Privacy Policy & Data Processing Agreement

MB "Unicorn Lab", legal entity code 303020071, Birbynių 15, LT-02121 Vilnius, Lithuania

Contact: labas@korta.app

Last updated: 2026-02-19

This document has two parts:

• Part A – Privacy Policy: applies to all visitors of korta.app
• Part B – Data Processing Agreement: applies to KORTA clients (businesses using the Services)

PART A – PRIVACY POLICY

1. GENERAL INFORMATION
   1. MB "Unicorn Lab" (hereinafter "we", "Provider", or "Data Controller") is responsible for personal data collected through the website korta.app ("Website"). This Privacy Policy explains what data we collect, how we use it, and what rights you have.
   2. By visiting our Website, you agree to the terms of this Privacy Policy. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Lithuanian law.
   3. Persons under the age of 16 may not provide personal data through our Website without parental or guardian consent.
2. WHAT DATA WE COLLECT
   1. We may collect the following personal data:
      • Contact information you provide directly: name, company name, phone number, email address.
      • Technical data collected automatically: IP address, browser type, device type, pages visited, time of visit.
      • Cookie data as described in Section 5.
3. HOW WE USE YOUR DATA
   1. We use collected data for the following purposes:
      • To provide and maintain our Services;
      • To register and manage your account;
      • To process payments through external payment providers;
      • To send service-related communications;
      • To analyse Website usage and improve our services;
      • For direct marketing, where you have given consent (you may withdraw consent at any time by contacting us at labas@korta.app).
4. YOUR RIGHTS
   1. Under GDPR, you have the right to:
      • Access your personal data and how it is processed;
      • Rectify inaccurate or incomplete data;
      • Erase your data ("right to be forgotten");
      • Restrict processing in certain circumstances;
      • Data portability — receive your data in a structured, machine-readable format;
      • Object to processing for direct marketing purposes at any time.
   2. To exercise any of these rights, contact us at labas@korta.app. We will respond within one month of receiving your request.
   3. If you are not satisfied with our response, you have the right to lodge a complaint with the State Data Protection Inspectorate (Lithuania) or another supervisory authority in your country.
5. COOKIES
   1. We use cookies to improve your experience on our Website. Cookies are small text files stored on your device when you visit a website.
   2. Types of cookies we use:
      • Necessary cookies — required for the Website to function properly.
      • Analytics cookies — help us understand how visitors use our Website (Google Analytics).
   3. Cookies currently in use:

      Name	Provider	Purpose	Expiry	Type
      token	.korta.app	Maintains user session	Session	HTTP
      _ga	.korta.app	Google Analytics – visitor statistics	2 years	HTTP
      _gid	.korta.app	Google Analytics – visitor statistics	Session	HTTP
      _gat	.korta.app	Google Analytics – throttle request rate	Session	HTTP

   4. You can manage or delete cookies through your browser settings. Note that disabling certain cookies may affect Website functionality. For more information, visit allaboutcookies.org.
6. THIRD PARTIES
   1. We do not sell your personal data to third parties.
   2. We may share data with trusted service providers who help us operate the Website and Services (see Part B, Section 4 for the full sub-processor list). These providers are contractually required to protect your data and process it only according to our instructions.
   3. Our Website may use third-party tools such as Google Analytics. These third parties operate under their own privacy policies.
7. DATA RETENTION
   1. Personal data is stored for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law. Session cookies are deleted when you close your browser. Persistent cookies expire as described in Section 5.
8. CONTACT
   For any questions about this Privacy Policy or your personal data:
   MB "Unicorn Lab"
   Birbynių 15, LT-02121 Vilnius, Lithuania
   Email: labas@korta.app

PART B – DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement applies to KORTA clients — businesses ("Client", "Data Controller") that use the KORTA Services. By accepting the KORTA Terms of Service, the Client also accepts this DPA.

1. ROLES AND SCOPE
   1. When the Client uses the KORTA Services to sell Gift Vouchers, the Provider processes personal data of Gift Voucher buyers on behalf of the Client. In this context:
      • The Client acts as the Data Controller — they determine the purpose of data collection (selling gift vouchers to their customers).
      • The Provider (MB "Unicorn Lab") acts as the Data Processor — it processes personal data solely to provide the Services.
2. DATA PROCESSED
   1. The Provider processes the following personal data on behalf of the Client:

      Category	Data
      Gift Voucher buyer	Name, email address, phone number
      Gift Voucher recipient	Name, email address
      Payment data	Payment method, amount, payment reference

   2. Data subjects: Gift Voucher buyers and their designated recipients.
   3. Purpose: Processing is performed solely to provide the KORTA Services under the Terms of Service (payment intermediation, voucher delivery, administration system access).
3. PROVIDER'S OBLIGATIONS AS DATA PROCESSOR
   1. The Provider undertakes to:
      • Process personal data only on documented instructions from the Client, in accordance with this DPA and applicable law;
      • Ensure that persons authorised to process personal data are bound by confidentiality obligations;
      • Implement appropriate technical and organisational measures to ensure data security;
      • Assist the Client in fulfilling obligations under GDPR Articles 32–36 (security, breach notification, impact assessments);
      • Upon termination of the Agreement, delete or return all personal data to the Client, unless retention is required by law;
      • Notify the Client without undue delay and within 48 hours of becoming aware of a personal data breach, providing all relevant information.
4. SUB-PROCESSORS
   1. The Provider currently uses the following sub-processors:

      Sub-processor	Purpose	Location
      Digital Ocean	Cloud infrastructure and database hosting	EU (EEA)
      Stripe Payments Europe, Ltd.	Payment processing	Ireland (EEA)
      Mailgun	Transactional email delivery (voucher PDF)	EU (EEA)

   2. All sub-processors are located within the EEA. No personal data is transferred outside the EEA in connection with the Services.
   3. The Provider will inform the Client of any planned changes to this sub-processor list, giving the Client the opportunity to object before changes take effect.
5. CLIENT'S OBLIGATIONS AS DATA CONTROLLER
   1. The Client undertakes to:
      • Ensure that Gift Voucher buyers are informed about how their personal data will be processed (e.g., via the Client's own privacy policy);
      • Ensure there is a valid legal basis for collecting and transferring personal data to the Provider;
      • Comply with all applicable data protection laws in their own activities.
6. LIABILITY
   1. Each Party is responsible for losses caused to the other Party by failure to fulfil obligations under this DPA or applicable data protection law.
   2. The Provider's total liability under this DPA is limited to the total fees paid by the Client during the 6 months preceding the event giving rise to the claim.
7. DURATION
   1. This DPA enters into force when the Client accepts the KORTA Terms of Service and remains in force for the duration of the Agreement. Upon termination, the Provider will cease processing personal data and delete or return it in accordance with Section 3.

MB "Unicorn Lab" | labas@korta.app | korta.app