Data Processing Agreement

Last updated: April 15, 2026

1. Scope

This Data Processing Agreement ("DPA") supplements the BotFlush Terms of Service and applies where BotFlush processes personal data on behalf of a site operator ("Controller") in connection with the CAPTCHA verification service.

2. Definitions

"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the GDPR (EU Regulation 2016/679).

3. Data Processed

BotFlush processes the following categories of personal data on behalf of the Controller:

  1. IP addresses — processed transiently for rate limiting
  2. User-Agent strings — for device compatibility assessment
  3. Challenge interaction data — click/tap coordinates and timing

No special categories of personal data are processed. Data subjects are the Controller's website visitors.

4. Processing Purpose & Instructions

BotFlush processes personal data solely to provide the CAPTCHA verification service as instructed by the Controller through the Console configuration. We do not process data for any other purpose.

5. Security Measures

BotFlush implements appropriate technical and organizational measures, including: encrypted transit (TLS), access controls, minimal data collection by design, and automatic data purging after verification.

6. Sub-processors

BotFlush uses infrastructure providers to host the verification service. A current list of sub-processors is available upon request. We will notify Controllers before engaging new sub-processors.

7. Data Subject Rights

BotFlush will assist the Controller in responding to data subject requests (access, rectification, erasure) to the extent technically feasible given our minimal data retention.

8. Data Breach Notification

In the event of a personal data breach, BotFlush will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.

9. Data Retention & Deletion

Challenge interaction data is deleted immediately after verification. Aggregated statistics are retained for up to 90 days. Upon termination of the service, all Controller data is deleted within 30 days.

10. Contact

DPA inquiries: admin@botflush.com