Privacy Policy

Last updated: 24.10.2023

Welcome to GoRules’ Privacy Policy!

Please note that this Privacy Policy applies to personal data that is collected and processed in the course of providing a Product (as defined in Terms of Service) by GoRules Technologies d.o.o. Čačak, with registered seat at Trg narodnog ustanka 2, 32000 Čačak, Republic of Serbia, CIN: 21925713, TIN: 113787086, (hereinafter: “GoRules”, or “we”).

GoRules, as a Data Controller or Data Processor, (collects and) processes personal data relating to interactions on the Platform (as defined in the Definition Section of this Privacy Policy). This Privacy Policy describes how GoRules uses and protects any information that you share with us in relation to our Platform.

We believe in full transparency, which is why we keep our Privacy Policy simple and easy to understand.

We strongly urge you to read this Privacy Policy and make sure that you fully understand and agree with it. If you do not agree to this Privacy Policy, please do not access, or otherwise use GoRules Platform. In case there is anything that you would like to ask us regarding this Privacy Policy, please send your inquiry to [email protected].

Along with the Terms of Service, this Privacy Policy represents a contract between you and GoRules. Thus, any capitalized but undefined term in this Privacy Policy shall have the meaning given to it in the definitions section of the Terms of Service.



1. Definitions

AccountThe account assigned to the Client or User, whose purpose is to enable the Client or User to access and use the Product and manage the User/Client Content.
ClientA company (legal entity) or an independent developer (natural person) represented by User(s) registered on its behalf, who enters into the Agreement with GoRules.
ConsentYour explicit consent on the processing of personal data. Persons who are 16 years of age or older may give free consent to the processing of their personal data.
CookiesCookies and other similar technologies (e.g. web beacons, LocalStorage, etc.) are small pieces of data stored on your device (computer or mobile device). This information is used to track your use of the Platform and to compile statistical reports on Platform activity.
Data ControllerAn entity that alone or jointly with others determines the purposes and means of the processing of personal data.
Data ProcessorAny natural or legal person who processes the data on behalf of the controller.
Data Protection Lawa) Law on Personal Data Protection (“Official Gazette of the RS” no. 87/2018)and / or b) General Data Protection Regulation 2016/679.
Data Subject, or youAny natural person that shares personal data with us via Platform, or in relation to Platform (e.g. via email).
Platform or ProductGoRules software platform made available through any of GoRules’ self-hosted subscription packages or though cloud-based subscription package, as well as related products and services that we provide, individually and collectively. It is important to note that this definition does not encompass any open-source software developed by GoRules.
Personal data or dataAny information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, either directly or indirectly. Therefore, data about a company or any legal entity is not considered to be personal data but registering on behalf of a legal entity may include sharing personal data. For example, information about one-person companies may constitute personal data where it allows the identification of a natural person. The rules also apply to all personal data relating to natural persons in the course of professional activity, such as the employees of a company or organization, and business e-mail addresses like “[email protected]”. This Privacy Policy does not apply to information from which no individual can reasonably be identified (anonymized information).
ProcessingAny operation or set of operations that is performed on personal data or sets of personal data. This includes activities such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
UserAn individual engaged by the Client, including but not limited to Client’s employees, developers, consultants and contractors, and registered on the Platform by the Client.


In relation to your personal data processed via the Platform, GoRules may be either a Data Controller or Data Processor.

When GoRules acts in the capacity of a Data Controller, GoRules determines the purposes and means of the processing of personal data. The purpose of data processing is the reason why we process your personal data. The table in Section 3.1 of the Privacy Policy presents the purposes and legal basis for data processing. In those cases, GoRules is responsible for your personal data.

Apart from Section 3.2, this Privacy Policy primarily contains information on processing your data in the capacity of a Data Controller. Should you have any inquiries, or you wish to exercise any of the rights of a Data Subject stipulated in Section 9, please contact us:

Given that GoRules strongly supports fair personal data processing, despite being only a Data Processor in the below-listed cases, we made an additional effort to explain such personal data processing via Platform - in Section 3.2 of this Privacy Policy.

The information contained therein outlines how personal data processing via GoRules’ Platform functions in general. But if you wish to send an inquiry, or exercise any of the rights which you may have under the applicable data protection law as the Data Subject, please contact the Client directly, as they hold the position of Data Controller.

Since GoRules is a company operating under the laws of the Republic of Serbia and falls under the scope of application of the Data Protection Law, GoRules as a Data Processor is obliged to sign the Data Protection Addendum to the Terms of Service ("DPA"), with the Client as a Data Controller. The DPA reflects the agreement between the Client and GoRules regarding the terms which govern the processing of personal data under GoRules' Terms of Service. Signing the DPA will be considered as an amendment to the Agreement (within the meaning of the Definitions Section of Terms of Service) and will be considered to form a part of the Agreement.


We may collect and receive information about you in various ways:

Personal data we may collect automatically

Each time you use Platform we may automatically collect the following information:

Please read our Cookie Policy in order to find out more about these technologies.


GoRules will primarily have the role of Data Processor in relation to the collection and processing of your personal data via the Platform. However, for the purpose of complete transparency, we list possible occasions in which GoRules can find itself in the role of Data Controller.

Client’s organization name, first and last name, business email address, Client’s website, size of the Client’s company.Creating and maintaining Client’s Account at the Platform according to the Terms of Service.Processing is necessary for the performance of the Agreement.Until the Account is deleted in accordance with the Terms of Service.

Payment information

Card holder name, Card number, Expiration date, Security code Billing Information: First name, Last name, Company, VAT ID, Contact Email, Address, Country, State, City, ZIP code
When subscribing to any of the Platform’s paid subscription packages or when changing any Platform’s paid subscription packages in accordance with the Terms of Service, this information is being collected by GoRules directly or a third-party processor.Processing is necessary for the performance of the Contract (as defined in Section 1 of this Privacy Policy).We keep only the last four digits of the credit card number under subscription billing info until such Contract is terminated and for the period necessary to comply with the applicable financial and tax accounting and other statutory obligations in accordance with the applicable law (Section 13 of the Terms of Service).

Additional Data

i.e., data you decide to share with us by contacting us.
If you send us an inquiry or otherwise request support, we will collect the data you decide to share with us.Processing of personal data is either necessary to provide a Product or part thereof or the processing is based on your consent.If the processing is based on your consent, we keep the information until you withdraw your consent or for one year, whichever date comes first.
Information necessary for identification, time and date of data subject’s requestTo allow Data Subjects to exercise their rights in accordance with this Privacy Policy, as defined in Section 9.Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.We keep this information for a period of one year.
Other personal dataFor the prevention and detection of fraud, money laundering or other crimes or to respond to a binding request from a public authority or court.The processing is necessary to comply with legal and regulatory obligations.In accordance with the applicable statutory deadlines.


As previously stated, concerning some of your personal data processed on the Platform, GoRules is a Data Processor, and the Client is the Data Controller. GoRules processes personal data following instructions from the Data Controller under the Terms of Service, and DPA (if any).

The purpose of such personal data processing includes but is not limited to: inviting Clients and Users to the Platform, creating Accounts for Clients and Users, adding mandatory and optional data to the Accounts, adding system user roles, adding permissions to the Accounts, sending relevant notification in relation to the usage of the Platform. GoRules processes these data when the Platform is being used in the form of a Cloud-based Product, as well as when Users are registering on the Portal in order to use the Self-hosted Product. Besides that, GoRules might process data that is required for support reasons, in accordance with the Agreement or with Clients/Users explicit permission. Also, GoRules collects telemetry necessary for the validation of the license for the use of the Self-hosted version of the Platform.

As a processor, GoRules is permitted to collect, use, disclose and/or otherwise process your personal data only in accordance with its contracts with the Client.

3.2.1 Processing prior to using the Product

a) User's data

3.2.2 Processing during the usage of the Platform

User's data

Cloud-based Product

If you decide to accept the invitation sent to your email to use the GoRules’ Platform, you will be required to confirm your registration. To finalize the registration and create the account, you will need to enter an SSO pop-up or a confirmation code and confirm your email address.

Optional data, that the Client or the User may add within the Platform are:

Self-hosted Product

If you decide to accept the invitation sent to your email via Portal, you will be required to confirm your registration. To finalize the registration and create the account, you will need to enter an SSO pop-up or a confirmation code and confirm your email address. You will aslo be required to add your company’s name (name of the Client who added you) and its website, if it exists. After registration, you will be able to acquire a software license key to access the Self-hosted Product. In regards to Self-hosted Product, GoRules is only processing personal data needed to register on the Portal and it is not processing personal data Users upload on the Self-hosted Product while using the Product.

If you have any questions regarding the legal basis for such personal data processing, please contact the Client who added you to the Platform.


GoRules will never:


We take administrative, technical, organizational, and other measures to ensure the appropriate level of security of personal data we process. Upon assessing whether a measure is adequate and which level of security is appropriate, we consider the nature of the personal data we are processing and the nature of the processing operations we perform, the risks to which you are exposed by our processing activities, the costs of the implementation of security measures and other relevant matters in the particular circumstances.

Some of the measures we apply include access authorization control, protection of integrity and confidentiality, data backup, firewalls, data encryption and other appropriate measures. We equip our staff with the appropriate knowledge and understanding of the importance and confidentiality of your personal data security.

Whenever we save your personal information, it’s stored on servers and in facilities that only selected personnel and our contractors have access to. We encrypt all data that you submit through Platform during transmission using SSL in order to prevent unauthorized parties from viewing such information. Remember – all information you submit to us by email is not secure, so please do not send sensitive information in any email to GoRules. We never request that you submit sensitive or personal information over email, so please report any such requests to us by sending an email to [email protected].

We protect personal information you provide online in connection with registering an account via GoRules’ Platform. Access to your own personal information is available through an Account created by you.. To protect the security of your personal information, never share your credentials with anyone. Please notify us immediately if you believe your Account has been compromised.


GoRules utilizes external processors and sub-processors for certain processing activities. We conduct information audits to identify, categorize and record all personal data that is processed outside our company, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. The list of our sub-processors is approved by the Client.

We have strict due diligence procedures and measures in place and review, assess and background check all processors prior to forming a business relationship. We obtain company documents, certifications, references and ensure that the processor is adequate, appropriate, and effective for the task we are employing them for.

We audit their processes and activities prior to contract and during the contract period to ensure compliance with the data protection regulations and review any codes of conduct that oblige them to confirm compliance.

This is the list of processors and sub-processors with whom we share your personal data:

AMAZON WEB SERVICESCloud service providerUnited States of America
DIGITAL OCEANCloud service providerThe Netherlands
MICROSOFT AZURECloud service providerUnited States of America

We may also share your personal data with our outside accountants, legal counsels, and auditors.

Moreover, we may disclose your personal information to third parties:

Please note that personal information may be disclosed or transferred as part of, or during negotiations of, a merger, consolidation, sale of our assets, as well as equity financing, acquisition, strategic alliance or in any other situation where personal information may be transferred as one of the business assets of GoRules.

We do not have a list of all third parties we share your data with. However, if you would like further information about who we have shared your data with, you can request this by contacting us at [email protected].


We may transfer your personal data to countries other than the one you reside in. In that case, we will also apply appropriate technical and organizational measures to ensure an adequate level of security in respect of all personal data we process. If the Data Protection Law applies to you, we make sure that such transfer is made:

  1. to the countries within the EEA;
  2. to the countries which ensure an adequate level of protection;
  3. to the countries which do not belong to those specified under item 1. and 2, but only by applying the appropriate safeguard measures (such as Standard Contractual Clauses adopted by the European Commission)

If you would like to obtain more information about these protective measures, please contact us at [email protected].

When using Cloud Product Your personal data is stored on servers located in the Netherlands (Digital Ocean, Microsoft Azure) and North Virginia, United States of America (Amazon Web Services). When using Self-hosted Product, your personal data is stored on Client’s servers.


The period for which we store your personal data depends on a particular purpose for the processing of personal data, as explained in detail in Section 3. We retain personal data for as long as we reasonably require it for legal or business purposes. In determining data retention periods, we take into consideration the applicable law (see Terms of Service), contractual obligations, and the expectations and requirements of our Clients. When we no longer need personal information, or when you legitimately request us to delete your information, we will securely delete or destroy it.

However, as an exception to the retention periods in Section 3 the data may be processed to determine, pursue, or defend claims and counterclaims.


Given that fairness and transparency are our cornerstone principles, we wanted to remind you of the rights that you have as a Data Subject. These rights may be exercised by Data Subject when GoRules operates as a Data Controller.

If your inquiry or exercise of any of the Data Subject's rights relates to the data processed by the Client as a Data Controller as explained in Section 3.2 of the Privacy Policy, please contact the Client (that you have linked your Account with).

In the event GoRules receives a request for exercising any of these rights directly from a Data Subject, we are obliged to notify the Client before responding to such a request.

Right of Access

You can send us a request for a copy of the personal data we hold about you.

We have ensured that appropriate measures have been taken to provide such in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Such information is provided in writing free of charge. It may be provided by other means when authorized by the Data Subject and with prior verification as to the subject's identity.

Information is provided to the Data Subject at the earliest convenience, but at a maximum of 30 days from the date the request was received. Where the provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary.

Right to Object to Processing

You have the right to object to the processing of your personal data where that processing is being undertaken based on the Data Controller’s legitimate interest. In such a case the Data Controller is required to cease processing your data unless they can demonstrate adequate grounds that override your objection.

Right to Correction of Your Personal Data

If your personal data processed by the Data Controller is incorrect, you have the right to request that we correct those data. Where notified of inaccurate data by the Data Subject, we will rectify the error within 30 days and inform any third party of the rectification if we have disclosed the personal data in question to them.

Right to Erasure

You have the right to request that your personal data is deleted in certain circumstances, such as:

However, this right does not apply where, for example, the processing is necessary:

Each User can deactivate its User Account. Please note that some data will be kept for our internal business purposes, legal, financial, and accounting purposes.

Right to Restriction of Processing

You can exercise your right to the restriction of processing in the following situations:

Right to Data Portability

Where you have provided personal data to us, you have the right to receive such personal data back in a structured, commonly used and machine-readable format, and to have those data transmitted to a third-party without hindrance, but in each case only where:

Right to Withdraw the Consent

If you have provided your consent to the collection, processing, and transfer of your personal data, you have the right to fully or partly withdraw your consent. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another legal ground for the processing.

Right to Lodge a Complaint

If you have any concerns or requests in relation to your personal data, please contact us at [email protected] and we will respond as soon as possible but not later than 30 days.

If you are unsatisfied with our response, you may also contact the competent supervisory authority at your country of residency or Commissioner for information of public importance and personal data protection, , Bulevar kralja Aleksandra 15, 11120 Belgrade, telephone number: (+381) - 11 - 3408 900,


Any changes we may make to our Privacy Policy will be posted on this page and where appropriate may be notified to you by email or advised to you on the next login to the Platform. If you continue with the use of the Platform after the changes were implemented, that will signify that you agree to any such changes.