Privacy Policy

Last updated: March 10, 2026

What we collect

We believe in collecting only what we need. Here is the full list:

  • Account info — your email address and a bcrypt-hashed password. We never store your password in plain text.
  • Temporary request IP handling — raw IP addresses are used only in memory during challenge and solve processing for rate limiting, adaptive difficulty, and abuse detection. They are not persisted in our usage logs.
  • Anonymized network prefixes — we store only coarse network prefixes in usage logs: the /24 for IPv4 (for example, `203.0.113.0/24`) and the /56 for IPv6 (for example, `2001:db8:abcd:1200::/56`).
  • Network metadata — optional ASN/datacenter classification derived from IP using an offline database on our own infrastructure. We do not send IPs to third-party enrichment APIs.
  • Usage counts — the number of challenges issued and solves completed per project, with timestamps. This powers your dashboard analytics.

What we don't collect

  • No cookies on end-user browsers (the widget is stateless)
  • No fingerprinting, canvas hashing, or device profiling
  • No tracking pixels or third-party analytics
  • No personal data from your end users beyond transient network request data needed to protect your site

How the captcha works

BotShield uses proof-of-work — the visitor's browser computes a hash puzzle. No behavioral tracking, mouse movement analysis, or browser fingerprinting is involved. We issue a signed challenge, the browser solves it, and your server verifies the solution. The entire process is stateless on our end.

Data storage

All data is stored in a SQLite database on our server. We do not use any third-party data processors, cloud storage, or external databases. Your data never leaves our infrastructure.

Data retention

  • Usage logs — kept indefinitely to power your analytics dashboard. These logs store anonymized network prefixes, not raw IP addresses.
  • Sessions — expire automatically and are cleaned up.
  • Account data — kept until you delete your account.

Third parties

We do not sell, share, or transfer your data to any third party. There are no analytics scripts, ad networks, or external services embedded in BotShield. The SDK loaded on your users' pages communicates only with your BotShield instance.

Your rights

You can export or delete your data at any time. Deleting a project removes all associated usage logs. Deleting your account removes everything. No questions asked.