Note before publishing: Fill in EIC, registered address and DPO contact (if applicable) in places marked [□]. Verify whether Supabase (or any cloud storage provider) provides adequate safeguards for third-country transfers (e.g. standard contractual clauses), and if so, specify this in section 5.
1. Who is the data controller
The data controller is КОРЕНИ [□ full legal name], EIC [□], address: [□], email: koreniteam@gmail.com.
We process your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Act of the Republic of Bulgaria.
2. What data we collect and on what legal basis
2.1. Registration and order data
Name, email address and phone number — collected for the conclusion and performance of the contract (Art. 6(1)(b) GDPR). Delivery address — for shipping the finished product (same basis).
2.2. Voice recordings
Audio recordings of narratives voluntarily provided by the client — processed on the basis of explicit consent (Art. 6(1)(a) GDPR) and for performance of the contract. Recordings may contain information about the health, religious beliefs or political opinions of the narrator and/or third parties, and may therefore fall within the special categories of data under Art. 9 GDPR. Processing is carried out solely on the basis of the data subject's explicit consent (Art. 9(2)(a)).
2.3. Photos
Images uploaded by the client — processed on the basis of consent (Art. 6(1)(a) GDPR). Photos may contain the faces of third parties; the client declares that they hold the necessary consents.
2.4. Technical data
IP address, browser type and session metadata — processed on the basis of legitimate interest (Art. 6(1)(f) GDPR) for system security purposes.
2.5. Contact form messages
Message content and voluntarily provided contact details — processed on the basis of consent and legitimate interest (responding to client enquiries).
3. Special categories of personal data (Art. 9 GDPR)
Voice recordings may inadvertently contain data about the health, religion, political beliefs, ethnic origin or sexual orientation of the narrator or persons mentioned. We:
- Do not actively seek this data;
- Process it solely for the purposes of transcription and book layout;
- Do not analyse, profile or store it separately;
- Ensure access only for persons directly engaged in the production process.
4. Recipients of data
Your data may be shared only with:
- Cloud storage providers (e.g. Supabase) — for file storage, bound by contractual data protection clauses;
- Transcription services (e.g. OpenAI Whisper) — for automatic transcription of voice recordings, subject to contractual confidentiality;
- Printing house — receives only the formatted file without personal information beyond the book's content;
- Courier service — receives name and delivery address;
- Accounting and tax advisers — where necessary and only within legal requirements.
Your data is not sold or shared for advertising or marketing purposes.
5. International data transfers
Some of our technology providers (cloud storage, transcription services) may store or process data outside the European Economic Area (EEA). In such cases, we ensure appropriate safeguards under Art. 46 GDPR — EU standard contractual clauses or another approved transfer mechanism. [□ Confirm specific mechanisms with your chosen providers.]
6. Retention periods
- Voice recordings and transcriptions: 12 months after delivery of the finished product, after which they are permanently deleted, unless the client has requested earlier deletion.
- Photos: up to 12 months after delivery.
- Order data: 5 years in accordance with Bulgarian tax and accounting legislation.
- Contact form messages: 2 years or until withdrawal of consent, whichever comes first.
- Technical data (logs): 90 days.
7. Your rights
Under GDPR you have the following rights regarding your personal data:
| Right | What it means |
|---|---|
| Access (Art. 15) | Right to receive a copy of the data we process about you. |
| Rectification (Art. 16) | Right to request correction of inaccurate data. |
| Erasure (Art. 17) | Right to request deletion of your data when it is no longer needed for the purposes for which it was collected. |
| Restriction (Art. 18) | Right to restrict processing of your data under certain conditions. |
| Portability (Art. 20) | Right to receive your data in a machine-readable format or to transfer it to another controller. |
| Objection (Art. 21) | Right to object to processing based on legitimate interest. |
| Withdrawal of consent | Right to withdraw your consent at any time without affecting the lawfulness of processing before withdrawal. |
| Automated decisions (Art. 22) | Right not to be subject to solely automated decisions with legal effects. Koreni does not make such decisions. |
To exercise these rights, send a request to: koreniteam@gmail.com. We will respond within 30 days.
8. Right to lodge a complaint with a supervisory authority
If you believe we are processing your data in breach of GDPR, you have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP):
Address: 2 Prof. Tsvetan Lazarov Blvd, 1592 Sofia, Bulgaria
Website: www.cpdp.bg
Phone: +359 2 91 53 555
9. Cookies
The site uses only strictly necessary cookies:
- koreni-lang — saves language preference (BG/EN); expires after 1 year;
- koreni-order-id — saves the last order number for status display; expires after 1 year;
- Session cookies for authentication (Supabase auth) — expire on browser close.
We do not use tracking, advertising or third-party analytics cookies. Consent banners are not required for the above strictly necessary cookies under Art. 5(3) of Directive 2002/58/EC (ePrivacy).
10. Changes to this policy
For material changes, we will publish an updated version of this page and notify registered users by email. The date of the last update is shown in the header.