Privacy Policy

Learn what we collect, how we use it, and how we keep reForge Captcha GDPR-friendly.

Overview

Last updated: 1 April 2026

This Privacy Policy explains how reForge Captcha (“we”, “us”, “our”) collects and uses information when you create and manage an account, integrate our widgets and verification API on your sites, or use our website and dashboard. We design reForge Captcha to be privacy-respecting and GDPR-friendly.

We do not use long-term tracking cookies for visitors who encounter our CAPTCHA widgets. We only process the data needed to run the service, detect automated abuse, and give you short-term logs and statistics.

Who is responsible for your data

For the purposes of the EU General Data Protection Regulation (“GDPR”), the data controller for the reForge Captcha service is:

Quantix Foundation
Email: hello@quantixfoundation.com

When you integrate reForge Captcha into your own site or application, you act as the controller for your visitors’ data and we act primarily as your processor for verification data.

Data we collect

Account and authentication data

When you create and use a reForge Captcha account we process:

  • Username and email address.
  • Password (stored only as a salted, one-way hash).
  • Optional security settings such as two-factor authentication secrets and passkey public keys and metadata.
  • Account status and timestamps (account creation date, last login, whether the account is active or marked for deletion).
  • Optional company or project name where you provide it.

We use this data to create and secure your account, let you sign in, and communicate with you about the Service (for example security notices or important changes).

Password reset data

When you request a password reset we generate a one-time reset link and store:

  • A unique reset token linked to your account.
  • The time the reset request was created.
  • The time the reset link expires (normally after about 1 hour).
  • Whether the reset link has been used.

Expired or used reset tokens are no longer valid and are deleted or securely anonymised after a short period.

Site and integration data

When you register sites or applications that use reForge Captcha we process:

  • Site name and domain.
  • Site keys and secret keys used to integrate the widget and verification API.
  • Widget configuration such as widget type, theme, language, size, badge position, and custom messages or styling.
  • Per-site security and usage settings, including activation status, subdomain allowance, risk score thresholds, monthly limits and how many verifications have been used in the current period.

We use this information to provide, secure, and configure the Service for your sites.

API keys and access logs

If you create API keys we process:

  • API key name and permissions.
  • The key value itself (stored securely).
  • Whether each key is active or disabled.
  • When a key was created and when it was last used.

This allows you to manage and audit how your integrations access the Service.

Verification and risk data

When a visitor encounters a reForge Captcha widget and a verification request is made, we process the data required to decide whether the interaction is likely human or automated, for example:

  • The site and account the verification belongs to.
  • A short-lived token for the verification request.
  • IP address and network information at the time of verification.
  • Browser or device information (such as user-agent) that helps detect automated tools.
  • The outcome of the verification (passed, failed, suspicious, or blocked by rate limiting) and the assigned risk score.
  • Context such as hostname, challenge type (checkbox, invisible, managed, image), and optional action labels you define.
  • A timestamp for when the verification took place.

We do not use this data to build long-term behavioural profiles of individual visitors. It is used only to detect and block automated abuse and suspicious traffic and to provide short-term logs and aggregated statistics.

Daily statistics

For each of your sites we generate daily summaries of verification activity, including:

  • Total number of verifications for that day.
  • Number that passed, failed, or were marked as suspicious.

These are per-site aggregates and do not contain full per-visitor details. They exist to let you see trends (for example spikes in failed or suspicious traffic) over a short rolling period.

How long we keep data

We keep data only as long as necessary for the purposes described above or as required by law.

  • Verification logs and recent activity: Your dashboard shows only a limited window of the most recent verification entries per site. As new verifications come in, older ones roll out of the interface. Under the hood, verification records are retained only for a short rolling period (for example up to 14 days) to support abuse analysis and per-site statistics, after which they are permanently deleted or fully anonymised.
  • Daily per-site statistics: Aggregated daily counts (total, passed, failed, suspicious) are kept for a short historical window, typically up to 14 days. This allows you to view trends per site or across your sites for approximately the last two weeks. Older daily entries are then removed.
  • Password reset data: Reset tokens are valid for a limited time (normally around 1 hour). After expiry or successful use, reset tokens are deleted or securely invalidated after a short grace period.
  • Account and site configuration data: We keep account, site, and configuration data for as long as your account is active. If you request deletion of your account, we will remove or irreversibly anonymise personal data that is no longer needed, subject to limited retention required for security, anti-abuse, or legal reasons.

Cookies and similar technologies

The reForge Captcha widgets and API are designed to operate without placing long-term tracking cookies on your visitors solely for verification purposes. We may use strictly necessary technologies that help us ensure that repeated requests from the same browser during a short window are treated consistently and to protect the Service from automated abuse and rate-limiting bypass.

Where our own website or dashboard uses cookies for preferences, sessions, or analytics, these will be described in a separate cookie notice or banner.

How we share data

We do not sell your personal data. We may share limited data in the following situations:

  • Service providers: With trusted infrastructure and email providers who help us run the Service (for example hosting, email delivery, monitoring). These providers only process data on our behalf and under appropriate data protection agreements.
  • Legal and safety: Where required to comply with a legal obligation, court order, or lawful request from authorities, or where necessary to protect our rights, property, or safety, or that of our users or the public.
  • Business transfers: If we are involved in a merger, acquisition, or similar transaction, data may be transferred as part of that process. We will take steps to ensure that any receiving party continues to protect your data consistent with this Policy.

We do not use verification data to build advertising profiles or to track individuals across unrelated sites.

International transfers

Our infrastructure may be located in or involve transfers to countries outside your own jurisdiction. Where GDPR applies and data is transferred outside the European Economic Area (EEA), we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or other mechanisms that ensure an adequate level of protection.

Your rights

If you are in the EEA, UK, or another region with similar data protection laws, you may have the following rights, subject to limitations under applicable law:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your personal data in certain circumstances.
  • Restriction: request that we temporarily limit how we process your data.
  • Objection: object to processing based on legitimate interests where you believe your rights override our interests.
  • Data portability: request a copy of certain data in a structured, commonly used, machine-readable format.

To exercise any of these rights, contact us at hello@quantixfoundation.com. We may need to verify your identity before responding. You also have the right to lodge a complaint with your local data protection authority if you believe our processing does not comply with applicable law.

Your visitors’ data

When you use reForge Captcha on your own site, you act as the primary controller for your visitors’ data. We process verification-related data on your instructions and under this Privacy Policy and our Terms.

You are responsible for informing your visitors that you use a third-party CAPTCHA service, for providing any required notices or consents, and for ensuring that your use of reForge Captcha complies with applicable laws and your own privacy commitments.

Security

We take reasonable technical and organizational measures to protect the data we process, including encrypted connections, hardened infrastructure, and access controls for internal systems. We also provide security features such as two-factor authentication and passkeys to help you protect your account.

No online service is completely risk-free. If you believe you have found a security issue in or affecting reForge Captcha, please contact us at security@quantixfoundation.com.

Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top. Where changes are material, we will provide a notice in the dashboard and/or by email where appropriate.

If you continue using the Service after the updated Policy takes effect, you are deemed to have accepted it.

Privacy-first by design

GDPR-friendly abuse protection, free for most projects.

Create Free Account