Privacy Policy
Last updated: April 2026
1. Introduction
Gurulu ("we", "us", "our") is a web analytics, error tracking, and customer data platform operated by Monafy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal data. This policy applies to all users of the Gurulu platform, including our website (gurulu.io), dashboard, APIs, SDKs, and CLI tools. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK, Law No. 6698).
2. Data We Collect
**Account data:** When you sign up, we collect your email address and workspace name. If you authenticate via Google OAuth, we receive your name and email from Google. **Analytics data (processed on your behalf):** When you install Gurulu on your website or app, we collect events, page views, sessions, referrers, UTM parameters, device type, browser, OS, country, and language from your end users. This data is collected and processed on your behalf as a data processor. **Error data:** JavaScript errors, stack traces, browser information, device info, and breadcrumbs leading to the error. This data is collected from your end users' browsers. **Usage data:** How you interact with the Gurulu dashboard, including pages visited, features used, and session duration. This helps us improve the product.
3. How We Use Data
We use your data to: (a) provide and maintain the Service, including analytics dashboards, error tracking, and CRM features; (b) improve and develop new product features based on aggregated usage patterns; (c) send transactional notifications such as alerts, weekly reports, and account-related emails; (d) ensure security and prevent abuse of the platform; (e) comply with legal obligations.
4. Legal Basis for Processing
Under GDPR, we process your data on the following legal bases: **Contract performance** (Article 6(1)(b)) for account data and service delivery; **Legitimate interest** (Article 6(1)(f)) for analytics data processing, product improvement, and security; **Consent** (Article 6(1)(a)) for optional marketing communications, which you can withdraw at any time. Under KVKK, we process your data based on explicit consent and contractual necessity as defined in Article 5 of the law.
5. Data Processing & Storage
All data is processed and stored on servers located in the European Union. Our primary infrastructure is hosted by Hetzner Online GmbH in Falkenstein, Germany. The data center is ISO 27001 certified. We use PostgreSQL for account data and ClickHouse for analytics event data, both running on EU-based servers.
6. Sub-processors
We use the following sub-processors to deliver the Service: • **Hetzner Online GmbH** — Infrastructure hosting, Falkenstein, Germany. Stores all primary data. • **Cloudflare Inc** — CDN, DNS, and DDoS protection. Global edge network with EU data processing agreements in place. • **Resend Inc** — Transactional email delivery, United States. Data Processing Agreement (DPA) in place. Only receives email addresses for delivery. • **Minimax** — AI processing for natural language queries and insights. API calls only; no customer data is stored by Minimax.
7. Data Retention
Analytics event data is retained based on your site configuration, with a default retention period of 1 year. You can configure shorter or longer retention periods per site in your dashboard settings. Account data is retained for as long as your account is active. Upon account deletion, all associated data is permanently removed within 30 days. Backups containing deleted data are purged within 7 days of the backup rotation cycle.
8. Your Rights Under GDPR
If you are in the European Economic Area, you have the following rights: **Right of access** — request a copy of your personal data; **Right to rectification** — correct inaccurate personal data; **Right to erasure** — request deletion of your personal data; **Right to data portability** — receive your data in a structured, machine-readable format; **Right to restriction** — request limited processing of your data; **Right to object** — object to processing based on legitimate interest. To exercise any of these rights, contact us at privacy@gurulu.io. We will respond within 30 days.
9. Your Rights Under KVKK
Under the Turkish Personal Data Protection Law (KVKK), you have the right to: learn whether your personal data is processed; request information about processing; learn the purpose of processing and whether data is used accordingly; know the third parties to whom your data is transferred; request correction of incomplete or inaccurate data; request deletion or destruction of your data under Article 7; object to automated decision-making; and claim compensation for damages arising from unlawful processing. You may withdraw your explicit consent at any time. To exercise your KVKK rights, contact us at privacy@gurulu.io.
10. International Data Transfers
Your data is primarily stored in the EU (Germany). Where data is transferred outside the EU/EEA (e.g., to Resend for email delivery), we ensure adequate protection through Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally recognized transfer mechanisms. For transfers from Turkey, we comply with the requirements of the KVKK and the Personal Data Protection Board.
11. Cookies
Gurulu.io (our marketing site and dashboard) uses only essential cookies required for authentication and session management. We do not use any tracking cookies, advertising cookies, or third-party analytics on our own website. The Gurulu analytics script installed on your websites is cookieless by default and does not set any cookies on your end users' browsers.
12. Children
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at privacy@gurulu.io and we will take steps to delete such data.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes via the email address associated with your account. The "Last updated" date at the top of this page indicates when this policy was last revised.
14. Data Processing Agreement
A Data Processing Agreement (DPA) is available upon request for customers who require one for GDPR compliance. Contact us at privacy@gurulu.io to request a signed DPA.
15. Contact
For any questions about this Privacy Policy or your personal data, contact us at privacy@gurulu.io.