Munich-built GDPR-compliant CAPTCHA with no cookies, no personal data, and reCAPTCHA API compatibility
CaptchaFox is a Munich-based GDPR-compliant CAPTCHA and bot protection service operated by Scoria Labs GmbH (Amtsgericht München HRB 283108). Founded in 2023 and self-funded (bootstrapped), the company has built a privacy-first alternative to Google reCAPTCHA that collects no personal data and sets no cookies — positioning the product directly on GDPR compliance as its primary differentiator. The service uses proof-of-work and risk signal analysis to determine whether a submission is human, surfaces a visible challenge only when a visit looks suspicious (Smart Protection Mode), and exposes a reCAPTCHA v2/v3-compatible API so existing integrations migrate without rewriting form code. Official SDKs cover React, Vue, Angular, Solid.js, and Node.js; a WordPress plugin is available in the official repository. The free tier supports up to 1,000 verifications per month across one site.
Headquarters: Munich, Germany
Founded: 2023
Pricing
EU Data Hosting: Yes
Employees: 1-10
7-day free trial available
Plans: Free, €18/mo, €85/mo, Contact Sales
Billing: monthly
The CAPTCHA market has a structural problem: the dominant provider is Google, and Google's product — reCAPTCHA — works by tracking users across the web to distinguish humans from bots. That tracking is precisely what makes it effective, and precisely what makes it a GDPR liability. European businesses that embed reCAPTCHA are creating a data-sharing relationship with a US company without a lawful basis for most of the data collected.
CaptchaFox exists as the answer to that problem from within the EU. The service is operated by Scoria Labs GmbH, registered at Amtsgericht München under HRB 283108, and founded in Munich in 2023. It is independently owned with no outside investors. Verification events are processed within the EU, no cookies are set, and no personal data is collected — not as a policy promise but as a technical fact, because the system is not built to collect it.
The product uses proof-of-work computation and risk signal analysis to determine whether a form submission is human. When a visit looks clean, nothing visible happens. When it looks suspicious, a visible challenge appears — this Smart Protection Mode reduces friction for legitimate users compared to classic image-puzzle CAPTCHAs that appear for everyone. The API shape is compatible with reCAPTCHA v2 and v3, so existing WordPress, React, Vue, and Angular integrations migrate with a sitekey change rather than a rewrite.
Standard CAPTCHAs create friction for every user: solve this traffic light grid, click all the bicycles, prove you are human. CaptchaFox's Smart Protection Mode reserves visible challenges for sessions that the risk analysis has flagged. A real user on a known browser completing a form normally will typically see nothing — the CAPTCHA runs invisibly in the background.
This matters commercially. Conversion rate experiments consistently show that adding a visible image CAPTCHA to a form reduces completion rates by several percentage points. For a lead generation form or registration flow, that drop is measurable revenue. Smart mode preserves security without paying that conversion tax on every clean session.
When CaptchaFox determines a challenge is warranted, it uses proof-of-work computation — the browser performs a calculation that is trivial for a modern computer but expensive to run at bot scale. This avoids the pattern matching and fingerprinting approaches that create privacy exposure: no cross-site data is needed to run a proof-of-work check.
The verification is fully server-side validated. A bot that submits a fabricated CAPTCHA token fails on the server even if it bypasses the client-side widget, which is the architecture that matters for real security.
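The asymmetry described above, and why a fabricated token fails on the server, shown as an added example (not CaptchaFox's code or its actual scheme). It is a generic hashcash-style proof-of-work; the key, difficulty, lifetime and all function names are assumptions made for illustration.

```javascript
// Added illustration: hashcash-style proof-of-work, not CaptchaFox's actual scheme.
const crypto = require('node:crypto');

const SERVER_KEY = crypto.randomBytes(32); // hypothetical per-deployment secret
const DIFFICULTY_BITS = 12;                // constructed value, ~4,096 hashes on average
const TTL_MS = 2 * 60 * 1000;              // constructed challenge lifetime
const spent = new Set();                   // replay cache (in-memory for the demo)
const sign = (p) => crypto.createHmac('sha256', SERVER_KEY).update(p).digest('hex');
const digest = (p, n) => crypto.createHash('sha256').update(`${p}.${n}`).digest();

// Number of leading zero bits in a hash.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// Server: issue a random challenge with expiry and difficulty, bound by an HMAC.
function issueChallenge(now = Date.now()) {
  const payload = `${crypto.randomBytes(16).toString('hex')}.${now + TTL_MS}.${DIFFICULTY_BITS}`;
  return { payload, mac: sign(payload) };
}

// Client: brute-force a nonce; expected cost doubles with every extra difficulty bit.
function solve(payload, bits) {
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(digest(payload, nonce)) >= bits) return nonce;
  }
}

// Server: one HMAC and one hash, however long the client had to search.
function verifySolution({ payload, mac, nonce }, now = Date.now()) {
  payload = String(payload);
  const expected = Buffer.from(sign(payload), 'hex');
  const given = Buffer.from(String(mac), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad-signature'; // fabricated or tampered challenge
  }
  const [, expires, bits] = payload.split('.');
  if (now > Number(expires)) return 'expired';
  if (spent.has(payload)) return 'replayed';
  if (leadingZeroBits(digest(payload, nonce)) < Number(bits)) return 'insufficient-work';
  spent.add(payload);
  return 'ok';
}
```

A real deployment would keep the replay cache in shared storage with entries expiring alongside the challenge, and would raise the difficulty for sessions the risk analysis has flagged.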
The compatibility layer is the key to commercial viability. Most European businesses that want to replace reCAPTCHA are deterred by the migration cost: updating every form, every plugin, every third-party integration. CaptchaFox's API accepts the same parameters as reCAPTCHA v2 and v3 — the switch is a sitekey replacement rather than a code rewrite.
Official SDKs exist for React (@captchafox/react), Vue (@captchafox/vue), Angular (@captchafox/angular), Solid.js (@captchafox/solid), and Node.js for server-side verification. A WordPress plugin handles CMS sites without any custom development.
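A server-side check in the reCAPTCHA siteverify shape the compatibility layer refers to, as an added example rather than code from CaptchaFox or its SDKs. The request and response field names are those of reCAPTCHA's documented siteverify API; the endpoint URL is a placeholder because the page does not give one, and the freshness window, clock-skew allowance and function names are assumptions.

```javascript
// Added illustration. Field names follow reCAPTCHA's siteverify API; VERIFY_URL is a
// placeholder, so take the real endpoint from the provider's documentation.
const VERIFY_URL = 'https://captcha-provider.example/siteverify';
const MAX_AGE_MS = 2 * 60 * 1000; // assumed freshness window for a solved challenge
const SKEW_MS = 30 * 1000;        // assumed tolerance for clock skew

// Form-encoded POST body: the secret stays on the server, the token comes from the form.
function buildVerifyBody(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  return body.toString();
}

// Decide from the raw HTTP result. Anything unexpected is a rejection (fail closed).
function evaluateVerifyResponse(status, text, expectedHost, now = Date.now()) {
  if (status !== 200) return { ok: false, reason: 'http-' + status };
  let data;
  try { data = JSON.parse(text); } catch { return { ok: false, reason: 'bad-json' }; }
  if (data === null || typeof data !== 'object') return { ok: false, reason: 'bad-json' };
  if (data.success !== true) { // strict: the string "true" does not count
    const codes = Array.isArray(data['error-codes']) ? data['error-codes'].join(',') : 'unknown';
    return { ok: false, reason: 'rejected:' + codes };
  }
  // A token solved on another site must not be accepted here.
  if (data.hostname !== expectedHost) return { ok: false, reason: 'hostname-mismatch' };
  const age = now - Date.parse(data.challenge_ts);
  if (!(age > -SKEW_MS && age <= MAX_AGE_MS)) return { ok: false, reason: 'stale-token' };
  return { ok: true, reason: 'verified' };
}

// Network wrapper: a timeout or unreachable verifier also rejects the submission.
async function verifyToken(secret, token, remoteIp, expectedHost) {
  if (typeof token !== 'string' || token.length === 0) return { ok: false, reason: 'missing-token' };
  try {
    const res = await fetch(VERIFY_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: buildVerifyBody(secret, token, remoteIp),
      signal: AbortSignal.timeout(5000),
    });
    return evaluateVerifyResponse(res.status, await res.text(), expectedHost);
  } catch {
    return { ok: false, reason: 'verifier-unreachable' };
  }
}
```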
The dashboard supports multiple websites under a single account, with per-site analytics showing verification volume, challenge rates, and blocked bot traffic. For agencies managing CAPTCHA across client sites, this centralises visibility. The Starter and Team plans support multiple websites; the free tier covers a single domain.
CaptchaFox charges a flat monthly fee rather than per-request pricing, which eliminates bill shock on traffic spikes. If a marketing campaign drives ten times the normal form traffic for a week, the price stays the same. The company documents that it will not terminate accounts for exceeding plan limits mid-month — instead, customers receive a notification to upgrade.
The free tier includes 1,000 verifications per month for one website. For a contact form on a small site, this covers production use. For any site with meaningful form traffic — say, a SaaS signup form receiving 100+ submissions per day — the free tier runs out quickly and the Starter plan at €18 per month becomes the practical entry point.
Starter at €18 per month raises the verification quota, adds multi-site support, and includes Smart Protection Mode and priority email support. The Team plan at €85 per month adds multiple user accounts, higher verification limits, webhook access, and a dedicated support channel. Enterprise pricing is custom and includes SLA guarantees, custom contract terms, and invoice billing.
All prices are in EUR without VAT. There is a 7-day free trial — shorter than Friendly Captcha's evaluation window but sufficient to test the integration.
For context: hCaptcha's commercial pricing starts at a similar range, while Cloudflare Turnstile is free but routes all data through a US company. Among purely EU-hosted CAPTCHA services, CaptchaFox sits between the free-tier generosity of Altcha (open-source, self-hostable) and the enterprise track record of Friendly Captcha.
CaptchaFox's compliance posture is the most straightforward in the European CAPTCHA market: the product does not collect personal data, so it does not create GDPR compliance obligations for the personal data it does not have.
Scoria Labs GmbH is incorporated in Germany under EU law. Data processing occurs within EU infrastructure. No cookies are set on end users. No cross-site tracking or user profile building takes place. The Data Processing Agreement is available for customers who need one for audit purposes.
The absence of SOC 2 or ISO 27001 certification is worth noting — the company is three years old with fewer than 10 employees, and the investment in third-party audits has not yet happened. For enterprise procurement teams requiring certified documentation of security controls, Friendly Captcha holds relevant certifications. For most SMB and mid-market use cases, the architectural privacy-by-design is a more meaningful assurance than a certificate.
If you run a European website and currently use reCAPTCHA, the migration path is as simple as that of any tool in the CAPTCHA category — change the sitekey, test in staging, deploy. The privacy upgrade is immediate.
If your site processes fewer than 1,000 form interactions per month, the free tier covers production use indefinitely with no ongoing cost.
If you are an agency managing multiple client sites and need centralised CAPTCHA oversight with predictable flat-rate billing per client, the Starter and Team plans match that model.
If you need a self-hosted option for air-gapped or regulated environments, CaptchaFox is not the right tool — it is a hosted SaaS with no on-premises deployment. Altcha is the correct choice in that scenario.
If you require SOC 2 or ISO 27001 certified documentation of security controls — common in enterprise procurement — CaptchaFox is too young to provide them. Friendly Captcha is the more mature choice.
CaptchaFox solves a real and specific problem: replacing Google reCAPTCHA with a GDPR-compliant alternative that requires minimal migration effort and no cookies. For European websites that have been running reCAPTCHA on the basis of legitimate interest and hoping nobody notices, this is the cleanest off-ramp available.
The trade-offs are honest. The company is very young, with all the limitations that implies: no third-party security certifications yet, a small team, and a free tier that covers only 1,000 verifications per month. The flat-rate pricing is more predictable than usage-based competitors but does mean the Starter plan is the realistic entry point for any site with real traffic. Against Friendly Captcha (older, more certified) and Altcha (open-source, self-hostable), CaptchaFox occupies the middle ground: hosted convenience with genuine privacy-by-design architecture and the simplest migration path from reCAPTCHA in the market.
CaptchaFox is operated by Scoria Labs GmbH, registered at Amtsgericht München under HRB 283108. The company is headquartered in Munich, Germany, independently owned with no external investors. Data is processed and hosted within the EU, with no US parent or subsidiary involved.
Google reCAPTCHA sets third-party cookies and collects behavioural data to build cross-site user profiles — practices that conflict with GDPR's data minimisation and purpose limitation requirements. CaptchaFox sets no cookies and collects no personal data; verification uses proof-of-work and risk signals processed server-side without identifying the end user. The API shapes are compatible, so migrating from reCAPTCHA requires only swapping the sitekey.
The free tier allows 1,000 verifications per month for one website. For sites with more than minimal traffic — a contact form receiving more than 30 submissions per day will exceed this — the Starter plan at €18 per month provides a higher quota and multi-site support. CaptchaFox does not terminate accounts that exceed their limit mid-month; instead they contact customers to upgrade.
Yes. CaptchaFox provides a WordPress plugin in the official repository and official npm packages for React, Vue, Angular, and Solid.js. A Node.js package handles server-side verification. The reCAPTCHA API-compatible mode means many existing form plugins that accept reCAPTCHA keys also accept CaptchaFox keys without additional code changes.
CaptchaFox is a hosted SaaS service with no self-hosted deployment option. Organisations requiring on-premises CAPTCHA validation — for regulatory, air-gap, or data sovereignty reasons — should evaluate Altcha, which publishes its server component under MIT licence and can run entirely within a private network.
Alternative to reCAPTCHA, hCaptcha, Cloudflare Turnstile