InPostInPost
Mondial RelayMondial Relay

Privacy Policy

Full text of the Privacy policy - April 27, 2026

InPost Account Privacy Policy

Date of last update: 27/04/2026

We would like to explain the rules for processing your personal data in connection with your use of our mobile application. Using the application is possible by creating an InPost Account. Below you will find detailed information, including an indication of which of the companies within the Integer Capital Group is responsible for which processes.

How is this document structured and how can you navigate it?

Part I — InPost Account Privacy Policy

In Part I, we would like to present the basic principles of data processing.

1. We respect your privacy and care about the protection of your data

2. Who processes your data?

3. When may we process your personal data?

4. What personal data do we process and for what purpose?

4.1. InPost Account

4.2. Security

4.3. Analytics purposes and improving service quality

5. Additional information on processing

5.1. Processing of children's data

5.2. Closing the InPost Account

5.3. Deletion of personal data

5.4. Security of personal data

6. To whom we disclose your data

7. Your rights

8. Changes to the privacy policy

Part II — Regional Appendices:

In this part you will find detailed information about the services and the related processing of personal data applicable to the selected country.

Appendix A1 — Services provided in Poland

Appendix A3 — Services provided in Italy

PART I

1. WE RESPECT YOUR PRIVACY AND CARE ABOUT THE PROTECTION OF YOUR DATA

Introduction — what is this privacy policy about?

  1. If you use an InPost Account, this privacy policy will explain how we process your personal data.

In Part I, we describe how we process your personal data to manage your InPost Account. Additional services available within the InPost Account may differ depending on the country. Information about them can be found in Part II — in the section dedicated to a given country.

  1. We have prepared this privacy policy to show you how we process your personal data. You will find the following information here:

a. which company acts as the controller?

b. what data do we process?

c. how and for what purposes do we process this data?

d. to whom and where do we transfer the data?

e. your rights and how you can exercise them.

  1. We recognise that reading terms and conditions or policies is not an enjoyable activity, but we recommend familiarizing yourself with our policy to learn what your rights are and how to exercise them, as well as how and why we process your personal data.
  2. A few basic terms:

Application - This is our application available as a mobile and/or web application, which you can use after creating a User Account.

Personal data — Under GDPR, personal data means all information about you that allows for your direct identification (e.g., your email address) and indirect identification (e.g., your activity on a given website). We may obtain your personal data, such as your name, surname, phone number, email address, and delivery address, from you when you register an InPost Account or use InPost digital services.

GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The GDPR imposes specific obligations on entities that use personal data (both on their own behalf and on behalf of another entity). The GDPR guarantees the exercise of your rights related to data protection;

User Account or InPost Account — a profile created by you, by means of which we identify you in our digital services and enable you to use our mobile applications and other services without the need for separate registration.

Assigned region - Means the country allocated to your User Account during registration, which determines the applicable services, legal framework and relevant regional appendix (Part II — Regional Appendices).

User — Refers to you and other individuals who use our services. In this Policy, we address you directly, and other individuals using our services are referred to as "users".

Parcel Locker - A self-service automated device belonging to our network, equipped with lockers that allow customers to collect or send parcels. Depending on the market, this device may operate under a local commercial name e.g. Paczkomat®, InPost Locker, Locker Mondial Relay, while providing the same core functionality.

Privacy Policy — A document in which we describe how we process your personal data within the scope of specific services in the market(s) chosen by you.

UK GDPR - means the United Kingdom General Data Protection Regulation, as incorporated into UK law by the European Union (Withdrawal) Act 2018 and supplemented by the Data Protection Act 2018. It sets out the rules for how organisations in the UK must collect, use, store and protect personal data.

  1. Terms not defined above that are written with a capital letter have the meaning given to them in the relevant terms and conditions.
  2. We use cookies and similar technologies to provide you with convenient and secure use of our services. We encourage you to read our Cookies Policy, where you will find details about how they work and the options for managing settings.

2. WHO PROCESSES YOUR DATA?

2.1. Depending on the type of service provided, the administrator of your data is the relevant company from our capital group (hereinafter referred to as the "Administrator").

2.2. In connection with the User's use of InPost Account, providing personal data is voluntary, but necessary to use the functionalities and services offered by InPost.

2.3. Depending on the type of service performed, the Controller of your personal data may be:

The following entities act as Data Controllers with respect to your personal data, together with their contact details, including those of their appointed Data Protection Officers (DPO).

Poland

InPost sp. z o.o. ("InPost") Registered office: ul. Pana Tadeusza 4, 30-727 Kraków, Poland

You may contact the Data Controller through the following channels:

  • by phone: +48 722 444 000 or +48 746 600 000,
  • by traditional post: ul. Pana Tadeusza 4, 30-727 Kraków, Poland,
  • via the Contact Form,
  • via chat, available at: inpost.pl/kontakt.

InPost has appointed a Data Protection Officer (DPO), who can be contacted using the forms of communication indicated above. You can contact us through these channels if you wish to exercise your rights — see section "7. Your rights".

Italy

Locker InPost Italia s.r.l. Registered office: Viale Cassala 30, 20143 Milano, Italy

Locker InPost Italia S.r.l. has appointed its Data Protection Officer (DPO) pursuant to Articles 37, 38 and 39 of the GDPR. The DPO may be contacted at the email address: <[email protected]>.

3. WHEN MAY WE PROCESS YOUR PERSONAL DATA?

3.1.We may process your personal data on the following basis:

3.1.1. consent (Article 6(1)(a) GDPR): If you give us your consent, we will process your personal data for the specific purpose to which you consent. This ground is used, for example, when you supplement your account with optional data. Please note that, where consent is the most appropriate lawful basis for processing, this is entirely voluntary and may be withdrawn at any time.

3.1.2. contract (Article 6(1)(b) GDPR): Where processing is necessary for the performance of a contract to which you are party to, or in order to take steps at your request prior to entering into a contract. ;

3.1.3. legal obligation (Article 6(1)(c) GDPR): When the processing of your personal data is necessary to comply with our legal obligations (e.g., for tax and accounting purposes, arising from the provisions of the Polish Law, e.g.: Postal Law Act, the Transport Law Act or the Act on counteracting money laundering and terrorist financing).

3.1.4. legitimate interest (Article 6(1)(f) GDPR): We may process your personal data when it is necessary for our legitimate interests, and those interests do not override your rights and interests. This relates to, in particular, processing for purposes related to customer support, improving or developing our services, as well as for security purposes, including fraud prevention.

4. WHAT PERSONAL DATA DO WE PROCESS AND FOR WHAT PURPOSE?

Depending on your relationship with InPost, including depending on the service you use, we will process your personal data for the following purposes:

4.1. INPOST ACCOUNT

Purposes and legal bases of processing:

setting up the InPost Account

legal basis for processing: contract — Article 6(1)(b) GDPR; consent — Article 6(1)(a) GDPR (with regard to data provided on an optional basis);

handling and maintaining the InPost Account, the ability to authenticate the user within the services available through the InPost Account, including depending on the user's Country:

  1. Postal, freight forwarding and transport services in Poland and > other Countries (postings, returns, collections, extensions of > parcel storage);
  2. additional services specific to the Assigned region that provides > them, such as loyalty programs; these services are described in > Part II in the sections dedicated to individual countries.

legal basis for processing: contract — Article 6(1)(b) GDPR;

  1. reviewing and handling complaints

legal basis for processing: legal obligation or the legitimate interest of the controller in handling complaints concerning services provided by InPost - Article 6(1)(c) or (b) GDPR;

  1. pursuing claims and defence against claims

legal basis for processing: the legitimate interest of the controller consisting in pursuing, establishing or defending against claims - Article 6(1)(f) GDPR

What personal data we may process?

  • identification data, in particular: telephone number, e-mail address;
  • address and contact data: first name, last name, delivery address, delivery information including information provided by you e.g. comments regarding deliver, invoice address, favourite Parcel Locker,

InPost Account data, in particular: the date of creation of the Account, the history of activities undertaken within the Account, the history of consents expressed by you and acceptances of statements (e.g. any marketing consents, acceptance of terms and conditions, confirmation of adherence with prohibited or non-compensatory item restrictions, ,), application language, selected region, information about an active session.

At present it is not possible to change the telephone number, as it is your unique identifier in our system. If you want to change the telephone number, you must create a new InPost Account.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary for the proper provision of the service, and after its completion — no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional situations this period may be extended if provisions of law — including the Polish Civil Code — provide for suspension or interruption of the limitation period.

4.2. SECURITY

Purposes and legal bases for processing:

Prevention, detection and handling of data protection breaches, information security incidents, and other security considerations necessary to ensure the secure operation of online services.

Personal data may be processed by us when analysing incidents or (suspected) breaches:

  1. to analyse, investigate, document and report individual incidents;
  2. to prepare analyses and reports on the security status;
  3. to establish, pursue and/or defend legal claims.

legal basis for processing:

the legitimate interest of the Controller consisting in ensuring security and explaining incidents or breaches - Article 6(1)(f) GDPR or a legal obligation — Article 6(1)(c) GDPR (where there is no specific legal obligation, the processing of your personal data for security and protection purposes is based on our legitimate interest).

What personal data do we process?

  • Customer ID;
  • User contact data;
  • order history;
  • payment-related data;
  • shopping behaviour;
  • incident logs, event logs.

Individual logs may contain data such as: information on abuses, including (suspected) criminal activity.

More information:

We undertake a number of actions aimed at ensuring security for:

  1. users,
  2. property,
  3. InPost IT infrastructure

We try to protect our resources against cyberattacks, fraud, abuse and other malicious activities.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary for the proper achievement of the purpose, and after that period — no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional situations this period may be extended if provisions of law — including the Civil Code — provide for suspension or interruption of the limitation period.

4.3. ANALYTICAL PURPOSES AND IMPROVING THE QUALITY OF THE INPOST ACCOUNT SERVICE

Purposes and legal bases for processing:

We process your data for the following purposes:

  1. analytical purposes: developing and improving our services and improving the customer experience;
  2. creating new functionalities;
  3. personalising InPost Account settings within the Application and other services available via the InPost Account;
  4. analysis of user activity within the InPost Account for purposes other than advertising, including for analytical and statistical purposes and in order to detect and resolve cases of non-compliance with the regulations.

legal basis for processing:the legitimate interest of the Controller consisting in conducting analytical, optimisation and sales-supporting activities, service provision and advertising activities - Article 6(1)(f) GDPR or consent — Article 6(1)(a) GDPR (if the data will be used for marketing purposes)

What personal data do we process?

  • e-mail address/telephone number;
  • User ID
  • shipment/complaint number and history;
  • behavioral and contextual data;
  • other data generated by the system, originating from your activities and interactions with us.

Data used for development and improvement have been collected for various purposes. For example, we may use data relating to online transactions to develop our online ordering system, and for this purpose we use anonymised data. All analyses are carried out at the level of aggregated data. Where sufficient and possible, we use anonymised data.

More information:

Our aim is to create easily accessible and personalised services, which requires an analysis of the needs and requirements of the user/customer. This includes analysis aimed at making our services more user-friendly (for you), e.g. modifying the user interface in order to simplify the flow of information or to identify and develop services and their functionalities.

Sometimes we use surveys and customer satisfaction assessment forms. In such a case, any personal data used and obtained from you will be processed solely for the specific purpose described there.

We create and collect statistics, including via your smart devices, in order to optimise the assortment and services provided by us, and we also analyse and plan the use of staff, equipment and devices.

We want to be able to carry out analyses and segmentation in order to provide you with personalised services/purchases.

We may share your data with our advertising partners for purposes related to optimisation and ad targeting.

In order to ensure transparency, we explain the differences between personalisation of services, profiling and automated decision-making:

Personalisation consists in adjusting the way our services are presented or function to better match your preferences and typical use of the InPost Account. This may include, for example, adapting the user interface, suggesting certain functionalities, or remembering your settings. Personalisation is based on general patterns of use or your previous interactions, but it does not aim to evaluate you as a person or predict your behaviour in a way that produces legal or similarly significant effects.

  • Profiling means any form of automated processing of personal data consisting of using your data to evaluate certain personal aspects, in particular to analyse or predict your preferences, interests, behaviour or usage patterns. Where profiling is used, it is carried out mainly for analytical and statistical purposes, service improvement, segmentation of users and, where applicable, for marketing purposes (based on your consent where required). Profiling does not result in decisions that produce legal effects or similarly significantly affect you. Where profiling is carried out for marketing purposes, including targeted advertising, you can find more detailed information in the sections of this Privacy Policy dedicated to marketing activities.

Automated decision-making refers to decisions made solely by automated means, without human involvement, which produce legal effects concerning you or similarly significantly affect you. As a rule, we do not carry out such decision-making in relation to users of the InPost Account.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary for the proper achievement of the purpose, and after that period — no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional situations this period may be extended if provisions of law — including the Civil Code — provide for suspension or interruption of the limitation period.

5. ADDITIONAL INFORMATION ON PROCESSING

Detailed information on how individual local companies process data for marketing purposes can be found in Part II — in the section concerning the given country.

Processing of children's personal data

  1. Our services are intended for persons over 16 years of age. In some Countries the threshold may be different due to local regulations. If you are under 16, i.e. you are not entitled to use InPost digital services on your own, you must have the consent of your parent or legal guardian to use these services. If we do not receive such consent, we cannot process information about you and we must delete your personal data. This may mean that we will not be able to provide you with the services you requested.
  2. We may process the following information about you: first name, last name, date of birth and other information necessary to achieve a specific purpose.
  3. We make every effort to collect only the data that are necessary to provide the services. We do not knowingly collect additional information from minors or about them. If we learn that we inadvertently collected such personal data, we will take steps to enforce our terms and take actions aimed at promptly deleting personal data from our records.
  4. We may use your data to: make available and provide the ordered services (they must be tailored to your age), participation in competitions or events, communication with the consent of a legal guardian.
  5. We ensure that information about you is used safely and we protect it so that no unauthorised person has access to it without the consent of your parent or legal guardian. We use the collected data about you only for an appropriate period of time.
  6. Your parent or legal guardian may at any time request access to your data, change or delete it, or may withdraw consent to processing at any time.

Closure of the InPost Account

  1. If you close the account yourself (delete the account in InPost Mobile and then uninstall the application), you will lose access to your data within the active account. You may have access to such data only if you exercise the right of access to data, and we still process them. Information on how to exercise the right of access to data can be found in section 6.
  2. We may also close your account. The rules under which we may do so are described in detail in the InPost Mobile terms and conditions. In such a case you will also lose access to your data within the active account, but you will be able to exercise the right of access to data and other rights you are entitled to, provided that we still process such data.

Deletion of personal data

  1. The period of processing of data by the controller depends on the type of provided service and the purpose of processing. As a rule, data are processed for the duration of providing the service, until withdrawal of consent, or submission of an effective objection to data processing in cases where the legal basis for data processing is the controller's legitimate interest.
  2. We delete personal data after the following time conditions are met:

a) when you submit a complaint or grievance regarding services provided by InPost: the personal data contained in that complaint or grievance are processed for the time necessary to consider the complaint or grievance, and after that time we may store them for a period no longer than the limitation period of any claims arising from the submitted complaint or grievance, resulting from generally applicable provisions of law;

b) when you submit another report or inquiry to us: we store personal data for the period of handling and possible completion of the report, and after that time we may store them for a period no longer than the possible limitation period for claims, resulting from generally applicable provisions of law;

c) if the storage period of your personal data results from mandatory provisions of law, we store personal data for the period specified in those provisions.

1. The above is compliant with Article 17(3)(b) and (e) GDPR, which indicates that the right to erasure does not apply to the extent that processing is necessary, inter alia, for:

a) compliance with a legal obligation requiring processing under EU law or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

b) the establishment, exercise or defence of claims.

Personal data security

The security of your personal data is our priority. For this purpose we continuously conduct risk analysis — in order to ensure that personal data are processed by us in a secure manner, ensuring in particular that access to data is granted only to authorised persons and to the extent necessary due to the tasks performed by them.

We make all reasonable efforts to ensure the security of processed personal data by using effective technical and organisational safeguards.

  1. All information we receive about you is stored on appropriately secured servers.

We continuously assess the security level of our network, monitor internal regulations and procedures. This enables us to:

a) protect data against accidental or unlawful loss, unauthorised access or disclosure;

identify foreseeable risks to the security of our network;

minimise threats to security, including through risk assessment and regular testing.

  1. All payment-related data are encrypted using SSL technology.

6. TO WHOM DO WE DISCLOSE YOUR DATA?

  1. In connection with our provision of services by electronic means, personal data are disclosed to:

Integer.pl Capital Group — we may transfer your data to other companies in the integer.pl Capital Group, the list of which is available on our website. These companies help us improve our services, support customers, conduct business analyses, ensure security and detect abuse. The transfer of data may be necessary for you to be able to use our services.

  1. Third parties providing services — we use the services of third parties who help us maintain and deliver certain solutions related to our services or who provide certain services to us. These include, among others: providers responsible for the operation of IT systems, data hosting and communication channels, entities providing accounting services, entities providing legal services, insurance companies, marketing agencies, service providers responsible for shipping, delivery or returns of parcels, service providers providing customer service, service providers responsible for chatbots and conversation analysis.
  2. Some of these entities act as separate controllers, and some — depending on the service provided to us — process personal data as processors, i.e., in accordance with our instructions, solely to the extent indicated by us.
  3. Marketing and analytics service providers — in order to improve our services, we sometimes share information about you with providers such as Google or Meta. They help us analyse how users use mobile applications and support our online marketing. More information can be found in our cookies policy.

Entities providing payment services available in our mobile application and other services — in order to provide the payment services made available in the mobile application, we provide the payment operator with the data necessary to make the payment and to verify and identify the customer. The payment operator becomes a separate controller of your data.

  1. Law enforcement authorities, supervisory authorities and others — we may disclose selected information about you to the competent authorities or third parties that submit such a request. We will do so in accordance with the provisions of law.
  2. Transfer of data outside the EEA

1. As a rule, we do not use the services of suppliers that are established in countries outside the European Economic Area ("EEA"). However, it may happen that certain entities whose services we use directly or indirectly (e.g., social media service providers) are established in countries outside the EEA or may use subcontractors that are established outside the EEA.

2. If the situation described above occurs, we transfer your personal data outside the EEA only when it is necessary, and with the provision of an appropriate degree of protection required by the GDPR. To this end:

a) we transfer your personal data to countries which the European Commission has recognised as ensuring an adequate level of protection of personal data, or

we use the services of specific suppliers and use template contracts approved by the European Commission (Standard Contractual Clauses). Together with the required additional security measures, they ensure that personal data enjoy the same protection as in the European Union.

7. YOUR RIGHTS

7.1. How to exercise your rights:

You have the following rights regarding your personal data:

Right of access to personal data — you can check whether we process your personal data and, if so, you can obtain a copy of your data.

Right to rectification — you can that incomplete, incorrect, or outdated data be corrected. In some cases, in order to fulfil your request, we will need to verify the accuracy of the new data you provide to us.

Right to restriction of processing — you can ask us to stop processing your data when:

  • you want us to verify the accuracy of the data;
  • you believe our processing is unlawful;
  • we no longer need your data, but you need it to establish, exercise, or defend legal claims;
  • you object to processing — then we will assess whether we have overriding legitimate grounds to continue processing your data.

Right to object to processing — this applies where we process your data on the basis of a legitimate interest (ours or a third party's). You may object for reasons related to your particular situation, where you believe the processing affects your rights or freedoms. In some cases, we may have compelling legitimate grounds to process your data that override your rights and freedoms (e.g., the need to ensure the security of mobile applications and prevent fraud).

Right to erasure (right to be forgotten) — you can request deletion of your data if it is no longer necessary for the purposes for which it was collected. You may also request deletion if:

  • you withdraw your consent and we have no other legal basis for processing;
  • you successfully object to processing;
  • your personal data has been processed unlawfully;
  • your data must be erased to comply with legal obligations.

Please note that in some cases we are required to process your data under applicable laws and we may not be able to fulfil your request.

Right to data portability — When exercising this right, we will provide your personal data to you or to a third party indicated by you. However, this right applies only to data processed on the basis of consent or for the performance of a contract, and only where the processing is carried out by automated means (in IT systems).

Withdrawal of consent — If you have given us consent to process certain data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Right to set out advance directives in the event of death* (For France only)* — You have the right to instruct us on what you would like us to do with your personal data after your death.

7.2. How to exercise your rights

You may exercise your rights by contacting the relevant company. Contact details and available forms of contact can be found in the table in Part I, section 2 above ("Who processes your data", point 2.3).

7.2.1. You may exercise your right to object in various ways depending on what it concerns:

  • in the case of marketing emails — click the unsubscribe link in the content of the message;
  • in the case of marketing SMS messages, push notifications or telephone calls — change the notification settings in your account to opt out;
  • in the case of cookies — click the opt-out/reject option within the cookies banner (the bottom bar of the page "Manage cookies")

in other cases regarding the InPost Account, contact us via the Contact Form or via the email address: [email protected].

  • via chat ( if this option is available in your country)

7.2.2. Everyone has the right to the protection of their personal data and, in accordance with the GDPR, you may exercise your rights free of charge (this is the case in most instances). We may charge a reasonable fee if your request is manifestly unfounded or excessive, in particular because of its repetitive nature. In such cases, we may also refuse to comply with your request.

7.2.3. We endeavour to respond to your requests within one month. If your request is particularly complex or we have received several requests from you, handling the request may take us longer. In such a case, we will inform you that it will take longer and we will keep you informed on an ongoing basis about the status of your request.

7.3. Complaint to the supervisory authority

You have the right at any time to lodge a complaint with the competent supervisory authority. In matters related to the processing of data within the scope of our services or the services of local companies, you may contact the supervisory authority competent for a given local company.

  • In Poland, the supervisory authority is the President of the Personal Data Protection Office.
  • In France, the supervisory authority is la Commission nationale de l'informatique et des libertés (CNIL)
  • In Belgium, the supervisory authority is l'Autorité de Protection des données / Gegevensbeschermingsautoriteit,
  • In Spain, the supervisory authority is Agencia Española de Protección de Datos (AEPD)
  • In Italy, the supervisory authority is Garante per la protezione dei dati personali (GPDP)
  • In Portugal, the supervisory authority is Commissão Nacional de Protecção de Dados (CNPD)
  • In the United Kingdom, the supervisory authority is Information Comissioner's Office (ICO)
  • In Netherlands, the supervisory authority is Autoriteit Persoonsgegevens (AP),
  • In Luxembourg, the supervisory authority is la Commission nationale pour la protection des données (CNPD)

8. CHANGES TO THE PRIVACY POLICY

We may change or update this Privacy Policy. Any changes will be published in the mobile application and through our other services. If you have provided us with your email, we may additionally inform you about the changes via email.

If you do not agree to changes to the Privacy Policy, you may close your account in the mobile application or on the website. You can find the option to close the account in its settings.

PART II

The list of services provided within the applications and the websites is included in the list of services provided by InPost, which forms part of this Privacy Policy. Depending on your assigned region and the relevant regional appendix, you may use the application to access the functionalities described therein. This document outlines the principles of personal data processing for individual countries.

Information regarding the exercise of your rights under the GDPR can be found in Part I of the Policy, in the section "Your rights".

Appendix A1 — Services provided in Poland

I. MOBILE APPLICATION (INPOST MOBILE)

InPost Mobile — This is our mobile application, which you can use after creating an InPost Account.

Purposes and legal bases for processing:

  1. analysis of user activity in InPost Mobile for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with the rules

legal basis for processing: legitimate interest of the controller consisting in conducting analyses of users' activity and using the results of such analysis to improve the quality of services provided and for analytical and statistical purposes - Article 6(1)(f) of the GDPR or consent (push notifications) - Article 6(1)(a) of the GDPR

  1. own marketing

legal basis for processing: legitimate interest of the controller consisting in conducting analyses of users' activity and using the results of such analysis to improve the quality of services provided and for analytical and statistical purposes - Article 6(1)(f) of the GDPR or consent (push notifications) - Article 6(1)(a) of the GDPR

  1. reviewing and handling complaints

legal basis for processing: legal obligation or the legitimate interest of the controller consisting in handling complaints — Article 6(1)(c) or Article 6(1)(f) GDPR;

  1. pursuing claims and defence against claims

legal basis for processing: the legitimate interest of the controller consisting in pursuing, establishing, or defending against claims — Article 6(1)(f) GDPR;

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address, home address, delivery address, Tax Identification Number;

• marketing data, including data on the way the User uses InPost Mobile devices or an Internet browser, in particular: clicks and traffic on the website, opening push notifications (if you have agreed to receive notifications);

• device identifiers and other online identifiers;

• location data

To determine your location, we use various technologies, including IP address, GPS, Wi-Fi access points, and mobile network cell towers. Your location data allows us to find and display InPost points and Parcel Locker machines located in your neighborhood.

More information:

As part of the handling of the complaints process, your personal data may be disclosed to our insurer (an insurance company with which we have entered into an agreement, e.g., Generali Towarzystwo Ubezpieczeń Spółka Akcyjna with its registered office in Warsaw), which acts as a separate controller of personal data.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary for proper fulfilment of the purpose, and thereafter — no longer than the limitation period for claims, which as a rule is up to 6 years. In exceptional situations, this period may be extended if provisions of law — including the Civil Code — provide for suspension or interruption of the running of the limitation period.

II. MARKETING AND MARKETING COMMUNICATION

1. Contextual Advertising (Non-Targeted)

Purposes and legal bases for processing:

Legitimate interest of InPost in promoting its services to existing users by displaying non-targeted marketing content within the InPost mobile application and on the InPost website (Article 6(1)(f) GDPR).

We have assessed that this interest does not override your rights and freedoms: the content is generic, non-intrusive, and displayed only within our own platforms. You may object at any time.

What personal data do we process?

  1. Identification data (e-mail address and/or phone number where used to identify the logged-in user);
  2. Information about user interactions with the app or website (e.g. pages or screens viewed).

More information

InPost displays generic, non-targeted offers, promotions and recommendations within the InPost mobile application and on the InPost website. This content is not tailored to your individual profile — it is shown to users generally based on contextual factors such as the screen you are viewing.

Controller:

InPost Sp. z o.o.

Retention period:

For the duration of the user account, or until you object to this processing, whichever is earlier.

2. Direct Marketing Communications

Purposes and legal bases for processing:

Sending direct marketing communications via e-mail, SMS/MMS, push notifications — legal basis: consent (Article 6(1)(a) GDPR/ Article 398 PKE).

What personal data do we process?

  1. Phone number and/or e-mail address (depending on the channel used);
  2. Marketing preferences, including the date, time and method by which consent was given or withdrawn.

More information

InPost sends direct marketing communications via e-mail, SMS/MMS, and push notifications only. The content includes offers, promotions and recommendations relating to InPost's own services and goods, and joint initiatives with carefully selected partners and retailers. Where partner content is included, it is sent by InPost on the basis of your consent — your personal data is not shared with those partners for their own independent marketing.

By subscribing to the InPost communications, you consent to receiving messages by e-mail (Article 6(1)(a) GDPR/ Article 398 PKE). Providing consent is entirely voluntary.

You may withdraw your consent at any time by: (a) clicking 'Unsubscribe' in any e-mail we send you; (b) updating your preferences in the InPost app settings; or (c) contacting us via our contact form. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Controller:

InPost Sp. z o. o.

Retention period:

We retain marketing data until you withdraw your consent. Where you withdraw your consent, we retain a record of your marketing permissions to ensure you do not receive further direct marketing, unless and until you consent again.

3. Profiling for Marketing Purposes

Purposes and legal bases for processing:

Legitimate interest of InPost in understanding how our services are used and in making our marketing communications more relevant to users (Article 6(1)(f) GDPR).

We do not send direct marketing based on profiling without your separate consent (Section 2 above). Profiling does not involve automated decision-making that produces legal or similarly significant effects on you (Article 22 GDPR does not apply).

What personal data do we process?

  1. Frequency of app or Parcel Locker use;
  2. Preferred Parcel Locker locations;
  3. Parcel history (collections and sends);
  4. Locations where you typically collect or send parcels;
  5. Whether you have sent or received a parcel within the last 12 months

More information

We may use the data we hold about you to create a marketing profile. This means analysing information about how you use our services — such as your Parcel Locker usage frequency, preferred locations, and parcel history — in order to understand your preferences. This helps us tailor the content of marketing communications to be more relevant to you.

Controller:

InPost Sp. z o. o.

Retention period:

We do not retain profiling outputs as separate records. Profiling is carried out on personal data held for other purposes, and that data is retained in accordance with the applicable retention periods for those purposes. No additional data is stored specifically for profiling.

4. Behavioural Advertising and Remarketing

Purposes and legal bases for processing:

1. Displaying personalised marketing content tailored to your interests and preferences (behavioural advertising) — legal basis: consent (Article 6(1)(a) GDPR), obtained via the cookie consent banner in the InPost mobile application or on the InPost website.

2. Directing advertising messages to you on third-party websites and social media platforms based on your prior use of our services (remarketing) — legal basis: consent (Article 6(1)(a) GDPR).

3. Combining personal data obtained from different sources (including data from analytics providers and publicly available registers) for the purpose of creating a more complete user profile for marketing — legal basis: legitimate interest of InPost in conducting personalised marketing campaigns (Article 6(1)(f) GDPR), to the extent permitted by applicable law and where consent is not required.

What personal data do we process?

  1. Identification data (e-mail address, phone number);
  2. Behavioural data collected via cookies and similar tracking technologies: pages and screens visited, content clicked, time spent, device and browser information;
  3. Data from analytics providers (e.g. Google Analytics): technical information and usage patterns;
  4. Data from publicly available sources (e.g. Companies House, CEIDG): address and contact information relating to business activity, where relevant;
  5. Inferred interest and preference data derived from the above sources.

More information

Where you have consented to the use of cookies and similar technologies, we use data collected through those technologies to display marketing content that corresponds to your interests — for example, showing you offers related to services you have previously viewed or used (behavioural advertising).

We also use this data for remarketing: repeating advertising messages to users who have previously interacted with our mobile application or website, on third-party websites and on social media platforms. This is done through the use of advertising pixels, tags and similar technologies placed by our trusted advertising technology partners.

You may give or withdraw your consent to cookies and similar technologies at any time via the cookie consent banner in the InPost mobile application or website. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. More information is available in our Cookie Policy.

Where we rely on legitimate interest to combine data from third-party sources (purpose 3 above), we have assessed that our interest in conducting personalised campaigns does not override your rights and freedoms, given that: (a) the data sources used are limited to reputable analytics providers and publicly available registers; (b) the combined data is used solely for marketing improvements and not for automated decision-making with significant effects; and (c) you may object at any time.

*Right to withdraw consent / right to object: For purposes 1 and 2 (behavioural advertising and remarketing), you may withdraw your consent at any time via the cookie consent settings in the app or website, or by contacting* via our contact form*. For purpose 3 (data combination based on legitimate interest), you have the right to object. To object, contact us via our contact form*

Controller:

InPost Sp. z o. o.

Retention period:

Data collected via cookies and similar technologies is retained in accordance with our Cookie Policy, which sets out the specific retention period for each cookie category.

Data combined from third-party sources for profiling purposes is retained only for as long as necessary to carry out the relevant marketing activity, and no longer than the retention period applicable to the underlying data from which it was derived.

Where you withdraw consent or object to processing, we will cease the relevant activity and ensure that data used solely for that purpose is deleted, subject to any overriding legal obligation to retain records.

5. Advertising on Social Media Platforms (Non-Targeted)

Purposes and legal bases for processing:

Legitimate interest of InPost in promoting its services to relevant audiences on social media platforms including YouTube, LinkedIn, Facebook, Instagram, and TikTok (Article 6(1)(f) GDPR).

What personal data do we process?

  1. Audience parameters set by InPost for a campaign (e.g. general location, age ranges, interest categories — broad demographic criteria not linked to your individual profile);
  2. Aggregated, statistical-level performance data supplied by the platform (e.g. total impressions, click-through rates). We do not receive or process individual user data from platforms.

More information

InPost runs advertising campaigns on social media platforms. We set broad demographic parameters for our campaigns, but we do not share your personal data with those platforms for the purpose of targeting you specifically. The platforms use information they already hold about their own users — pursuant to their own terms and privacy policies — to determine who sees our adverts.

If you wish to manage how social media platforms show you adverts, please do so directly through the privacy or advertising settings of the relevant platform.

Controller:

InPost Sp. z o. o.

Retention period:

Advertising audience parameters and campaign performance data are retained only for as long as necessary to plan, review and optimise our marketing activity — usually the duration of the specific advertising campaign.

PROVISION OF POSTAL AND TRANSPORT SERVICES, INCLUDING COURIER SERVICES AND SERVICES PROVIDED VIA PARCEL LOCKER

Purposes and legal bases for processing:

  1. provision of postal services and transport services, including courier services and services provided via Parcel Locker — with respect to shipments dispatched in Poland;

legal basis for processing: contract — Article 6(1)(b) GDPR;

  1. reviewing and handling complaints

legal basis for processing: legal obligation — Article 6(1)(c) GDPR; consent to process special categories of personal data — Article 9(2)(a) GDPR

What personal data do we process?

  • the first name and surname of the sender (including the payer) and of the recipient (addressee) of the shipment;
  • the sender's address (street, house number, apartment number, postal code, city);
  • the recipient's address (street, house number, apartment number, postal code, city);
  • a new delivery address of the shipment, if after dispatch the sender instructs InPost to deliver it to a new address or InPost agrees with the recipient, before delivery of the shipment, on a different delivery address;
  • the e-mail address of the sender and the recipient of the shipment, processed in order to send messages regarding performance of the service, in particular information about the current shipment delivery status, or information enabling collection of the shipment from the Parcel Locker;
  • the phone number of the sender and the recipient of the shipment for direct contact or to send messages regarding performance of the service, in particular contact to agree on a different place of delivery of the shipment, or information enabling collection of the shipment from the Parcel Locker;
  • depending on the service selected for performance, we may also process the bank account number necessary to transfer the collected cash (under the cash on delivery service, so-called cash on delivery (COD)) to the person indicated by the sender, and information enabling identification of the circumstances of COD payments or topups of accounts as part of paying for the services we offer by the prepaid method (advance payment);called cash on delivery) to the person indicated by the sender, and information enabling identification of the circumstances of COD payments or top-ups of accounts as part of paying for the services we offer by the prepaid method (advance payment);called cash on delivery) to the person indicated by the sender, and information enabling identification of the circumstances of COD payments or top-ups of accounts as part of paying for the services we offer by the prepaid method (advance payment);called cash on delivery) to the person indicated by the sender, and information enabling identification of the circumstances of COD payments or top-ups of accounts as part of paying for the services we offer by the prepaid method (advance payment);
  • where services are provided to entrepreneurs (B2B agreement), data regarding the business activity conducted (including Tax ID, REGON, company name, business address, contact details), including data of contact persons or persons authorised to represent, and data regarding cooperation with InPost;
  • the IP address of persons using our systems;
  • information obtained from you in the course of the complaint procedure and in the course of the claims settlement procedure (loss settlement), including information about your health condition if you decide to provide it.

More information:

In connection with processing the payment, your data will be processed in the Przelewy24 service by PayPro S.A., with its registered office in Poznań, which is a separate controller.

If you dispatch a shipment from Poland to a Country other than Poland, your data will be processed by our partner — the courier company — in the destination Country, acting as a separate controller of personal data — the list of these entities is available here.

If you dispatch a shipment from a Country other than Poland, your data will be processed by our local company in the dispatch Country, acting as a separate controller of personal data — the list of these companies is provided in section 1.2 and is available here. Your data will also be processed by our partner — the courier company — in the destination country, which also acts as a separate controller of personal data — the list of these entities is available here.

If you have filed a complaint, your personal data may be disclosed to our insurer (the insurance company with which we have concluded an agreement, e.g. Generali Towarzystwo Ubezpieczeń Spółka Akcyjna with its registered office in Warsaw), which is a separate controller of personal data.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary to properly fulfil the purpose, and after that period — no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional cases this period may be extended if provisions of law — including the Civil Code — provide for suspension or interruption of the limitation period.

LOYALTY PROGRAMME

Purposes and legal bases for processing:

  1. performance of obligations and exercise of rights arising from participation in the loyalty programme, including notifications about rewards and benefits resulting from membership, such as offers, promotions and recommendations, services, events and many others organised by us or our partner companies.

legal basis for processing: contract — Article 6(1)(b) GDPR; consent — Article 6(1)(a) GDPR (with respect to data provided optionally);

  1. marketing of our own and partners' products/services

legal basis for processing: the Controller's legitimate interest consisting in marketing of the Controller's own products or services — Article 6(1)(f) GDPR; consent to use cookies and other technologies — Article 6(1)(a) GDPR;

  1. reviewing and handling complaints

legal basis for processing: legal obligation or the Controller's legitimate interest consisting in handling complaints concerning services provided by InPost — Article 6(1)(c) or (f) GDPR;

  1. pursuing claims and defence against claims

legal basis for processing: the Controller's legitimate interest consisting in pursuing, establishing or defending against claims — Article 6(1)(f) GDPR

What personal data do we process?

  • activity within the Loyalty Programme, including the number and history of exchange / receipt / expiry of points (InCoins) and the history of tasks performed and rewards collected;
  • marketing data, including data on the manner of using the user's InPost Mobile device or web browser.

More information:

In connection with handling the complaint process, your personal data may be disclosed to our insurer (the insurance company with which we have concluded an agreement, e.g. Generali Towarzystwo Ubezpieczeń Spółka Akcyjna with its registered office in Warsaw), which acts as a separate Controller of personal data.

If you declare your intention to acquire a reward in the form of an InBox, we will disclose your data in the form of: your phone number, the status of a Loyalty Programme participant, and the status of an application user, to the lottery organiser responsible for awarding those rewards, in order to enable the lottery to be conducted and to verify your eligibility to participate in that lottery, as a separate Controller. We will also disclose the aforementioned data to selected partners of the Loyalty Programme for the purpose of performing obligations and exercising rights arising from participation in the Loyalty Programme and for reporting purposes.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary to properly fulfil the purpose, and after that period — no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional cases this period may be extended if provisions of law — including the Civil Code — provide for suspension or interruption of the limitation period.

INPOST AI ASSISTANT

Purposes and Legal Bases for Processing

  1. Provision of services by electronic means through ensuring access to a virtual chat enabling conversation:

Legal basis: Article 6(1)(b) GDPR — processing is necessary for the performance of a contract to which the data subject is party (provision of the real-time chat service).

  1. Use of historical data and preferences in order to tailor responses and recommendations:

Legal basis: Article 6(1)(f) GDPR — the legitimate interest of the controller consisting in improving the quality and relevance of the service provided and its personalisation for the user, while guaranteeing the user the right to object to such processing.

*The user has the right to object to this processing. If you exercise the opt-out option, the AI assistant will not use your previous conversation history when formulating responses.*

  1. Data transmitted during interaction with the AI assistant — including the content of conversations, questions entered and answers provided — may be used for training and improving the artificial intelligence model.

Legal basis: Article 6(1)(f) GDPR — the legitimate interest of the controller consisting in improving AI models, enhancing system security and raising the quality of services provided to users.

Within the framework of the "Nakarm Bielika" campaign, we process in particular: the content of messages entered (questions, commands, comments and attachments added), the content of responses generated by the assistant, information contained in messages that may constitute personal data if the user chooses to disclose them (e.g., first name, email address, other identifying data), the manner of formulating statements, linguistic style and language constructions used.

These data are used exclusively in aggregated or anonymised form to the extent possible. The controller does not use conversations to identify specific users and does not build individual user profiles for the purpose of model training.

The language model does not "remember" users as individuals; however, individual fragments of conversations may be used as elements of training datasets after prior processing (e.g., removal or limitation of data enabling identification).

  1. Data are used to improve service quality and detect abuse within the existing system functionalities.

Legal basis: Article 6(1)(f) GDPR — the legitimate interest of the controller consisting in ensuring the integrity, security and proper functioning of IT systems and protection against unauthorised access or abuse.

  1. Pursuit and defence of claims.

Legal basis: Article 6(1)(f) GDPR — the legitimate interest of the controller consisting in the ability to pursue and defend legal claims.

What Personal Data Do We Process?

Data provided directly by the user:

  • information from queries and chat history, including attachments added (e.g., questions, answers, message content, files and documents uploaded);
  • identification data necessary for the use of the service.

Technical and operational data:

  • technical data related to the use of the service (e.g., IP address, timestamp);
  • session identifier, device type, operating system, application version;
  • activity logs and system error logs.

Data generated in the course of service provision:

  • conversation history and patterns (for personalisation and model training purposes);
  • thematic categories of queries (for analysis and service improvement purposes);
  • user communication preferences and style identified by AI algorithms.
  • Important: Please do not provide information containing special categories of personal data (e.g., data concerning racial or ethnic origin, health, political opinions, religious or philosophical beliefs, sexuality and sexual orientation).

More Information

  • You may use the services of our AI assistant — a tool using artificial intelligence, available in the mobile application, which supports user service through online chat and enables conversations. In connection with the above, it may use personal data.
  • We encourage prudent use of the AI assistant, as it may sometimes generate untrue or accidentally personalised information.
  • The AI assistant may use your historical data and preferences in order to tailor responses and recommendations.
  • On the basis of the above processing, no decisions producing legal effects or similarly significantly affecting you are taken in a solely automated manner (Article 22 GDPR). The results of conversation analysis serve exclusively to improve the quality of the assistant's responses — they are not used to assess your credibility, economic situation, health, preferences or any other personal characteristics that could constitute the basis for such decisions. Data from chat history will subsequently be used to improve the model, but not in real time. These data serve the provision of ongoing user support here and the improvement of service quality and detection of abuse within the existing system functionalities. Data transmitted during interaction with the AI assistant, namely information from conversation content, questions entered and answers, may be used for training artificial intelligence.
  • We make every effort to ensure secure data processing and we apply world-class technical solutions and regular AI system audits.
  • As a rule, we do not use providers based in countries outside the European Economic Area ("EEA"). However, it may happen that some entities whose services we use directly or indirectly (e.g., hosting service providers) are based outside the EEA or use subcontractors located outside the EEA.
  • In the event of the situation described above, we transfer your personal data outside the EEA only when this is necessary and while ensuring the appropriate level of protection required by the GDPR. To this end:
  • we transfer personal data to countries for which the European Commission has established an adequate level of personal data protection, or
  • we use the services of specific providers, concluding with them Standard Contractual Clauses approved by the European Commission, which together with additional required security measures ensure a level of personal data protection equivalent to that applicable in the European Union.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary for the proper provision of the service, and after that period — no longer than until the expiry of the limitation period for claims.

Retention period for information in the form of attachments: up to 2 years.

Data used for AI model training (in anonymised or pseudonymised form): for the time necessary to achieve this purpose, but no longer than for the period justified by the technological lifecycle of the model.

INPOST PAY

Purposes and legal bases for processing:

Provision of the InPost Pay service, including:

  1. a service consisting in carrying out the process of purchasing goods or services in the online store of a seller cooperating with us (within InPost Mobile),

legal basis for processing: contract — Article 6(1)(b) GDPR;

  1. a service of remembering customer data, such as address data and payment-related data, and automatically completing those data in the purchasing process

legal basis for processing: contract — Article 6(1)(b) GDPR;

  1. a service enabling customers to save card data within the user account in InPost Mobile

legal basis for processing: consent — Article 6(1)(a) GDPR;

  1. a service of making payments within InPost Pay

legal basis for processing: contract — Article 6(1)(b) GDPR;

  1. marketing of our own and partners' products/services

legal basis for processing: the Controller's legitimate interest consisting in marketing of the Controller's own products or services — Article 6(1)(f) GDPR; consent to use cookies and other technologies — Article 6(1)(a) GDPR;

  1. reviewing and handling complaints

legal basis for processing: legal obligation or the Controller's legitimate interest consisting in handling complaints concerning services provided by InPost — Article 6(1)(c) or (f) GDPR;

  1. pursuing claims and defence against claims

legal basis for processing: the Controller's legitimate interest consisting in pursuing, establishing or defending against claims — Article 6(1)(f) GDPR

What personal data do we process?

  • identification and contact data, including in particular: first name, surname, phone number, e-mail address, home address, delivery address;
  • data regarding transactions using InPost Pay, including: information regarding the basket and payments, information about the store where you made a purchase;
  • payment card data;
  • transaction history;
  • marketing data, including data on the manner of using the user's InPost Mobile device or web browser.

More information:

Within InPost Mobile, as a buyer, you may use an additional service enabling a fast purchase path in the online store of a selected seller cooperating with us, using data stored within your InPost Mobile account, including identification data, payment-related data and delivery-related data. In that case, the controller of data processed in connection with conclusion and performance of the sales agreement is the seller.

We do not store the buyer's credit card data unless you select the option to save them in order to facilitate future payments. In such a case, we will store only the cardholder's first name and surname, the card expiry date, the card type and the last four digits of the card number. We do not store the credit card verification code values. We transmit them in encrypted form only together with the credit card number for the purpose of executing the payment by the operator, as a separate Controller. The Controller of buyers' personal data processed in connection with the payment process is Aion bank S.A., a joint-stock company, branch in Poland.

In connection with handling the complaint process, your personal data may be disclosed to our insurer (the insurance company with which we have concluded an agreement, e.g. Generali Towarzystwo Ubezpieczeń Spółka Akcyjna with its registered office in Warsaw), which acts as a separate controller of personal data.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary to properly fulfil the purpose, and after that period — no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional cases this period may be extended if provisions of law — including the Civil Code — provide for suspension or interruption of the limitation period.

Appendix A3 — Services provided in Italy

MOBILE APPLICATION (INPOST MOBILE)

InPost Mobile — This is our mobile application, which you can use after creating an InPost Account.

Purposes and legal bases for processing:

  1. analysis of user activity in InPost Mobile for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with the rules

legal basis for processing: legitimate interest of the controller consisting in conducting analyses of users' activity and using the results of such analysis to improve the quality of services provided and for analytical and statistical purposes - Article 6(1)(f) of the GDPR own marketing

  1. reviewing and handling complaints

legal basis for processing: legal obligation or the legitimate interest of the controller consisting in handling complaints — Article 6(1)(c) or Article 6(1)(f) GDPR;

  1. pursuing claims and defence against claims

legal basis for processing: the legitimate interest of the controller consisting in pursuing, establishing, or defending against claims — Article 6(1)(f) GDPR;

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address, home address, delivery address, Tax Identification Number;

• marketing data, including data on the way the User uses InPost Mobile devices or an Internet browser, IP address, cookies;

• marketing data, including data on the way the User uses InPost Mobile devices or an Internet browser, in particular: clicks and traffic on the website, opening push notifications (if you have agreed to receive notifications).

• location data

To determine your location, we use various technologies, including IP address, GPS, Wi-Fi access points, and mobile network cell towers. Your location data allows us to find and display InPost points and Parcel Locker machines located in your neighborhood.

More information:

Controller:

Locker InPost Italia S.r.l. Retention period:

The time required to properly fulfill the above purposes is as follows:

1. Up to a maximum of 2 years for the purpose of analysis of user activity in InPost Mobile for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with the rules.

2. 10 years, subject to opposition and the time necessary for legal defense, for the purpose of reviewing and handling complaints.

3. 10 years, subject to opposition and the time necessary for legal defense, for the purpose of pursuing claims and defending against claims.

II. MARKETING COMMUNICATION

Purposes and legal bases for processing:

1. sending offers and recommendations as part of providing services

legal basis for processing: consent — Article 6(1)(a) GDPR

2. sending direct marketing communications via e-mail, push notifications, SMS, or telephone calls

legal basis for processing: consent — Article 6(1)(a) GDPR;

What personal data do we process?

• identification data, including in particular: phone number and e-mail address;

• information on user interactions;

• information about the user and their habits (e.g., purchasing habits).

More information:

We use various forms and channels of communication, i.e., we contact you via e-mail, MMS / SMS, telephone calls, and push notifications. The content we send includes, among other things, offers and recommendations regarding our services or goods, or those of third parties, which may be of interest to you. We prepare this information using algorithms that analyse how you use our services, including by analysing your activity in mobile applications.

By subscribing to the newsletter you consent to receiving messages by e-mail (Article 6(1)(a) GDPR).

If you do not accept our marketing activities or you do not wish to use selected forms of contact with you, please contact us (contact details can be found in Part I, section 2 above ("Who processes your data", point 2.3).

Controller:

Locker InPost Italia S.r.l.

Retention period:

The time necessary for proper fulfilment of the purpose is up to 24 months.

Additional information

  • We process your personal data in order to carry out marketing activities, which may consist of:

a) displaying marketing content corresponding to your interests (behavioural advertising), as well as directing advertising messages to you on other websites and on social media platforms (remarketing);

b) displaying marketing content to you that is not tailored to your preferences (contextual advertising);

c) sending commercial information through various channels, including by e-mail (including in the form of a newsletter), by SMS/MMS, via push notifications or by phone, containing information about interesting offers or content concerning our products and services, companies from the Integer.pl Group and entities cooperating with those companies.

  • With regard to the activities referred to in point a) above, we act on the basis of our legitimate interest (Article 6(1)(f) GDPR), consisting in conducting personalised advertising campaigns, and, to the extent required by law — on the basis of your consent.
  • With regard to the activities referred to in point b) above, we act on the basis of our legitimate interest (Article 6(1)(f) GDPR) consisting in increasing the scale of marketing campaigns conducted.
  • With regard to the activities referred to in point c) above, we act on the basis of your consent to send marketing content to your e-mail address, phone number or via push messages (if such functionality is provided). You may give consent by ticking the relevant checkbox under the form available on the website or in the account settings. You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.
  • We may use the data obtained from you to create your profile (user profile). This means that, thanks to automated data processing, we will be able to predict or assess various aspects related to you, e.g. your age, gender, interests, economic situation, location. This allows us to better match the displayed or communicated content to your preferences and interests, which will enable you to take advantage of better offers and save your time. Processing of personal data is carried out in connection with the performance of our legitimate interest (Article 6(1)(f) GDPR), consisting in directing marketing communications to persons interested in our services and conducting personalised marketing campaigns. Our trusted partners are also involved in the process of displaying personalised advertising to you.
  • We may process your personal data for marketing of our own services, including sending information about offers, promotions and new developments concerning the provided services and activities aimed at promoting our services and brand. The activities we undertake may also consist in repeating advertising messages to persons who use the mobile application, on websites and social media platforms. The processing of personal data then includes user profiling.
  • We may process users' personal data, including personal data collected via cookies and other similar technologies, for marketing purposes, in connection with directing advertising to users.
  • On our websites we use cookies to make it easier for you to use our websites, e.g. to remember your settings and preferences and to simplify logging in to your account. For this purpose we use cookies. You may give consent to the use of cookies (technically, consent to storing information on an end device and obtaining information) via the so-called cookie banner, which is displayed after opening the mobile application. More information on this can be found in the cookie policy. You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.
  • We process your personal data when you visit our profiles on social media (e.g. Facebook, YouTube, Instagram, Twitter, LinkedIn, Pinterest). Such data are processed solely in connection with running the profile, including for the purpose of informing users about our activity and promoting various events, services and products. The legal basis for processing personal data is our legitimate interest (Article 6(1)(f) GDPR), consisting in promoting our own brand.

Combining information obtained from different sources

  • If you give marketing consent, we will use information collected about you that we obtained from various sources, i.e. in connection with the performance of other processes (e.g. account maintenance), and we will use it for marketing purposes, pursuing our legitimate interest (Article 6(1)(f) GDPR). Such data may be used for user profiling.
  • With the personal data we collect from you in the mobile application, we may combine data obtained from public sources and from third parties:

a) data in the form of technical information and information resulting from the manner of use, which we obtained from providers of analytical services (e.g. Google Analytics);

b) address and contact data related to conducting business activity, which we obtained from information providers.

  • In the situation described in point 4.3.1 above, the purpose of processing is: (1) fulfilling a legal obligation incumbent on the controller (Article 6(1)(c) GDPR), consisting in fulfilling legal obligations in connection with the conclusion, performance and settlement of the agreement, including proper identification of persons authorised to represent and incur obligations on the contractor's side at the time of signing the agreement, deliveries, issuing a VAT invoice or receipt, pursuing and defence of claims, as well as related to the obligation to keep accounting books and tax settlements; (2) the controller's legitimate interest (Article 6(1)(f) GDPR), consisting in conducting activities aimed at concluding and performing the agreement, conducting correspondence and exchanging e-mails, contact related to the implementation and performance of contractual provisions.

CHAT SERVICE

Purposes and legal basis for processing:

Provision of services by electronic means by enabling Users to access a chat service allowing them to communicate with InPost in matters related to the use of services.

Legal basis for processing: necessity for the performance of a contract — Article 6(1)(b) of the GDPR.

What personal data do we process?

a) data provided in the content of messages sent via the chat,

b) information necessary to handle the inquiry or request submitted by the User,

c) technical data related to the use of the service (e.g. IP address, date and time of the connection).

Additional information

The chat service is a communication channel enabling contact with InPost for the purpose of obtaining information, support or clarification regarding services. Providing personal data via the chat is voluntary; however, it may be necessary in order to respond to the inquiry or properly handle the request. Users are kindly requested not to provide special categories of personal data via the chat, unless this is necessary due to the nature of the matter. Personal data provided via the chat is used exclusively for the purpose of handling the User's inquiry and ensuring the proper functioning of the service.

Controller

Locker InPost Italia S.r.l.

Retention period

Personal data is processed for a period no longer than 2 years from the date of the interaction, unless a longer period is required for ongoing legal proceedings.