Cookie Policy
In this document, we explain which cookies we use on our websites, what they are used for, and how you can manage your settings.

Politique en matière de cookies
Dernière mise à jour : 27/04/2026
La présente politique en matière de cookies (ci-après : la « politique cookies » ou la « politique ») complète la politique de confidentialité d'InPost et doit être lue conjointement avec celle-ci.
Pour l'application mobile InPost et les services fournis dans le cadre d'un compte InPost, nous avons élaboré un document distinct — la politique de confidentialité du compte InPost —, qui est le document principal régissant le traitement de vos données personnelles en lien avec l'utilisation de ces services. Dans ce document, dans la section relative au marketing, nous décrivons également les principes applicables au traitement de vos données à des fins marketing au moyen de cookies et de technologies similaires. Ces principes s'appliquent à l'ensemble de nos services et politiques de confidentialité.
Comment ce document est-il structuré ?
Nous avons divisé cette politique en deux parties afin de vous aider à trouver les informations qui vous concernent :
1. Partie I — Principes communs : expose les règles régissant l'utilisation des cookies et des technologies similaires qui sont communes à toutes les sociétés du Groupe de capital Integer.pl agissant en qualité de responsables du traitement. Ces dispositions s'appliquent quel que soit le pays dans lequel vous utilisez nos services.
2. Partie II — Annexes régionales : contient des informations propres à chaque responsable du traitement et à chaque juridiction, notamment une liste détaillée des outils et technologies de traçage utilisés localement. Ces informations peuvent varier selon la région et s'appliquent exclusivement au responsable du traitement concerné ainsi qu'à son site web ou à son application mobile.
Liste des annexes :
Annexe A1 — Outils et technologies utilisés en Pologne
Annexe A2 — Outils et technologies utilisés en France
Annexe A3 — Outils et technologies utilisés en Italie
Annexe A4 — Outils et technologies utilisés en Espagne
Annexe A5 — Outils et technologies utilisés au Portugal
Annexe A6 — Outils et technologies utilisés au Royaume-Uni
Annexe A7 — Outils et technologies utilisés en Belgique
Annexe A8 — Outils et technologies utilisés au Luxembourg
Annexe A9 — Outils et technologies utilisés aux Pays-Bas
PARTIE I : PRINCIPES COMMUNS
Les dispositions ci-dessous s'appliquent à tous les responsables du traitement.
INFORMATIONS SUR LE TRAITEMENT
Responsable du traitement
Selon le type et la nature du service fourni, le responsable du traitement de vos données personnelles est la société concernée du Groupe de capital Integer.pl (ci-après : le « responsable »), qui peut être établie dans différents pays selon le service que vous utilisez.
Les coordonnées complètes du responsable, ses coordonnées de contact ainsi que les coordonnées du délégué à la protection des données (lorsqu'un tel délégué a été désigné) sont indiquées ci-dessous :
Pologne
InPost sp. z o.o. (« InPost ») Siège social : ul. Pana Tadeusza 4, 30-727 Cracovie, Pologne
Vous pouvez contacter le responsable du traitement via les canaux suivants :
par téléphone : +48 722 444 000 ou +48 746 600 000
par courrier postal : ul. Pana Tadeusza 4, 30-727 Cracovie, Pologne
via le formulaire de contact : inpost.pl/formularz-kontaktowy
via le chat en direct, disponible à l'adresse : inpost.pl/kontakt
InPost a désigné un délégué à la protection des données (DPD), qui peut être contacté via les canaux indiqués ci-dessus. Vous pouvez utiliser ces canaux pour exercer vos droits — voir la section « 6. COMMENT EXERCER VOS DROITS ? ».
France, Belgique, Pays-Bas et Luxembourg
Mondial Relay SASU Siège social : 1, avenue de l'Horizon, 59650 Villeneuve d'Ascq, France
Vous pouvez contacter le délégué à la protection des données (DPD) comme suit :
par courrier postal : DPO Mondial Relay, Direction juridique et conformité, 1, avenue de l'Horizon, 59650 Villeneuve d'Ascq, France
par e-mail, en utilisant l'adresse applicable à votre pays :
– France : [email protected]
– Belgique : [email protected]
– Luxembourg : [email protected]
– Pays-Bas : [email protected]
Italie
Locker InPost Italia s.r.l. Siège social : Viale Cassala 30, 20143 Milan, Italie
Locker InPost Italia S.r.l. a désigné un délégué à la protection des données (DPD) conformément aux articles 37, 38 et 39 du RGPD. Le DPD peut être contacté par e-mail à l'adresse : [email protected].
Espagne
Les entités suivantes agissent en qualité de responsables conjoints du traitement en Espagne et sont collectivement désignées sous le nom de « InPost Spain Group » :
INPOST SPAIN, S.L.U. Adresse : Gran Via De Les Corts Catalanes, 129-131, P.6, 08028 Barcelone
MONDIAL RELAY S.A.S.U. SUCURSAL EN ESPAÑA Adresse : Camí De Les Oliveres Núm. 1, 08800 – Vilanova i la Geltrú, Barcelone
SENDING TRANSPORTE Y COMUNICACION SA Adresse : Avda de Suiza 26, 28000 – Madrid
Le InPost Spain Group a désigné un délégué à la protection des données (DPD) conformément à l'article 37 du RGPD et à l'article 34 de la LOPDGDD. Le DPD peut être contacté :
par e-mail : [email protected]
par courrier postal : Gran Via De Les Corts Catalanes, 129-131, P.6, 08028 Barcelone, Espagne
Portugal
MONDIAL RELAY SUCURSAL EM PORTUGAL Siège social : Rua Coronel Edgar Pereira Da Costa Cardoso Nr. 3, Frac. E, 2615-360 Alverca do Ribatejo, Portugal
MONDIAL RELAY SUCURSAL EM PORTUGAL a désigné un délégué à la protection des données (DPD) conformément à l'article 37 du RGPD. Le DPD peut être contacté :
par e-mail : [email protected]
par courrier postal : Rua Cor. Edgar Pereira Da Costa Cardoso, 3 E, 2615-360, Alverca do Ribatejo, Portugal
Royaume-Uni
InPost UK Limited Siège social : Moray House, 23-35 Great Titchfield Street, Londres, Royaume-Uni, W1W 7PA
InPost UK Limited a désigné un délégué à la protection des données (DPD). Le bureau du DPD peut être contacté :
par e-mail : [email protected]
par courrier postal : FAO Data Protection Officer, Moray House, 23-35 Great Titchfield Street, Londres, W1W 7PA, Royaume-Uni
Finalités et bases juridiques du traitement
Nous traitons vos données personnelles collectées par l'intermédiaire de cookies et de technologies de traçage similaires (y compris les balises pixel et les mécanismes similaires ; ci-après collectivement dénommés « cookies ») aux fins suivantes :
Cela comprend des données telles que : votre adresse IP ; les identifiants d'appareil et de navigateur (p. ex. les identifiants de cookies, les identifiants publicitaires) ; les informations techniques sur votre appareil et votre navigateur (p. ex. le type et la version du navigateur, le système d'exploitation, la résolution de l'écran, la langue sélectionnée, le pays et le fuseau horaire) ; les données comportementales et d'utilisation (p. ex. les pages visitées, les liens cliqués, le temps passé sur la page, la durée de la session) ; et les données de localisation approximative dérivées de votre adresse IP :
1. Nécessaires à l'affichage et au bon fonctionnement des services — notamment pour permettre la connexion et la déconnexion, le tri des données et la transmission d'informations (art. 6, paragraphe 1, point b) du RGPD / UK GDPR) ; ainsi que pour l'exécution de nos obligations d'information en vertu du droit applicable et l'enregistrement des consentements donnés (art. 6, paragraphe 1, point c) du RGPD / UK GDPR). Base juridique :
la nécessité d'exécuter un contrat ou de prendre des mesures précontractuelles à la demande de l'utilisateur (art. 6, paragraphe 1, point b) du RGPD / UK GDPR), et
l'obligation légale (art. 6, paragraphe 1, point c) du RGPD / UK GDPR) — en ce qui concerne l'exécution des obligations d'information et l'enregistrement des consentements donnés ; et
(lorsque nous n'avons pas de contrat avec vous ou lorsqu'aucune des bases précitées ne s'applique) les intérêts légitimes du responsable à assurer le bon fonctionnement du service et à démontrer le respect du droit applicable en matière de protection des données (art. 6, paragraphe 1, point f) du RGPD / UK GDPR).
En ce qui concerne les cookies et les technologies de traçage eux-mêmes, nous appliquons en outre les législations nationales transposant la directive 2002/58/CE (ePrivacy), qui permettent leur utilisation dans la mesure de la « stricte nécessité » sans consentement séparé.
2. Analytiques et statistiques — analyse de l'activité et des préférences des utilisateurs afin d'améliorer la fonctionnalité et la qualité de nos services. Base juridique : le consentement de l'utilisateur au traitement à des fins analytiques (art. 6, paragraphe 1, point a) du RGPD / UK GDPR) et le consentement à l'utilisation des cookies et autres technologies de traçage, dans la mesure et selon les modalités requises par les législations nationales applicables transposant la directive 2002/58/CE (ePrivacy).
3. Marketing — propre et/ou de nos partenaires — notamment en ce qui concerne la présentation de publicité comportementale et le remarketing. Base juridique : uniquement le consentement de l'utilisateur (art. 6, paragraphe 1, point a) du RGPD / UK GDPR) et le consentement à l'utilisation des cookies et autres technologies de traçage, conformément aux législations nationales transposant la directive 2002/58/CE (ePrivacy).
Vous nous accordez votre consentement au stockage de cookies sur votre appareil et à la lecture des informations qui y sont stockées, par l'intermédiaire de la bannière de cookies affichée lors de l'ouverture du site web ou de l'application mobile. Vous pouvez vous opposer à l'utilisation des cookies non essentiels ou, si vous avez précédemment consenti, retirer votre consentement à tout moment.
Si vous acceptez les cookies marketing via la bannière, nous pourrons traiter les données collectées à des fins marketing — notamment la personnalisation de contenu et le profilage. Nous expliquons ci-dessous ce que ces termes signifient en pratique :
La personnalisation consiste à adapter la manière dont nos services sont présentés ou fonctionnent afin de mieux correspondre à vos préférences et habitudes d'utilisation — elle ne constitue pas un moyen de vous évaluer en tant qu'individu et ne produit pas d'effets juridiques.
Le profilage désigne le traitement automatisé de vos données ayant pour objet d'analyser ou de prédire vos préférences, intérêts ou comportements — réalisé principalement à des fins analytiques, statistiques et d'amélioration des services, de segmentation des utilisateurs et — sur la base de votre consentement lorsque cela est requis — à des fins marketing ; il ne donne pas lieu à des décisions produisant des effets juridiques ou des effets significatifs similaires à votre égard.
En règle générale, nous ne vous soumettons pas à une prise de décision basée exclusivement sur un traitement automatisé au sens de l'article 22 du RGPD.
Des informations détaillées sur les principes régissant le profilage et le marketing se trouvent dans la politique de confidentialité du compte InPost.
COOKIES ET TECHNOLOGIES SIMILAIRES
Les cookies sont de petits fichiers texte stockés sur votre appareil (ordinateur, smartphone ou tablette) qui nous permettent d'adapter les services et les contenus à vos besoins et préférences individuels, et qui sont utilisés pour générer des statistiques générales sur l'utilisation de nos sites web et services.
1. Lorsque vous utilisez notre site web, notre application mobile ou les plateformes en ligne de nos partenaires, des cookies sont stockés sur votre appareil. Ils permettent à ces services de fonctionner correctement et efficacement, en offrant un accès plus rapide et plus facile aux informations. Si vous désactivez les cookies, certaines fonctionnalités peuvent être indisponibles ou ne pas fonctionner correctement.
2. En utilisant des cookies et des technologies similaires (p. ex. des balises pixel), nous collectons des informations sur la façon dont nos services sont utilisés. Ces données peuvent inclure, entre autres : votre adresse IP, l'identifiant et le type d'appareil, le type de navigateur, la langue sélectionnée, le système d'exploitation, le pays et le fuseau horaire, ainsi que des informations sur vos interactions avec le site web ou l'application mobile (p. ex. les clics, les achats, les préférences enregistrées). Les données collectées nous permettent de mieux comprendre comment vous utilisez nos services et sont utilisées à des fins d'amélioration et d'analyse.
3. Nous utilisons deux types de cookies :
les cookies propriétaires (first-party) — définis directement par notre site web ou notre application
les cookies tiers (third-party), provenant des domaines d'entités externes opérant via nos plateformes. Nous utilisons des cookies tiers principalement à des fins analytiques et publicitaires. Les entreprises externes qui collaborent avec nous à des fins marketing peuvent collecter des données sous forme de cookies, de plug-ins logiciels et de widgets — directement depuis votre navigateur ou votre appareil. Le traitement de ces données est régi par leurs propres politiques de confidentialité. Une liste détaillée des outils se trouve dans la Partie II — Annexes régionales.
4. Nous utilisons des cookies de session — supprimés à la fin de la session du navigateur — et des cookies persistants — stockés sur votre appareil et pouvant être utilisés lors de visites ultérieures.
5. Les cookies sont sans danger pour votre appareil et les logiciels qui y sont installés — ils ne modifient pas ses paramètres, n'affectent pas les performances du système et n'interfèrent pas avec son fonctionnement.
6. En plus des cookies, nous utilisons également d'autres technologies de traçage, telles que les balises pixel et les mécanismes similaires. Nous travaillons avec des prestataires de services analytiques externes qui nous fournissent des rapports agrégés. Nous faisons également appel à des sociétés publicitaires qui — exclusivement sur la base de votre consentement — peuvent suivre votre activité sur plusieurs sites web et applications, y compris votre interaction avec les communications que nous vous envoyons.
7. Nous utilisons les catégories de cookies suivantes : nécessaires, analytiques (performance) et publicitaires (publicité comportementale et remarketing).
Des informations détaillées sur chaque catégorie sont présentées ci-dessous :
Cookies nécessaires
L'utilisation des cookies nécessaires est indispensable au bon fonctionnement de nos sites web et de notre application mobile. Nous les installons afin de mémoriser les sessions de connexion, de pré-remplir les formulaires et d'enregistrer les paramètres d'options de confidentialité (p. ex. si vous avez accepté ou refusé les cookies non essentiels). Ces cookies ne requièrent pas votre consentement en vertu des législations nationales applicables transposant la directive 2002/58/CE (ePrivacy).
Remarque : bien que les cookies nécessaires puissent traiter certains identifiants techniques (tels que les identifiants de session), l'enregistrement formel de votre consentement aux fins du RGPD (UK GDPR) est conservé dans nos systèmes back-end et non dans les cookies eux-mêmes.
Cookies analytiques
Les cookies analytiques nous permettent d'analyser la façon dont nos sites web, applications mobiles et communications sont utilisés — notamment le nombre de visites et les sources de trafic. Les données collectées via ces cookies sont de nature agrégée et ne sont pas utilisées pour vous identifier directement. Nous les utilisons uniquement sur la base de votre consentement.
Cookies publicitaires
Les cookies publicitaires nous permettent d'afficher des contenus publicitaires adaptés à vos intérêts — aussi bien sur notre site web ou application mobile que sur des sites web externes et des réseaux sociaux. Ils ne stockent pas directement vos données personnelles, mais ils identifient votre navigateur et votre appareil, ce qui permet de créer un profil d'intérêts basé sur votre activité sur différents services. Nous les utilisons uniquement sur la base de votre consentement.
Publicité comportementale et remarketing
Nous et nos partenaires publicitaires de confiance — exclusivement sur la base de votre consentement — pouvons vous adresser des publicités comportementales, c'est-à-dire des publicités adaptées à vos intérêts et à votre comportement en ligne. Le remarketing consiste à recibler des utilisateurs ayant précédemment visité nos sites web ou notre application mobile avec des messages publicitaires — en affichant des publicités sur d'autres sites web et réseaux sociaux.
GESTION DE VOS PARAMÈTRES DE COOKIES ET DE VOS DROITS
L'utilisation des cookies à des fins de collecte de données, notamment l'accès aux informations stockées sur votre appareil, requiert votre consentement. Lorsque le consentement est requis, nous l'obtenons via la bannière de cookies affichée lors de l'ouverture du site web ou de l'application mobile. Vous pouvez retirer votre consentement à tout moment.
Certains cookies sont installés automatiquement, sans nécessiter votre consentement — cela s'applique uniquement aux cookies strictement nécessaires au fonctionnement technique du site web, sans lesquels l'affichage des contenus serait impossible.
Une fois la bannière affichée, vous pouvez gérer vos préférences en cliquant sur le bouton « Personnaliser », en sélectionnant les catégories pertinentes et en confirmant votre choix.
Vous pouvez également retirer votre consentement en modifiant les paramètres de votre navigateur. Des informations complémentaires sont disponibles via les liens suivants :
Internet Explorer : support.microsoft.com/en-gb/topic/delete-and-manage-cookies-168dab11-0753-043d-7c16-ede5947fc64d
Mozilla Firefox : support.mozilla.org/en-US/kb/cookies
Microsoft Edge : support.microsoft.com/en-gb/windows/manage-cookies-in-microsoft-edge
Chrome : support.google.com/chrome/bin/answer.py
Opera : help.opera.com/en/latest/web-preferences
Safari : support.apple.com/kb/PH5042
Si vous souhaitez limiter l'affichage de publicités personnalisées sur Android ou iOS, vous pouvez modifier les paramètres de votre appareil :
Android : support.google.com/googleplay/android-developer/answer/6048248
iOS : support.apple.com/en-gb/HT202074
Pour exercer vos droits — accès à vos données, rectification, effacement, limitation du traitement, portabilité des données, opposition ou dépôt d'une plainte — veuillez nous contacter de la manière décrite à la section I de la présente politique.
COMBIEN DE TEMPS CONSERVONS-NOUS VOS DONNÉES ?
La durée pendant laquelle vos données sont traitées dépend de la finalité du traitement. En règle générale, nous les conservons jusqu'à ce que vous retiriez le consentement que vous avez donné. La durée de traitement peut être prolongée lorsque cela est nécessaire pour la défense ou l'exercice de droits en justice — et par la suite uniquement dans la mesure requise par la loi. À l'expiration de la période de traitement, les données sont irréversiblement supprimées ou anonymisées.
La durée de conservation des données collectées via les cookies dépend de leur catégorie :
cookies nécessaires — conservés pour la durée de la session ou pendant la période nécessaire pour assurer le bon fonctionnement du service, mais pas plus de 12 mois
cookies analytiques — conservés pendant la période nécessaire pour atteindre les finalités analytiques et statistiques, mais pas plus de 24 mois à compter de la date à laquelle ils ont été stockés sur votre appareil ;
cookies marketing — conservés pendant la durée de validité de votre consentement, mais pas plus de 12 mois à compter de la date à laquelle le consentement a été donné ; lors du retrait du consentement, les données traitées uniquement sur cette base sont supprimées sans délai.
Les annexes régionales (Partie II) peuvent prévoir des durées de conservation plus courtes ou plus restrictives pour certaines catégories de cookies ou pour des outils et technologies spécifiques utilisés localement — dans ce cas, les durées de conservation prévues dans l'annexe régionale applicable au pays concerné s'appliquent.
À QUI DIVULGUONS-NOUS VOS DONNÉES ?
Dans le cadre de votre utilisation de nos sites web ou de notre application mobile, vos données personnelles collectées via des cookies et des technologies similaires peuvent être divulguées aux catégories de destinataires suivantes :
les sous-traitants agissant pour notre compte — des prestataires de services techniques et informatiques agissant uniquement sur la base d'un contrat de sous-traitance conclu avec nous et conformément à nos instructions. Il s'agit notamment des fournisseurs de solutions nécessaires au bon fonctionnement des sites web, de l'application mobile ou des plateformes en ligne, ainsi que des prestataires de services analytiques qui nous fournissent des rapports agrégés ;
les partenaires publicitaires indépendants et les fournisseurs de technologies marketing — qui installent leurs propres cookies et technologies similaires via nos sites web ou notre application mobile et traitent ensuite les données collectées en leur nom propre et pour leur propre compte, conformément à leurs propres politiques de confidentialité. Ces entités agissent en qualité de responsables indépendants du traitement ou — dans le cas de certains fournisseurs de plug-ins sociaux — en qualité de responsables conjoints du traitement avec nous ;
les fournisseurs de plug-ins et d'outils de réseaux sociaux (notamment Meta, TikTok, X, LinkedIn, YouTube) — dans la mesure où vous utilisez des fonctionnalités de partage de contenu ou interagissez avec des éléments de ces services sur nos plateformes. Pour certains fournisseurs, le responsable et la plateforme de réseau social concernée agissent en qualité de responsables conjoints du traitement au sens de l'article 26 du RGPD. Des informations complémentaires sur l'étendue de la responsabilité conjointe se trouvent dans la Partie II — Annexes régionales.
Une liste des entités auxquelles nous autorisons le dépôt de cookies et de technologies similaires sur votre appareil, accompagnée d'une description de leur rôle, des finalités du traitement et d'un lien vers leur politique de confidentialité, se trouve dans la Partie II — Annexes régionales.
COMMENT EXERCER VOS DROITS ?
Pour exercer vos droits — accès à vos données, rectification, effacement, limitation du traitement, portabilité des données, opposition au traitement ou dépôt d'une plainte relative aux technologies de traçage — veuillez contacter le responsable de la manière décrite à la section I de la présente politique. Vous avez également le droit de déposer une plainte auprès d'une autorité de contrôle. Des informations complémentaires se trouvent dans la politique de confidentialité.
TRANSFERTS DE DONNÉES EN DEHORS DE L'EEE
En règle générale, nous ne faisons pas appel à des prestataires de services établis en dehors de l'Espace économique européen (EEE) ou du Royaume-Uni. Il peut toutefois arriver que certaines entités dont nous utilisons les services, directement ou indirectement — telles que des prestataires de services de réseaux sociaux ou d'analyse — soient établies dans des pays hors de l'EEE ou fassent appel à des sous-traitants situés dans ces pays.
Dans ce cas, nous ne transférons vos données personnelles en dehors de l'EEE que lorsque cela est nécessaire et uniquement lorsqu'un niveau de protection adéquat requis par le RGPD est garanti. À cet effet :
nous transférons des données vers des pays pour lesquels la Commission européenne a adopté une décision d'adéquation, ou
nous faisons appel à des prestataires spécifiques sur la base de clauses contractuelles types approuvées par la Commission européenne (Standard Contractual Clauses), qui — conjointement avec les mesures de sécurité supplémentaires requises — assurent un niveau de protection des données équivalent à celui applicable au sein de l'Union européenne.
Vous pouvez obtenir des informations sur les garanties appliquées en nous contactant de la manière décrite à la section I de la présente politique.
MODIFICATIONS DE LA POLITIQUE EN MATIÈRE DE COOKIES
Nous révisons régulièrement cette politique et — lorsque cela s'avère nécessaire — nous la mettons à jour.
PART II: REGIONAL ANNEXES
The following provisions apply exclusively to the named Controller and to its websites, mobile applications, and partner platforms.
Information on how to exercise your rights under the GDPR can be found in the Privacy Policy.
ANNEX A1 – TOOLS AND TECHNOLOGIES USED IN POLAND
Controller: InPost sp. z o.o., ul. Pana Tadeusza 4, 30-727 Kraków.
How we collect and manage your consent
InPost uses a Consent Management Platform (CMP) to collect, manage and record your preferences regarding cookies and similar technologies. The CMP allows you to grant or refuse consent separately for each category of processing – such as analytics, behavioural advertising or audience profiling.
When you make your choices, the CMP records the date and time of your decision and your specific selections. This allows InPost to demonstrate at any time on what basis your data are being processed.
You can withdraw or change your consent at any time. On the InPost website, click the "Cookie settings" link at the bottom of every page. In the InPost mobile application, open the privacy settings menu. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
Until you have given your consent in the CMP, none of the analytical or marketing cookies, pixels, scripts or tags described in sections B and C below will be loaded or activated. Strictly necessary cookies (section A) operate without consent on the basis of Article 6(1)(b) and 6(1)(f) GDPR and the exemption set out in Article 399 of the Polish Electronic Communications Act (PKE).
A. Necessary cookies
Necessary cookies are installed without your consent on the basis of Article 6(1)(f) GDPR (the legitimate interest of the Controller in ensuring the smooth and secure operation of its services) or Article 6(1)(b) GDPR (performance of a contract or provision of a service).
Didomi – consent management platform
Didomi is the main CMP we use across InPost websites in Poland. It saves the cookie choices you make in the consent banner and manages consents under the IAB TCF framework, so that your preferences are remembered between visits and applied consistently across InPost services.
Cookie names: didomi_token, euconsent.
Purpose: Stores the cookie choices you have made (which consents you granted and which you declined) so that your preferences are not reset every time you visit our website.
Legal basis: Article 6(1)(c) GDPR (legal obligation – compliance with GDPR requirements) and Article 6(1)(f) GDPR.
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Didomi SAS, 117 rue de la Tour, 75116 Paris, France.
Transfer outside EEA: EEA (France) – no additional safeguards required.
Further information: https://www.didomi.io/privacy-policy
OneTrust – consent management for selected services only
OneTrust is used as the CMP only on selected InPost services (urzad24.inpost.pl and merchant.inpost.pl). For all other InPost services, consent is managed by Didomi (see above).
Cookie names: OptanonConsent, OptanonAlertBoxClosed.
Purpose: Stores your consent preferences for individual cookie categories. The OptanonAlertBoxClosed cookie records the date you closed the consent banner.
Legal basis: Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR.
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: OneTrust LLC, 1200 Abernathy Rd NE, Atlanta, GA 30328, USA.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.onetrust.com/privacy-notice/
Cloudflare – bot protection and security
Cloudflare protects InPost websites against bots, DDoS attacks and abuse. It distinguishes human visitors from automated traffic and manages session limits per user.
Cookie names: __cf_bm, _cfuvid, cf_clearance, cf_chl_rc_ni.
Purpose: Tells human traffic apart from bots and automated attacks. Necessary for the secure operation of InPost services.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – security).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.cloudflare.com/privacypolicy/
Dynatrace – technical check before monitoring starts
A short, one-time check that the browser supports cookies before the Dynatrace performance-monitoring agent is launched.
Cookie name: dTValidationCookie.
Purpose: Checks whether your browser supports cookies before the Dynatrace monitoring agent is started. Contains no behavioural data and expires within a few minutes.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – ensuring the smooth operation of services).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.dynatrace.com/company/trust-center/privacy/
Synerise – technical check (localStorage availability)
A one-time check whether your browser supports localStorage – a technical prerequisite for the Synerise SDK to start correctly.
Cookie name: lsCheck.
Purpose: Tests whether your browser supports localStorage so that the Synerise SDK can start. Expires immediately and contains no personal or behavioural data.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – ensuring the smooth operation of services).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://synerise.com/legal/privacy-policy/
Google reCAPTCHA – form protection against bots
Verifies that an InPost form is being completed by a human and not a bot. Analyses browser interactions to calculate a "bot score". Not used for advertising.
Cookie names: rc::a, rc::c.
Purpose: Confirms that a form is being completed by a human, not a bot.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – security and protection against abuse).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
CallPage – callback widget (technical operation)
Operates the callback request widget. Stores the phone number you typed (so you do not have to enter it again), controls how the widget is displayed during your session, and secures the connection between the InPost website and CallPage.
Cookie names: cp, cp_*, callpage-widget-version, cp_widget_session.
Purpose: Runs the callback widget: remembers the phone number you provided, manages how often the widget is shown, controls the widget version and secures the session.
Legal basis: Article 6(1)(b) GDPR (performance of a contract / provision of a service).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: CallPage sp. z o.o., ul. Rynek Główny 28/3, 31-010 Kraków, Poland.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://www.callpage.io/privacy-policy
Revive Ad Server – InPost's own ad server
Stores your decision regarding the display of InPost's own advertising materials on ads.inpost.pl. Necessary so that we can respect your preferences within InPost's own advertising system.
Cookie name: RVGDPR (set on ads.inpost.pl).
Purpose: Stores your decision about whether to display InPost's own ads.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – giving effect to your preferences).
Vendor role: First party – an InPost sp. z o.o. tool; InPost acts as Controller.
Vendor: InPost sp. z o.o., ul. Pana Tadeusza 4, 30-727 Kraków.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://inpost.pl/polityka-prywatnosci
InPost Pay – payment session management
Operates the InPost Pay payment widget: links the shopping basket to the payment session and manages the currency during checkout. Necessary for completing transactions.
Cookie names: basket_binding_api_key, inpost_pay_currency_restore_uid.
Purpose: Connects your shopping basket with the payment session and manages the currency at checkout.
Legal basis: Article 6(1)(b) GDPR (performance of a contract / provision of a service).
Vendor role: First party – an InPost sp. z o.o. tool; InPost acts as Controller.
Vendor: InPost sp. z o.o., ul. Pana Tadeusza 4, 30-727 Kraków.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://inpost.pl/polityka-prywatnosci
B. Analytical cookies
Analytical cookies are activated only on the basis of your consent (Article 6(1)(a) GDPR). You can decline them or withdraw your consent at any time via the cookie banner.
Some of the analytical tools described below – in particular Microsoft Clarity, CUX and Hotjar – record user sessions and generate heatmaps. Session recordings are pseudonymised and configured to mask sensitive form fields (passwords, payment details, contact data). They are activated only after you have granted consent to the analytics category in the cookie banner; consent can be withdrawn at any time. InPost periodically reviews the masking configuration to make sure that sensitive data are not captured.
Google Analytics 4 – website traffic analysis
Counts visits and sessions, looks at where traffic comes from and how visitors move through our pages, identifies the most popular content, and groups users by behaviour. Data are pseudonymised and aggregated – they cannot be used to identify a specific person.
Cookie names: _ga, _ga_*, _gid, _gat, FPID, FPLC.
Purpose: Measures website traffic, analyses where visitors come from and how they navigate, and segments users by behaviour.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Microsoft Bing UET – analysis of traffic from the Microsoft network
Analyses traffic that reaches us through Microsoft's network (Bing Search, MSN). Identifies traffic sources, measures time spent on the website and segments returning users. Data are aggregated.
Cookie names: MUID, _uetsid, _uetvid, _uetsid_exp, _uetvid_exp.
Purpose: Analyses where Microsoft-network traffic comes from, measures time on site, and identifies returning users.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.
Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://privacy.microsoft.com/en-gb/privacystatement
Dynatrace – performance monitoring and error detection
Real-time monitoring of how InPost websites perform on your device. Detects errors, measures page load and server response times, and analyses navigation patterns. Used only to optimise the technical operation of our services.
Cookie names: dtCookie, rxVisitor, rxvisitid, dtPC, dtSa, rxvt.
Purpose: Monitors front-end performance, detects errors and outages, measures load and response times, and analyses navigation paths – for technical optimisation of InPost services only.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.dynatrace.com/company/trust-center/privacy/
DataDog – error and performance monitoring
Detects technical errors, outages and performance issues affecting InPost services. Data are not used to identify users and are not used for advertising.
Cookie names: _dd_s, dd_cookie_test_*.
Purpose: Detects technical errors, outages and performance issues affecting InPost services.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Datadog Inc., 620 8th Avenue, New York, NY 10018, USA.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.datadoghq.com/legal/privacy/
CUX – navigation analysis and usability research
Analyses how visitors navigate the website (clicks, scrolling, navigation paths, how far they get with filling in forms). Helps us identify and fix usability problems. CUX records sessions; sensitive form fields are masked and the recordings are activated only after you give consent for analytics.
Cookie names: _cux_u, _cux_s, _cux_v, _cux_h, _cux_n, _cux_e, _cux_pr, _cux_pv, _cux_*_ttl.
Purpose: Analyses how visitors navigate, scroll and interact with forms in order to fix usability problems.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: CUX Research Sp. z o.o., ul. Ruska 22, 50-079 Wrocław, Poland.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://cux.io/legal/privacy-policy/
Microsoft Clarity – session recording and heatmaps
Records and analyses how visitors navigate InPost websites: clicks, scroll depth, navigation paths and form completion patterns. Generates session recordings and heatmaps. Microsoft Clarity automatically masks sensitive form fields (passwords, payment details) and anonymises IP addresses; InPost is responsible for verifying that this masking is effective on InPost forms.
Cookie names: _clck, _clsk, CLID, ANONCHK, MR, MUID, SM.
Purpose: Generates session recordings and heatmaps to identify and fix usability problems.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – Microsoft processes data on its own behalf and under its own responsibility, following its own privacy policy.
Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission. Microsoft Ireland Operations Limited has entered into an SCC-based agreement with Microsoft Corporation (USA); Microsoft is also certified under the EU-US Data Privacy Framework (adequacy decision adopted by the European Commission in July 2023).
Further information: https://clarity.microsoft.com/privacy and https://www.microsoft.com/privacy/privacystatement. Note: data may also be processed by Microsoft for service-improvement and AI-development purposes.
Hotjar – heatmaps and anonymous session recording
Records areas of clicks and scrolling on our pages (heatmaps). Used to optimise the layout and usability of the website. Sensitive form fields are masked.
Cookie names: _hjid, _hjSession_*, _hjSessionUser_*, _hjTLDTest.
Purpose: Records click and scroll areas to help us improve the layout and usability of our pages.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.hotjar.com/legal/policies/privacy/
Synerise – traffic analysis and segmentation
Measures website traffic, identifies traffic sources (UTM campaign parameters), groups users into segments and analyses navigation paths across InPost domains. Data are used to generate aggregated reports for InPost.
Cookie names: _snrs_params, _snrs_profile_config, synerise-traffic-storage_*.
Purpose: Measures traffic and traffic sources, segments users and analyses navigation paths across InPost domains.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://synerise.com/legal/privacy-policy/
CallPage – effectiveness of the callback widget
Measures how effective the callback widget is: tracks scroll depth and time on the page (a behavioural score that decides when the widget is shown), analyses how well conversion rules work, and uses geolocation to apply geographic display rules.
Cookie names: cp_* (engagement and geolocation metrics).
Purpose: Measures the effectiveness of the callback widget and applies geographic display rules.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: CallPage sp. z o.o., ul. Rynek Główny 28/3, 31-010 Kraków, Poland.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://www.callpage.io/privacy-policy
Zowie – chatbot interaction analysis
Analyses how visitors interact with our chatbot: questions asked, points where conversations end, how users move between topics. Used to improve the conversation flow and the quality of the service. Stores the time of your last visit to the chat widget.
Cookie names: zowie-tracking-id, zowie-tracking-session, herochat-last-visit-time.
Purpose: Analyses chatbot interactions to improve conversation flow and service quality.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Zowie sp. z o.o., ul. Domaniewska 37, 02-672 Warsaw, Poland.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://zowie.ai/privacy-policy/
C. Marketing cookies
Marketing cookies are activated only on the basis of your consent (Article 6(1)(a) GDPR in conjunction with Article 398 of the Polish Electronic Communications Act – PKE). You can decline them or withdraw your consent at any time via the cookie banner.
C1. Advertising platforms – principal vendors
Google Analytics 4 – cross-domain conversion attribution
Attributes conversions across the various domains of the InPost group and synchronises data with Google Ads. The FPID cookie (First-Party ID) lets us measure conversions consistently even when third-party cookies are blocked. The FPLC cookie (First-Party Linker Cookie) keeps conversion measurement consistent across domains. These data feed into Google Ads campaign optimisation.
Cookie names: FPID, FPLC.
Purpose: Attributes conversions across InPost domains and feeds Google Ads campaign optimisation.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Google Tag Manager – tag orchestration and conversion linking
Google Tag Manager (GTM) is the InPost tool used to manage analytical and marketing tags on InPost websites. Google – as the operator of the GTM service – processes HTTP request logs (IP address, user agent, timestamp) and the diagnostic data needed to operate the service. In a marketing context, GTM generates the _gcl_au cookie (Google Ads Conversion Linker), which links clicks on Google ads to conversions completed on the website. This makes it possible to attribute conversions correctly to campaigns and keywords and to optimise bids.
Tags managed via GTM are activated only after you have granted the relevant category of consent in the CMP. Disabling the _gcl_au cookie does not restrict access to content; it may, however, lead to incorrect conversion attribution in Google Ads reports.
Cookie names: _gcl_au, _gcl_ls.
Purpose: Manages analytical and marketing tags on InPost websites; links Google ad clicks to conversions.
Legal basis: For HTTP logs and operational diagnostics – Article 6(1)(f) GDPR (legitimate interest of Google in operating the service securely). For the _gcl_au cookie (conversion linking) – Article 6(1)(a) GDPR (consent).
Vendor role: For tag orchestration: data processor on InPost's behalf. For the operation of GTM itself (HTTP logs, diagnostics): Google Ireland Limited acts in its own right. For _gcl_au cookie data: Google Ireland Limited acts as an independent controller.
Vendor: InPost sp. z o.o. / Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework (DPF).
Further information: https://policies.google.com/privacy?hl=en
Google Advertising Products (Google Ads / DoubleClick, Google Marketing Platform)
Displays personalised InPost ads on the Google Display Network and in Google Search results, runs remarketing (re-engaging visitors who previously used InPost services), measures advertising performance and attributes conversions. Through Google Ads, InPost may also use Customer Match (matching pseudonymised contact data to Google users), look-alike targeting (reaching new users with a profile similar to existing InPost customers) and dynamic product ads (ads tailored to products or services you previously browsed).
Cookie names: IDE, _gcl_au, _gcl_ls, test_cookie.
Purpose: Personalised advertising in Google networks, remarketing, performance measurement and conversion attribution.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Display & Video 360 (DV360) – programmatic media buying, remarketing, audience targeting, frequency capping and conversion attribution
Display & Video 360 is Google's demand-side platform (DSP) for programmatic media buying. InPost uses it to purchase and serve display, video, audio, Connected TV and Digital Out-of-Home advertising inventory through automated real-time bidding (RTB). The platform enables precise audience targeting, frequency capping, remarketing, cross-channel campaign measurement and conversion attribution via Floodlight tags. Within Google's programmatic ecosystem, advertising identifiers are synchronised with supply-side and demand-side partners (SSPs and DSPs).
Cookie name(s): IDE, DSID, FLC, AID, TAID, id (doubleclick.net), NID, _gcl_au.
Purpose: Programmatic purchase and delivery of InPost advertisements across display, video, audio, Connected TV and Digital Out-of-Home inventory; audience targeting; frequency capping; remarketing; cross-channel measurement and conversion attribution via Floodlight tags; identifier synchronisation with advertising partners (DSPs/SSPs) within the Google programmatic ecosystem.
Legal basis: Article 6(1)(a) UK GDPR (consent).
Vendor role: processor – processes data on behalf of InPost under the Google Ads Data Processing Terms; for certain functions Google acts as joint controller under the Google Controller-Controller Data Protection Terms.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside UK/EEA: USA – International Data Transfer Agreement (IDTA) approved by the UK ICO and/or Standard Contractual Clauses (SCCs) approved by the European Commission, together with the EU–US Data Privacy Framework (DPF).
Further information: https://policies.google.com/privacy?hl=en
Campaign Manager 360 (CM360) – ad serving and centralised conversion measurement (Floodlight)
Campaign Manager 360 is the ad server within Google Marketing Platform. It handles the delivery of InPost advertising creatives across channels, centralised conversion measurement via Floodlight tags, multi-touch attribution, ad delivery verification, and campaign performance reporting – covering both activity run through Google Marketing Platform and inventory purchased from third-party media owners.
Cookie name(s): id (doubleclick.net), IDE, Floodlight cookies (domain .fls.doubleclick.net), test_cookie.
Purpose: Delivery of InPost advertising creatives (ad serving), centralised conversion measurement via Floodlight tags, cross-channel attribution, ad delivery verification, and campaign performance reporting across Google Marketing Platform and third-party media buys.
Legal basis: Article 6(1)(a) UK GDPR (consent).
Vendor role: Processor – processes data on behalf of InPost under the Google Ads Data Processing Terms.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside UK/EEA: USA – International Data Transfer Agreement (IDTA) approved by the UK ICO and/or Standard Contractual Clauses (SCCs) approved by the European Commission, together with the EU–US Data Privacy Framework (DPF).
Further information: https://policies.google.com/privacy?hl=en
Search Ads 360 (SA360) – cross-engine paid search campaign management
Search Ads 360 is Google's platform for managing paid search campaigns across multiple search engines from a single interface. InPost uses it to plan, run and optimise campaigns on Google, Microsoft Bing and Yahoo simultaneously. The platform automates bid management, attributes search conversions to the correct queries and keywords, and produces unified performance reports across all engines.
Cookie name(s): _gcl_aw, _gcl_dc, _gcl_au, _gac_*, IDE.
Purpose: Management and optimisation of InPost paid search campaigns across multiple search engines (Google, Microsoft Bing, Yahoo), automated bid management, attribution of search conversions, and cross-engine performance reporting.
Legal basis: Article 6(1)(a) UK GDPR (consent).
Vendor role: Processor – processes data on behalf of InPost under the Google Ads Data Processing Terms.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside UK/EEA: USA – International Data Transfer Agreement (IDTA) approved by the UK ICO and/or Standard Contractual Clauses (SCCs) approved by the European Commission, together with the EU–US Data Privacy Framework (DPF).
Further information: https://policies.google.com/privacy?hl=en
Meta Pixel – Facebook and Instagram advertising
Displays InPost ads to users on Facebook and Instagram based on their activity on InPost services, measures advertising performance and creates lookalike audience segments.
Cookie names: _fbp, _fbc, lastExternalReferrer, lastExternalReferrerTime, topicsLastReferenceTime.
Purpose: Targets InPost ads to Facebook and Instagram users, measures performance and builds lookalike audiences.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: joint controller – InPost and Meta Platforms Ireland Limited jointly determine the purposes and means of processing in respect of Page Insights statistics. See section C5 (Social Media Platforms) for further information.
Vendor: Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.facebook.com/about/privacy/update and https://www.facebook.com/legal/terms/page_controller_addendum.
TikTok Pixel – TikTok advertising
Displays InPost ads to users on TikTok based on their activity on InPost services, measures TikTok Ads performance and creates lookalike audience segments.
Cookie names: _ttp, tt_enable_cookie, ttcsid, ttcsid_*, tt_sessionId, tt_appInfo.
Purpose: Targets InPost ads to TikTok users, measures TikTok Ads performance and builds lookalike audiences.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: joint controller – InPost and TikTok Technology Limited jointly determine the purposes and means of processing in respect of data collected by the Pixel. See section C5 (Social Media Platforms) for further information.
Vendor: TikTok Technology Limited, 2 Cardiff Lane Grand Canal Dock, Dublin 2, D02 E395, Ireland.
Transfer outside EEA: China and USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.tiktok.com/legal/page/eea/privacy-policy/en
LinkedIn Insight Tag – B2B advertising
Targets InPost ads to LinkedIn users by job title, industry and company (B2B), measures LinkedIn Ads performance and attributes advertising conversions.
Cookie names: bcookie, li_gc, lidc, li_fat_id.
Purpose: B2B targeting and conversion measurement on LinkedIn.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.
Vendor: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.linkedin.com/legal/privacy-policy
Microsoft Advertising / Bing UET – marketing
Remarketing and targeting of InPost ads in the Microsoft Advertising network (Bing, MSN), measurement of Bing Ads performance, conversion attribution, and building of remarketing and lookalike segments.
Cookie names: MUID, _uetsid, _uetvid, _uetsid_exp, _uetvid_exp.
Purpose: Remarketing and targeting in Microsoft's advertising network and measurement of Bing Ads campaigns.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.
Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://privacy.microsoft.com/en-gb/privacystatement
Adform DSP – programmatic advertising network
Displays personalised InPost ads in the Adform programmatic network, runs remarketing, limits how often the same ad is shown (frequency capping) and measures campaign performance. Synchronises advertising identifiers with partners (DSP/SSP) within the programmatic ecosystem.
Cookie names: uid, C, CM, CM14, DID, idt, cache0, permanent, cm_uid.
Purpose: Personalised programmatic advertising, remarketing, frequency capping and campaign measurement.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.
Vendor: Adform A/S, Silkegade 3B, 1113 Copenhagen, Denmark.
Transfer outside EEA: EEA (Denmark) – no additional safeguards required.
Further information: https://site.adform.com/privacy-center/platform-privacy/
Synerise – marketing personalisation and audience building
Builds a behavioural profile based on your activity (browsing history, clicks, interest in particular products and services, parcel locker preferences). Personalises marketing content on the website and in the mobile application. Sends personalised push notifications. Powers lifecycle marketing campaigns. Inside Synerise (a Customer Data Platform), InPost prepares pseudonymised audience lists which may then be transferred to advertising platforms (Google Ads, Meta, TikTok, LinkedIn) for targeting purposes – for details and the legal basis for that subsequent transfer, see section C6 below.
Profiling: Synerise generates user segments and behavioural scoring. Profiling does not result in decisions producing legal effects or similarly significant effects on you (Article 22 GDPR does not apply). You have the right to object to profiling-based processing.
Cookie names: _snrs_p, _snrs_uuid, _snrs_puuid, _snrs_sa, _snrs_sb, snr-wp-state, synerise-traffic-storage_*, _snrs_params.
Purpose: Builds behavioural profiles, personalises content and push notifications, powers lifecycle and remarketing campaigns.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland.
Transfer outside EEA: EEA (Poland) – no additional safeguards required at the level of Synerise itself.
Further information: https://synerise.com/legal/privacy-policy/
C2. Other vendors – advertising profiles and data synchronisation
The vendors listed below participate in the programmatic advertising ecosystem (Real-Time Bidding). This may involve sharing a pseudonymised user identifier (such as a cookie ID) with multiple parties during an advertising auction. Each of them processes such data as an independent controller, in accordance with its own privacy policy.
Adobe Experience Cloud / Audience Manager
Builds a user advertising profile using Adobe Audience Manager (DMP), creates audience segments, synchronises profiles with advertising platforms (DSP/SSP) and creates lookalike groups.
Cookie names: demdex, dpm.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.adobe.com/privacy/experience-cloud.html
ADITION / Active Agent
Synchronises advertising profiles with the Active Agent DSP platform (Virtual Minds), limits how often the same ad is shown (frequency capping) and runs cross-device tracking inside the Active Agent network.
Cookie names: ct_uid, ct_did, ct_idt, UserID1, block_reset, cookie_ver, cm_uid.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: Virtual Minds GmbH, Osterbekstr. 90b, 22083 Hamburg, Germany.
Transfer outside EEA: EEA (Germany) – no additional safeguards required.
Further information: https://adsafety.net/privacy
Eyeota
Targets InPost ads using demographic segments (predicted age, gender, interests) supplied by the Eyeota Data Marketplace. Operates on pseudonymised identifiers.
Cookie name: SERVERID (eyeota.net).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: Eyeota Pte. Ltd., 1 Raffles Place, #21-61 One Raffles Place Tower 2, Singapore 048616.
Transfer outside EEA: Singapore – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.eyeota.com/privacy-policy
Nielsen / eXelate
Enriches a user's advertising profile with Nielsen demographic segments (age, gender, income, interests) for targeting InPost ads.
Cookie names: EE, ud (exelate.com).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: Nielsen Marketing Cloud, 85 Broad Street, New York, NY 10004, USA.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.nielsen.com/us/en/legal/privacy-statement/
ID5 Technology
Creates a pseudonymised advertising identity that works independently of third-party cookies (cookie-less identity), so that ads can still be targeted even when third-party cookies are blocked at browser level.
Cookie names: id5-sync.com (pixel sync), cf, car, gdpr, gpp, cip, cnac.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: ID5 Technology Ltd, 6 rue de la Paix, 75002 Paris, France.
Transfer outside EEA: EEA (France) – no additional safeguards required.
Further information: https://id5.io/privacy/
LiveRamp
Pseudonymously links user data across advertising partners without disclosing personal data (LiveRamp IdentityLink). Used to target InPost ads inside the LiveRamp and The Trade Desk networks.
Cookie names: pxrc, rlas3.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: LiveRamp Netherlands B.V., Singel 250, 1016 AB Amsterdam, the Netherlands.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://liveramp.com/privacy/
OnAudience
Segments users and enriches advertising profiles through a Polish Data Management Platform. Synchronises identifiers with advertising partners (AppNexus, Yahoo, Bidberry).
Cookie names: cookie (onaudience.com), done_redirects# (onaudience.com).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: Cloud Technologies S.A., ul. Złota 61, 00-819 Warsaw, Poland.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://www.onaudience.com/privacy-policy
Semasio
Targets InPost ads using a semantic method – matching ads to the content you browse and to your interest profile, without relying on personal data.
Cookie name: SEUNCY (semasio.net).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: Semasio GmbH, Burchardstrasse 24, 20095 Hamburg, Germany.
Transfer outside EEA: EEA (Germany) – no additional safeguards required.
Further information: https://semasio.com/privacy-policy/
Weborama
Targets InPost ads using Weborama's behavioural and demographic segments – a European advertising data management platform.
Cookie name: AFFICHE_W (weborama.fr).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: Weborama SA, 14 rue Crespin du Gast, 75011 Paris, France.
Transfer outside EEA: EEA (France) – no additional safeguards required.
Further information: https://weborama.com/politique-de-confidentialite-des-services-weborama/
Zeotap
Builds a unified advertising profile by combining data from several sources (online, offline, CRM) without relying on third-party cookies (Zeotap ID+).
Cookie names: zc, zc1, zsc (zeotap.com).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: Zeotap GmbH, Unter den Linden 32-34, 10117 Berlin, Germany.
Transfer outside EEA: EEA (Germany) – no additional safeguards required.
Further information: https://zeotap.com/privacy-policy/
Roku Advertising Services
Cross-screen targeting of InPost ads on Roku TVs and streaming platforms (TV + web + mobile). Synchronises the advertising profile with the Roku ecosystem.
Cookie names: matchadform, wfivefivec (w55c.net).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller.
Vendor: Roku, Inc., 1155 Coleman Ave, San Jose, CA 95110, USA.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://docs.w55c.net/privacy.html
C3. SSP platforms and identifier synchronisation in the programmatic ecosystem
The entities listed below operate as Supply-Side Platforms (SSPs) or advertising identifier synchronisation services in the Real-Time Bidding ecosystem. Their files and pixels are loaded via InPost services as part of campaigns run through Adform DSP. Each of them is an independent data controller.
AudienceProject (Aarhus, Denmark; EEA – DK): https://audienceproject.com/privacy/
Audiencerate (London, United Kingdom; UK – SCCs): https://audiencerate.com/privacy-policy/
BIDSWITCH / IPONWEB (London, United Kingdom; UK – SCCs): https://www.bidswitch.com/privacy-policy/
Equativ / SmartAdServer (Paris, France; EEA – FR): https://equativ.com/privacy-policy/
FreeWheel / NBCUniversal (New York, USA; USA – SCCs): https://www.nbcuniversal.com/privacy
Improve Digital / 360yield (Amsterdam, the Netherlands; EEA – NL): https://www.improvedigital.com/platform-privacy-policy/
Index Exchange (Toronto, Canada; Canada – EC adequacy decision): https://www.indexexchange.com/privacy/
OpenX (Monrovia, USA; USA – SCCs): https://www.openx.com/legal/privacy-policy/
Teads (Montpellier, France; EEA – FR): https://www.teads.com/privacy-policy/
The Trade Desk (Ventura, USA; USA – SCCs): https://www.thetradedesk.com/general/privacy-policy
TripleLift (New York, USA; USA – SCCs): https://triplelift.com/privacy/
C4. Tools used in InPost mobile applications
Google Firebase – necessary services and security
Ensures the technical operation of the InPost mobile application, including SDK instance management and service-integrity monitoring. Verifies that interactions inside the application come from a human user and not an automated script, protecting the application and its users against fraud, abuse and automated attacks. Without these functions the application cannot operate correctly and securely.
Cookie names: rc::a, rc::c, firebase-heartbeat-database, firebase-installations-database.
Purpose: Operates the mobile app and protects it against fraud and automated abuse.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in ensuring the technical operation and security of the application and protecting users against fraudulent activity).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://firebase.google.com/support/privacy
Synerise – mobile application
Builds a behavioural profile of the application user, personalises marketing communications and runs push and re-engagement campaigns inside the InPost mobile application.
Cookie names: _snrs_p, _snrs_uuid, _snrs_puuid, _snrs_sa, _snrs_sb, snr-wp-state, synerise-traffic-storage_*.
Purpose: Behavioural profiling, content personalisation, push and re-engagement campaigns inside the mobile app.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland.
Transfer outside EEA: EEA (Poland) – no additional safeguards required.
Further information: https://synerise.com/legal/privacy-policy/
C5. Social media platforms
Our websites and mobile applications contain links to our profiles on social media platforms, displayed as buttons bearing the icons of those services. By clicking on a given icon you are redirected to our profile – your information is transferred to the relevant platform only at the moment of that click. From that point onwards, we have no control over the scope of personal data collected by the platform in question.
We maintain profiles on the following platforms: Facebook (Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA); YouTube (YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA); LinkedIn (LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA); X – formerly Twitter (X Corporation, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA); Instagram (Instagram LLC, 1601 Willow Rd., Menlo Park, CA 94025, USA); TikTok (TikTok Technology Ltd., 2 Cardiff Lane Grand Canal Dock, Dublin, D02 E395, Ireland).
As a result of your use of our social media pages, we may process your personal data. Detailed information regarding the basis for such processing on Facebook, TikTok and YouTube can be found at: [link to be inserted].
C6. Transfers of first-party data to advertising platforms
In addition to the cookies and pixels described in sections C1–C5, InPost may transfer pseudonymised first-party data (hashed using the SHA-256 algorithm) to selected advertising platforms in order to: (i) target advertisements to specific groups of existing customers ("matched audiences" / "customer match"); (ii) build look-alike audience segments composed of users whose behaviour is similar to that of existing InPost customers ("look-alike audiences"); (iii) exclude existing customers from acquisition campaigns to avoid showing them irrelevant advertising; and (iv) improve the attribution of advertising conversions to specific clicks and ad interactions ("enhanced conversions").
The data transferred is limited to the minimum required for matching: typically a hashed e-mail address, optionally accompanied by a hashed telephone number. Hashing is performed before transmission. InPost does not transfer plain-text identifiers, parcel data, parcel locker history or the content of communications under these functionalities. The source data for matched audiences is taken primarily from the Synerise CDP (see card above), based on the consent recorded by the user.
Each advertising platform receiving data acts as an independent controller (or, where applicable, a joint controller within the meaning of Article 26 GDPR – see the cards for Meta Pixel and TikTok Pixel in section C1) and processes the data received in accordance with its own privacy policy and the terms of its data processing agreement with InPost.
You can withdraw consent for these data transfers at any time via the CMP (cookie banner – marketing category) or by contacting InPost using the contact details set out in the Privacy Policy. The right to object to processing based on legitimate interest applies and will be respected without the need to give reasons.
Google Customer Match and Enhanced Conversions (Google Ads)
Targets ads to existing InPost customers (Customer Match), builds look-alike audience segments, excludes existing customers from acquisition campaigns and attributes online conversions completed by users signed in to a Google account (Enhanced Conversions). Ads may be displayed on Google's own properties (Google Search, YouTube, Gmail, Discover) and on the Google Display Network (third-party websites and apps using Google's ad-serving technology). InPost may target ads using Google demographic, geographic and interest segments derived from Google's third-party data.
Data transferred: Hashed e-mail address (SHA-256), optionally hashed telephone number. Hashing performed client-side or by the Synerise CDP before transmission.
Legal basis: Article 6(1)(a) GDPR (consent), granted via the CMP for the marketing category.
Vendor role: Independent controller – Google Ireland Limited determines the means and purposes of processing in connection with matching, profiling and ad delivery within the Google ecosystem.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transfer outside EEA: USA (Google LLC) – EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).
Further information: https://policies.google.com/privacy?hl=en
Meta Custom Audience and Lookalike Audience (Facebook / Instagram)
Targets ads to existing InPost customers on Facebook and Instagram (Custom Audience), builds look-alike audiences composed of users whose behaviour resembles that of existing InPost customers (Lookalike Audience), and excludes existing customers from acquisition campaigns. A minimum audience size enforced by Meta prevents the re-identification of any single user.
Data transferred: Hashed e-mail address (SHA-256), optionally hashed telephone number.
Legal basis: Article 6(1)(a) GDPR (consent), granted via the CMP for the marketing category.
Vendor role: for Custom Audience based on customer lists, data processor under Meta's Custom Audience Terms. For Lookalike Audience – independent controller, since Meta uses its own user data to build the look-alike segment.
Vendor: Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland.
Transfer outside EEA: USA (Meta Platforms Inc.) – Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework (DPF).
Further information: https://www.facebook.com/about/privacy/update and https://www.facebook.com/legal/terms/customaudience.
TikTok Custom Audience and Lookalike Audience
Targets ads to existing InPost customers on the TikTok platform, builds look-alike audiences and measures conversions.
Data transferred: Hashed e-mail address (SHA-256), optionally hashed telephone number or hashed mobile advertising identifier (MAID).
Legal basis: Article 6(1)(a) GDPR (consent), granted via the CMP for the marketing category.
Vendor role: Joint controller – InPost and TikTok Technology Limited jointly determine the purposes and means of processing in respect of data collected by the Pixel and matched audiences.
Vendor: TikTok Technology Limited, 2 Cardiff Lane Grand Canal Dock, Dublin 2, D02 E395, Ireland.
Transfer outside EEA: USA and potentially China – Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards. InPost has assessed the transfer risk and applies enhanced contractual and technical measures (data minimisation and hashing).
Further information: https://www.tiktok.com/legal/page/eea/privacy-policy/en
C7. Other tools used in InPost's marketing ecosystem (no cookies on InPost websites)
For the sake of complete transparency, InPost informs you that the following tools form part of its marketing measurement ecosystem but do not use cookies, pixels or similar technologies on InPost websites. They are listed here for information purposes; they do not require cookie consent.
Adverity – aggregation and analytics of marketing data
Adverity aggregates anonymised statistical performance data from advertising platforms on which InPost runs campaigns (Meta, TikTok, Microsoft Bing, Google Ads, LinkedIn and similar). This allows InPost to measure the overall reach and effectiveness of its campaigns (such as the number of impressions and click-through rates).
Data scope: aggregated, anonymised statistical data only (e.g. "how many users saw or clicked on a given campaign"). Adverity does NOT receive any data about InPost users, parcels, user identifiers (user_id), telephone numbers or e-mail addresses. Because no personal data of website users is processed by Adverity in this configuration, no GDPR legal basis specific to Adverity applies. The legal bases relevant to the underlying advertising platforms remain as set out in sections C1–C6.
Vendor: Adverity GmbH, Vienna, Austria.
Transfer outside EEA: EEA (Austria) – no additional safeguards required.
Further information: https://www.adverity.com/privacy-policy
Adjust – mobile application attribution
Adjust acts as a measurement layer between mobile advertising platforms (Google Ads, Meta/Facebook, TikTok Ads) and the InPost mobile application. The Adjust SDK is embedded in the InPost mobile application and records events (such as install, login, purchase) which are then attributed to specific advertising campaigns and channels. Detailed information on processing inside the InPost mobile application is set out in section C4.
Data scope: in-app event data and pseudonymised mobile advertising identifiers; no website cookies are involved. Legal basis: in the mobile application, Article 6(1)(a) GDPR (consent) collected via the in-app consent mechanism for marketing purposes.
Vendor: Adjust GmbH (acquired by AppLovin), Berlin, Germany.
Transfer outside EEA: Possible transfer to USA – Standard Contractual Clauses (SCCs).
Further information: https://www.adjust.com/privacy-policy/
How to withdraw consent or exercise your rights
You can withdraw your consent or change your cookie preferences at any time. There are several ways to do this.
On the InPost website, click the "Cookie settings" link at the bottom of every page. This opens the CMP (Didomi or, on selected services, OneTrust) and lets you grant or refuse consent on a per-purpose and per-vendor basis.
In the InPost mobile application, open the privacy settings menu.
Directly in your web browser, you can delete or block cookies. Note that this may also disable cookies necessary for InPost services to work properly.
You can also use external opt-out tools provided by industry associations, such as www.youronlinechoices.com (European Interactive Digital Advertising Alliance).
Finally, you can contact InPost directly using the contact details set out in the Privacy Policy.
Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. Where processing is based on legitimate interest (Article 6(1)(f) GDPR), you may at any time object to such processing on grounds relating to your particular situation; for direct marketing purposes (including profiling for direct marketing), the right to object applies absolutely and does not require justification.
Annex A3 – Tools and Technologies Used in Italy
Controller: Locker InPost Italia s.r.l., Viale Cassala numero 30, 20143, Milan, Italy.
Cookie inventory
resi.inpost.it
OptanonAlertBoxClosed
Cookie ID: d725c871-74d5-4ed7-b1bd-15937623488e
Source: SCAN
Duration: PERSISTENT
Hostname: resi.inpost.it
Category: Strictly necessary and functional cookies
Description: This cookie is set by websites that use certain versions of the OneTrust cookie compliance solution. It is set after visitors have seen a cookie information notice and, in some cases, only when they actively close the notice. It prevents the website from showing the message to the user more than once. The cookie lasts for one year and contains no personal information.
_ga_xxxxxxxxxx
Cookie ID: a5934e73-2ac7-493e-a6e5-3ba2d016e70d
Source: SCAN
Duration: PERSISTENT
Hostname: inpost.it
Category: Performance cookies
OptanonConsent
Cookie ID: 9bf35347-9af1-4579-b7ee-5226d3d7fb9a
Source: SCAN
Duration: PERSISTENT
Hostname: resi.inpost.it
Category: Strictly necessary and functional cookies
Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.
_ga
Cookie ID: 92ae3a3d-9c87-43d0-8768-767fbad0c39f
Source: SCAN
Duration: PERSISTENT (730 days)
Hostname: inpost.it
Category: Performance cookies
Description: This cookie is associated with Google Universal Analytics, a significant upgrade to Google's most widely used analytics service. It is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in every page request on the site and used to calculate visitor, session and campaign data in site analytics reports. By default it expires after two years, although this is customisable by site owners.
_ga
Cookie ID: d8d39cd2-7c84-4c08-87d8-f77923b7acaf
Source: MANUAL
Duration: PERSISTENT (730 days)
Hostname: resi.inpost.it
Category: Performance cookies
Description: This cookie is associated with Google Universal Analytics, a significant upgrade to Google's most widely used analytics service. It is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in every page request on the site and used to calculate visitor, session and campaign data in site analytics reports. By default it expires after two years, although this is customisable by site owners.
inpost.it
__cf_bm
Cookie ID: 73a7a6d0-ea0f-4f03-91d4-0648aa727ba0
Source: SCAN
Duration: PERSISTENT
Hostname: pipedriveassets.com
Category: Strictly necessary and functional cookies
Description: The __cf_bm cookie is necessary to support Cloudflare's Bot Management service, currently in private beta. As part of our bot management service, this cookie helps to manage incoming traffic that matches criteria associated with bots. This is a CloudFoundry cookie.
_fbp
Cookie ID: af6f7860-d89c-4a4b-a845-0cd61b822632
Source: SCAN
Duration: PERSISTENT (89 days)
Hostname: inpost.it
Category: Advertising cookies
Description: Used by Facebook to deliver a range of advertising products, including real-time bidding from third-party advertisers.
IDE
Cookie ID: daca17be-fe12-4c89-bf24-0dda8d037366
Source: SCAN
Duration: PERSISTENT (389 days)
Hostname: doubleclick.net
Category: Advertising cookies
Description: This domain is owned by Doubleclick (Google). Its main activity is: Doubleclick is Google's real-time advertising exchange platform.
OptanonAlertBoxClosed
Cookie ID: d725c871-74d5-4ed7-b1bd-15937623488e
Source: SCAN
Duration: PERSISTENT (364 days)
Hostname: resi.inpost.it
Category: Strictly necessary and functional cookies
Description: This cookie is set by websites that use certain versions of the OneTrust cookie compliance solution. It is set after visitors have seen a cookie information notice and, in some cases, only when they actively close the notice. It prevents the website from showing the message to the user more than once. The cookie lasts for one year and contains no personal information.
OptanonAlertBoxClosed
Cookie ID: 375f9686-a960-4375-81d5-43d0f5891a5d
Source: SCAN
Duration: PERSISTENT (364 days)
Hostname: inpost.it
Category: Strictly necessary and functional cookies
Description: This cookie is set by websites that use certain versions of the OneTrust cookie compliance solution. It is set after visitors have seen a cookie information notice and, in some cases, only when they actively close the notice. It prevents the website from showing the message to the user more than once. The cookie lasts for one year and contains no personal information.
__cf_bm
Cookie ID: 3f8f5f3a-6711-4e7c-8894-3ad4a8ac83b6
Source: SCAN
Duration: PERSISTENT
Hostname: hubspot.com
Category: Advertising cookies
Description: The __cf_bm cookie is necessary to support Cloudflare's Bot Management service, currently in private beta. As part of our bot management service, this cookie helps to manage incoming traffic that matches criteria associated with bots. This is a CloudFoundry cookie.
_ga_xxxxxxxxxx
Cookie ID: a5934e73-2ac7-493e-a6e5-3ba2d016e70d
Source: SCAN
Duration: PERSISTENT (729 days)
Hostname: inpost.it
Category: Performance cookies
YSC
Cookie ID: 31b27ab1-fb46-4aa3-92fb-4914d1c42ba1
Source: SCAN
Duration: SESSION
Hostname: youtube.com
Category: Performance cookies
Description: YouTube is a platform owned by Google for hosting and sharing videos. YouTube collects user data through videos embedded in websites; this data is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a wide range of Google's own and third-party sites.
OptanonConsent
Cookie ID: 9bf35347-9af1-4579-b7ee-5226d3d7fb9a
Source: SCAN
Duration: PERSISTENT (364 days)
Hostname: resi.inpost.it
Category: Strictly necessary and functional cookies
Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.
OptanonConsent
Cookie ID: 28e3a4d2-823b-4dd6-ad23-8af83b08130c
Source: SCAN
Duration: PERSISTENT (364 days)
Hostname: inpost.it
Category: Strictly necessary and functional cookies
Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.
OptanonConsent
Cookie ID: fa92f2b2-6312-4c4c-9610-bc4466749dc3
Source: SCAN
Duration: PERSISTENT (364 days)
Hostname: resi.inpost.it
Category: Strictly necessary and functional cookies
Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.
OptanonConsent
Cookie ID: dd8a61fb-fcec-4a62-9d42-d70100ead713
Source: SCAN
Duration: PERSISTENT (364 days)
Hostname: inpost.it
Category: Strictly necessary and functional cookies
Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.
_ga
Cookie ID: 92ae3a3d-9c87-43d0-8768-767fbad0c39f
Source: SCAN
Duration: PERSISTENT (729 days)
Hostname: inpost.it
Category: Performance cookies
Description: This cookie is associated with Google Universal Analytics, a significant upgrade to Google's most widely used analytics service. It is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in every page request on the site and used to calculate visitor, session and campaign data in site analytics reports. By default it expires after two years, although this is customisable by site owners.
_ga
Cookie ID: fbb76678-1ffa-4fe0-ba66-85d5df417e1a
Source: SCAN
Duration: PERSISTENT (729 days)
Hostname: inpost.it
Category: Performance cookies
Description: This cookie is associated with Google Universal Analytics, a significant upgrade to Google's most widely used analytics service. It is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in every page request on the site and used to calculate visitor, session and campaign data in site analytics reports. By default it expires after two years, although this is customisable by site owners.
_cfuvid
Cookie ID: cbf707c7-9c3e-4019-bed3-7db7eb32b471
Source: SCAN
Duration: SESSION
Hostname: hubspot.com
Category: Advertising cookies
_cfuvid
Cookie ID: 5ce059b5-350d-46b7-9fa6-4883f63d5307
Source: SCAN
Duration: SESSION
Hostname: hubspot.com
Category: Advertising cookies
Description: This domain is owned by HubSpot. The company provides a range of technologies and services for online marketing and sales.
(unnamed)
Cookie ID: 610cf45f-7ad0-49e8-b436-7e40769d7d32
Source: SCAN
Duration: SESSION
Hostname: www.facebook.com
Category: Advertising cookies
Description: This domain is owned by Facebook, the world's largest social networking service. As a third-party hosting provider, it primarily collects data on users' interests through widgets such as the 'Like' button found on many websites. This data is used to serve targeted advertising to its own users when they are logged into its services. Since 2014 it has also delivered targeted behavioural advertising on third-party sites, similarly to most dedicated online marketing companies.
(unnamed)
Cookie ID: c6e5d2dc-cb4f-4824-aefe-14ffdfabe3b2
Source: SCAN
Duration: SESSION
Hostname: www.facebook.com
Category: Advertising cookies
Description: This domain is owned by Facebook, the world's largest social networking service. As a third-party hosting provider, it primarily collects data on users' interests through widgets such as the 'Like' button found on many websites. This data is used to serve targeted advertising to its own users when they are logged into its services. Since 2014 it has also delivered targeted behavioural advertising on third-party sites, similarly to most dedicated online marketing companies.
f5avraaaaaaaaaaaaaaaa_session_
Cookie ID: ba6486e9-1e4d-4edf-8821-8beef071adc0
Source: SCAN
Duration: SESSION
Hostname: geowidget.easypack24.net
Category: Strictly necessary and functional cookies
Description: This cookie is associated with the F5 BIG-IP product suite and is an integral part of load balancing. It is used to store the user's session in order to identify it within the application's traffic.
f5avraaaaaaaaaaaaaaaa_session_
Cookie ID: 52071743-a179-458a-8aba-a4241aff8137
Source: SCAN
Duration: SESSION
Hostname: geowidget.easypack24.net
Category: Strictly necessary and functional cookies
Description: This cookie is associated with the F5 BIG-IP product suite and is an integral part of load balancing. It is used to store the user's session in order to identify it within the application's traffic.
_dd_s
Cookie ID: 0d2ba18f-db01-4168-8664-950918211473
Source: SCAN
Duration: PERSISTENT
Hostname: inpost.it
Category: Performance cookies
_dd_s
Cookie ID: 60bbf704-d8c6-41a4-9580-f7b6e3800237
Source: SCAN
Duration: PERSISTENT
Hostname: inpost.it
Category: Performance cookies
test_cookie
Cookie ID: e6098c6d-1b04-4269-821a-97d44d97fe6f
Source: SCAN
Duration: PERSISTENT
Hostname: doubleclick.net
Category: Advertising cookies
Description: This domain is owned by Doubleclick (Google). Its main activity is: Doubleclick is Google's real-time advertising exchange platform.
test_cookie
Cookie ID: 62a18356-b872-4427-a97e-8e68689495cc
Source: SCAN
Duration: PERSISTENT
Hostname: doubleclick.net
Category: Advertising cookies
Description: This domain is owned by Doubleclick (Google). Its main activity is: Doubleclick is Google's real-time advertising exchange platform.
CONSENT
Cookie ID: 6e1ccb19-7467-4404-9a7c-b34523c0ae45
Source: SCAN
Duration: PERSISTENT (6,105 days)
Hostname: youtube.com
Category: Performance cookies
Description: This cookie collects information on how the end user uses the website and on any advertising the end user may have seen prior to visiting the site.
CONSENT
Cookie ID: cd7cd423-f856-40d2-b55d-729bdc696ea5
Source: SCAN
Duration: PERSISTENT (6,105 days)
Hostname: youtube.com
Category: Performance cookies
Description: YouTube is a platform owned by Google for hosting and sharing videos. YouTube collects user data through videos embedded in websites; this data is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a wide range of Google's own and third-party sites.
__cf_bm
Cookie ID: 9d2a3c84-5adf-4176-9558-b58d6662b7e8
Source: SCAN
Duration: PERSISTENT
Hostname: pipedrive.com
Category: Strictly necessary and functional cookies
Description: The __cf_bm cookie is necessary to support Cloudflare's Bot Management service, currently in private beta. As part of our bot management service, this cookie helps to manage incoming traffic that matches criteria associated with bots. This is a CloudFoundry cookie.
__cf_bm
Cookie ID: 02005092-6c93-4629-9017-aeb09e411e5c
Source: SCAN
Duration: PERSISTENT
Hostname: pipedriveassets.com
Category: Strictly necessary and functional cookies
Description: This is a CloudFoundry cookie.
__cf_bm
Cookie ID: 029eabc5-5242-4c74-8606-18a3c8342dad
Source: SCAN
Duration: PERSISTENT
Hostname: hubspot.com
Category: Advertising cookies
Description: This is a CloudFoundry cookie.
__cf_bm
Cookie ID: aa6d8e37-f3e6-445a-966d-da98376b81e1
Source: SCAN
Duration: PERSISTENT
Hostname: pipedrive.com
Category: Strictly necessary and functional cookies
Description: This is a CloudFoundry cookie.
dd_cookie_test_
Cookie ID: 93c99e1c-acb5-4c4d-826d-cf30b78bd4a9
Source: SCAN
Duration: PERSISTENT
Hostname: inpost.it
Category: Strictly necessary and functional cookies
Description: dd_cookie_test
dd_cookie_test_
Cookie ID: 4b77f01a-c27f-4833-87ea-cb742be4350c
Source: SCAN
Duration: PERSISTENT
Hostname: inpost.it
Category: Strictly necessary and functional cookies
Description: dd_cookie_test
IDE
Cookie ID: 0941d8f2-2f90-407d-87f7-3ac1b3acbb49
Source: SCAN
Duration: PERSISTENT (389 days)
Hostname: doubleclick.net
Category: Advertising cookies
Description: This domain is owned by Doubleclick (Google). Its main activity is: Doubleclick is Google's real-time advertising exchange platform.
VISITOR_INFO1_LIVE
Cookie ID: 14404251-5d43-42f1-9dda-d80002135de4
Source: SCAN
Duration: PERSISTENT
Hostname: youtube.com
Category: Performance cookies
Description: This cookie is used as a unique identifier to track the viewing of videos.
VISITOR_INFO1_LIVE
Cookie ID: 19e4bbd9-6624-409a-bdff-9abfe086f166
Source: SCAN
Duration: PERSISTENT (180 days)
Hostname: youtube.com
Category: Performance cookies
Description: This cookie is used as a unique identifier to track the viewing of videos.
VISITOR_PRIVACY_METADATA
Cookie ID: bb47c22d-804a-4e8b-9974-f4439e5572e9
Source: SCAN
Duration: PERSISTENT (179 days)
Hostname: youtube.com
Category: Advertising cookies
VISITOR_PRIVACY_METADATA
Cookie ID: cbabd688-32a7-4181-858f-08f605713187
Source: SCAN
Duration: PERSISTENT (179 days)
Hostname: youtube.com
Category: Advertising cookies
Description: YouTube is a platform owned by Google for hosting and sharing videos. YouTube collects user data through videos embedded in websites; this data is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a wide range of Google's own and third-party sites.
_fbp
Cookie ID: 6abe391f-e09e-4218-840f-d6a435274cae
Source: SCAN
Duration: PERSISTENT (89 days)
Hostname: inpost.it
Category: Advertising cookies
Description: Used by Facebook to deliver a range of advertising products, including real-time bidding from third-party advertisers.
YSC
Cookie ID: 3f374013-b988-48ce-b02c-7480d60b29c9
Source: SCAN
Duration: SESSION
Hostname: youtube.com
Category: Performance cookies
Description: YouTube is a platform owned by Google for hosting and sharing videos. YouTube collects user data through videos embedded in websites; this data is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a wide range of Google's own and third-party sites.
Tools Used in Mobile Application
Google Firebase / Analytics for Firebase (in-app activity analysis, push notification personalisation, user segmentation, aggregated reporting)
Cookie name(s): rc::a, rc::c, firebase-heartbeat-database, firebase-installations-database
Purpose: Analyses the usage of InPost mobile applications (events, navigation paths, errors), creates user segments, and sends personalised push notifications.
Legal basis: Article 6(1)(a) GDPR (consent) / Article 6(1)(f) GDPR (to the extent necessary for the operation of the service).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://firebase.google.com/support/privacy
Synerise – mobile application (building behavioural profiles, push communication personalisation, lifecycle marketing)
Cookie name(s): _snrs_p, _snrs_uuid, _snrs_puuid, _snrs_sa, _snrs_sb, snr-wp-state, synerise-traffic-storage
Purpose: Builds a behavioural profile of the application user, personalises marketing communications, and runs push and re-engagement campaigns within the InPost mobile application.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Social media platforms
Our websites and mobile application contain links to our profiles on social media platforms, displayed as buttons bearing the icons of those services. By clicking on a given icon you will be redirected to our profile: your information is transferred to the relevant platform only at the moment of that click. From that point onwards, we have no control over the volume of personal data collected by the platform in question.
We maintain profiles on the following platforms:
- Facebook – Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA
- YouTube – YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA
- LinkedIn – LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA
- X (formerly Twitter) – X Corporation, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
- Instagram – Instagram LLC., 1601 Willow Rd., Menlo Park, CA 94025, USA
- TikTok – TikTok Technology Ltd., 2 Cardiff Lane Grand Canal Dock, Dublin, D02 E395, Ireland
As a result of your use of our social media pages, we may process your personal data. Detailed information on the legal basis for such processing is available at the following links:
• Facebook: [link to be inserted]
• TikTok: [link to be inserted]
• YouTube: [link to be inserted]
Annex A2 – Tools and Technologies Used in France
Annex A3 – Tools and Technologies Used in Italy
Annex A4 – Tools and Technologies Used in Spain
Annex A5 – Tools and Technologies Used in Portugal
Annex A6 – Tools and Technologies Used in the United Kingdom
Annex A7 – Tools and Technologies Used in Belgium
Annex A8 – Tools and Technologies Used in Luxembourg
Annex A9 – Tools and Technologies Used in the Netherlands
Annex A4 – Tools and Technologies Used in Spain
Controller: MONDIAL RELAY SASU SUCURSAL EN ESPAÑA, Camí de les Oliveres, 1, 08800 Vilanova i la Geltrú, Spain (hereinafter referred to as "InPost").
A. Necessary cookies
Necessary cookies are installed without the user's consent on the basis of Article 6(1)(f) GDPR (legitimate interest of the Controller – ensuring the smooth and secure operation of the services) or Article 6(1)(b) GDPR (performance of a contract / provision of a service).
OneTrust – user consent management (CMP)
Cookie name(s): OptanonConsent, OptanonAlertBoxClosed
Purpose: Stores the user's consent preferences for individual cookie categories. The OptanonAlertBoxClosed cookie records the date on which the banner was closed.
Legal basis: Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR.
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: OneTrust LLC, 1200 Abernathy Rd NE, Atlanta, GA 30328, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.onetrust.com/privacy-notice/
Cloudflare – bot protection, security verification, session rate management
Cookie name(s): __cf_bm, _cfuvid, cf_chl_rc_ni
Purpose: Distinguishes human traffic from automated traffic (bots and malicious traffic), supports website security and protects forms and endpoints against abuse.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – security).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.cloudflare.com/privacypolicy/
ASP.NET / website security tokens – session management, anti-forgery protection
Cookie name(s): ASP.NET_SessionId, __RequestVerificationToken, cookietest
Purpose: Maintains the user session, protects forms against unauthorised submissions and verifies browser support for cookies required for the correct operation of the website.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – secure and correct operation of the service).
Vendor role: First party – website technology used by InPost.
Vendor: MONDIAL RELAY SASU SUCURSAL EN ESPAÑA, Camí de les Oliveres, 1, 08800 Vilanova i la Geltrú, Spain
Transfer outside EEA: EEA – no additional safeguards required.
Further information: https://www.inpost.es/politica-de-cookies/
Technical / security support cookies – request validation and anti-bot support
Cookie name(s): csrftoken, datadome, JSESSIONID, eael_screen, dicbo_id, mr.returning.visitor
Purpose: Support security validation, bot mitigation, session continuity and technical operation of certain embedded services or site components.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – security and technical integrity of the service).
Vendor role: First party and service-provider cookies, depending on the specific tool.
Vendor: MONDIAL RELAY SASU SUCURSAL EN ESPAÑA and relevant service providers used on the website
Transfer outside EEA: EEA / third countries depending on the provider – appropriate safeguards apply where required.
Further information: https://www.inpost.es/politica-de-cookies/
B. Analytical cookies
Analytical cookies are processed on the basis of your consent (Article 6(1)(a) GDPR). You may decline them or withdraw your consent at any time via the cookie banner.
The use of analytical cookies does not involve automated decision-making within the meaning of Article 22 GDPR.
Google Analytics 4 – traffic measurement, navigation path analysis, user segmentation, traffic source identification, conversion tracking
Cookie name(s): _ga, _gid, _ga_*, _gat_gtag_*
Purpose: Counts visits and sessions, analyses traffic sources and navigation paths, identifies the most frequently visited pages, and segments users by behaviour. Data are used for aggregated analytics and service optimisation.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Microsoft Bing UET / Microsoft Clarity – analytical (traffic source identification, time-on-site measurement, behaviour analysis)
Cookie name(s): MUID, CLID, ANONCHK, SRM_B, MR, _clck, _clsk
Purpose: Measures traffic from Microsoft services and supports behavioural analytics, session reconstruction and on-site performance insights used to improve website usability and conversion performance.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://privacy.microsoft.com/en-gb/privacystatement
Dynatrace – analytical (technical performance analysis, error and outage monitoring, navigation path analysis, time-on-site measurement)
Cookie name(s): dtCookie, dtPC, dtSa, rxVisitor, rxvt
Purpose: Real-time front-end performance monitoring (Real User Monitoring): detects errors and outages, measures page load times and server response times, and analyses user navigation paths and correlations.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.dynatrace.com/company/trust-center/privacy/
DataDog – error and outage monitoring, technical performance analysis
Cookie name(s): _dd_s, dd_cookie_test_*
Purpose: Detects technical errors, outages, and performance issues affecting InPost services. Data are used for monitoring and technical optimisation.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Datadog Inc., 620 8th Avenue, New York, NY 10018, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.datadoghq.com/legal/privacy/
CUX – navigation path analysis, time-on-site measurement, segmentation
Cookie name(s): _cux_e, _cux_e_ttl, _cux_n, _cux_n_ttl, _cux_u, _cux_v, _cux_v_ttl
Purpose: Analyses how users navigate the website (clicks, scrolling, navigation paths, form completion depth). Enables identification and resolution of usability issues (UX).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: CUX Research Sp. z o.o., ul. Ruska 22, 50-079 Wrocław, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://cux.io/legal/privacy-policy/
Hotjar – click heatmaps, anonymous session recording, content engagement measurement
Cookie name(s): _hjAbsoluteSessionInProgress, _hjFirstSeen, _hjIncludedInSessionSample_*, _hjSession_*, _hjSessionUser_*, _hjTLDTest
Purpose: Records areas of clicking and scrolling on the website (heatmaps), measures engagement and supports UX optimisation.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.hotjar.com/legal/policies/privacy/
Synerise – analytical (traffic source identification, traffic measurement, segmentation)
Cookie name(s): _snrs_3d3d57f81449e8759f4b2da884091381, _snrs_4f8ae797f4d11c3734fee52b0d398d12, _snrs_params, _snrs_puuid, _snrs_sa, _snrs_sb, _snrs_uuid
Purpose: Measures website traffic, identifies traffic sources, segments users, and analyses navigation paths. Data are used to generate aggregated reports for the Controller.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://synerise.com/legal/privacy-policy/
HubSpot – analytical / CRM support
Cookie name(s): __hstc, __hssc, __hssrc, hubspotutk
Purpose: Supports analytics and CRM-related attribution, helps measure website visits and distinguish sessions for marketing and lead-management purposes.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: HubSpot, Inc., 2nd Floor 30 North Wall Quay, Dublin 1, Ireland / Cambridge, Massachusetts, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://legal.hubspot.com/privacy-policy
CallPage – analytical (content engagement measurement, sales funnel analysis, geographic user location)
Cookie name(s): cp_*
Purpose: Measures the effectiveness of the callback widget: tracks page scroll depth and time spent on the page, analyses the effectiveness of conversion rules, and uses geolocation data to match display rules.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: CallPage sp. z o.o., ul. Rynek Główny 28/3, 31-010 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://www.callpage.io/privacy-policy
Zowie – chatbot engagement measurement, conversation tree navigation path analysis
Cookie name(s): zowie-tracking-id
Purpose: Analyses user interactions with the chatbot and helps optimise support flows and the quality of automated conversations.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Zowie sp. z o.o., ul. Domaniewska 37, 02-672 Warsaw, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://zowie.ai/privacy-policy/
C. Marketing cookies
Marketing cookies are processed exclusively on the basis of your consent (Article 6(1)(a) GDPR). You may decline them or withdraw your consent at any time via the cookie banner.
C1. Advertising platforms – principal vendors
Google Analytics 4 – marketing (cross-domain conversion attribution, synchronisation with advertising platforms)
Cookie name(s): FPID, FPLC
Purpose: Attributes conversions across domains and synchronises data with advertising platforms to support optimisation and measurement.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Google Tag Manager – advertising conversion attribution
Cookie name(s): _gcl_au, _gcl_aw, _gcl_gs, GCL_AW_P
Purpose: Supports attribution of ad clicks to conversions and the management of advertising-related tags on the website.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: First party – an InPost tool used to manage analytical and marketing tags; data may be transferred to Google Ireland Limited where applicable.
Vendor: MONDIAL RELAY SASU SUCURSAL EN ESPAÑA / Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Google Ads / Google Marketing Platform / YouTube advertising – remarketing, conversion attribution, embedded video advertising support
Cookie name(s): IDE, test_cookie, CONSENT, VISITOR_INFO1_LIVE, VISITOR_PRIVACY_METADATA, YSC, __Secure-BUCKET, __Secure-ROLLOUT_TOKEN, __Secure-YEC, __Secure-YNID
Purpose: Displays personalised advertisements in Google and YouTube environments, supports remarketing, campaign performance measurement, embedded video interactions and conversion attribution.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Google Ireland Limited / YouTube LLC, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Meta Pixel – building advertising profiles, remarketing, interest-based targeting, advertising conversion attribution
Cookie name(s): _fbp, _fbc
Purpose: Displays InPost advertisements to users on Facebook and Instagram based on their activity on InPost services, measures advertising campaign performance, and creates lookalike audience segments.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Joint controller – InPost and Meta Platforms Ireland Limited jointly determine the purposes and means of processing in respect of data collected through the Pixel.
Vendor: Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.facebook.com/about/privacy/update
TikTok Pixel – behavioural advertising, remarketing, TikTok Ads campaign measurement
Cookie name(s): _ttp, _tt_enable_cookie, _tt_session, ttcsid, ttcsid_*
Purpose: Displays InPost advertisements to users on the TikTok platform based on their activity on InPost services, measures TikTok Ads campaign conversions, and creates lookalike audience segments.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Joint controller – InPost and TikTok Technology Limited jointly determine the purposes and means of processing in respect of data collected through the Pixel.
Vendor: TikTok Technology Limited, 2 Cardiff Lane Grand Canal Dock, Dublin 2, D02 E395, Ireland
Transfer outside EEA: China and USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.tiktok.com/legal/page/eea/privacy-policy/en
LinkedIn Insight Tag – building advertising profiles, creation of B2B remarketing segments, conversion attribution, advertising budget optimisation
Cookie name(s): bcookie, li_gc, lidc, li_sugr
Purpose: Targets InPost advertisements to LinkedIn users by company and profile-based characteristics, measures LinkedIn Ads campaign conversions, and attributes advertising conversions.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.linkedin.com/legal/privacy-policy
Microsoft Advertising / Bing UET – marketing (building advertising profiles, remarketing, conversion attribution, campaign performance measurement)
Cookie name(s): MUID, _uetsid, _uetvid
Purpose: Remarketing and targeting of InPost advertisements in the Microsoft Advertising network, campaign effectiveness measurement, and advertising conversion attribution.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://privacy.microsoft.com/en-gb/privacystatement
Pinterest – advertising and conversion tracking
Cookie name(s): _pin_unauth, _pinterest_ct_ua, ar_debug
Purpose: Supports advertising measurement, conversion tracking and audience building in the Pinterest ecosystem.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policy.pinterest.com/en/privacy-policy
C2. Other vendors – advertising profiles and data synchronisation
The vendors listed below participate in the programmatic advertising ecosystem (RTB – Real-Time Bidding). This may involve the sharing of a pseudonymised user identifier (e.g. a cookie ID) with multiple parties in the course of an advertising auction. Each of them processes such data as an independent controller, in accordance with their own privacy policy.
Taboola – native advertising, recommendation and tracking ecosystem
Cookie name(s): t_gid, t_pt_gid, taboola_session_id, datadome
Purpose: Supports native advertising, recommendation widgets, audience measurement and related campaign performance tracking.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility.
Vendor: Taboola, Inc., 16 Madison Square West, 7th Floor, New York, NY 10010, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.taboola.com/policies/privacy-policy
StackAdapt – programmatic advertising, identity resolution and campaign optimisation
Cookie name(s): sa-user-id, sa-user-id-v2, sa-user-id-v3, sa-user-id-v4
Purpose: Supports programmatic advertising, campaign optimisation and user recognition across programmatic environments.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility.
Vendor: StackAdapt, 700-111 Peter Street, Toronto, Ontario M5V 2H1, Canada
Transfer outside EEA: Canada / third countries – appropriate safeguards as required.
Further information: https://www.stackadapt.com/privacy-policy
TradeTracker – affiliate tracking and attribution
Cookie name(s): uf
Purpose: Supports affiliate attribution and commission measurement when users reach the website through affiliate referral links.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility.
Vendor: TradeTracker.com, De Ruijterkade 112, 1011 AB Amsterdam, the Netherlands
Transfer outside EEA: EEA (NL) – no additional safeguards required.
Further information: https://tradetracker.com/privacy-policy/
C3. SSP platforms and identifier synchronisation in the programmatic ecosystem
The vendors listed in section C2 (in particular Taboola and StackAdapt) may operate within the Real-Time Bidding (RTB) ecosystem and may involve identifier synchronisation between platforms. This process may include the sharing of pseudonymised identifiers (e.g. cookie IDs) with multiple participants in the course of programmatic advertising auctions. Each of these entities acts as an independent controller and processes such data in accordance with its own privacy policy.
C4. Tools used in mobile applications
InPost mobile applications may use SDK-based technologies (including analytics, attribution and engagement tools) that enable measurement of application performance, user behaviour and marketing effectiveness. These technologies may include tools supporting install attribution, push notifications, in-app analytics and user segmentation. Such processing is carried out on the basis of user consent where required, or on the basis of legitimate interest in the case of strictly necessary functionalities. Detailed information regarding mobile application technologies is provided within the mobile application environment and relevant privacy notices.
C5. Social media platforms
Our websites may contain links to our profiles on social media platforms, displayed as buttons bearing the icons of those services. By clicking on a given icon, you are redirected to our profile – your information is transferred to the relevant platform only at the moment of that click. From that point onwards, we have no control over the scope of personal data collected by the platform in question.
Each platform acts as an independent controller of personal data once the user is redirected to its services.
We maintain profiles on the following social media platforms:
- Facebook – Meta Platforms Ireland Limited
- YouTube – Google Ireland Limited
- LinkedIn – LinkedIn Ireland Unlimited Company
- Instagram – Meta Platforms Ireland Limited
- TikTok – TikTok Technology Limited
As a result of your use of our social media pages, we may process your personal data. Detailed information regarding the basis for such processing can be found at the links below:
• Facebook: https://www.facebook.com/about/privacy/update
• TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en
• YouTube: https://policies.google.com/privacy?hl=en
Annex A5 – Tools and Technologies Used in Portugal
Controller: MONDIAL RELAY SUCURSAL EM PORTUGAL
A. Necessary cookies
Necessary cookies are installed without the user's consent on the basis of Article 6(1)(f) GDPR (legitimate interest of the Controller – ensuring the smooth and secure operation of the services) or Article 6(1)(b) GDPR (performance of a contract / provision of a service).
OneTrust – user consent management (CMP)
Cookie name(s): OptanonConsent, OptanonAlertBoxClosed
Purpose: Stores the user's consent preferences for individual cookie categories. The OptanonAlertBoxClosed cookie records the date on which the banner was closed.
Legal basis: Article 6(1)(c) GDPR (legal obligation – compliance with GDPR requirements) and Article 6(1)(f) GDPR.
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: OneTrust LLC, 1200 Abernathy Rd NE, Atlanta, GA 30328, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.onetrust.com/privacy-notice/
Cloudflare – bot protection, security verification, session rate management
Cookie name(s): __cf_bm, _cfuvid, cf_chl_rc_ni
Purpose: Distinguishes human traffic from automated traffic (bots and malicious traffic), supports website security and protects forms and endpoints against abuse.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – security).
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.cloudflare.com/privacypolicy/
ASP.NET / website security tokens – session management, anti-forgery protection
Cookie name(s): ASP.NET_SessionId, __RequestVerificationToken, cookietest
Purpose: Maintains the user session, protects forms against unauthorised submissions and verifies browser support for cookies required for the correct operation of the website.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – secure and correct operation of the service).
Vendor role: First party – website technology used by Mondial Relay.
Vendor: MONDIAL RELAY SUCURSAL EM PORTUGAL
Transfer outside EEA: EEA – no additional safeguards required.
Further information: https://www.inpost.pt/politica-de-cookies/
CUX – necessary (technical initialisation required before analytical tools are activated)
Cookie name(s): _cux_n, _cux_n_ttl
Purpose: Technical cookies used to initialise the CUX environment and maintain the technical state required for subsequent UX measurement tools.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – ensuring the smooth operation of services).
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: CUX Research Sp. z o.o., ul. Ruska 22, 50-079 Wrocław, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://cux.io/legal/privacy-policy/
Technical / security support cookies – request validation and anti-bot support
Cookie name(s): JSESSIONID, eael_screen, mr.returning.visitor
Purpose: Support security validation, session continuity and the technical operation of certain embedded services or site components.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – security and technical integrity of the service).
Vendor role: First party and service-provider cookies, depending on the specific tool.
Vendor: MONDIAL RELAY SUCURSAL EM PORTUGAL and relevant service providers used on the website
Transfer outside EEA: EEA / third countries depending on the provider – appropriate safeguards apply where required.
Further information: https://www.inpost.pt/politica-de-cookies/
B. Analytical cookies
Analytical cookies are processed on the basis of your consent (Article 6(1)(a) GDPR). You may decline them or withdraw your consent at any time via the cookie banner.
The use of analytical cookies does not involve automated decision-making within the meaning of Article 22 GDPR.
Google Analytics 4 – traffic measurement, navigation path analysis, user segmentation, traffic source identification, conversion tracking
Cookie name(s): _ga, _ga_xxxxxxxxxx
Purpose: Counts visits and sessions, analyses traffic sources and navigation paths, identifies the most frequently visited pages, and segments users by behaviour. Data are used for aggregated analytics and service optimisation.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Microsoft Bing UET / Microsoft Clarity – analytical (traffic source identification, time-on-site measurement, behaviour analysis)
Cookie name(s): _uetvid, _clck, _clsk
Purpose: Measures traffic from Microsoft services and supports behavioural analytics, session reconstruction and on-site performance insights used to improve website usability and conversion performance.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://privacy.microsoft.com/en-gb/privacystatement
Dynatrace – analytical (technical performance analysis, error and outage monitoring, navigation path analysis, time-on-site measurement)
Cookie name(s): dtCookie, dtPC, dtSa, rxVisitor, rxvt
Purpose: Real-time front-end performance monitoring (Real User Monitoring): detects errors and outages, measures page load times and server response times, and analyses user navigation paths and correlations.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.dynatrace.com/company/trust-center/privacy/
DataDog – error and outage monitoring, technical performance analysis
Cookie name(s): _dd_s, dd_cookie_test_*
Purpose: Detects technical errors, outages, and performance issues affecting the services. Data are used for monitoring and technical optimisation.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: Datadog Inc., 620 8th Avenue, New York, NY 10018, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.datadoghq.com/legal/privacy/
CUX – navigation path analysis, time-on-site measurement, segmentation
Cookie name(s): _cux_e, _cux_e_ttl, _cux_u, _cux_v, _cux_v_ttl
Purpose: Analyses how users navigate the website (clicks, scrolling, navigation paths, form completion depth). Enables identification and resolution of usability issues (UX).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: CUX Research Sp. z o.o., ul. Ruska 22, 50-079 Wrocław, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://cux.io/legal/privacy-policy/
Hotjar – click heatmaps, anonymous session recording, content engagement measurement
Cookie name(s): _hjAbsoluteSessionInProgress, _hjFirstSeen, _hjIncludedInSessionSample_*, _hjSession_*, _hjSessionUser_*, _hjTLDTest
Purpose: Records areas of clicking and scrolling on the website (heatmaps), measures engagement and supports UX optimisation.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.hotjar.com/legal/policies/privacy/
Synerise – analytical (traffic source identification, traffic measurement, segmentation)
Cookie name(s): _snrs_8e1ba456442593f1c87dc22a03be52c1, _snrs_puuid, _snrs_sa, _snrs_sb, _snrs_uuid
Purpose: Measures website traffic, identifies traffic sources, segments users, and analyses navigation paths. Data are used to generate aggregated reports for the Controller.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://synerise.com/legal/privacy-policy/
HubSpot – analytical / CRM support
Cookie name(s): __hstc, __hssc, __hssrc, hubspotutk
Purpose: Supports analytics and CRM-related attribution, helps measure website visits and distinguish sessions for marketing and lead-management purposes.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.
Vendor: HubSpot, Inc., 2nd Floor, 30 North Wall Quay, Dublin 1, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://legal.hubspot.com/privacy-policy
C. Marketing cookies
Marketing cookies are processed exclusively on the basis of your consent (Article 6(1)(a) GDPR) in conjunction with Article 126 of the Portuguese Electronic Communications Law. You may decline them or withdraw your consent at any time via the cookie banner.
C1. Advertising platforms – principal vendors
Google Tag Manager / Google Ads / Google Marketing Platform / YouTube advertising – remarketing, conversion attribution, embedded video advertising support
Cookie name(s): _gcl_au, IDE, test_cookie, VISITOR_INFO1_LIVE, VISITOR_PRIVACY_METADATA, YSC, __Secure-BUCKET, __Secure-ROLLOUT_TOKEN, __Secure-YEC, __Secure-YNID
Purpose: Supports attribution of ad clicks to conversions, displays personalised advertisements in Google and YouTube environments, supports remarketing, campaign performance measurement, and embedded video interactions.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Meta Pixel – building advertising profiles, remarketing, interest-based targeting, advertising conversion attribution
Cookie name(s): _fbp
Purpose: Displays advertisements to users on Facebook and Instagram based on their activity on the services, measures advertising campaign performance, and creates lookalike audience segments.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Joint controller – Mondial Relay and Meta Platforms Ireland Limited jointly determine the purposes and means of processing in respect of data collected through the Pixel.
Vendor: Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.facebook.com/about/privacy/update
LinkedIn Insight Tag – building advertising profiles, creation of B2B remarketing segments, conversion attribution, advertising budget optimisation
Cookie name(s): AnalyticsSyncHistory, UserMatchHistory, bcookie, bscookie, li_gc, li_sugr, lidc
Purpose: Targets advertisements to LinkedIn users by company and profile-based characteristics, measures LinkedIn Ads campaign conversions, and attributes advertising conversions.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.linkedin.com/legal/privacy-policy
Microsoft Advertising / Bing UET – marketing (building advertising profiles, remarketing, conversion attribution, campaign performance measurement)
Cookie name(s): MUID, MSPTC, _uetsid
Purpose: Remarketing and targeting of advertisements in the Microsoft Advertising network, campaign effectiveness measurement, and advertising conversion attribution.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://privacy.microsoft.com/en-gb/privacystatement
Pinterest – advertising and conversion tracking
Cookie name(s): _pin_unauth, ar_debug
Purpose: Supports advertising measurement, conversion tracking and audience building in the Pinterest ecosystem.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policy.pinterest.com/en/privacy-policy
C2. Other vendors – advertising profiles and data synchronisation
Based on the current OneTrust scan for the Portuguese website environment, no additional named RTB / programmatic vendors beyond the principal advertising platforms listed in section C1 were identified as separate cookies requiring individual disclosure in this Annex.
C3. SSP platforms and identifier synchronisation in the programmatic ecosystem
At present, no SSP platforms or identifier synchronisation services are actively identified as separate named technologies in the Portuguese website scan.
C4. Tools used in mobile applications
The current OneTrust scan provided relates to the website environment. It does not constitute a complete mobile application SDK inventory. Where mobile application tools such as analytics SDKs, attribution platforms or in-app engagement technologies are used, they should be documented separately on the basis of the mobile SDK inventory and application-specific scan results.
C5. Social media platforms
Our websites may contain links to our profiles on social media platforms, displayed as buttons bearing the icons of those services. By clicking on a given icon, you are redirected to our profile – your information is transferred to the relevant platform only at the moment of that click. From that point onwards, we have no control over the scope of personal data collected by the platform in question.
Each platform acts as an independent controller of personal data once the user is redirected to its services.
We maintain profiles on the following social media platforms:
- Facebook – Meta Platforms Ireland Limited
- YouTube – Google Ireland Limited
- LinkedIn – LinkedIn Ireland Unlimited Company
- Instagram – Meta Platforms Ireland Limited
- TikTok – TikTok Technology Limited
As a result of your use of our social media pages, we may process your personal data. Detailed information regarding the basis for such processing can be found at the links below:
• Facebook: https://www.facebook.com/about/privacy/update
• TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en
• YouTube: https://policies.google.com/privacy?hl=en