Cookies
Last updated 30 Apr 2026
Cookie Policy
This Cookie Policy explains what cookies and similar technologies we use on korena.eu, why we use them, and how you can control them. It complements the Privacy Policy and is required by the EU ePrivacy Directive 2002/58/EC and the GDPR.
Cookie inventory verified against the storefront codebase on 2026-05-03 by static analysis. (Pre-launch: no automated scanner pass against a deployed Site has been performed yet; that re-verification is scheduled for first public launch.)
1. What cookies are
Cookies are small text files that a website places on your device when you visit. They are widely used to make websites work, to make them work more efficiently, and to provide information to the site owner. Throughout this Policy "cookies" includes other similar technologies such as localStorage, sessionStorage, web beacons, and pixel tags, where they perform a comparable function.
2. Categories of cookies we use
We classify the cookies on korena.eu into four categories:
- Strictly necessary: required for the Site to function (authentication, cart, checkout, security). These are set without prior consent under the ePrivacy Directive "strictly necessary" exception; they are justified by contractual necessity, legal obligation, or documented legitimate interests. Disabling them will break the Site.
- Preferences: remember choices you make to improve your experience (e.g., language). Set only on your explicit consent.
- Analytics: help us understand how visitors use the Site, in aggregate. Set only on your explicit consent.
- Marketing: used to deliver relevant advertising or measure marketing effectiveness across sites. We do not currently set any marketing cookies. This Policy will be updated before any marketing cookie is introduced.
3. Cookie inventory
The table below lists every cookie we expect to set as of the date at the foot of this Policy. The live list is reconciled at every release.
This list was last reconciled by static analysis of the storefront codebase on 2026-05-03. An automated cookie-scanner pass against the deployed Site (Cookiebot or equivalent) is scheduled before first public launch; any deviation will be reflected here.
3.1. Strictly necessary
| Cookie | Set by | Purpose | Type | Lifetime |
|---|---|---|---|---|
| sb-<project-ref>-auth-token (chunked: …-auth-token.0, .1, …) | korena.eu (Supabase Auth via @supabase/ssr) | Holds your authenticated session (combined access + refresh token, JSON). Used for both admin sign-in and customer accounts. | First-party HTTP cookie, HttpOnly, SameSite=Lax, Secure in production | 1 year (refresh-token-bearing); access token within is rotated ~hourly |
| cart_session | korena.eu | UUID identifying your anonymous cart so items persist between visits and reservations stay tied to you through checkout. | First-party HTTP cookie, HttpOnly, SameSite=Lax, Secure in production | 30 days |
| korena_pwd_recovery | korena.eu | Short-lived marker set when you click an account password-reset link, so the reset form will accept a new password. | First-party HTTP cookie, HttpOnly, SameSite=Lax, Secure in production | 10 minutes |
| korena_site_gate_unlock | korena.eu | HMAC-signed token issued only when the site is in coming-soon / maintenance mode and you've entered the shared access password. Absent in normal operation. | First-party HTTP cookie, HttpOnly, SameSite=Lax, Secure in production | 30 days |
| korena_consent | korena.eu | Records your Consent Mode v2 choices (per category) and policy version, so the banner is not re-shown on every page. Mirrored in localStorage under korena.consent.v1. | First-party HTTP cookie, SameSite=Lax, Secure on HTTPS | 180 days |
| __stripe_mid, __stripe_sid | Stripe (set when Stripe.js loads on the payment step of checkout) | Fraud prevention on payment. Stripe.js is loaded only on the payment step of the checkout flow, not site-wide. | Third-party HTTP cookie set by js.stripe.com | __stripe_mid 1 year, __stripe_sid 30 minutes |
3.2. Preferences
| Cookie | Set by | Purpose | Type | Lifetime |
|---|---|---|---|---|
| korena_store | korena.eu | Remembers your selected country store (e.g. bg) so we can route you to the right currency, VAT, and shipping setup on return. | First-party HTTP cookie, SameSite=Lax, Secure in production | 1 year |
| korena_language | korena.eu | Remembers your chosen content language (e.g. en, bg). | First-party HTTP cookie, SameSite=Lax, Secure in production | 1 year |
| korena_consent_vid | korena.eu | Random visitor identifier scoped to the consent log, so we can prove which device made which consent choice if challenged. | First-party HTTP cookie, SameSite=Lax, Secure on HTTPS | 180 days |
| hendylabs_store (legacy, read-only) | korena.eu | Legacy name for korena_store from a prior brand. Read for back-compat only; the Site never writes a new value. Will be removed in a future release. | First-party HTTP cookie | Whatever the original cookie set |
| (localStorage) korena.consent.v1 | korena.eu | Mirror of the korena_consent cookie used by client-side code that prefers localStorage over cookies. Same data, same expiry. | Browser storage (not a cookie) | Until cleared |
3.3. Analytics
| Cookie | Set by | Purpose | Type | Lifetime |
|---|---|---|---|---|
| korena_vid | korena.eu | Pseudonymous visitor identifier (UUID v7) used to deduplicate first-party analytics events across sessions. Only written when you grant analytics consent. | First-party HTTP cookie, SameSite=Lax, Secure in production | ~13 months (395 days), refreshed on each visit |
| korena_sid | korena.eu | Pseudonymous session identifier with a 30-minute sliding window. Only written when you grant analytics consent. | First-party HTTP cookie, SameSite=Lax, Secure in production | 30 minutes (sliding) |
| korena_cid | korena.eu | Customer identifier set after newsletter signup, checkout, account login, or order lookup so we can attribute repeat events to the same person. Only written when you grant analytics consent. | First-party HTTP cookie, SameSite=Lax, Secure in production | ~13 months (395 days) |
| korena_attr_first | korena.eu | First-touch attribution: serialised UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) and click IDs (gclid, gbraid, wbraid, fbclid, ttclid, msclkid, li_fat_id, epik, ref) from the first visit that included them. Written once. Only with analytics consent. | First-party HTTP cookie, SameSite=Lax, Secure in production | 90 days |
| korena_attr_last | korena.eu | Last-touch attribution: same shape as korena_attr_first, overwritten on every visit that includes a recognised attribution parameter. Only with analytics consent. | First-party HTTP cookie, SameSite=Lax, Secure in production | 90 days |
We use a self-hosted, first-party analytics spine (no Google Analytics, no Plausible script, no third-party analytics SDK loaded from the browser today). Earlier drafts of this Policy mentioned Plausible Analytics; that integration has not landed in code. If we ever ship a third-party analytics tool we will list it here and re-prompt for consent.
3.4. Marketing
| Cookie | Set by | Purpose | Type | Lifetime |
|---|---|---|---|---|
| Google Funding Choices ("Privacy & Messaging") cookies | fundingchoicesmessages.google.com | Loaded only for visitors in the EEA, UK, or Switzerland, only when NEXT_PUBLIC_GOOGLE_CMP_ENABLED=true and a Google publisher ID is configured. Google's CMP renders the consent message and may set cookies under its own policies. Currently disabled by default. | Third-party cookies set by Google | Per Google's policy |
No other marketing/advertising cookies are set today. There is no Facebook Pixel, no Google Tag Manager, no LinkedIn Insight, no TikTok Pixel, and no Google Analytics tag loaded by the storefront. The Google Consent Mode v2 default-state script (gtag('consent','default',…)) is emitted server-side so that if a Google tag is added later it inherits the correct consent state. Emitting that inline script does not by itself set any cookie.
4. Consent
When you first visit korena.eu, the consent banner asks you to choose between:
- Accept all: strictly necessary + preferences + analytics + (if any) marketing.
- Reject all: strictly necessary only.
- Customise: choose categories individually.
Reject-All is presented with the same prominence as Accept-All; we do not use cookie walls, dark patterns, or other "consent fatigue" friction. Your choice is recorded in the korena_consent cookie and respected on every subsequent visit until you change it.
We retain a timestamped record of every consent decision (timestamp, banner version, anonymised IP class, and your choices) for 12 months from the decision date. This record is retained as evidence in case of a later dispute about whether and when you gave consent.
You can change your choice at any time via the "Cookie settings" link in the footer.
5. Third-party cookies and processors
Some cookies are set by third parties when you use specific functionality on the Site. They are documented in §3 above. We have reviewed each third party and consider their use proportionate to the function they provide. Third parties that set their own cookies act as independent or joint controllers for those cookies; their privacy policies apply in addition to ours:
- Stripe (payment processing): stripe.com/privacy. Stripe sets fraud-prevention cookies during checkout and is a data processor on our behalf for payment data.
We do not embed any other third-party scripts that set cookies (no Facebook Pixel, no Google Tag Manager, no LinkedIn Insight, no TikTok Pixel) as of the date at the foot of this Policy.
6. How to manage cookies in your browser
In addition to the in-Site cookie controls, every modern browser lets you manage cookies through its settings. The exact path varies by browser; the documentation pages below are kept up to date by the respective vendors:
- Chrome: support.google.com/chrome/answer/95647
- Safari: support.apple.com/guide/safari/manage-cookies-sfri11471
- Firefox: support.mozilla.org/kb/cookies
- Edge: support.microsoft.com/microsoft-edge
Blocking strictly necessary cookies will prevent the Site from working. In particular, you will not be able to sign in or check out. Where a browser sends a Global Privacy Control (GPC) signal, we treat it as a Reject-All choice for analytics and marketing categories. The deprecated Do-Not-Track (DNT) header is treated equivalently where present.
7. Changes to this Policy
We update this Policy whenever the cookie inventory changes. The cookie consent banner is re-shown to you whenever a new category is introduced or a material new third party is added.
8. Languages
This Policy is authored in English. Translations may be made available on the Site. Where required by law (notably for Bulgarian-resident visitors), the Bulgarian translation is the binding version.
Appendix A: Consent banner copy (English)
This is the canonical wording for the consent banner. It is reproduced here so legal review and translation can happen alongside this Policy.
Banner
Cookies on korena.eu
We use strictly necessary cookies to make this site work. With your consent, we also use a small set of preference and analytics cookies to improve the site. We don't use marketing or advertising cookies.
[ Reject all ] [ Customise ] [ Accept all ]
See our Cookie Policy and Privacy Policy.
Customisation panel labels
- Strictly necessary: always on. Required for sign-in, cart, and checkout.
- Preferences: toggle. Remember your language and display choices.
- Analytics: toggle. Help us understand how the site is used, in aggregate, without tracking you individually.
- Marketing: (not used)
[ Save my choices ]
Appendix B: Consent banner copy (Bulgarian)
Bulgarian translation pending sworn translator. Both English and Bulgarian versions will be offered to Bulgarian-resident visitors at the point of first visit, as required by Article 49 of the Bulgarian Consumer Protection Act.
Last reviewed: 2026-04-30 · Next review: 2027-04-30 (or earlier on trigger).