Privacy policy
stopbot is built to protect forms without profiling the people who fill them in. This policy explains exactly what we process, why, and where it lives.
Last updated: 1 July 2026
Summary
- We use cryptographic proof-of-work, not cookies, tracking pixels, or device fingerprinting.
- The script never reads your visitors' form fields. It only adds a proof token.
- The only end-visitor personal data we process is the IP address, used solely to score bot risk.
- Every server and sub-processor is in the EU. No data is transferred outside the EU.
Data we process
From your visitors (when our customers embed stopbot)
- Proof-of-work token. A cryptographic value computed in the browser. It contains no personal data and identifies no one.
- IP address. Received when the browser loads our script and when our customer's server verifies a token. We use it only to score bot risk and to derive an approximate country. We do not build cross-site profiles from it.
- Email domain (optional). If our customer chooses to enable disposable-email checks, they may send the domain part of an email address (for example, example.com). We never receive or store the full email address.
From our customers (account holders)
- Account details. Name, email address, and authentication data needed to run your account.
- Billing details. Processed by our payment provider for subscription billing.
- Usage data. Verification counts and dashboard activity needed to operate and bill the service.
Lawful basis
We process end-visitor data (the IP address and optional email domain) on the basis of legitimate interest under Article 6(1)(f) GDPR: preventing fraud and automated abuse. Recital 47 of the GDPR names fraud prevention as a legitimate interest. We process account and billing data to perform our contract with you under Article 6(1)(b).
Data residency
All stopbot servers and databases are hosted in the EU. Our verification API, where IP addresses and risk scoring are processed, runs on EU origin servers. Our CDN is an EU company with EU edge locations. No personal data is transferred outside the EU, so no Standard Contractual Clauses or adequacy decision is required.
Sub-processors
We use a small set of EU-based providers to run the service. Each is bound by a data processing agreement.
| Provider | Purpose | Location |
|---|---|---|
| BunnyWay d.o.o. (Bunny.net) | Content delivery for the stopbot.js script and static assets | Slovenia (EU) |
| Paddle.com Market Ltd | Subscription billing and payments (merchant of record) | United Kingdom (UK adequacy) |
Retention
We keep personal data only as long as it serves the purpose it was collected for.
- Visitor IP and risk data. Retained only briefly to score and act on a verification, then deleted or aggregated into non-identifying statistics. [Confirm exact period, for example 30 days.]
- Email domain. Used at verification time for the disposable-email check and not retained against an individual.
- Account and billing data. Retained for the life of your account and for any period required by law (for example tax and accounting obligations) after it closes.
Controller and processor
For your account data, you are our customer and we act as the data controller. For the visitor data we process on behalf of our customers (proof tokens, IP risk scoring, optional email-domain checks), our customers determine the purpose and we act in support of their bot-protection needs. We make a data processing agreement available to every customer. Where we use the IP signal to maintain shared threat-intelligence across the service, we act as an independent controller for that limited purpose.
Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and object to the processing of your personal data, and the right to data portability. To exercise any of these rights, contact us using the details below. You also have the right to lodge a complaint with your local data protection authority.
Contact
For privacy questions or to exercise your rights, email privacy@stopbot.io.
Data controller: Techinate Aktiebolag, Sweden, [registered address]. [Data Protection Officer contact, if appointed.]