tool when GDPR compliance drives the CAPTCHA decision and user experience is a close second. The invisible verification eliminates form friction, the EU-only architecture eliminates data transfer paperwork, and the no-cookies approach eliminates consent banner complexity. What it cannot offer is ML-based threat intelligence depth — reCAPTCHA v3's risk scoring benefits from Google's global fraud signal network, which Captcha.eu cannot match. For organisations where that trade-off is acceptable (most commercial forms), Captcha.eu solves the real problem cleanly. The absence of a free tier is the main barrier to adoption for smaller operations.
No. Captcha.eu collects no cookies and no personal data. The verification process analyses behavioural signals during form interaction without storing identifiers or transmitting data that could identify individual users. No cookie consent banner is required for Captcha.eu specifically.
Yes. Captcha.eu is operated from Austria, an EU member state, and processes all data exclusively in EU data centres. No personal data is collected, no cookies are set, and no data is transferred to third countries. No GDPR data processing agreement is required because no personal data is processed.
Both are invisible CAPTCHAs that score user behaviour without showing a challenge. reCAPTCHA v3 sends data to Google's US servers, which requires GDPR documentation for transatlantic transfers. Captcha.eu processes everything in Austria with no personal data collection. Google's risk scoring is more battle-tested and benefits from global threat intelligence that Captcha.eu cannot match at this stage of its development.
Captcha.eu does not offer a permanent free tier. Some plans include a trial period. For a free GDPR-compliant alternative, consider ALTCHA, which offers free self-hosting and a free cloud tier up to 1,000 verifications per month.
Captcha.eu assigns a confidence score to each verification. If the score falls below your configured threshold, the submission is flagged. Depending on your implementation, low-confidence submissions can be rejected or held for manual review. There is no image-selection fallback, so low-confidence cases must be handled in your application logic.
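One way to write the application-side handling described here and in the integration notes (pass/fail plus a confidence score, with low-confidence submissions held for manual review), as an added example that is not Captcha.eu's code. The result shape { success, score }, the 0 to 1 score range, the threshold values and the function names are assumptions for illustration, not the service's documented API.

```javascript
// Added example: routes a form submission on a CAPTCHA verification result.
// Assumed (hypothetical) result shape: { success: boolean, score: 0..1 }.
const DEFAULT_POLICY = { acceptAt: 0.7, rejectBelow: 0.2 }; // constructed values

function triageSubmission(result, policy = DEFAULT_POLICY) {
  const { acceptAt, rejectBelow } = policy;
  // A misconfigured policy must fail loudly, not silently accept everything.
  if (!(rejectBelow >= 0 && rejectBelow <= acceptAt && acceptAt <= 1)) {
    throw new RangeError("policy must satisfy 0 <= rejectBelow <= acceptAt <= 1");
  }
  // Verification call failed or returned nothing: never treat that as a pass.
  if (result === null || typeof result !== "object") {
    return { action: "review", reason: "no_verification_result" };
  }
  const { success, score } = result;
  const scoreValid = typeof score === "number" && Number.isFinite(score) &&
    score >= 0 && score <= 1;
  if (typeof success !== "boolean" || !scoreValid) {
    return { action: "review", reason: "malformed_verification_result" };
  }
  if (!success) return { action: "reject", reason: "verification_failed" };
  if (score >= acceptAt) return { action: "accept", reason: "score_ok" };
  if (score < rejectBelow) return { action: "reject", reason: "score_too_low" };
  // There is no challenge fallback, so the middle band goes to a human.
  return { action: "review", reason: "low_confidence" };
}

// Applies the decision; `queue` is an in-memory stand-in for the
// application's own moderation store.
function handleSubmission(form, result, queue, policy = DEFAULT_POLICY) {
  const decision = triageSubmission(result, policy);
  if (decision.action === "review") {
    queue.push({ form, reason: decision.reason });
  }
  return decision;
}
```

A missing or malformed verification result is held for review rather than accepted, so an outage of the verification call does not turn into an open form.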