Private Captcha
Private Captcha is a Go-based application that provides a privacy-first CAPTCHA service.
Open-source bot protection, honestly reviewed. No marketing fluff, just what you get when you self-host it.
TL;DR
- What it is: Proof-of-Work CAPTCHA service built in the EU, self-hostable, privacy-first — solves a cryptographic challenge invisibly in the background instead of making users pick traffic lights [README][1].
- Who it’s for: Founders and developers in the EU who need GDPR-compliant bot protection without handing user data to Google (reCAPTCHA) or Cloudflare. Also any self-hoster who’s tired of paying per-verification fees to US-based providers [1][2].
- Cost savings: reCAPTCHA Enterprise runs $1–3 per 1,000 assessments at scale. hCaptcha and Friendly Captcha charge per request on higher tiers. Private Captcha’s paid SaaS tier starts at €9/month for 10,000 requests, and self-hosting is free [website].
- Key strength: Invisible to the user — no puzzles, no checkbox, no “select all buses.” The PoW challenge runs in the background while the user fills a form. Multiple reviewers call setup fast and painless [1].
- Key weakness: Proof-of-Work as a bot-stopping mechanism has real limits — a 2025 AlternativeTo reviewer explicitly argues that any modern computer can solve the challenge in under a second, meaning it stops cheap bots but won’t hold against determined adversaries with commodity hardware [1]. With 157 GitHub stars, this is also a small project.
What is Private Captcha
Private Captcha is a CAPTCHA service built on Proof-of-Work cryptography. Instead of asking a user to solve a visual puzzle — the “click all the bicycles” pattern that reCAPTCHA has trained a generation to hate — it runs a SHA-256 computational challenge invisibly in the browser while the user fills out the form. When the form is submitted, the server validates the proof. Bots fail not because they’re confused by an image, but because solving the challenge at scale gets expensive enough to not be worth it [README][1].
The project is built by Intmaker OÜ, an Estonian company. The backend is written in Go, the client widget in JavaScript (with WASM workers where the browser supports them), and the data layer splits across PostgreSQL for account/domain data and ClickHouse for operational metrics and difficulty scaling [README]. Self-hosting setup lives in a separate repository at github.com/PrivateCaptcha/self-hosting.
The pitch is direct: replace Google reCAPTCHA, hCaptcha, or Cloudflare Turnstile with something that (a) doesn’t track your users, (b) doesn’t send data to US servers, (c) complies with GDPR by design, and (d) can run on your own infrastructure [README][website][5].
As of this review it has 157 GitHub stars — small by open-source standards, but the project is active (CI/CD badges green, Go lint clean, SonarCloud showing A ratings for maintainability, reliability, and security) [README].
Why people choose it
The clearest signal from reviews is that people come to Private Captcha from one of two directions: GDPR compliance anxiety or user experience disgust with reCAPTCHA.
On the compliance side, the EU regulatory environment has put Google reCAPTCHA and hCaptcha in a gray zone. Both send browser data to US servers; several EU data protection authorities have issued informal guidance against using them without user consent. Private Captcha explicitly positions against this: EU-only infrastructure (Hetzner for servers, BunnyWay for CDN), no PII collection, no cookies, DPA agreements ready [5][website]. One reviewer’s summary: “The fact that it secures my forms without annoying users by meaningless puzzles, its focus on privacy and the fact that it is being made and hosted in the EU are important to me and I am happy to pay a small fee for that” [website testimonial].
On the UX side, the consensus across AlternativeTo reviews is consistent: no puzzle friction is genuinely appreciated. One reviewer: “Nice captcha solution, it’s easy to add onto existing projects and it’s better from a user flow perspective as the user doesn’t have to solve any tedious challenges” [1]. Another: “Works like a charm. Easy to use.” [1]. The invisible verification is the whole value proposition — it removes the step where your conversion rate drops because someone gave up on a bus-selection puzzle.
The integration story also gets positive marks. Multiple reviewers cite fast setup and good documentation. One Digisoul developer built a Statamic addon and praised both the GDPR angle and the ease of integration [website testimonial]. Dashmood’s Robin Parisi called it a “quick setup, excellent documentation, and impeccable support” [website testimonial].
However, there’s a dissenting voice worth taking seriously. An AlternativeTo reviewer with a skeptical take on PoW-based bot prevention argues: “Proof of Work requires solving a computational problem that any modern computer or phone can solve in less than 1s. For bot operators, this is at most an annoyance… to stop scraping and automation at scale you have to do real threat detection and intercept requests from residential proxies / VPNs / data centres. IP reputation, behavioural metrics, and defensive, obfuscated code that identify bot signals are all needed to even stand a chance at stopping bots” [1]. This is a real critique. Private Captcha’s own comparison table acknowledges that difficulty scaling exists, but doesn’t claim to solve the residential proxy problem [README]. If you’re being targeted by a determined adversary using residential proxies, PoW alone won’t save you.
For the realistic threat model — spam form submissions, scraper bots, low-effort signup abuse — PoW works. For high-value targets getting professionally targeted: you need more than any CAPTCHA.
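The mechanism described under "What is Private Captcha" and the cost argument in the critique above can be seen in a hashcash-style SHA-256 round trip: the client brute-forces a nonce, the server checks it with one HMAC and one hash. This is an added example, not Private Captcha's code or wire format. The `Challenge` layout, the HMAC tag, and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

type Challenge struct { // hypothetical layout, not Private Captcha's wire format
	Salt       [16]byte // unique per challenge (crypto/rand in production)
	Difficulty uint8    // required leading zero bits of SHA-256(salt || nonce)
	MAC        []byte   // HMAC over salt and difficulty, so the client cannot lower it
}

func tag(key []byte, salt [16]byte, difficulty uint8) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(append(salt[:], difficulty))
	return h.Sum(nil)
}
func Issue(key []byte, salt [16]byte, difficulty uint8) Challenge {
	return Challenge{salt, difficulty, tag(key, salt, difficulty)}
}

func leadingZeroBits(salt [16]byte, nonce uint64) int {
	sum := sha256.Sum256(binary.BigEndian.AppendUint64(salt[:], nonce))
	return bits.LeadingZeros64(binary.BigEndian.Uint64(sum[:8]))
}

func Solve(c Challenge) (nonce uint64) { // client side: ~2^Difficulty hashes on average
	for leadingZeroBits(c.Salt, nonce) < int(c.Difficulty) {
		nonce++
	}
	return nonce
}

// Verify costs one HMAC and one hash; seen records salts already redeemed.
func Verify(key []byte, c Challenge, nonce uint64, seen map[[16]byte]bool) error {
	switch {
	case !hmac.Equal(c.MAC, tag(key, c.Salt, c.Difficulty)):
		return fmt.Errorf("challenge not issued by this server")
	case seen[c.Salt]:
		return fmt.Errorf("solution already redeemed")
	case leadingZeroBits(c.Salt, nonce) < int(c.Difficulty):
		return fmt.Errorf("insufficient work")
	}
	seen[c.Salt] = true
	return nil
}

func main() {
	key, seen := []byte("constructed demo key"), map[[16]byte]bool{}
	for _, d := range []uint8{8, 12, 16, 20} { // each step: ~16x more hashes
		c := Issue(key, [16]byte{d}, d) // constructed salt, unique per round
		n := Solve(c)
		fmt.Println(d, "bits:", n+1, "hashes tried, verify error:", Verify(key, c, n, seen))
	}
}
```

Each extra difficulty bit doubles the client's expected hashes while the server's verification cost stays flat, so difficulty puts a price on bulk submissions rather than identifying bots.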
Features
Core verification:
- Proof-of-Work cryptographic challenge runs in the background via JavaScript and WASM workers [README]
- Adaptive difficulty scaling — the system adjusts challenge hardness in real time based on traffic patterns [README][website]
- “Invisible” widget mode — zero visible UI, the challenge completes before the user finishes the form [website]
- Visible widget option for use cases that require explicit user acknowledgment [website]
- Widget customization: multiple visual themes, 10+ localizations, popup/hidden modes [website]
Integration:
- Drop-in HTML widget with data-sitekey attribute — four lines of code to add to any form [website]
- Ready integrations for WordPress, React, PHP, and other common stacks [website]
- OpenAPI spec provided — REST API for validation and platform management [README]
- Stable, backward-compatible API — explicit vendor promise: “your integrations won’t break” [website]
Privacy and compliance:
- No cookies on end-user devices [5]
- No PII collection — IP addresses are anonymized/aggregated when stored [5]
- EU-only subprocessors: Hetzner (infra) + BunnyWay (CDN) [5]
- Data Processing Agreement available for enterprise customers [website]
- Full source code public for privacy claim verification [website]
Operations and management:
- Usage statistics at domain and account level [website]
- Audit logs included in all tiers [website]
- Platform API for programmatic management of orgs and domains [website]
- Multi-org and multi-domain support [website]
- ClickHouse backend for operational data and difficulty analytics [README]
Self-hosting:
- Docker deployment via separate self-hosting repository [README]
- Go backend with Postgres + ClickHouse data layer [README]
- SonarCloud-verified code quality (A ratings on maintainability, reliability, security) [README]
Pricing: SaaS vs self-hosted math
Private Captcha Cloud:
- Free trial: 14 days, no credit card required [website]
- Paid tier: €9/month (billed monthly) or €108/year (~€7.56/month, 30% cheaper) for 10,000 requests/month, 50 domains, 10 organizations [website]
- All tiers include: smart difficulty scaling, EU-only endpoints, ready integrations, audit logs, platform API, usage statistics, widget customization, invisible challenge [website]
- Higher tiers / enterprise: not listed on the public pricing page — the €9 plan appears to be the only self-service tier
Self-hosted:
- Software: free (source-available, license is NOASSERTION — see the license caveat below)
- Infrastructure: a small VPS running Go + Postgres + ClickHouse
- ClickHouse’s minimum recommended RAM is typically 2–4 GB, so you’ll want at least a 4 GB VPS (~$8–12/month on Hetzner or Contabo)
Comparison to alternatives:
- Google reCAPTCHA v3: free up to 1 million assessments/month, $1–3 per 1,000 after that — cheap at low volume, but carries the Google data-collection cost [2]
- Cloudflare Turnstile: free, but you’re routing through Cloudflare’s infrastructure and depending on a US company [2][4]
- hCaptcha: free tier exists, paid tiers are custom pricing — opaque [4]
- Friendly Captcha: freemium, EU-based, proprietary — pricing not published for comparison; their “Enterprise and call-us tiers” is what Private Captcha claims to undercut [website]
- ALTCHA: MIT-licensed, self-hostable, free — the closest open-source equivalent [2][4]
The honest pricing math: if you’re in the EU and need a managed service with a DPA and EU-only data handling, €9/month for up to 10,000 verifications/month is a clean, low-stakes price. For comparison, that’s one Zapier plan for a week. Self-hosting costs you the VPS plus setup time, but no ongoing fees.
License note: The merged profile lists the license as “NOASSERTION” — the README doesn’t specify a standard open-source license, and the AlternativeTo listing calls it “Free Personal Proprietary” [2]. This means self-hosting rights exist, but they may not cover free commercial use. Verify with the project’s self-hosting repository before building a product dependency on it.
Deployment reality check
The README is sparse on self-hosting instructions beyond pointing to the self-hosting repository and official docs. For local development, make run-docker spins up a Docker environment [README]. Production deployment uses Docker and is documented at docs.privatecaptcha.com.
What you’ll need for self-hosting:
- Docker and Docker Compose
- PostgreSQL (for accounts, properties, domains)
- ClickHouse (for operational metrics and difficulty scaling) — this is the non-obvious dependency; ClickHouse has higher RAM requirements than a typical Postgres-only stack
- A Linux VPS with at least 4 GB RAM to run all three services comfortably
- A domain and reverse proxy (Caddy or nginx) for HTTPS
- The self-hosting repository configuration
What can go sideways:
- ClickHouse is operationally heavier than most small-project databases. If you’ve never run it before, budget time to understand its configuration
- The license ambiguity (NOASSERTION) means you should read the self-hosting repository’s license terms before relying on it in production
- 157 GitHub stars is a small project. If the company (Intmaker OÜ) shuts down, the cloud SaaS goes with it; if the self-hosted codebase goes stale, you’re maintaining a fork
- No information in the reviews about upgrade paths or migration complexity as the project evolves
For the managed SaaS path, setup is genuinely quick — copy-paste four lines of HTML, get your API key, done [website]. Multiple reviewers confirm this [1][website testimonials].
Pros and cons
Pros
- Invisible to users. No puzzles, no checkboxes, no degraded conversion rates. The PoW challenge runs while the user fills the form [README][1].
- GDPR-native. No cookies, no PII, EU-only infrastructure, DPA available [5][website]. This is structurally cleaner than reCAPTCHA or Cloudflare Turnstile for EU deployments.
- All features at one price. The €9/month tier includes audit logs, platform API, and difficulty scaling — features competitors put behind enterprise tiers [website].
- Self-hostable. Full source code available; Docker-based deployment [README].
- Good code quality signals. SonarCloud A ratings, active CI, Go lint clean [README].
- Backward-compatible API promise. The vendor commits to not breaking integrations — useful for set-and-forget use cases [website].
- Fast integration. Multiple reviewers confirm plug-and-play setup in minutes [1][website testimonials].
- Real human support. They explicitly promise no AI chatbots and a 24-hour response target [website].
Cons
- PoW doesn’t stop determined bots. A legitimate AlternativeTo reviewer makes the point clearly: any modern device solves the challenge in under a second. Against residential proxy networks with behavioral intelligence, PoW is an annoyance, not a barrier [1]. The honest scope is: stops casual spam bots, not sophisticated adversaries.
- Small project. 157 GitHub stars means a small community, limited ecosystem of forum help, and real single-vendor risk [README].
- License ambiguity. “NOASSERTION” in the license field + “Free Personal Proprietary” on AlternativeTo means self-hosting commercial rights are unclear [2]. Read the terms before production use.
- ClickHouse dependency adds operational complexity. Self-hosters need to run and maintain three separate data systems [README].
- Only one public pricing tier. The €9 plan or self-hosting are your only options without contacting sales — limited flexibility for mid-size use cases that outgrow 10,000 requests/month.
- Pricing page transparency gap. No published pricing above the base tier; volume pricing is unknown.
- No offline/air-gap option mentioned. For high-security on-prem deployments that can’t phone home, no documentation confirms fully isolated operation.
Who should use this / who shouldn’t
Use Private Captcha if:
- You operate in the EU and need GDPR-compliant bot protection without a legal gray area around user data transfers to US servers.
- You’re protecting contact forms, signup pages, or comment fields from spam bots — the core threat model PoW handles well.
- You want invisible UX and are willing to pay €9/month for a managed service with a clean DPA.
- You have Docker experience and want to self-host to keep all data on-premises.
- You’re already evaluating Friendly Captcha and want a cheaper alternative with self-hosting as an option.
Skip it (use ALTCHA instead) if:
- You want a fully open-source (MIT-licensed), free, self-hostable PoW CAPTCHA with no commercial strings. ALTCHA is the MIT-licensed equivalent and has been around longer [2][4].
Skip it (use Cloudflare Turnstile) if:
- You’re outside the EU, you don’t have GDPR constraints, and you want free bot protection without managing any infrastructure.
Skip it (use reCAPTCHA Enterprise) if:
- You’re defending a high-value target against professional bot operators and need behavioral signals, device fingerprinting, and IP reputation — PoW won’t give you that level of defense [1].
Skip it entirely if:
- Your threat model involves sophisticated adversaries with residential proxies. CAPTCHA alone won’t help you; you need WAF-level protection with behavioral analytics.
Alternatives worth considering
- ALTCHA — MIT-licensed, self-hostable, free, Czech EU origin. Closest open-source equivalent to Private Captcha without the license ambiguity [2][4]. Strong first choice if you want zero cost and a permissive license.
- Friendly Captcha — German, EU-based, PoW-based, proprietary SaaS with a freemium model. More established company, no self-hosting except on enterprise plans. Comparable privacy story [2][4].
- Cap Captcha — Lightweight, open-source (appears fully free), SHA-256 PoW, Portugal/EU origin. Very similar technical approach, 25 likes on AlternativeTo vs Private Captcha’s 16 — smaller but worth comparing [2][4].
- Cloudflare Turnstile — Free, invisible, strong bot detection with behavioral signals. The trade-off: you’re routing through US infrastructure and depending on Cloudflare [4]. Not GDPR-transparent.
- Google reCAPTCHA v3 — Invisible, free at low volume, strong ML-backed scoring. Trade-off: Google gets your users’ behavior data, GDPR complications in the EU [2].
- hCaptcha — Privacy-forward CAPTCHA, available as a managed service, no EU-only infrastructure guarantee [4].
- mosparo — Open-source (MIT), self-hostable, spam filtering by form data pattern-matching rather than PoW. Different approach, Swiss origin [4].
For EU founders who want managed SaaS with a clean DPA: the realistic shortlist is Private Captcha vs Friendly Captcha. Private Captcha wins on price transparency and self-hosting option; Friendly Captcha wins on company size and track record.
For EU founders who want to self-host for free: ALTCHA is the direct comparison with a cleaner license.
Bottom line
Private Captcha solves a specific, real problem: GDPR-compliant bot protection that doesn’t make your users angry. The invisible PoW approach works for the vast majority of spam and bot threats that small-to-mid-size web properties face. The EU-only infrastructure and no-PII-collection policy are genuinely useful for anyone operating under GDPR, not just marketing language. At €9/month for a managed tier that includes audit logs and a DPA, the price is fair relative to what Friendly Captcha charges for equivalent features.
The limits are real too: PoW isn’t sophisticated enough for high-value targets, the project is small, and the license terms for self-hosting need verification before production use. If your threat model is “stop the spam bots hitting my contact form,” this is a clean, honest tool that delivers what it says. If your threat model is “defend against adversarial automation,” you need something more than any CAPTCHA can provide.
Sources
- [1] AlternativeTo — Private Captcha reviews and user comments (multiple reviewer quotes, 7 months ago through recent). https://alternativeto.net/software/private-captcha/about/
- [2] AlternativeTo — reCAPTCHA Alternatives from the EU (listing Private Captcha, ALTCHA, Friendly Captcha, Cap Captcha with metadata). https://alternativeto.net/software/recaptcha/?origin=eu
- [3] AlternativeTo — IconCaptcha listing (referenced as alternative context for self-hosted CAPTCHA category). https://alternativeto.net/software/iconcaptcha/about/
- [4] AlternativeTo — reCAPTCHA Alternatives (global list) (full competitive landscape listing). https://alternativeto.net/software/recaptcha/
- [5] Private Captcha — Privacy Policy for End-Users (Intmaker OÜ, legal documentation on data handling, subprocessors, GDPR compliance). https://privatecaptcha.com/legal/privacy-end-user/
Primary sources:
- GitHub repository and README: https://github.com/privatecaptcha/privatecaptcha (157 stars, Go backend, WASM widget)
- Self-hosting repository: https://github.com/PrivateCaptcha/self-hosting
- Official website: https://privatecaptcha.com
- Pricing page: https://privatecaptcha.com (pricing section, €9/month tier)
- Official documentation: https://docs.privatecaptcha.com