For counsel & compliance teams
How we prove consent
This page documents exactly what CapchaCloud captures at the moment of consent, how each record is made tamper-evident, and how long it is retained. It's written so your legal and compliance teams can evaluate our evidence on its merits.
1. What we capture
At the moment a consumer consents, each record binds together:
- The exact disclosure the consumer saw — a snapshot of the request/wording in the same form and format it was presented (the TSR's core requirement).
- Identity fields — name, email, phone as submitted.
- Context — page URL, campaign/form identifiers, and user agent.
- Origin forensics — the visitor's IP and full Cloudflare edge geolocation (country, region, city, postal code, latitude/longitude, EU flag, ASN), observed server-side at the edge so it cannot be spoofed by the client.
- A precise timestamp from server time, with clock-skew handling.
- Bot-screen result — a dual human screen recorded as a verified verdict: the Cloudflare Turnstile result and an invisible proof-of-work (Cap/Altcha) the browser solves at capture, so the record reflects a screened human, not an automated submission.
- Optional — watermarked video and rendered proof images of the interaction.
2. How we make it tamper-evident
- Content hashing. The captured payload is hashed; the certificate references that hash, so any later alteration is detectable.
- Hash chain. Records are linked so a record can't be silently inserted, removed, or reordered after the fact.
- Trusted timestamps. Records are folded into the append-only CapchaChain ledger, whose block hashes carry an RFC-3161 timestamp-authority token, independently establishing the time of capture.
- Anchored to Bitcoin. Each CapchaChain block hash is also stamped into the Bitcoin blockchain via OpenTimestamps — a standard, downloadable .ots proof anyone can verify against Bitcoin with no need to trust us. (Bitcoin confirmation matures within a few hours of capture.)
- Verification endpoint. A certificate can be re-verified against its stored hash at any time; share links are revocable. Live anchor status: /api/v1/transparency.
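How content hashing, a hash chain and an externally anchored head fit together, as an added example (not CapchaCloud's code or record format). SHA-256, canonical JSON, the record fields and the genesis value are assumptions; the page does not state the algorithm or schema it uses.

```python
import copy, hashlib, json

GENESIS = "00" * 32  # assumed link value that precedes the first record

def content_hash(payload):
    # Canonical JSON so the same fields always produce the same digest.
    blob = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def link_hash(prev_link, c_hash):
    # Each link commits to the previous link and to this record's content hash.
    return hashlib.sha256(bytes.fromhex(prev_link + c_hash)).hexdigest()

def build_chain(payloads):
    chain, prev = [], GENESIS
    for p in payloads:
        c = content_hash(p)
        prev = link_hash(prev, c)
        chain.append({"payload": p, "content_hash": c, "link": prev})
    return chain

def verify_chain(chain, anchored_head):
    # anchored_head: the final link value as recorded outside the record store.
    prev = GENESIS
    for i, rec in enumerate(chain):
        if content_hash(rec["payload"]) != rec["content_hash"]:
            return False, f"record {i}: payload does not match content hash"
        if link_hash(prev, rec["content_hash"]) != rec["link"]:
            return False, f"record {i}: link broken (insert, removal or reorder)"
        prev = rec["link"]
    if prev != anchored_head:
        return False, "head differs from anchored value (truncated or rebuilt)"
    return True, "ok"

# Constructed sample records; field names are hypothetical.
SAMPLE = [{"email": f"user{i}@example.com", "disclosure": "v1 text", "seq": i} for i in range(3)]

def tamper_cases():
    chain = build_chain(SAMPLE)
    head = chain[-1]["link"]  # stands in for the value anchored externally
    edited = copy.deepcopy(chain)
    edited[1]["payload"]["disclosure"] = "v2 text"  # edit without fixing hashes
    rebuilt = build_chain([r["payload"] for r in edited])  # edit plus full re-hash
    return {
        "intact": verify_chain(chain, head), "edited": verify_chain(edited, head),
        "removed": verify_chain([chain[0], chain[2]], head),
        "reordered": verify_chain([chain[0], chain[2], chain[1]], head),
        "truncated": verify_chain(chain[:2], head), "rebuilt": verify_chain(rebuilt, head),
    }
```

The "rebuilt" and "truncated" cases pass every internal check and fail only on the head comparison, which is why the chain head needs an anchor held outside the store.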
3. How long we keep it
Every consent record is retained for a 5-year hard floor — meeting the FTC Telemarketing Sales Rule's recordkeeping requirement and outlasting the TCPA's 4-year statute of limitations. Retention cannot be shortened, and records cannot be deleted early, even by the account owner. Records are billing-independent: lapsed billing never deletes evidence. Legal holds can extend retention indefinitely.
WORM (write-once-read-many) storage. Evidence objects are held in immutable object storage protected by retention locks: once written, a record cannot be modified, overwritten, or deleted before its retention period elapses — the protection is enforced by the storage layer itself, not just by application logic, so it holds even against a compromised operator. All objects are encrypted at rest with AES-256.
4. Inspect a sample certificate
A representative certificate (with synthetic data) shows the full evidence record and verification result. Request a live sample for evaluation via support, or generate one in your own tenant from the dashboard.
Note: CapchaCloud provides recordkeeping infrastructure designed to support TCPA/TSR compliance. It is not legal advice; consult counsel regarding your specific obligations.