01. Parties
This Addendum is between the Customer (the entity that signed up for Gurulu, acting as data controller) and Gurulu Bilişim (acting as data processor). Where the Customer is itself a processor for an upstream controller, this Addendum extends to that arrangement as a sub-processing chain.
02. Subject matter & duration
Subject matter: the processing of Customer event data and related personal data by Gurulu for the purpose of delivering the analytics, identity, attribution and notification services described in the Terms.
Duration: the term of the underlying subscription, plus a 30-day post-termination export window. After that, Customer event data is deleted on the next scheduled erasure run subject to the backup retention (35 days) and the audit log retention (7 years).
03. Categories of personal data
Gurulu processes the following categories of personal data on behalf of the Customer:
• Identifiers — anonymous_id, person_id, hashed email, hashed phone, device fingerprint.
• Behavioral — event stream (page views, clicks, custom events), session metadata, funnel positions.
• Technical — IP address (truncated to a coarse region after processing), user-agent, referrer, screen size.
• Consent state — per-event 4-category consent snapshot (Necessary / Analytics / Marketing / Functional).
Gurulu does not require sensitive categories of personal data (GDPR Art. 9). Customers should not send special category data without first contacting privacy@gurulu.io to configure appropriate safeguards.
04. Categories of data subjects
The data subjects are the Customer's end-users — typically visitors, registered users, customers, prospects and any natural person who interacts with the Customer's website, mobile app, server-side workflow or backend webhook.
05. Processor obligations (Article 28(3))
Gurulu commits to:
• Process Customer event data only on documented instructions from the Customer.
• Ensure that personnel authorized to process Customer event data are bound by confidentiality.
• Implement appropriate technical and organizational measures — TLS 1.3 in transit, AES-256 at rest, Postgres RLS, RBAC, default-on audit log, regional isolation.
• Assist the Customer in responding to data subject requests within reasonable timelines.
• Notify the Customer of a personal data breach without undue delay and in any event within 72 hours of becoming aware.
• Delete or return Customer event data at the end of the contract, subject to the retention windows above.
• Make available all information necessary to demonstrate compliance and allow audits no more than once per year (or more frequently when reasonably required by law or by a supervisory authority).
06. Sub-processors
Gurulu uses the sub-processors listed in the Privacy Policy (Hetzner, Resend, Stripe from Phase 2, AWS Bedrock for AI fallback). The Customer hereby grants general authorization for these sub-processors.
Gurulu will notify the Customer at least 30 days before adding or replacing a sub-processor that processes Customer event data. The Customer may object on legitimate data-protection grounds. If the parties cannot agree, the Customer may terminate the affected service with a pro-rata refund for the unused portion of the subscription.
07. International transfers
Customer event data is processed within the European Union (Hetzner Falkenstein primary, Helsinki failover). Where a sub-processor processes data outside the EEA — limited today to AWS Bedrock in eu-central-1 (which is within the EU) for AI fallback only — Standard Contractual Clauses are in place to cover the AWS-internal control plane.
Gurulu does not transfer Customer event data to the United States, China or any other third country without (a) an adequacy decision, (b) Standard Contractual Clauses plus a transfer impact assessment, or (c) explicit Customer instruction.
08. Security measures
Detailed security measures are described on the /security page and are incorporated by reference. In summary: EU residency, tenant isolation (Postgres RLS + ClickHouse per-tenant prefix), encryption (TLS 1.3 + AES-256), magic link + RBAC + scoped API keys, privacy zoning on sensitive routes, default-on audit log with 7-year retention, and a 72-hour breach notification commitment.
09. Liability
Liability under this Addendum is governed by and capped per the limitation of liability clause in the underlying Terms of Service, subject to the mandatory caps under GDPR Art. 82 / KVKK Art. 11 that cannot be excluded by contract.
10. Signatures
For the Free plan this Addendum is accepted by reference at the time of workspace creation — no manual signature is required. Pay-as-you-go customers may request a counter-signed PDF on a Gurulu paper template; we can also review reasonable customer paper provided it does not contradict our security or sub-processor architecture.
For signed-copy or paper-form requests, email legal@gurulu.io. Standard turnaround is 5 business days.