Cookies

Last updated 30 Apr 2026

Cookie Policy

This Cookie Policy explains what cookies and similar technologies we use on korena.eu, why we use them, and how you can control them. It complements the Privacy Policy and is required by the EU ePrivacy Directive 2002/58/EC and the GDPR.

Cookie inventory verified against the storefront codebase on 2026-05-03 by static analysis. (Pre-launch: no automated scanner pass against a deployed Site has been performed yet; that re-verification is scheduled for first public launch.)


1. What cookies are

Cookies are small text files that a website places on your device when you visit. They are widely used to make websites work, to make them work more efficiently, and to provide information to the site owner. Throughout this Policy "cookies" includes other similar technologies such as localStorage, sessionStorage, web beacons, and pixel tags, where they perform a comparable function.

2. Categories of cookies we use

We classify the cookies on korena.eu into four categories:

  • Strictly necessary: required for the Site to function (authentication, cart, checkout, security). These are set without prior consent under the ePrivacy Directive "strictly necessary" exception; they are necessary either for contractual necessity, legal obligation, or documented legitimate interests. Disabling them will break the Site.
  • Preferences: remember choices you make to improve your experience (e.g., language). Set only on your explicit consent.
  • Analytics: help us understand how visitors use the Site, in aggregate. Set only on your explicit consent.
  • Marketing: used to deliver relevant advertising or measure marketing effectiveness across sites. We do not currently set any marketing cookies. This Policy will be updated before any marketing cookie is introduced.

The table below lists every cookie we expect to set as of the date at the foot of this Policy. The live list is reconciled at every release.

This list was last reconciled by static analysis of the storefront codebase on 2026-05-03. An automated cookie-scanner pass against the deployed Site (Cookiebot or equivalent) is scheduled before first public launch; any deviation will be reflected here.

3.1. Strictly necessary

CookieSet byPurposeTypeLifetime
sb-<project-ref>-auth-token (chunked: …-auth-token.0, .1, …)korena.eu (Supabase Auth via @supabase/ssr)Holds your authenticated session (combined access + refresh token, JSON). Used for both admin sign-in and customer accounts.First-party HTTP cookie, HttpOnly, SameSite=Lax, Secure in production1 year (refresh-token-bearing); access token within is rotated ~hourly
cart_sessionkorena.euUUID identifying your anonymous cart so items persist between visits and reservations stay tied to you through checkout.First-party HTTP cookie, HttpOnly, SameSite=Lax, Secure in production30 days
korena_pwd_recoverykorena.euShort-lived marker set when you click an account password-reset link, so the reset form will accept a new password.First-party HTTP cookie, HttpOnly, SameSite=Lax, Secure in production10 minutes
korena_site_gate_unlockkorena.euHMAC-signed token issued only when the site is in coming-soon / maintenance mode and you've entered the shared access password. Absent in normal operation.First-party HTTP cookie, HttpOnly, SameSite=Lax, Secure in production30 days
korena_consentkorena.euRecords your Consent Mode v2 choices (per category) and policy version, so the banner is not re-shown on every page. Mirrored in localStorage under korena.consent.v1.First-party HTTP cookie, SameSite=Lax, Secure on HTTPS180 days
__stripe_mid, __stripe_sidStripe (set when Stripe.js loads on the payment step of checkout)Fraud prevention on payment. Stripe.js is loaded only on the payment step of the checkout flow, not site-wide.Third-party HTTP cookie set by js.stripe.com__stripe_mid 1 year, __stripe_sid 30 minutes

3.2. Preferences

CookieSet byPurposeTypeLifetime
korena_storekorena.euRemembers your selected country store (e.g. bg) so we can route you to the right currency, VAT, and shipping setup on return.First-party HTTP cookie, SameSite=Lax, Secure in production1 year
korena_languagekorena.euRemembers your chosen content language (e.g. en, bg).First-party HTTP cookie, SameSite=Lax, Secure in production1 year
korena_consent_vidkorena.euRandom visitor identifier scoped to the consent log, so we can prove which device made which consent choice if challenged.First-party HTTP cookie, SameSite=Lax, Secure on HTTPS180 days
hendylabs_store (legacy, read-only)korena.euLegacy name for korena_store from a prior brand. Read for back-compat only; the Site never writes a new value. Will be removed in a future release.First-party HTTP cookieWhatever the original cookie set
(localStorage) korena.consent.v1korena.euMirror of the korena_consent cookie used by client-side code that prefers localStorage over cookies. Same data, same expiry.Browser storage (not a cookie)Until cleared

3.3. Analytics

CookieSet byPurposeTypeLifetime
korena_vidkorena.euPseudonymous visitor identifier (UUID v7) used to deduplicate first-party analytics events across sessions. Only written when you grant analytics consent.First-party HTTP cookie, SameSite=Lax, Secure in production~13 months (395 days), refreshed on each visit
korena_sidkorena.euPseudonymous session identifier with a 30-minute sliding window. Only written when you grant analytics consent.First-party HTTP cookie, SameSite=Lax, Secure in production30 minutes (sliding)
korena_cidkorena.euCustomer identifier set after newsletter signup, checkout, account login, or order lookup so we can attribute repeat events to the same person. Only written when you grant analytics consent.First-party HTTP cookie, SameSite=Lax, Secure in production~13 months (395 days)
korena_attr_firstkorena.euFirst-touch attribution: serialised UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) and click IDs (gclid, gbraid, wbraid, fbclid, ttclid, msclkid, li_fat_id, epik, ref) from the first visit that included them. Written once. Only with analytics consent.First-party HTTP cookie, SameSite=Lax, Secure in production90 days
korena_attr_lastkorena.euLast-touch attribution: same shape as korena_attr_first, overwritten on every visit that includes a recognised attribution parameter. Only with analytics consent.First-party HTTP cookie, SameSite=Lax, Secure in production90 days

We use a self-hosted, first-party analytics spine (no Google Analytics, no Plausible script, no third-party analytics SDK loaded from the browser today). Earlier drafts of this Policy mentioned Plausible Analytics; that integration has not landed in code. If we ever ship a third-party analytics tool we will list it here and re-prompt for consent.

3.4. Marketing

CookieSet byPurposeTypeLifetime
Google Funding Choices ("Privacy & Messaging") cookiesfundingchoicesmessages.google.comLoaded only for visitors in the EEA, UK, or Switzerland, only when NEXT_PUBLIC_GOOGLE_CMP_ENABLED=true and a Google publisher ID is configured. Google's CMP renders the consent message and may set cookies under its own policies. Currently disabled by default.Third-party cookies set by GooglePer Google's policy

No other marketing/advertising cookies are set today. There is no Facebook Pixel, no Google Tag Manager, no LinkedIn Insight, no TikTok Pixel, and no Google Analytics tag loaded by the storefront. Google Consent Mode v2 default-state script (gtag('consent','default',…)) is emitted server-side so that if a Google tag is added later it inherits the correct consent state. Emitting that inline script does not by itself set any cookie.

When you first visit korena.eu, the consent banner asks you to choose between:

  • Accept all: strictly necessary + preferences + analytics + (if any) marketing.
  • Reject all: strictly necessary only.
  • Customise: choose categories individually.

Reject-All is presented with the same prominence as Accept-All; we do not use cookie walls, dark patterns, or other "consent fatigue" friction. Your choice is recorded in the korena_consent cookie and respected on every subsequent visit until you change it.

We retain a timestamped record of every consent decision (timestamp, banner version, anonymised IP class, and your choices) for 12 months from the decision date. This record is retained as evidence in case of a later dispute about whether and when you gave consent.

You can change your choice at any time via the "Cookie settings" link in the footer.

5. Third-party cookies and processors

Some cookies are set by third parties when you use specific functionality on the Site. They are documented in §3 above. We have reviewed each third party and consider their use proportionate to the function they provide. Third parties that set their own cookies act as independent or joint controllers for those cookies; their privacy policies apply in addition to ours:

  • Stripe (payment processing): stripe.com/privacy. Stripe sets fraud-prevention cookies during checkout and is a data processor on our behalf for payment data.

We do not embed any other third-party scripts that set cookies (no Facebook Pixel, no Google Tag Manager, no LinkedIn Insight, no TikTok Pixel) at the date at the foot of this Policy.

6. How to manage cookies in your browser

In addition to the in-Site cookie controls, every modern browser lets you manage cookies through its settings. The exact path varies by browser; the documentation pages below are kept up to date by the respective vendors:

Blocking strictly necessary cookies will prevent the Site from working. In particular, you will not be able to sign in or check out. Where a browser sends a Global Privacy Control (GPC) signal, we treat it as a Reject-All choice for analytics and marketing categories. The deprecated Do-Not-Track (DNT) header is treated equivalently where present.

7. Changes to this Policy

We update this Policy whenever the cookie inventory changes. The cookie consent banner is re-shown to you whenever a new category is introduced or a material new third party is added.

8. Languages

This Policy is authored in English. Translations may be made available on the Site. Where required by law (notably for Bulgarian-resident visitors), the Bulgarian translation is the binding version.


This is the canonical wording for the consent banner. It is reproduced here so legal review and translation can happen alongside this Policy.

Cookies on korena.eu We use strictly necessary cookies to make this site work. With your consent, we also use a small set of preference and analytics cookies to improve the site. We don't use marketing or advertising cookies. [ Reject all ] [ Customise ] [ Accept all ] See our Cookie Policy and Privacy Policy.

Customisation panel labels

Strictly necessary: always on. Required for sign-in, cart, and checkout. Preferences: toggle. Remember your language and display choices. Analytics: toggle. Help us understand how the site is used, in aggregate, without tracking you individually. Marketing: (not used)

[ Save my choices ]


Bulgarian translation pending sworn translator. Both English and Bulgarian versions will be offered to Bulgarian-resident visitors at point of first visit, as required by Article 49 of the Bulgarian Consumer Protection Act.


Last reviewed: 2026-04-30 · Next review: 2027-04-30 (or earlier on trigger).