Privacy Policy
Last updated: 2026-05-11
1. Who we are
GuruMood ("GuruMood", "we", "our") is the data controller for personal data we collect through this website, our marketing communications, and our services directed to visitors and prospective customers. When we process personal data on behalf of our customers to deliver contracted services (for example, end-user data flowing through AI agents that a customer deploys), we act as a data processor and those activities are governed by our Data Processing Addendum (DPA).
Contact: privacy@gurumood.com. If you reside in the EEA or UK and require a local representative, we will provide details on reasoned request.
2. Scope of this policy
This Privacy Policy explains how we collect, use, share, and protect personal data when you (a) visit gurumood.com; (b) request information, demos, or services; (c) subscribe to communications; (d) interact with our team by email, WhatsApp, voice, or forms; (e) use any free public tools offered on the site.
When our customers deploy agents, automations, or integrations using our services, the customer is the data controller of their own end-users' data. The customer's privacy policy applies to that data; we act as a processor under the DPA.
3. Personal data we collect
We collect and process the following categories of personal data:
- Identification and contact data: name, email, phone, job title, company, country.
- Account data: credentials, preferences, language, timezone, activity logs.
- Billing data: legal name, tax address, tax ID, payment method (processed by PCI DSS payment providers on our behalf).
- Communication data: content of emails, WhatsApp messages, voice calls, chats, and form submissions, including metadata and attachments you send us.
- Technical and usage data: IP address, device identifiers, browser type, operating system, URLs visited, referrer, timestamps, interaction events.
- Cookie and similar-technology data: see our Cookie Policy.
- Third-party data: information we receive from integrated platforms such as Meta (Facebook, Instagram, WhatsApp), Google (Workspace, Ads, Analytics, Search Console, Business Profile), LinkedIn, and others when you or your organization authorize those integrations.
- End-user data processed on behalf of customers: when we operate agents, chatbots, campaigns, or automations for a customer, we may process end-user data that the customer controls (for example, conversations, customer profiles, and events).
We do not ask for special category data (racial origin, health, sexual orientation, biometric data, etc.). If you send it to us voluntarily, we delete it unless there is a clear legal basis to retain it.
4. Sources of data
- Directly from you: forms, contracts, emails, calls, demos, and use of our tools.
- Automatically: when you use the website and services, via cookies, pixels, and server logs.
- From authorized third parties: platforms connected via official APIs (Meta, Google, etc.), B2B enrichment providers operating under valid legal bases, and referrals.
5. Purposes and legal bases (GDPR Art. 6)
We only process personal data when a legal basis applies:
- Performance of a contract (Art. 6(1)(b)): providing services, managing your account, billing, responding to requests.
- Legitimate interests (Art. 6(1)(f)): improving and securing the service, fraud prevention, network and information security, aggregated analytics, and direct marketing to existing customers (subject to the right to object).
- Consent (Art. 6(1)(a)): non-essential cookies, newsletters, marketing communications to prospects, optional integrations, and any processing that legally requires consent. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): accounting, tax, responding to lawful requests, regulatory compliance.
- Vital interests or public interest: only in exceptional circumstances.
6. How we use data
- Provide, operate, and maintain the site, services, and AI agents.
- Manage customers: contracts, support, billing, renewals.
- Communicate with you: service notices, security updates, responses to enquiries, legal notifications.
- Marketing and analytics (with the appropriate legal basis): usage measurement, product improvement, re-engagement of existing customers, consented newsletters.
- Compliance, fraud prevention, and security: abuse detection, audits, access logs, incident management.
- Fulfill contractual obligations with third-party platforms (Meta, Google, etc.) and enforce our own policies.
7. Use of Meta APIs (WhatsApp, Facebook, Instagram)
When our services integrate with Meta products — including the WhatsApp Business Cloud API, Facebook/Instagram Graph API, and Meta Marketing API — we act in accordance with the Meta Platform Terms, Meta Developer Policies, and the WhatsApp Business Messaging Policy.
- We access only the data strictly necessary to deliver the service requested by the customer, and only through official, approved APIs.
- We do not sell, license, or transfer data obtained from Meta platforms to third parties for our own marketing purposes.
- We do not use Meta user data to build or enrich profiles for unauthorized purposes, or for decisions that affect individuals' rights without a valid legal basis.
- We respect WhatsApp's 24-hour customer service window and only send pre-approved template messages when applicable, always following a verifiable end-user opt-in.
- We delete Meta platform data when it is no longer needed, when the customer requests it, or when Meta requires it.
- We implement appropriate technical and organizational measures to protect data received from Meta, including encryption in transit and at rest, role-based access control, and audit logging.
8. Use of Google APIs and Limited Use Policy
When our services access Google user data through APIs (for example, Google Workspace, Gmail, Drive, Calendar, Google Ads, Google Analytics, Search Console, Google Business Profile), we comply with the Google API Services Terms of Service and the Google API Services User Data Policy, including the Limited Use requirements for restricted and sensitive scopes.
- Limited Use: GuruMood's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Minimum scopes: we only request the minimum OAuth scopes needed for the functionality the user authorizes.
- No unauthorized transfer: we do not transfer Google user data to third parties except (i) to provide or improve user-facing features that are prominent in the application, (ii) for security purposes, (iii) to comply with applicable law, or (iv) with the user's explicit consent.
- No advertising: we do not use data obtained from restricted Google scopes to serve advertising, nor to train generalized AI models.
- No human access: we do not allow humans to read Google user data except (i) with the user's explicit consent, (ii) for security, (iii) to comply with applicable law, or (iv) when the data is anonymized and aggregated for internal operations.
- Revocation: users can revoke access at any time via their Google account; once revoked, we delete associated tokens and data according to our retention policy.
9. Who we share data with
We share personal data only in the following circumstances:
- Sub-processors: cloud infrastructure providers, AI model providers, communications providers (WhatsApp/SMS/voice), analytics, support, and payments, all bound by written agreements with data protection clauses. The current public list is at /en/legal/sub-processors.
- Platforms you integrate: Meta, Google, or others, according to the authorizations you grant.
- Authorities and advisors: where required by law or to defend legal rights.
- Corporate transactions: in the event of a merger, acquisition, or asset sale, with prior notice where required.
- With your consent: when you expressly request or authorize it.
We use industry-leading cloud infrastructure providers such as AWS and DigitalOcean to ensure the highest level of data security and encryption.
We do not sell personal data in the sense of the CCPA/CPRA. We do not use customer data to train foundation models.
10. International transfers
We operate globally and may transfer personal data outside the EEA, UK, or Switzerland. When we do, we apply appropriate safeguards: (i) European Commission adequacy decisions; (ii) EU Standard Contractual Clauses (SCCs) 2021/914; (iii) the UK International Data Transfer Addendum; (iv) the Swiss Addendum; and (v) supplementary measures where needed, including encryption, pseudonymization, and strict access controls.
11. Data retention
We retain personal data only for as long as necessary for the purposes for which it was collected, to comply with legal obligations, resolve disputes, and enforce our agreements. See our Data Retention Policy for category-level retention periods.
12. Your rights
Depending on your jurisdiction, you may have the following rights:
- Access: obtain confirmation of processing and a copy of your data.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): deletion where legally required.
- Restriction of processing: pause processing in certain circumstances.
- Object: object to processing based on legitimate interest or to direct marketing.
- Portability: receive your data in a structured, commonly used format.
- Withdraw consent at any time without affecting the lawfulness of prior processing.
- Lodge a complaint with your data protection authority (list of EU DPAs at edpb.europa.eu).
- Not be subject to solely automated decisions with significant effects (GDPR Art. 22), with a right to human intervention.
- California residents (CCPA/CPRA): right to know, delete, correct, opt out of sale/sharing, limit the use of sensitive personal information, and non-discrimination for exercising these rights.
To exercise your rights, write to privacy@gurumood.com. We will respond within the legal deadlines (typically 30 days). We may require reasonable identity verification.
13. Security
We apply technical and organizational measures proportionate to the risk, including: TLS encryption in transit and AES-256 at rest, role-based access control with least privilege, multi-factor authentication for personnel, centralized logging, security monitoring, periodic penetration testing, vulnerability management, a secure development lifecycle, staff training, and a documented incident response plan. Additional detail is available in our Trust Center.
14. Breach notification
In the event of a personal data breach, we will notify competent authorities and/or affected individuals within the timelines required by applicable law (e.g., 72 hours of awareness under the GDPR) and consistent with our contractual obligations to customers as a processor.
15. Children
Our site and services are not directed to individuals under 16 (or the minimum applicable age in your jurisdiction). We do not knowingly collect data from minors without valid parental consent. If you believe we have collected data from a minor, contact us and we will delete it.
16. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your preferences through the consent banner or your browser controls.
17. Third-party links and services
Our site may contain links to third-party sites or services. We are not responsible for their privacy practices. We recommend reviewing their policies before providing them with data.
18. Changes to this policy
We may update this policy from time to time. We will post the updated version on this page with a new "last updated" date. For material changes, we will notify you through reasonable means (email or site notice).
19. Contact
For any privacy enquiry, write to privacy@gurumood.com. For formal requests under GDPR or similar laws, please include "Rights Request" in the subject line.