Do I need to disclose hCaptcha in my privacy policy?

Yes. hCaptcha processes user data on your behalf, making Intuition Machines Inc a data processor under GDPR and CCPA. You must disclose its use, the data it collects, and your lawful basis for processing (typically legitimate interest in security). Failure to disclose third-party processors violates privacy regulations and transparency obligations.

What specific data does hCaptcha collect?

hCaptcha collects challenge responses (user interactions with the CAPTCHA puzzle), IP addresses, and browser information (user agent, headers). This data is used to train AI models and improve bot detection accuracy. Unlike some competitors, hCaptcha does not set persistent cookies or use tracking pixels by default.

Does hCaptcha require a cookie consent banner?

No dedicated cookie consent is required because hCaptcha does not set cookies. However, your general privacy notice must disclose that hCaptcha collects IP and browser data when users complete challenges. If your website uses cookies for other purposes, your existing consent banner should cover all third-party processing activities.

Who processes my data when I complete an hCaptcha challenge?

Intuition Machines Inc, a United States-based company, processes hCaptcha data as your data processor. Data may be transferred to or stored in the US. If you are in the EU, you should have Standard Contractual Clauses or equivalent safeguards in place with Intuition Machines to comply with GDPR cross-border transfer requirements.

Security

Privacy policy clauses for hCaptcha

hCaptcha is a bot detection service that verifies you are human by presenting challenges. Websites use it to prevent spam, abuse, and unauthorized access while minimizing personal data collection compared to traditional CAPTCHA providers.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data hCaptcha collects

Your privacy policy must disclose each of the following data types when you use hCaptcha.

Challenge responses

IP address

Browser info

When does hCaptcha trigger privacy obligations?

Installation triggers immediate data collection

The moment hCaptcha's JavaScript loads on your site or app, Intuition Machines Inc (US-based) begins collecting:

–IP addresses from every visitor attempting to solve a challenge
–Browser fingerprinting data (user agent, screen resolution, device identifiers)
–Challenge interaction logs (how users interact with the CAPTCHA UI)

No user action is required for IP and browser data to flow to hCaptcha's servers.

Jurisdictional obligations

Common compliance pitfalls

Pitfall 1: No privacy policy update = non-compliance

The mistake: Deploying hCaptcha without updating your privacy policy to disclose Intuition Machines as a data processor or explaining what IP/browser data is collected.

Why it happens: Developers treat hCaptcha as "just a security widget" and forget it's a third-party data processor. hCaptcha's website emphasizes privacy-friendliness, which can lull operators into skipping disclosure.

Consequence: GDPR enforcement action (data subjects have no transparency), CCPA liability for undisclosed collection, and reputational damage if users discover an undisclosed third party received their IP. Regulators (e.g., UK ICO, California AG) specifically flag missing processor disclosures during audits.

Pitfall 2: Missing or unsigned Data Processing Agreement (DPA)

The mistake: Using hCaptcha without a signed DPA or processor agreement with Intuition Machines, treating it as a "service" rather than a data processor.

Why it happens: Small teams assume hCaptcha is a "service" like Stripe and don't seek a formal DPA. hCaptcha does not loudly advertise DPA requirements.

Consequence: Direct GDPR Article 28 violation; the Austrian DPA and similar bodies have penalized companies for missing processor agreements. Without a DPA, you cannot demonstrate "appropriate safeguards" under GDPR Article 32, and liability falls entirely on you if hCaptcha mishandles data.

Pitfall 3: Misaligned consent categories in consent banners

The mistake: Bucketing hCaptcha under "Marketing" or "Analytics" instead of "Functional" or "Security" in your cookie/consent tool, or failing to auto-load hCaptcha on pages that do not require it.

Why it happens: Consent banner tools default to broad categories; operators do not review whether hCaptcha should fire before consent is given.

Consequence: If hCaptcha is miscategorized, you may load it without valid consent. GDPR recital 32 permits security measures without consent, but only if strictly necessary; misconfiguration looks like intentional consent-dodging. Regional DPAs (France CNIL, Germany BfDI) routinely flag this in audits.

Privacy policy clauses for hCaptcha

What data hCaptcha collects

When does hCaptcha trigger privacy obligations?

Installation triggers immediate data collection

Jurisdictional obligations

First concrete step

Where data goes

Common compliance pitfalls

Pitfall 1: No privacy policy update = non-compliance

Pitfall 2: Missing or unsigned Data Processing Agreement (DPA)

Pitfall 3: Misaligned consent categories in consent banners

Legal note

Sample privacy policy clause

What regulators look for

Primary audit focus: DPA and processor documentation

Secondary focus: Consent and transparency

Tertiary focus: Necessity and retention

Practical signal

Frequently asked questions

Do I need to disclose hCaptcha in my privacy policy?

What specific data does hCaptcha collect?

Does hCaptcha require a cookie consent banner?

Who processes my data when I complete an hCaptcha challenge?

Don't ship without Bandit.