01. Who we are
Gurulu (operated by Gurulu Bilişim, Istanbul, Türkiye) provides a managed SaaS analytics, identity and attribution platform under the brand name Gurulu. This Privacy Policy applies to data we collect through the Gurulu marketing website, the dashboard application, the SDKs we publish, and the support channels we operate.
For data we process on behalf of paying customers (Customer event data), Gurulu acts as a data processor — see the Data Processing Addendum for the controller / processor split.
02. Data we collect
We collect four categories of data:
1. Account data — workspace name, owner email, billing contact, OAuth identifiers (Google / GitHub) when used to sign in.
2. Authentication data — magic link tokens, session cookies, API key metadata (the key value is hashed at rest).
3. Customer event data — events ingested through the SDKs, the ingest API, server-side libraries or the agent / CLI / MCP channels. This data is customer-owned; we hold it as processor.
4. Service telemetry — error reports, performance metrics and product analytics that help us operate Gurulu itself. This is captured with consent and never linked to Customer event data.
03. How we use data
We use the data we collect to:
• Deliver the service you paid for — store, transform and query the events you send us.
• Provide support — respond to your tickets, debug issues, restore data from backup.
• Maintain security — detect abuse, throttle bad actors, log admin actions, run incident response.
• Meet legal obligations — tax reporting, audit history, lawful disclosure requests with notice when permitted.
• Improve the product — aggregate, anonymized usage of the dashboard itself.
We never use Customer event data to train third-party AI models. We never combine Customer event data across tenants without explicit opt-in. We never sell data.
04. Legal bases (GDPR Article 6)
We process personal data under the following legal bases:
• Contract — to deliver the service you signed up for.
• Legitimate interest — to keep the service secure, prevent fraud and abuse, and operate the platform sustainably.
• Consent — for marketing emails, optional analytics on the marketing site, and any feature that explicitly asks for it.
• Legal obligation — tax records, audit logs, regulator disclosure.
You can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
05. Your rights (GDPR Articles 15–22 / KVKK Madde 11)
You can exercise the following rights at any time:
• Access — get a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion (subject to a 30-day grace window for backups and a 7-year legal hold on audit log entries).
• Portability — receive your data in a machine-readable format. Export SLA: 7 days.
• Restriction — pause processing while a dispute is resolved.
• Objection — object to processing based on legitimate interest.
• Withdraw consent — for any consent-based processing.
• Lodge a complaint — with your supervisory authority (KVKK Kurumu in Türkiye, your national DPA in the EU).
To exercise any of these rights, email privacy@gurulu.io. We respond within 30 days.
06. Consent model (GCM v2 aligned)
Gurulu ships with a 4-category consent model, aligned with Google Consent Mode v2 and following the spirit of the IAB TCF:
• Necessary — service delivery, security, billing. Cannot be disabled.
• Analytics — product analytics, behavioral events, attribution.
• Marketing — advertising signals, conversion APIs, retargeting.
• Functional + Personalization — preferences, recommendations, A/B tests.
Every event we ingest carries a consent_state snapshot. Downstream destinations (CAPI, ad platforms) are gated by consent at dispatch time, not at ingestion time, so withdrawing consent stops onward sharing immediately, including for events that were ingested while consent was still granted.
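The difference between gating at ingestion time and gating at dispatch time is easiest to see in code. The following is an added illustration and is not Gurulu's own implementation: the four categories, the destination-to-category mapping, the event shape and the ConsentStore class are all assumptions made for the example. It shows that a snapshot frozen at ingestion keeps forwarding to ad platforms after a withdrawal, while a live lookup at dispatch time suppresses it.

```python
# Added example, not Gurulu's code. Demonstrates dispatch-time consent gating
# versus ingestion-time gating for an event that carries a consent_state snapshot.
from dataclasses import dataclass
from typing import Dict

# Assumed consent categories (the four described in the policy).
CATEGORIES = {"necessary", "analytics", "marketing", "functional"}

# Assumed mapping: each downstream destination requires one consent category.
DESTINATION_CATEGORY: Dict[str, str] = {
    "warehouse": "necessary",          # service delivery: always allowed
    "product_analytics": "analytics",
    "ads_capi": "marketing",           # conversion API / ad platform
    "recommendations": "functional",
}


@dataclass
class Event:
    user_id: str
    name: str
    consent_state: Dict[str, bool]     # snapshot taken at ingestion time


class ConsentStore:
    """Live consent per user. Updated whenever a user grants or withdraws consent."""

    def __init__(self) -> None:
        self._state: Dict[str, Dict[str, bool]] = {}

    def set(self, user_id: str, state: Dict[str, bool]) -> None:
        unknown = set(state) - CATEGORIES
        if unknown:
            raise ValueError(f"unknown consent categories: {sorted(unknown)}")
        merged = {cat: False for cat in CATEGORIES}   # default deny
        merged.update(state)
        merged["necessary"] = True                     # cannot be disabled
        self._state[user_id] = merged

    def withdraw(self, user_id: str, category: str) -> None:
        if category == "necessary":
            raise ValueError("necessary consent cannot be withdrawn")
        self.set(user_id, {**self.current(user_id), category: False})

    def current(self, user_id: str) -> Dict[str, bool]:
        # Unknown user: only 'necessary' is granted (default deny).
        return dict(self._state.get(user_id, {"necessary": True}))


def ingest(store: ConsentStore, user_id: str, name: str) -> Event:
    """Ingest an event and freeze the consent state that applied at that moment."""
    return Event(user_id=user_id, name=name, consent_state=store.current(user_id))


def route(event: Event, store: ConsentStore, gate_at: str = "dispatch") -> Dict[str, str]:
    """Decide per destination whether the event is 'sent' or 'suppressed'.

    gate_at="ingestion" consults the frozen snapshot (stale after a withdrawal).
    gate_at="dispatch"  consults the live store (reflects a withdrawal immediately).
    """
    if gate_at == "ingestion":
        consent = event.consent_state
    elif gate_at == "dispatch":
        consent = store.current(event.user_id)
    else:
        raise ValueError(f"unknown gate point: {gate_at}")

    decisions: Dict[str, str] = {}
    for destination, category in DESTINATION_CATEGORY.items():
        allowed = category == "necessary" or consent.get(category, False)
        decisions[destination] = "sent" if allowed else "suppressed"
    return decisions


def withdrawal_demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: consent granted, event ingested, marketing withdrawn,
    then the same queued event is routed under both gating strategies."""
    store = ConsentStore()
    store.set("u1", {"analytics": True, "marketing": True, "functional": False})
    queued = ingest(store, "u1", "purchase")
    store.withdraw("u1", "marketing")
    return {
        "ingestion_gated": route(queued, store, gate_at="ingestion"),
        "dispatch_gated": route(queued, store, gate_at="dispatch"),
    }


if __name__ == "__main__":
    for strategy, decisions in withdrawal_demo().items():
        print(strategy, decisions)
```

The snapshot on the event is still worth keeping: it records what the user had consented to when the event was captured, which is useful evidence for audit purposes, but it must not be the value that authorizes forwarding. Only the live lookup at dispatch time guarantees that a withdrawal takes effect for events already sitting in a queue.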
07. Data retention
Retention is plan-based and configurable per workspace:
• Free — 6 months for events, 90 days for session replay, 30 days for derived insights.
• Custom — configurable per workspace, up to indefinite for archival workspaces.
Backups are retained for 35 days. Audit log entries are retained for 7 years to satisfy legal hold requirements (tax, regulator disclosure).
08. Sub-processors
We use the following sub-processors, all under signed DPAs:
• Hetzner Online GmbH (DE) — compute, storage, networking. Falkenstein primary, Helsinki failover.
• Resend (NL / US sub-processor) — transactional email (magic link, password reset, billing receipts).
• Stripe (IE for EU customers) — billing and payment processing. Activates from Phase 2.
• Amazon Web Services (Bedrock Nova Lite, eu-central-1) — AI fallback only. Payloads are pseudonymized before transit.
We maintain a public sub-processor list and notify customers 30 days before adding a new sub-processor that processes Customer event data.
09. International transfers
Customer event data stays in the EU by default — Hetzner Falkenstein primary, Helsinki failover. We do not transfer Customer event data outside the EU unless you explicitly opt in.
For Bedrock Nova Lite (AI fallback), payloads are pseudonymized in-region before transit and processed in eu-central-1. Standard Contractual Clauses are in place with AWS to cover the AWS-internal control plane.
10. Children
Gurulu is built for businesses and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@gurulu.io and we will delete it.
11. Changes & contact
We may update this Privacy Policy as the product evolves. Material changes will be announced via email to workspace owners at least 30 days before they take effect. The 'Last updated' date at the top of this page reflects the most recent revision.
Questions, complaints or rights requests: privacy@gurulu.io. We respond within 30 days, usually within 3 business days.