Website: https://notabot.srcabc.com/
Service name: Notabot
Operator: Kenyeres László, Hungarian individual entrepreneur
Document version: 1.1 — filled operator-data draft
Last updated: 26 April 2026
Language: English
Governing law: Hungary, unless mandatory consumer or data-protection law provides otherwise
The Notabot service is operated by:
Kenyeres László
Hungarian individual entrepreneur
Registered office: 1107 Budapest, Szárnyas utca 10/C, Hungary
Hungarian tax number: 57473804-1-42
Individual entrepreneur registration number: 56102710
Contact email: [email protected]
In this document, "Operator", "we", "us", or "our" means Kenyeres László, individual entrepreneur, operating Notabot.
These Terms of Service ("Terms") govern access to and use of Notabot, a behavioral CAPTCHA and bot-detection service available at https://notabot.srcabc.com/ and related dashboards, APIs, widgets, scripts, documentation, site keys, API keys, support channels, and other related services (together, the "Service").
By creating an account, using the dashboard, integrating the widget or API, using the Service on a Customer Site, or paying for the Service, you agree to these Terms.
If you use the Service on behalf of a company, organization, sole trader, or other legal entity, you confirm that you have authority to bind that entity to these Terms.
If you do not agree to these Terms, you must not use the Service.
Notabot provides a behavioral verification and bot-detection service designed to help distinguish likely human interactions from likely automated, abusive, or bot-like interactions.
The Service may include:
Notabot is not a security guarantee. It is one layer in a defense-in-depth strategy and should be combined with rate limiting, server-side validation, authentication controls, abuse monitoring, fraud checks, and other appropriate security measures.
Unless expressly stated otherwise, Notabot is primarily intended for business, professional, developer, and website-operator use. If the Service is made available to consumers, mandatory consumer-protection rights continue to apply.
You must not use Notabot for unlawful surveillance, employee monitoring unrelated to security, discriminatory profiling, or any purpose incompatible with bot detection, abuse prevention, fraud prevention, service security, and integrity protection.
To register for Notabot, you must provide at least a valid email address. We may also require a password, authentication token, organization name, billing information, domain information, and other information reasonably necessary to provide the Service.
You are responsible for:
We may refuse registration, suspend accounts, or require additional verification if we reasonably believe that an account is fraudulent, abusive, unlawful, high-risk, or violates these Terms.
The Service may provide site keys, secret keys, API keys, tokens, signing secrets, or similar credentials.
You must:
We may revoke, rotate, disable, or limit credentials if required for security, abuse prevention, payment issues, suspected compromise, or legal compliance.
You are responsible for your Customer Sites and how you integrate Notabot.
You must ensure that:
You remain responsible for your own legal notices, cookie notices, consent flows, accessibility compliance, and End User support.
You must not use the Service to:
We may throttle, suspend, block, or terminate access if we reasonably believe your use violates this section.
Paid plans, usage-based fees, overage fees, and subscription terms are displayed in the dashboard, checkout flow, order form, or a written agreement.
Payments are processed through Stripe or another payment provider we may designate. You may be required to accept Stripe's terms or provide information required by Stripe to process payments, prevent fraud, comply with financial regulations, manage subscriptions, issue invoices, and handle billing support.
Unless otherwise stated:
We do not intentionally store full payment card numbers on our servers. Payment card details are handled by Stripe or the relevant payment provider.
If you are a consumer under applicable law, mandatory consumer rights may apply. If the Service is supplied as digital content or a digital service, statutory withdrawal or cancellation rights may depend on your jurisdiction, the timing of access, and whether you consent to immediate performance.
Operational note: The exact refund and cancellation policy must match the Stripe subscription configuration and the public pricing/checkout pages.
We may offer free plans, trial access, preview features, or beta features. These may be limited, changed, suspended, or discontinued at any time.
Beta or experimental features are provided "as is", may be incomplete or unstable, and should not be used for high-risk production workloads unless we expressly agree otherwise.
We aim to provide a reliable Service, but we do not guarantee uninterrupted or error-free availability unless a separate written SLA applies.
We may modify, improve, suspend, or discontinue parts of the Service, including APIs, widgets, models, scoring thresholds, dashboards, documentation, or technical requirements. Where changes materially affect paid Customers, we will use reasonable efforts to provide advance notice.
We may perform emergency maintenance without advance notice where necessary for security, stability, legal compliance, or abuse prevention.
We use reasonable technical and organizational measures designed to protect the Service and personal data processed through it. Measures may include encryption in transit, access controls, logging, monitoring, key management, payload validation, rate limiting, proof-of-work, model validation, deployment controls, and security review processes.
No system is completely secure. You are responsible for securing your own systems, API keys, endpoints, DNS, scripts, and integrations.
You must promptly report suspected vulnerabilities or security incidents to [email protected].
Our Privacy Policy explains how we process personal data.
Where we process Customer End User personal data on behalf of a Customer for the purpose of providing bot-detection and verification services, we generally act as a processor and the Customer acts as the controller, unless a different role is required by law or agreed in writing.
Where we process account, billing, abuse-prevention, security, analytics, compliance, and operational data for our own business purposes, we generally act as a controller.
If the Customer is subject to the GDPR or similar data protection laws and Notabot processes End User personal data on behalf of the Customer, the Data Processing Addendum in Part III applies unless a separate signed DPA is in place.
Customers must provide all notices and obtain all rights, permissions, consents, or lawful bases required for the use of Notabot on Customer Sites.
At minimum, Customers should disclose that their website or application uses a bot-detection and CAPTCHA service that may process technical and interaction data such as device/browser information, IP address, user-agent, session identifiers, timestamps, challenge events, and mouse/touch interaction signals.
Customers should not describe Notabot as anonymous if IP addresses, identifiers, or behavioral signals can be linked to an individual or session.
We and our licensors retain all rights, title, and interest in the Service, including software, source code, APIs, widgets, models, documentation, designs, trademarks, trade names, algorithms, scoring logic, and other intellectual property.
Subject to these Terms, we grant you a limited, revocable, non-exclusive, non-transferable right to access and use the Service for your internal business purposes and to integrate Notabot into authorized Customer Sites.
You retain ownership of your Customer content and Customer Site data. You grant us the rights necessary to provide, secure, maintain, improve, and support the Service.
If you provide suggestions, ideas, improvements, bug reports, or other feedback, you grant us a non-exclusive, worldwide, royalty-free right to use that feedback to improve or develop the Service without restriction or compensation, unless otherwise agreed in writing.
Non-public technical, security, pricing, model, integration, and business information disclosed through the Service may be confidential. You must not disclose such information except as necessary to use the Service or as required by law.
This section does not restrict information that is public, independently developed, lawfully received from a third party, or required to be disclosed by law.
We may suspend or terminate access if:
You may stop using the Service at any time. Termination does not relieve you of payment obligations incurred before termination.
After termination, we may delete or retain data according to our Privacy Policy, DPA, legal obligations, backup cycles, and legitimate security needs.
To the maximum extent permitted by law, the Service is provided "as is" and "as available". We do not warrant that the Service will be uninterrupted, error-free, immune from attack, or able to detect all bots or abusive behavior.
No automated security or bot-detection system is perfect. Customers remain responsible for final decisions, fallback mechanisms, fraud controls, user communications, and compliance with applicable laws.
To the maximum extent permitted by law, we are not liable for indirect, incidental, special, consequential, punitive, or exemplary damages, including lost profits, lost revenue, loss of goodwill, loss of data, or business interruption.
Unless prohibited by mandatory law, our total aggregate liability arising out of or relating to the Service is limited to the amounts paid by you to us for the Service during the three months before the event giving rise to the claim, or EUR 100 if no paid subscription exists.
This limitation does not exclude liability where exclusion is prohibited by law, including intentional misconduct or mandatory consumer rights.
To the extent permitted by law, you agree to indemnify and hold us harmless from claims, damages, losses, liabilities, costs, and expenses arising from:
We may update these Terms from time to time. The updated version will be posted on the Website or dashboard with a new "Last updated" date.
If changes materially affect paid Customers, we will use reasonable efforts to provide notice. Continued use of the Service after the effective date means you accept the updated Terms.
These Terms are governed by the laws of Hungary, unless mandatory law provides otherwise.
If you are acting as a business or professional customer, disputes will be submitted to the competent courts of Hungary, unless a written agreement provides otherwise.
If you are a consumer, you may have mandatory rights to bring claims before courts or authorities in your place of residence or under applicable consumer-protection law.
The former EU Online Dispute Resolution platform has been discontinued and should not be linked as an active complaint platform. Consumers may still use applicable national consumer-redress channels, including the competent consumer-protection authority or conciliation bodies where available.
For contractual, billing, support, privacy, or security matters, contact:
Operator: Kenyeres László, individual entrepreneur
Registered office: 1107 Budapest, Szárnyas utca 10/C, Hungary
Tax number: 57473804-1-42
EV registration number: 56102710
Contact: [email protected]
This Privacy Policy explains how the Operator processes personal data in connection with Notabot, including:
This Privacy Policy should be read together with the Terms and, where applicable, the DPA.
For Account Data, website usage, billing, support, security, and business operations, the controller is:
Kenyeres László
Hungarian individual entrepreneur / egyéni vállalkozó
Registered office: 1107 Budapest, Szárnyas utca 10/C, Hungary
Tax number: 57473804-1-42
EV registration number: 56102710
For End User Verification Data processed on behalf of a Customer, the Customer is generally the controller and Notabot is generally the processor.
We may process:
Payments are processed through Stripe. We may process:
We do not intentionally store full card numbers or full payment authentication data on our servers.
When Notabot is integrated into a Customer Site, we may process Verification Data such as:
Customers must not intentionally send form contents, passwords, payment card data, health data, children's data, or other sensitive data to Notabot unless expressly agreed in writing.
The Service may use cookies, local storage, session storage, or similar technologies for:
We process personal data for the following purposes:
| Purpose | Typical data | Legal basis under GDPR |
|---|---|---|
| Account creation and login | email, credentials, login logs | contract performance; legitimate interests |
| Providing the Service | account data, site keys, configuration, verification data | contract performance; legitimate interests; processor instructions for End User data |
| Bot detection and security | verification data, IP, user-agent, interaction signals, risk scores | legitimate interests; processor instructions; security obligations |
| Billing and payments | billing data, Stripe identifiers, invoice data | contract performance; legal obligation; legitimate interests |
| Fraud, abuse, and incident prevention | logs, security signals, IP, account events | legitimate interests; legal obligations |
| Support and communications | email, messages, diagnostics | contract performance; legitimate interests |
| Legal compliance | accounting, tax, authority requests | legal obligation |
| Service improvement and model-quality review | aggregated statistics, logs, derived features | legitimate interests; where required, consent or anonymization/pseudonymization |
Where we act as a processor for Customer End User data, we process such data on documented Customer instructions, as further described in the DPA.
The Service is hosted using Contabo, with hosting location indicated by the Operator as Germany. Contabo acts as an infrastructure provider and, where it processes personal data on behalf of the Operator, as a processor/subprocessor.
The Operator should maintain an active Data Processing Agreement with Contabo and keep a copy for accountability records.
Stripe is used for payment processing, subscription management, invoices, fraud prevention, and payment-related compliance. Depending on the activity, Stripe may act as an independent controller, processor, or separate regulated payment service provider under its own legal terms and privacy documents.
Customers may be redirected to Stripe-hosted pages or Stripe-managed payment forms. Stripe may process payment data, billing information, transaction information, fraud-prevention signals, and compliance data.
We may share or make personal data available to:
A current subprocessor list is included in Part III, Annex III.
The core hosting location is indicated as Germany. Some providers, especially payment, security, support, or infrastructure providers, may process data outside Hungary, Germany, or the European Economic Area.
Where personal data is transferred outside the EEA, we rely on appropriate safeguards where required, such as adequacy decisions, Standard Contractual Clauses, Data Privacy Framework participation where applicable, or other lawful transfer mechanisms.
We retain personal data only as long as necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.
Recommended default retention framework:
| Data category | Default retention approach |
|---|---|
| Account data | for the life of the account, then deleted or archived after a reasonable closure period |
| Billing, invoices, tax records | retained for statutory tax/accounting periods applicable under Hungarian law |
| Support communications | retained while needed for support, audit, and dispute handling |
| Security logs | retained for a limited security period, unless needed for incident investigation |
| Verification logs and derived risk results | retained for operational, abuse-prevention, debugging, audit, and model-quality purposes for a limited period |
| Raw interaction event streams | should be minimized; if retained, use a short defined period and document it |
| Backups | deleted according to backup rotation schedules |
| Aggregated/anonymized statistics | may be retained longer if individuals are no longer identifiable |
We use reasonable technical and organizational measures, which may include:
Security measures are continuously improved as the Service evolves.
Depending on your role and applicable law, you may have the right to:
For Account Data, contact us at [email protected].
For End User data processed on behalf of a Customer, End Users should generally contact the Customer operating the relevant Customer Site. We will assist Customers in responding to valid data-subject requests as required by the DPA.
The competent Hungarian data protection supervisory authority is:
Hungarian National Authority for Data Protection and Freedom of Information
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Address: H-1055 Budapest, Falk Miksa utca 9-11, Hungary
Website: https://www.naih.hu/
Users may contact NAIH or use the official channels described on the authority's website if they believe their data-protection rights have been infringed.
The Service is not intended for use by children. Customers must not knowingly send children's personal data to Notabot unless they have a lawful basis and have obtained all required permissions and agreements.
Notabot produces automated bot-detection, risk, or verification outputs. These outputs are intended to help Customers protect their systems from abuse. Customers remain responsible for deciding how to use Notabot outputs and for providing any legally required fallback, review, support, or appeal mechanisms.
Where required by law, Customers must ensure that End Users are not subject to unlawful solely automated decisions without appropriate safeguards.
We may update this Privacy Policy from time to time. The updated version will be posted on the Website or dashboard with a new "Last updated" date.
This Data Processing Addendum ("DPA") applies where Notabot processes Customer End User personal data on behalf of a Customer in connection with the Service and the Customer is subject to the GDPR or similar data protection law.
If the parties have signed a separate DPA, that signed DPA prevails.
For Customer End User Verification Data:
For Account Data, billing data, security operations, and business administration, Notabot generally acts as a controller.
The Customer instructs Notabot to process Customer End User personal data only as necessary to:
Notabot will not process Customer End User personal data for unrelated purposes unless required by law or authorized by the Customer.
The subject matter of processing is the provision of Notabot behavioral CAPTCHA, bot-detection, and related security services.
The duration of processing is the term of the Customer's use of the Service plus the retention periods necessary for security, audit, backup, legal, and deletion processes.
Processing may include collection, transmission, validation, encryption/decryption where applicable, storage, analysis, model inference, scoring, logging, retrieval, deletion, and support operations.
The purpose is to provide bot detection, CAPTCHA verification, abuse prevention, fraud prevention, security monitoring, operational diagnostics, service improvement, and customer support.
Data subjects may include:
Personal data may include:
Customers must not intentionally send special category data, payment card data, passwords, form contents, government IDs, health data, or children's data unless expressly agreed in writing.
Notabot will:
The Customer will:
The Customer authorizes Notabot to use subprocessors necessary to provide the Service.
Current subprocessors and relevant providers include:
| Provider | Role | Location / notes | Purpose |
|---|---|---|---|
| Contabo GmbH | hosting / infrastructure provider | Germany indicated by Operator | hosting, server infrastructure, storage, networking |
| Stripe | payment provider | may process data in multiple jurisdictions under Stripe terms | payment processing, subscription management, invoices, fraud prevention |
Notabot will update this list when subprocessors materially change. Customers may object to a new subprocessor on reasonable data-protection grounds. If no commercially reasonable alternative is available, either party may terminate the affected Service.
Where processing involves transfers outside the EEA, Notabot will use appropriate safeguards required by applicable law, such as adequacy decisions, Standard Contractual Clauses, Data Privacy Framework mechanisms where applicable, or equivalent safeguards.
Security measures may include:
Notabot will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer End User personal data processed by Notabot as processor.
The notification will include available information reasonably required for the Customer to meet its own breach-notification obligations.
Upon reasonable request, Notabot will provide information necessary to demonstrate compliance with this DPA. Audits must be reasonable, proportionate, non-disruptive, and subject to confidentiality and security restrictions.
Upon termination of the Service, Notabot will delete or return Customer End User personal data according to the Service configuration, retention policy, legal obligations, backup cycles, and security needs.
Backups may persist for a limited period until overwritten or deleted in ordinary backup rotation.
Customers may adapt the following language for their own privacy notices:
We use Notabot, a behavioral CAPTCHA and bot-detection service, to protect our website and forms against spam, abuse, automated attacks, and fraudulent activity. Notabot may process technical and interaction data such as IP address, user-agent, timestamps, session identifiers, challenge events, proof-of-work data, and mouse/touch interaction signals. The purpose is security, bot detection, abuse prevention, and service integrity. Notabot is operated by Kenyeres László, individual entrepreneur, Hungary. For more information, see Notabot's privacy documentation at https://notabot.srcabc.com/.
Customers must adapt this text to their own lawful basis, privacy notice structure, cookie notice, retention practices, and jurisdiction.
Notabot may use strictly necessary cookies, local storage, session storage, or similar technologies to provide account login, dashboard sessions, CAPTCHA challenge state, proof-of-work, fraud prevention, security, and service integrity.
Strictly necessary technologies are required for the Service to work and are not used for advertising.
If Notabot later uses analytics, advertising, tracking pixels, heatmaps, or non-essential third-party scripts, the Operator must publish a more detailed cookie notice and implement consent where required.
This section is for operational accountability and may be kept internal or published as a transparency appendix.