Compliance & Privacy

This document provides general compliance guidance. Specific requirements should be adjusted according to the laws and regulations in your region.

Scope of Application

Product and Version

Product Name: Captcha v4 (Behavioral Verification Service)
Applicable Versions: All v4 versions
Service Provider: Geelab

Deployment Forms

This compliance statement applies to all the following deployment forms:

✅ Web (web pages and H5 applications)
✅ iOS (native applications)
✅ Android (native applications)
✅ Server-side (backend verification)

Applicable Regions

Global: Supports global deployment
Data Localization: Supports data storage in three regions: Global, Europe, and North America
Compliance Framework: Complies with mainstream privacy regulations such as GDPR, CCPA, PIPL

Data Processing Overview

Types of Data Collected

Collected Device Information:

Device type (phone, tablet, computer)
Operating system version
Browser type and version
Screen resolution
Time zone settings
Language settings

This information is used to adapt the verification interface and detect abnormal devices.

Collected Behavioral Characteristics:

Mouse movement trajectory
Touch operation patterns
Keyboard input rhythm
Verification interaction time
Operation sequence

Behavioral characteristic data is encrypted and used to distinguish human users from automated programs.

Verification Result Data:

Whether verification passed
Verification type (slide, click, etc.)
Verification timestamp
Serial number (lot_number)
Risk score

Verification result data is used for statistical analysis and service optimization.

Data Usage

Purpose	Description	Data Types
Risk Assessment	Determine if requests come from real users	Device information, behavioral characteristics
Verification Challenge	Generate appropriate verification types	Device information, historical records
Abuse Detection	Identify and block malicious behavior	Behavioral characteristics, verification results
Service Optimization	Improve verification experience and accuracy	Verification results, statistical data

Personal Sensitive Information

Does Not Include Personal Sensitive Information - Captcha v4 does not collect the following information:

❌ Names, ID numbers, and other identity information
❌ Phone numbers, emails, and other contact information
❌ Geographic location (GPS coordinates)
❌ Biometric features (fingerprints, facial recognition)
❌ Financial information
❌ Health information

Collected IP addresses are only used for risk assessment, not for tracking user identity.

Data Storage and Transmission

Data Storage Location

Geelab supports multi-region data storage. You can choose the data storage region when creating a verification ID.

Region	Domain
🌏 Global	`cap-global.geelabapi.com`
🇪🇺 Europe	`cap-eu.geelabapi.com`
🇺🇸 North America	`cap-na.geelabapi.com`

Important: Please ensure that both client and server use the domain corresponding to the region you selected when registering the ID.

Data Retention Period

Data Type	Retention Period	Description
Verification Event Data	90 days	For troubleshooting and statistical analysis
Behavioral Characteristic Data	30 days	For risk model training
Statistical Summary Data	2 years	For service optimization and trend analysis

Data exceeding the retention period will be automatically deleted and cannot be recovered.

Transmission Encryption

✅ HTTPS/TLS 1.2+ - All data transmission uses HTTPS encryption
✅ End-to-End Encryption - Sensitive data is encrypted on the client before transmission
✅ Certificate Verification - Strict server certificate verification

Access Control

✅ Principle of Least Privilege - Only authorized personnel can access data
✅ Audit Logs - Record all data access operations
✅ Multi-Factor Authentication - Management console requires MFA verification

Data Deletion and Export

Data Deletion:

You can delete all data for a specific verification ID through the console
Deletion operations are irreversible, please proceed with caution

Data Export:

Supports exporting verification statistical data (CSV format)
Does not support exporting raw behavioral characteristic data (encrypted)

Compliance Requirements Checklist

Applicable Regulations

California Consumer Privacy Act (CCPA)

Captcha v4 complies with CCPA requirements:

✅ Right to Know - Users have the right to know what data is collected
✅ Right to Delete - Users can request data deletion
✅ Opt-Out - Supports disabling certain data collection
✅ Non-Discrimination - Does not discriminate against users exercising their rights

CCPA applies to California residents, but it is recommended that all global users enjoy the same rights.

Personal Information Protection Law (PIPL)

Captcha v4 complies with PIPL requirements:

✅ Informed Consent - Clearly informs data collection purposes
✅ Purpose Limitation - Only used for verification and security purposes
✅ Data Security - Takes necessary security measures
✅ Domestic Storage - Supports data storage within China

Actions Required by Integrators

Important: The following actions are your responsibility as a data controller and must be completed.

Privacy Policy Disclosure

Explain the use of verification services in your privacy policy, example text:

We use Geelab verification services to prevent automated abuse and protect account security. This service collects device information and behavioral characteristics for risk assessment. For details, please refer to Geelab Privacy Policy.
User Authorization

If required by applicable regulations, obtain user consent before first use of the verification service.
Data Processing Agreement

Sign a Data Processing Agreement (DPA) with Geelab to clarify responsibilities of both parties.
Security Assessment

Complete internal security assessment to ensure compliance with your security standards.

Audit and Log Retention

Audit Logs: Retained for 1 year
Access Logs: Retained for 90 days
Security Event Logs: Retained for 2 years

You can view verification logs and statistical data through the console.

Best Practices

Frontend Disclosure Text Recommendations

Add privacy notices near the verification interface:

<!-- Brief version -->
<p class="privacy-notice">
  This site uses verification services to protect account security.
  <a href="/privacy">Privacy Policy</a>
</p>

<!-- Detailed version -->
<p class="privacy-notice">
  To protect your account security, we use Geelab verification services.
  This service collects device information and behavioral characteristics for risk assessment.
  <a href="/privacy">Learn more</a>
</p>

Permission and Switch Configuration Recommendations

Recommended Configuration:

Enable Verification by Default - Protect all users
Provide Opt-Out Option - Allow users to disable (if required by regulations)
Record User Choices - Save user privacy preferences

Example Code:

// Check if user consents to using verification service
if (userConsent.captchaEnabled) {
  initGeetest4({
    captchaId: 'YOUR_CAPTCHA_ID'
  }, callback);
} else {
  // Use alternative verification method
  showAlternativeVerification();
}

Offline Compliance Review Material Preparation

Prepare the following materials for internal compliance review:

✅ This compliance statement document
✅ Geelab Privacy Policy
✅ Data Processing Agreement (DPA)
✅ Security certification certificates (ISO 27001, etc.)
✅ Data flow diagram
✅ Risk assessment report

To obtain these materials, please contact Geelab technical support.

FAQ

Can certain data collection be disabled?

Disabling data collection is not recommended as it will seriously affect verification accuracy.

If you must disable it, you can:

Use invisible mode (behavior analysis only, no verification interface displayed)
Adjust verification strategy (reduce verification frequency)
Use alternative verification methods