CAPTCHA GDPR Compliance Documentation

Overview

This document describes the GDPR compliance mapping for the Google reCAPTCHA v2 integration used in the email verification resend flow of Conformo.

Implementation Details

  • Provider: Google reCAPTCHA v2
  • Integration Point: Email verification link resend form
  • Purpose: Prevent automated abuse and ensure security compliance

GDPR Compliance Mapping

1. Lawful Basis (Art. 6 GDPR)

Primary Basis: Legitimate Interest (Art. 6(1)(f) GDPR)

  • Interest: Protection of the Conformo platform from automated abuse, spam, and bot attacks
  • Necessity: CAPTCHA is necessary to verify human users and prevent system abuse
  • Balancing Test: The interest in platform security outweighs the minimal privacy impact of CAPTCHA verification

Alternative Basis: Contract Performance (Art. 6(1)(b) GDPR)

  • CAPTCHA verification is necessary to provide secure user registration and email verification services

2. Data Processing Details

Data Collected by Google reCAPTCHA

According to Google’s documentation, reCAPTCHA v2 may collect:

  • IP address
  • Cookies
  • Browser and device information
  • User interaction data (mouse movements, clicks, typing patterns)
  • Timestamp of the challenge

Data Controller

  • Primary Controller: Conformo (your organization)
  • Joint Controller/Processor: Google LLC

3. Subprocessor Information

Name: Google LLC
Service: Google reCAPTCHA v2
Location: United States (with global data centers)
Privacy Policy: https://policies.google.com/privacy
Purpose: Automated abuse prevention and bot detection

Data Protection Agreement: Google Cloud Platform Data Processing Terms
Standard Contractual Clauses: Yes (for EU-US transfers)
Adequacy Decision: N/A (relies on SCCs post-Schrems II)

4. Data Retention

  • CAPTCHA Challenge Data: Google retains interaction data for analysis purposes
  • Retention Period: As per Google’s privacy policy (varies by data type)
  • Conformo Logs: CAPTCHA verification attempts are logged in the auth_logs table
    • Retention: 90 days (as per authentication log retention policy)
    • Logged data: Success/failure status, timestamp, associated email (if authenticated)

5. International Data Transfers

  • Transfer Mechanism: Standard Contractual Clauses (SCCs)
  • Destination: United States and other Google data center locations
  • Safeguards: SCCs + Google’s data protection measures
  • User Notice: Mentioned in Privacy Policy

6. User Rights (GDPR Chapter III)

Users have the following rights regarding CAPTCHA data:

  • Right to Information (Art. 13-14): Disclosed in Privacy Policy
  • Right of Access (Art. 15): Users can request CAPTCHA log data from Conformo; Google data accessible via Google Account
  • Right to Rectification (Art. 16): Limited applicability (technical data)
  • Right to Erasure (Art. 17): Can be requested; subject to legitimate interest balancing
  • Right to Restriction (Art. 18): Available upon request
  • Right to Data Portability (Art. 20): Limited applicability (technical data)
  • Right to Object (Art. 21): Available; may impact service availability

7. Privacy by Design & Default (Art. 25)

  • Minimization: Only essential CAPTCHA data collected
  • Purpose Limitation: CAPTCHA only used for security verification
  • Storage Limitation: Logs deleted after 90 days
  • Security: CAPTCHA keys stored as environment variables, not in code
  • Transparency: CAPTCHA purpose explained to users

8. Transparency & User Information

Privacy Policy Disclosures

The following must be included in the Privacy Policy:

**CAPTCHA Verification**
We use Google reCAPTCHA v2 to prevent automated abuse and ensure platform security. 
When you request a new email verification link, Google reCAPTCHA collects and processes 
information about your device and browser to verify you are a human user.

Data collected may include: IP address, cookies, browser information, and user interaction 
patterns. This data is processed by Google LLC in accordance with their Privacy Policy: 
https://policies.google.com/privacy

Legal basis: Legitimate interest in platform security (GDPR Art. 6(1)(f)) and contract 
performance (GDPR Art. 6(1)(b)).

Data retention: CAPTCHA verification logs are retained for 90 days. Google's retention 
policies apply to data they collect.

Your rights: You can object to CAPTCHA processing, though this may limit your ability to 
use certain features. You can also request access to or deletion of your CAPTCHA-related 
data by contacting us at [privacy@conformo.ai].

User-Facing Notice

The resend form includes:

  • Visible CAPTCHA widget with clear purpose
  • Accessible ARIA labels in Italian and English
  • Error messages explaining CAPTCHA requirement

9. Security Measures

  • Key Management: CAPTCHA keys stored in environment variables
  • HTTPS: All CAPTCHA communications over HTTPS
  • Validation: Server-side CAPTCHA token verification
  • Rate Limiting: Additional rate limiting protects against brute force
  • Logging: CAPTCHA failures logged for security monitoring
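The server-side verification, environment-based key handling and minimal logging described in sections 4, 7 and 9, as an added example written for this document rather than code from the Conformo codebase. The siteverify endpoint, its request fields and the response shape are Google's documented ones; the hostname, the environment variable name, the two-minute freshness window and the column names of the auth_logs record are assumptions, and the sample responses are constructed.

```python
"""Server-side reCAPTCHA v2 verification for the resend form (example, not Conformo code)."""
from __future__ import annotations

import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

# Google's documented reCAPTCHA v2 verification endpoint.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Assumptions for this example: the document gives neither Conformo's hostname nor
# the environment variable name, and the freshness window is a local policy choice.
EXPECTED_HOSTNAME = "app.conformo.example"      # placeholder, not the real domain
SECRET_ENV_VAR = "RECAPTCHA_SECRET_KEY"
MAX_TOKEN_AGE = timedelta(minutes=2)


def load_secret_key() -> str:
    """Section 9: the secret key comes from the environment, never from source."""
    secret = os.environ.get(SECRET_ENV_VAR)
    if not secret:
        raise RuntimeError(f"{SECRET_ENV_VAR} is not set")
    return secret


def call_siteverify(secret: str, token: str, remote_ip: Optional[str]) -> dict:
    """POST the client token to Google over HTTPS and return the parsed JSON body."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def evaluate_siteverify(body: dict, now: datetime) -> Tuple[bool, str]:
    """Accept only a successful, fresh challenge solved on our own hostname.
    Returns (ok, reason) so the reason can be logged without the raw response."""
    if not body.get("success"):
        codes = ",".join(body.get("error-codes", [])) or "unspecified"
        return False, f"google-failure:{codes}"
    if body.get("hostname") != EXPECTED_HOSTNAME:
        return False, "hostname-mismatch"
    ts = body.get("challenge_ts")
    if not ts:
        return False, "missing-challenge-ts"
    solved_at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if now - solved_at > MAX_TOKEN_AGE:
        return False, "token-expired"
    return True, "ok"


def auth_log_entry(ok: bool, reason: str, now: datetime, email: Optional[str]) -> dict:
    """Section 4's auth_logs record: status, timestamp and email if known.
    The token, the client IP and Google's raw response are deliberately omitted
    (data minimization, section 7). Field names are an assumption."""
    return {"event": "captcha_verify", "success": ok, "reason": reason,
            "timestamp": now.isoformat(), "email": email}


def verify_resend_request(token: str, email: Optional[str], remote_ip: Optional[str] = None,
                          secret: Optional[str] = None, now: Optional[datetime] = None,
                          fetch: Callable[..., dict] = call_siteverify) -> Tuple[bool, dict]:
    """Full check for one resend-form submission. `secret` and `fetch` are
    injectable so the decision logic can be exercised offline."""
    now = now or datetime.now(timezone.utc)
    if not token:
        ok, reason = False, "missing-token"
    else:
        ok, reason = evaluate_siteverify(fetch(secret or load_secret_key(), token, remote_ip), now)
    return ok, auth_log_entry(ok, reason, now, email)


# Constructed sample responses in Google's documented shape (not captured traffic).
SAMPLE_NOW = datetime(2025, 10, 21, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSES = {
    "good": {"success": True, "challenge_ts": "2025-10-21T12:00:00Z", "hostname": EXPECTED_HOSTNAME},
    "stale": {"success": True, "challenge_ts": "2025-10-21T11:50:00Z", "hostname": EXPECTED_HOSTNAME},
    "other-site": {"success": True, "challenge_ts": "2025-10-21T12:00:00Z", "hostname": "other.example"},
    "rejected": {"success": False, "error-codes": ["invalid-input-response"]},
}


def demo() -> dict:
    """Run each constructed response through the full check with a stubbed fetch."""
    results = {}
    for name, body in SAMPLE_RESPONSES.items():
        ok, entry = verify_resend_request("client-token", "user@example.com", secret="dummy",
                                          now=SAMPLE_NOW, fetch=lambda s, t, ip, b=body: b)
        results[name] = (ok, entry["reason"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:11s} -> {outcome}")
```

In production `fetch` is left at its default so the real HTTPS call is made; the log record never contains the token or the client IP, which keeps the 90-day auth_logs retention limited to the status, timestamp and email the document lists.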

10. Accessibility Compliance

Google reCAPTCHA v2 includes:

  • Audio challenges for visually impaired users
  • Keyboard navigation support
  • Screen reader compatibility
  • High contrast mode
  • Multiple language support (Italian/English configured)

Additional accessibility measures:

  • ARIA labels and regions
  • Semantic HTML structure
  • Error messages in accessible format
  • Keyboard-only navigation support

11. Data Protection Impact Assessment (DPIA)

Required: No (low-risk processing)

Reasoning:

  • CAPTCHA is widely used and low-risk
  • Minimal personal data collected
  • Strong security measures in place
  • Clear legitimate interest
  • No high-risk profiling or automated decision-making

Recommendation: Document this compliance mapping as evidence of due diligence

12. Vendor Due Diligence

Google LLC Assessment:

  • ISO 27001 certified
  • SOC 2/3 compliant
  • GDPR-compliant data processing terms
  • Transparent privacy practices
  • Established data protection program
  • Regular security audits

13. Compliance Checklist

  • Lawful basis identified and documented
  • Privacy Policy updated with CAPTCHA disclosure
  • User consent/notice mechanism in place (legitimate interest)
  • Subprocessor documented and assessed
  • Data retention policy defined
  • International transfer safeguards identified (SCCs)
  • User rights procedures updated
  • Security measures implemented
  • Accessibility requirements met
  • DPIA consideration documented
  • Technical implementation reviewed

14. Monitoring & Review

  • Review Frequency: Annually or when Google updates their terms
  • Monitoring: Track CAPTCHA failure rates and user complaints
  • Updates: Update documentation when Google reCAPTCHA terms change
  • Alternatives: Periodically evaluate alternative CAPTCHA solutions

15. Contact Information

For CAPTCHA-related privacy inquiries:

  • Email: privacy@conformo.ai
  • Data Protection Officer: [If appointed]
  • Google Privacy: https://support.google.com/policies/contact/general_privacy_form

Revision History

  • Version 1.0 (2025-10-21): Initial CAPTCHA GDPR compliance documentation

References

  • GDPR: Regulation (EU) 2016/679
  • Google reCAPTCHA Terms: https://policies.google.com/terms
  • Google Privacy Policy: https://policies.google.com/privacy
  • Google Cloud Data Processing Terms: https://cloud.google.com/terms/data-processing-addendum
  • EDPB Guidelines on Legitimate Interest: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-6_en