Privacy Policy
Last updated: March 1, 2026
1. Overview
Crovly is a privacy-first captcha service. We are fundamentally designed to verify that a visitor is human without collecting, storing, or processing personal information. This policy explains exactly what data we handle and how.
2. Data We Do Not Collect
- No cookies are set by the Crovly widget
- No personal data (name, email, browsing history) is collected during verification
- No cross-site tracking or profiling occurs
- No data is sold to, shared with, or transmitted to third parties
3. Data Processed During Verification
When a visitor completes a Crovly challenge, the following data is processed:
- Browser fingerprint hash: A SHA-256 hash of browser signals (canvas, WebGL, audio, screen, timezone, etc.). The raw signals never leave the browser — only the irreversible hash is transmitted.
- IP address: Used for Proof of Work difficulty calibration and token binding. Stored temporarily in Redis (TTL: 60 seconds for nonce cache, up to 24 hours for rate limiting).
- Proof of Work result: The nonce and counter proving computational work. This is not personal data.
- Environment signals: Boolean flags indicating headless browser detection results. No personal data.
4. Data Retention
- Verification logs: Retained for 24 hours, then permanently deleted. Logs contain: site ID, IP address, score, difficulty, solve time, and fingerprint hash.
- Aggregated statistics: Hourly aggregates (total requests, pass rate, average score) are retained permanently but contain no personal data.
- Redis cache: Nonce entries expire after 60 seconds. Rate limit counters expire after 5 minutes.
5. Dashboard Account Data
If you create a Crovly dashboard account, we store your email address, hashed password, and site configuration. This data is necessary to provide the service and is not used for any other purpose.
6. GDPR Compliance
Crovly is designed to be fully GDPR compliant. The fingerprint hash is a one-way transformation — it cannot be reversed to identify an individual. IP addresses are processed for legitimate interest (bot protection) and retained for the minimum necessary period.
Under GDPR, you have the right to access, rectify, or delete your account data. Contact us at [email protected].
7. Sub-processors
Crovly infrastructure runs on dedicated servers (Hetzner, Germany). We do not use third-party analytics, advertising, or tracking services. Cloudflare R2 is used for CDN delivery of the widget script only.
8. Changes
We may update this policy to reflect changes in our practices. Significant changes will be communicated via the dashboard or email.
9. Contact
For privacy inquiries, contact [email protected].