Cookies
This page outlines how GUURU uses cookies and local storage in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the ePrivacy Directive. It is intended to support accurate classification of cookies and to clarify when end-user consent is legally required.
Loading the Script and Displaying the Widget: No Consent Required
The GUURU script and chat button can be loaded and displayed on a website without triggering any cookies or local storage, and without processing personal data. At this stage:
- No information is stored on or accessed from the user’s device
- No data is collected, and no communication is initiated with GUURU services
- The widget remains entirely passive until the user interacts
According to Article 5(3) of the ePrivacy Directive, storing or accessing information on a user’s terminal device requires prior consent, except where the operation is strictly necessary for the provision of a service explicitly requested by the user. As no such operation occurs during initial script load and display, user consent is not required.
This interpretation is confirmed by the European Data Protection Board (EDPB) in its Guidelines 2/2023, which state:
“Scripts or other code that do not result in storing or accessing information on the terminal equipment of the end-user do not fall within the scope of Article 5(3).”
As a result, the GUURU script and button may be safely loaded on all pages, regardless of the user’s cookie consent choices.
Optional Features and Cookie Consent
Under the General Data Protection Regulation (GDPR), cookie consent is required when cookies or similar technologies are used to collect, process, or share personal data, except where the storage is strictly necessary to provide a service explicitly requested by the user.
The GUURU Widget includes a set of optional features that may rely on cookies or local storage. These include:
- Analytics
- Chat Conversions
- Chat Leads
- Proactive Chat
By default, all optional features are enabled when the Widget is initialized. However, if end users do not consent to non-essential cookies, these features should be disabled to ensure compliance with GDPR Article 6(1)(a) and Article 5(3) of the ePrivacy Directive.
To control which features are active, the widget provides a configuration option called
loadFeatures, allowing each feature to be selectively enabled or disabled at runtime.
For a full list of configurable features and usage instructions, see the official documentation
here.
Chat Activation and Interaction: Use of Essential Cookies Only
When a user clicks the GUURU chat button, the chat interface is loaded within an iframe. At this point:
- No cookies or local storage are set
- No personal data is stored or transmitted
The interface includes a clear message:
“To use this service, you must agree to GUURU’s Terms of Service and Privacy Policy.”
Only when the user submits a message is any storage initiated. This submission is considered a clear affirmative action and signifies the user's acceptance of the terms.
At that point, GUURU sets one essential storage item:
chatId– used to preserve the context of the conversation
This identifier is strictly necessary to fulfill the user’s request, specifically, to provide a continuous and functional chat experience. Without it, the system would not be able to associate follow-up responses with the original question.
No tracking, profiling, or non-essential cookies are set at this stage. The use of this essential identifier is compliant with:
- ePrivacy Directive Article 5(3) – storage that is strictly necessary for a service explicitly requested by the user
- GDPR Article 6(1)(b) – processing necessary for the performance of a service contract initiated by the data subject
Classification of the Core Chat Functionality
The basic chat function allows users to ask questions and receive advice. To provide this service in a coherent and continuous manner, it is necessary to retain minimal session-related data.
As the service is triggered by the user and relies on minimal technical storage necessary to fulfill the request, it falls under the exemption from consent under Article 5(3) of the ePrivacy Directive.
Accordingly, the core GUURU chat functionality should be classified as an essential service and does not require consent.
What Local Storage or Cookies Are Used and Under What Conditions?
The GUURU Widget supports a set of optional features such as Analytics, Chat
Conversions, Leads, and Proactive Chat, which may rely on cookies or local storage to
function. These features are not essential to provide the core chat service and are
enabled by default, unless explicitly disabled via the loadFeatures configuration option.
Storage associated with these features is only created if the corresponding feature is enabled during widget initialization. If a feature is disabled or not permitted due to the user's consent preferences, no related cookies or local storage items are set.
All values stored in local storage by the GUURU Widget are kept under a single key,
guuru-state. This key may hold internal state required to support optional functionality, such as:
- Maintaining the chat open across multiple pages
- Preventing repeated display of proactive messages
- Storing interaction history with auto messages
- Keeping the current session context during the conversation
The data within guuru-state is used exclusively for functionality requested by the user, is
not shared with third parties, and does not involve tracking or profiling.
| Name | Feature / Purpose | Storage Type | Duration |
|---|---|---|---|
guuruGa_gid | Analytics: Google Analytics tracking | First-party persistent cookie | 24 hours |
guuruGa | Analytics: Google Analytics tracking | First-party persistent cookie | 1 year |
guuruGa_ga_<container-id> | Analytics: Google Analytics tracking | First-party persistent cookie | 1 year |
guuru-state | Stores internal state for optional features such as proactive chat and session continuity. Includes chat ID, UI preferences, and auto message data. | LocalStorage Key | Persistent data |
Legal Basis:
- GDPR Article 6(1)(a) – for consent-based optional features
- GDPR Article 6(1)(b) – for user-initiated chat
- ePrivacy Directive Article 5(3) – where applicable
- Retention: persistent until cleared or expired manually
For implementation details on how to enable or disable these features via configuration, refer to the developer documentation.
Consent Layer Information for CMP Integration
Below is the full metadata required for integrating the GUURU chat widget and related services into Consent Management Platforms (CMPs) like OneTrust, Usercentrics, Cookiebot, or TrustArc.
Service: GUURU Chat Widget
| Field | Value |
|---|---|
| Service name | GUURU Chat |
| Provider / Processing company | GUURU Solutions AG |
| Company address | Rothusstrasse 21, 6331 Hünenberg, Switzerland |
| Privacy policy URL | https://www.guuru.com/en/privacy-policy/ |
| Data protection officer | dataprotection@guuru.com (Available upon request) |
| Domain(s) | chat.guuru.com, static.guuru.com |
| Script URL(s) | https://static.guuru.com/loader/v1.0/chat.min.js |
| Cookie / localStorage name(s) | - guuru-state (localStorage, used to manage chat state and session context)Optional (only if GA enabled): - guuruGa (optional, analytics cookie – stores session interaction data, 1 year) - guuruGa_gid (optional, analytics cookie – stores session group ID, 24 hours) - guuruGa_ga_<container-id> (optional, Google Analytics cookie – tracks usage events, 1 year) |
| Storage type | localStorage |
| Storage duration | Data stored in localStorage (e.g. guuru-state) is persistent and remains in the user’s browser until manually deleted by the user or automatically overwritten during future chat interactions. |
| Used technologies | JavaScript, iframe, localStorage, WebSockets |
| Categories of processed data | - Chat session ID (pseudonymous) - Submitted chat content - IP address - Optional: Name and Email (if pre-chat form is enabled) |
| Purposes of data processing | Enabling real-time chat between website visitors and experienced product users (brand community experts). Ensuring session continuity and message delivery during the conversation |
| Legal basis | Art. 6(1)(b) GDPR – performance of a contract This legal basis applies as the data subject initiates the chat interaction, and the processing is required to fulfill the service they explicitly request |
| Place of processing | Germany |
| Retention period | Up to 2.5 years (contractual obligations); up to 10 years (statutory/legal obligations) |
| Third country | United States (only for some subprocessors) |
| Transfer safeguards | Standard Contractual Clauses (SCCs), EU-U.S. and Swiss-U.S. Data Privacy Framework |
| Data recipients | - Authorized GUURU personnel - Client admins (with dashboard access) - Subprocessors listed below |
| Opt-in required? | No (for core chat); Yes (for analytics) |
| Opt-in required? | - No opt-in is required. The core chat functionality, including optional AI-based features such as routing or classification, is considered essential for delivering the requested service and falls under Art. 6(1)(b) GDPR. - Optional analytics, if enabled, require separate opt-in. |
| Consent type | Not required for core chat and AI-based support features. Explicit consent required for optional analytics (if enabled). |
| CMP category | - Essential / Functional : Core chat including AI-powered routing. - Performance / Statistics : A separate CMP entry under is required only if analytics features are enabled |
| Subprocessors / Third-party services | See list below |
Subprocessors and Third-Party Services
| Service | Purpose | Location | Safeguards | Data Involved |
|---|---|---|---|---|
| Google Cloud Platform (GCP) | Hosting, infrastructure, backend and DB hosting | EU (primary) | SCCs, ISO 27001, SOC 2 | Chat data, user metadata |
| Cloudflare | CDN, DDoS protection, firewall, edge routing | Global (configured for EU compliance) | EU-U.S. Data Privacy Framework, SCCs | IP address, routing headers |
| SendGrid (Twilio) | Email delivery for transactional messages (e.g. chat transcripts, notifications) | USA | SCCs, ISO 27001, SOC 2 | Email address, message content |
| HubSpot | CRM and support ticketing (used by GUURU staff for client support interactions) | USA (EU data hosting available) | SCCs, ISO 27001 | Contact details, email content, possible chat refs |
| Sentry | Application error logging and performance monitoring | EU (where available) | SCCs, EU-hosted data | Error traces, session ID, anonymized metadata |
| ipdata | IP geolocation, fraud detection | USA | SCCs, Privacy Framework | IP address |
| OpenAI API | Optional AI features (e.g. summarization, routing, classification) | USA | SCCs, Privacy Framework | Anonymized chat segments (if enabled) |
| Google Analytics | Website analytics (on guuru.com only, not embedded in client pages unless integrated by client) | USA / Global | IP anonymization, SCCs, Privacy Framework | Page views, interactions, truncated IPs |
Notes
- Personal data is only shared with subprocessors as necessary for service delivery and support.
- OpenAI and other AI-related subprocessors are only active when specific features are enabled per client configuration.
- All transfers outside of Switzerland or the EEA are covered by legally required safeguards (e.g., SCCs or adequacy decisions).
Additional Information
For a detailed breakdown of which features rely on which cookies or storage mechanisms, please contact support@guuru.com .