Data and privacy

Last updated 30 Apr 2026

Privacy Policy

This Privacy Policy explains how "Martial Labs" Ltd. trading as KORENA processes your personal data when you visit korena.eu, place an Order, contact us, or otherwise interact with our services. It is written to satisfy the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the ePrivacy Directive 2002/58/EC, and the Bulgarian Personal Data Protection Act.


1. Who is the controller

The controller of your personal data is:

"Martial Labs" Ltd. (Маршъл Лабс ЕООД)
UIC/ЕИК 207453941 · VAT BG207453941
8A Yordan Badev Str., 1700 Sofia, Bulgaria
Manager: Pavel Danielov Nikolov
Data Protection Contact: office@korena.eu

All privacy-related requests and data-subject rights should be directed to office@korena.eu.

For full identification of the entity behind KORENA see the Legal Notice / Imprint.

2. Data Protection Officer

We have not appointed a Data Protection Officer (DPO) because our processing does not meet any of the mandatory triggers in GDPR Article 37(1):

  • We are not a public authority;
  • Our core activities do not consist of regular and systematic monitoring of data subjects on a large scale;
  • We do not process special-category data (Art. 9) or criminal-conviction data (Art. 10) on a large scale.

Our DPO assessment (dated 2026-04-30, next review 2027-04-30 or earlier on trigger) considers the scale of data subjects, the systematic and large-scale nature of processing, special-category and criminal-conviction data, and our role as an independent controller. The assessment concludes that no DPO is required. We maintain a named Data Privacy Coordinator at office@korena.eu for ongoing oversight and can make this assessment available to supervisory authorities on request.

We will revisit this assessment whenever the scale or nature of our processing materially changes (notably if we launch the EUDR compliance SaaS product or any large-scale analytics or scoring feature).

For all privacy questions and requests, contact office@korena.eu.

2.1. KORENA Capture iOS App (Internal Operator Tool)

KORENA Capture is a metrology app used internally by KORENA staff and Partner Yard operators to measure and photograph hardwood slabs for marketplace listings. The app operates on the operator's device and does not collect, store, or transmit personal data from website visitors or buyers. The app is not published on the Apple App Store and is not used for any purpose other than internal slab measurement and documentation. No end-user identifiers or tracking data are processed by the app. For more detail on how slab photos and measurement data are processed, see §3.6 (Capture Bundles) below and the separate Wood Provenance Policy.

This section maps every category of personal data we process to its purpose, lawful basis under GDPR Art. 6, and retention period.

3.1. Site visitors (no account, no order)

| What we collect | Purpose | Legal basis | Retention |
|---|---|---|---|
| IP address, user agent, referrer, pages viewed (server access logs) | Site security, abuse detection, basic operational diagnostics | Art. 6(1)(f): legitimate interest in keeping the Site secure and operational (documented legitimate-interest assessment available on request) | 90 days, then deleted or anonymised |
| Approximate location (country and coarse coordinates) derived from your IP address, and the page you are currently viewing | A real-time internal operations view of Site activity; this data is not stored against your identity and is not shared with third parties | Art. 6(1)(f): legitimate interest in monitoring and operating the Site | Not stored: held transiently in memory and discarded within seconds |
| Cookies and similar technologies, where you have consented (analytics, preferences) | Performance measurement, language preference | Art. 6(1)(a): consent (collected via the consent banner) and ePrivacy Directive | As stated in the Cookie Policy |
| Strictly necessary cookies (session, cart, CSRF) | To make the Site work | No consent required (ePrivacy "strictly necessary" exception); not stored as personal data beyond the session unless you sign in | Session duration |

3.2. Account holders

| What we collect | Purpose | Legal basis | Retention |
|---|---|---|---|
| Name, email, password hash | Account creation, authentication | Art. 6(1)(b): performance of the user terms / contract | While account is active + 12 months after closure |
| Contact phone (optional) | Order updates, delivery coordination | Art. 6(1)(b): performance of the contract | As above |
| Saved addresses | Faster checkout | Art. 6(1)(b): performance of the contract | As above |
| User-visible order history within the account | Account function, support, returns | Art. 6(1)(b): performance of the contract | While account is active + 12 months after closure |
| Underlying invoice and order records | Legal obligation for invoicing, accounting, VAT compliance | Art. 6(1)(c): legal obligation for invoicing / tax records | 10 years from end of year of issue (Bulgarian accounting law) |

3.3. Order data (account holders and guest checkout)

| What we collect | Purpose | Legal basis | Retention |
|---|---|---|---|
| Billing name and address, delivery name and address, email, phone, VAT ID (Business Buyers) | Order fulfilment, invoicing, delivery, returns, fraud prevention | Art. 6(1)(b): performance of the contract; Art. 6(1)(c): legal obligation (VAT, invoicing) | 10 years from the end of the year of issue, per Bulgarian accounting law |
| Payment method type, last four digits of card, payment outcome (we do not store full card numbers; Stripe holds these as a separate controller) | Order processing, refunds, dispute resolution | Art. 6(1)(b): performance of the contract | 10 years (financial records) |
| Order line items, dimensions of slabs purchased, processing add-ons | Order fulfilment, after-sale support, returns | Art. 6(1)(b): performance of the contract | 10 years |
| Shipping carrier tracking number | Delivery, dispute resolution | Art. 6(1)(b): performance of the contract | 24 months |

3.4. Customer support and communications

| What we collect | Purpose | Legal basis | Retention |
|---|---|---|---|
| Support emails, attachments, photos sent by you (e.g., a damage-claim photo) | Handling your enquiry, dispute resolution | Art. 6(1)(b): performance of the contract; Art. 6(1)(f): legitimate interest in improving service | 24 months from last contact, longer if linked to a financial record |
| WhatsApp / chat conversations linked to an Order | Order coordination | Art. 6(1)(b): performance of the contract | As above |
| Live chat on the Site: your messages, email address (if you provide one for a transcript), IP address, approximate location (city and country), browser and device information, and the pages you visit during the conversation | Answering your enquiry, abuse and spam prevention, support quality | Art. 6(1)(b): performance of the contract (pre-contractual enquiries); Art. 6(1)(f): legitimate interest in preventing abuse | IP address, location, and device information: 90 days. Conversation content: 24 months from last contact, or until you request deletion |

3.5. Marketing

| What we collect | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address with explicit opt-in to the newsletter | Sending the newsletter | Art. 6(1)(a): consent | Until you unsubscribe |
| Email address of an existing customer for similar-product announcements | Soft opt-in marketing under ePrivacy Directive Art. 13(2) and Bulgarian Electronic Commerce Act Art. 6 | Art. 6(1)(f): legitimate interest, with an opt-out offered at the time the email address is collected (checkout) and a clear unsubscribe in every email | Until you unsubscribe |
| Engagement data from email campaigns (open, click) | Measuring campaign effectiveness, not used for individual profiling, interest inference or eligibility decisions | Art. 6(1)(f): legitimate interest | 6 months after campaign end (max 12 months) |

3.6. Partner-yard staff and B2B contact data

| What we collect | Purpose | Legal basis | Retention |
|---|---|---|---|
| Names, business email and phone of contact persons at Partner Yards and B2B Buyers | Performance of the consignment / commercial contract | Art. 6(1)(b): performance of the contract; Art. 6(1)(f): legitimate interest in maintaining a business relationship | Duration of the relationship + 24 months |

3.7. AI/ML and Text and Data Mining (TDM)

User personal data is NOT used to train AI/ML models. KORENA does not use your personal data (name, email, addresses, order history, engagement metrics) for training artificial intelligence, machine-learning systems, or for text and data mining purposes. Where we use AI/ML technology (e.g., the KORENA Capture app's SAM segmentation for slab image analysis), it operates only on operator-side image data and does not process buyer or end-user personal data. You have the right to object to any TDM use of your data under DSM Directive Art. 4. Contact office@korena.eu to exercise this right.

3.8. Fraud prevention and security

| What we collect | Purpose | Legal basis | Retention |
|---|---|---|---|
| Order patterns, IP, device data, Stripe risk signals | Detecting and preventing fraud, chargeback abuse, and account takeover | Art. 6(1)(f): legitimate interest in preventing fraud, balanced against the limited and targeted nature of the processing | 24 months from the linked Order |

We do not carry out solely-automated decision-making producing legal or similarly significant effects (GDPR Art. 22) other than what the Stripe Radar fraud system performs as part of payment authorisation. Stripe Radar uses automated decision-making to assess payment risk. If a payment is declined:

  • (a) You will see a clear message at the decline point;
  • (b) You have the right, free of charge, to human review and explanation. Contact office@korena.eu with your order details and we will escalate to Stripe and provide an explanation of the risk factors assessed and any measures you can take (e.g., use a different payment method or contact your card issuer);
  • (c) We will respond within one calendar month.

Processing under Art. 22 is necessary for the performance of the sales contract under GDPR Art. 22(2)(a). Without it we cannot reasonably accept payment online.

4. Sources of data

Almost all data we process is collected directly from you. Two exceptions:

  • Stripe sends us payment-outcome data, the last four digits of the card, and risk signals when you pay. We do not see the full card number.
  • Speedy and Econt (and other carriers) send us tracking events on shipments.

5. Who we share data with

We share personal data with the following categories of recipient. Each recipient processes data only to perform the function described and is bound by appropriate contractual safeguards.

| Recipient | What they get | Role | Where they process | Safeguard |
|---|---|---|---|---|
| Stripe Payments Europe Ltd. (and Stripe Inc., US) | Cardholder data, billing address, IP, amount | Processor for KORENA's payment records; separate independent controller for fraud monitoring (Stripe Radar) | Ireland + United States | Stripe's Data Processing Addendum (stripe.com/legal/dpa); Stripe Inc.'s active EU–US Data Privacy Framework certification, including the UK Extension and the Swiss–US DPF (verified 2026-05-03 at dataprivacyframework.gov, participant ID 6436); EU SCCs as fallback |
| Speedy AD | Recipient name, address, phone, parcel data | Separate independent controller for delivery logistics; processor for parcel-management metadata | Bulgaria, EU | Speedy's carrier terms and privacy notice; EU-internal processing |
| Econt Express AD | Recipient name, address, phone, parcel and pallet data | Separate independent controller for delivery logistics; processor for shipment-management metadata | Bulgaria, EU | Econt's carrier terms and privacy notice; EU-internal processing |
| EU pallet freight forwarder (TBC at launch) | Recipient name, address, phone, freight data | Processor for cross-border freight | EU | Standard freight-forwarder contract; EU-internal processing |
| Resend, Inc. | Email address, email content (transactional and marketing) | Processor for email delivery | United States | Resend's DPA; Resend, Inc.'s active EU–US Data Privacy Framework certification, including the UK Extension to the EU–US DPF (verified 2026-05-03 at dataprivacyframework.gov against the active participants list); EU SCCs as fallback |
| Supabase, Inc. | Account, order, support data (database and authentication) | Processor for hosted database and authentication | EU region (Frankfurt) where supported, otherwise US | Supabase DPA; SCCs for any non-EU processing |
| Hosting / CDN provider (Vercel or equivalent, confirm at launch) | All site data in transit | Processor for hosting and delivery | EU edge nodes; some control-plane in the US | DPA + SCCs |
| Bulgarian accountant | Invoices, VAT records | Processor for accounting and tax compliance | Bulgaria | Written contract; legal obligation |
| Tax and competent authorities | Invoices, VAT and tax records | Independent controller(s) | Bulgaria, EU | Legal obligation under Art. 6(1)(c) |
| Legal advisers, where engaged | Only the data necessary for the matter | Processor (or independent controller, depending on engagement) | EU | Professional confidentiality + written contract |

We do not sell your personal data and we do not share it with advertising networks for cross-site behavioural advertising.

The list above will be updated whenever a subprocessor is added, changed, or removed. Material changes will be notified on the Site at least thirty (30) days in advance for newsletter subscribers and account holders.

6. International transfers

Some recipients process data outside the European Economic Area (EEA), notably Stripe (US elements) and Resend (US). For each such transfer we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where required; and/or
  • Adequacy decisions where applicable (e.g., the EU–US Data Privacy Framework, where the recipient is certified).

If you would like a copy of the safeguards in place for a specific transfer, contact office@korena.eu.

6.1. Transfer Impact Assessments

Where a processor relies on EU SCCs or other safeguards for transfers to non-adequate countries, we maintain or hold a Transfer Impact Assessment (TIA) per GDPR Art. 46 and EDPB guidance (01/2020). These assessments are available to supervisory authorities on request. For transfers supported by Data Privacy Framework certification, we will re-verify certification status at each publish cycle and update §5 (Who we share data with) accordingly.

7. Your rights

Under the GDPR you have the following rights, which you can exercise free of charge by writing to office@korena.eu:

  • Access (Art. 15): confirmation of whether we process data about you, and a copy of that data in a structured, commonly-used, machine-readable format (CSV or JSON). We provide this free of charge. If your request is manifestly unfounded or excessive, we may charge a reasonable administrative fee. Delivery is by secure email or encrypted download link.

  • Rectification (Art. 16): correction of inaccurate data.

  • Erasure (Art. 17): deletion of data, subject to our legal obligations to retain. Legal exceptions include: (a) invoices and VAT records, retained for 10 years per Bulgarian accounting law; (b) support emails and dispute photos, retained until dispute resolved plus 2 years; (c) account data retained for 12 months after closure unless linked to an outstanding matter; (d) IP addresses and access logs retained for 90 days unless linked to a security incident.

  • Restriction (Art. 18): restriction of processing in defined circumstances.

  • Portability (Art. 20): receipt of personal data you provided to us (name, email, addresses, payment method type) in a structured, commonly-used, machine-readable format. This right applies to data processed under contract (Art. 6(1)(b)) or consent (Art. 6(1)(a)). It does not include derived data (engagement metrics, slab measurements computed by us) or data processed under legal obligation (invoices).

  • Objection (Art. 21): to processing based on legitimate interest, including direct marketing (where the right to object is absolute).

  • Withdrawal of consent (Art. 7(3)): at any time, without affecting the lawfulness of processing before withdrawal.

  • Right not to be subject to automated decision-making (Art. 22): see §3.8 above (Stripe Radar; right to human review).

We will respond within one calendar month of receiving a request, extendable by two further months for complex or numerous requests (with notice). If we cannot identify you on the basis of the data we hold, we may ask for additional information to verify identity before acting on the request.

You may also lodge a complaint with the supervisory authority:

Commission for Personal Data Protection (Комисия за защита на личните данни)
Tsvetan Lazarov Blvd. 2, Sofia 1592, Bulgaria
cpdp.bg · kzld@cpdp.bg

If you are habitually resident in another EU member state, you may also lodge a complaint with that country's data protection authority.

8. Security

We apply appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest in our database, access controls, audit logs, separation of duties, and the principle of least privilege. Stripe holds full payment-card data outside our systems and is PCI-DSS certified. Despite reasonable measures, no system is perfectly secure.

In the event of a personal-data breach we will:

  • (i) Notify the Commission for Personal Data Protection (CPDP) without undue delay and within 72 hours of discovery, where required by GDPR Art. 33;
  • (ii) Notify you directly without undue delay (typically within 7 days of discovery) where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34);
  • (iii) In direct notification, include: the nature and likely consequences of the breach, the measures taken or proposed, and our contact point (office@korena.eu) for further information.

9. Children

The Site is not directed at children under 14 and we do not knowingly process personal data of children under 14 without parental consent or guardianship. KORENA is a premium hardwood marketplace intended for professional and adult hobbyist users; it is not intended or marketed to minors. If you believe a child under 14 has provided us personal data, contact office@korena.eu and we will delete the data.

10. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email to account holders and newsletter subscribers, and posted on the Site at least thirty (30) days before they take effect, except where the change is required by law to take effect sooner.

The version date at the foot of this Policy is the version currently in force.

11. Languages

This Policy is authored in English, which is the working source of truth. Translations may be made available on the Site. Where required by law (notably for Bulgarian-resident data subjects), the Bulgarian translation is the binding version.


Last reviewed: 2026-04-30 · Next review: 2027-04-30 (or earlier on trigger).