Termini e Condizioni

PRIVACY POLICY

GLOBAL MERCHANT PORTAL

1. Who are we and how can you contact us?

2. What data do we process?

3. For what purposes and on what legal basis do we process your personal data?

User Account

Concluding service agreements

Handling correspondence

4. How long do we process your data?

5. Who do we share your data with?

6. Your rights

7. Transfer of data outside the EEA

8. Personal data security

9. Changes to the privacy policy

1. Who are we and how can you contact us?
   1. InPost Spółka z ograniczoną odpowiedzialnością with its registered office in Kraków, at ul. Pana Tadeusza 4, 30-727 Kraków, entered in the register of entrepreneurs maintained by the District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register under KRS number: 0000543759, NIP: 6793108059, share capital: PLN 116,278,450.00 is the controller of your personal data (hereinafter the Controller) within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR), in connection with your use of the Global Merchant Portal (hereinafter the Portal).
   2. Personal data means information about an identified or identifiable natural person through one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person, including device IP address, location data, online identifiers, and information collected via cookies and similar technologies.
   3. User means you, as well as other individuals who use the Portal. In this policy we address you directly; other individuals using the Portal are referred to as “users”.
   4. You may contact us:
      1. via the contact form at https://inpost.pl/formularz-kontaktowy
      2. by post to: ul. Pana Tadeusza 4, 30-727 Kraków;
      3. by email: [email protected];
      4. by telephone: +48 722 444 000 or +48 746 600 000.
      5. via chat (see https://inpost.pl/kontakt).
   5. We have appointed a Data Protection Officer, whose name and surname you can find on our website Contact InPost - helpline and complaints | InPost - Parcel Lockers, Courier, Courier Shipments.. You may contact them regarding matters related to the processing of your personal data by email: [email protected], via our contact form (Contact us | InPost) or by post to our address stated above.
   6. We are part of the InPost Capital Group.
2. What data do we process?
   1. We collect data to the extent necessary to provide electronic services, as well as information about your activity in the Portal. In particular, we collect data necessary to create and manage your Portal Account (email address, password or other authentication credentials where required, first name, surname, job title, telephone number, data concerning the business activity of the User or the Merchant they represent), data used for analytical and marketing purposes (Account information, activity data within the Portal and on the Account, including clicks and site traffic, information about the device and web browser such as identifiers, data used for content personalisation), and data provided in the course of complaints handling (identification and contact details as above, and any other data submitted to us in connection with a complaint).
   2. When you use the Portal, we may collect information about your activity using cookies or similar technologies, such as tracking pixels, as well as data about the device you are using. Detailed information about these tools and the rules governing their use can be found in the Cookies Policy available at Cookies Policy | InPost.
3. For what purposes and on what legal basis do we process your personal data?
   1. Unless stated otherwise below, providing your personal data is voluntary; however, it may sometimes be necessary for the purposes of providing services to you, for example, it may be required to enter into or perform a contract, or to respond to an enquiry you have submitted. This means that failure to provide such data may in some cases result in our refusing to enter into a contract or make a particular functionality available to you, or in our taking steps to resolve the relevant matter.

User Account

• 1. 1.9. The User Account is your individual area within the Portal, accessible after providing an email address and password or other secure login methods, through which you can use the Portal's functionalities.
  2. 1.10. When creating an account in the Portal, during registration we will ask you to provide the personal data marked as mandatory in the registration form. These are necessary to create and maintain your account and to make available the services and functionalities offered within the account. Providing additional data is optional.
  3. In connection with the provision of the account management service to you, we process your personal data for the following purposes:
     1. to provide services related to the operation and management of the account, including enabling the conclusion of service agreements with individual InPost companies – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR);
     2. to handle complaints relating to the account and use of the Portal – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR);
     3. to detect and prevent fraud and abuse – the legal basis for processing is the legitimate interest of the Service Provider (Article 6(1)(f) GDPR), consisting in taking steps to prevent unauthorised activity by Users in the Portal;
     4. for our analytical and statistical purposes – the legal basis for processing is our legitimate interest (Article 6(1)(f) GDPR), consisting in analysing User activity and preferences in order to improve the functionalities we offer and the services we provide;
     5. to establish, pursue, or defend legal claims – the legal basis for processing is our legitimate interest (Article 6(1)(f) GDPR), consisting in the protection of our rights;
     6. to carry out marketing activities involving the sending of commercial information by electronic means – the legal basis for processing is consent given in accordance with the applicable provisions on electronic communications (Article 398 of the Electronic Communications Law);
     7. to carry out other types of marketing activities – the legal basis for processing is our legitimate interest (Article 6(1)(f) GDPR), consisting in the marketing of our own goods and services;
     8. to personalise content, tailor services, and improve them – the legal basis for processing is our legitimate interest (Article 6(1)(f) GDPR), consisting in improving the quality of services provided and the experience of using the Portal by tailoring content to User preferences.
  4. To enable you to use our digital services, we will automatically create an InPost Account for you – this is your profile that allows you to log in to our mobile applications and other services without having to register each time. We create the InPost Account solely for the purpose of providing the services you have consented to, and we do not use it for any other purpose. This allows you to use our solutions more quickly and conveniently, without additional formalities. Detailed rules regarding the processing of data in connection with the use of the InPost Account can be found in the Privacy Policy available at Privacy Policy | InPost.

Concluding service agreements

• 1. If you wish to conclude a service agreement through the Portal, we will share your data with the service provider with whom you are entering into the contract. That service provider will be an independent controller of your personal data.
  2. Detailed information on the processing of Users' personal data by individual service providers is available in the Portal.

Handling correspondence and chat

• 1. We collect data that you send us via email, post, electronic delivery, and all types of contact forms. Personal data obtained in this way is processed solely for the purpose of identifying the sender and providing a response.
  2. In the case of telephone or email contact, we collect all the information you choose to share during the conversation or correspondence with our representatives.
  3. In connection with handling queries, requests, and complaints submitted through the available contact channels, we process your data:
     1. to identify the sender, handle their enquiry, and provide a response – the legal basis for processing mandatory data is our legitimate interest (Article 6(1)(f) GDPR), consisting in responding to enquiries directed to us concerning our business activities;
     2. to handle enquiries submitted via our chat, which may use generative artificial intelligence technology – the legal basis for processing is the legitimate interest of the Service Provider (Article 6(1)(f) GDPR), consisting in the ability to provide efficient and personalised user support using ethical artificial intelligence solutions.
     3. to handle data subject requests – the legal basis for processing is the legal obligation of the controller (Article 6(1)(c) in conjunction with Articles 12–21 GDPR);
     4. for analytical and statistical purposes – the legal basis for processing is our legitimate interest (Article 6(1)(f) GDPR), consisting in maintaining statistics on queries submitted by users.

1. How long do we process your data?
   1. The duration for which we process your data depends on the purposes for which it is used and the legal basis for processing. In determining appropriate retention and deletion periods, we have also taken into account the scope, volume, nature, and sensitivity of the data, as well as the potential risk of harm:
      1. where processing is necessary for the performance of a contract – we retain data for the duration of the contract and thereafter until the expiry of the limitation period for claims arising from it;
      2. where data is processed on the basis of consent – we retain it until the purpose of processing is achieved, and no longer than until consent is withdrawn;
      3. where data is processed on the basis of legitimate interest – we retain it until the purpose of processing has been fulfilled or until the limitation period for claims has expired, but no longer than until a valid objection is raised;
      4. where the obligation to retain data arises from legal provisions – we apply the periods specified in those provisions.

Deletion of personal data

• 1. We will permanently delete your data only once it is no longer needed for any processing purpose.
  2. We may retain certain data for longer than other data. This occurs when particular data is still necessary for one processing purpose, even though that purpose no longer applies to other data**.**

Account closure

• 1. You may delete your account in accordance with the terms of the Portal's terms of service. We may also close your account in accordance with those terms. If an account is closed, you will lose access to your data within the active account. You may only access such data if you exercise your right of access and we are still processing it. Information on how to exercise your right of access can be found later in this Policy.
  2. If the email address you use for your User Account is the same as the one registered in your InPost Account, deletion of the User Account will not affect your ability to use the InPost Account. Deletion of the User Account will mean that you will no longer be able to use the Merchant Portal. Requests to delete a User Account are processed within the timeframes set out in applicable law, including the GDPR. Fulfilling such a request may require us to take additional steps, including contacting you to verify the request.
  3. If you delete your InPost Account in accordance with the InPost Account terms of service, you will lose access to your User Account. For this reason, it is important that when registering your User Account, you ensure that the email address you provide is not already in use under your InPost Account for personal purposes. Please note that when using the Portal, you should use your business contact details, such as your work email address and telephone number.
  4. We may automatically delete your account if you have not carried out any activity in the Portal for a period of 3 months, and the business client associated with your account is not using the services of InPost Group companies offered through the portal.

1. Who do we share your data with?
   1. We share your data with other entities to provide you with the best possible services, or where we are legally obliged to do so. All entities that have access to your data are those for whom such access is necessary to carry out specific tasks.
      1. Third-party service providers – we use the services of third parties who help us maintain and deliver certain solutions related to our services. These include, for example, providers responsible for IT systems, entities providing accounting services, entities providing financial services such as banks, entities providing legal services, marketing agencies, and entities providing recruitment or verification services to us. These entities process data in accordance with our instructions and only to the extent we specify.
      2. Marketing and analytics service providers – to improve our services, we sometimes share information about you with providers such as Google and Meta. They help us analyse how users interact with the Portal and support our online marketing.
2. Your rights
   1. You have the following rights: to access your data and receive a copy of it, to rectify your data, to request erasure of your data, to request restriction of processing, and the right to data portability.
   2. You also have the right to object to the processing of your data for marketing purposes where processing is based on our legitimate interest, as well as – on grounds relating to your particular situation – in other cases where the legal basis for processing is our legitimate interest (for example, in connection with analytical and statistical purposes).
   3. If we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.
   4. To exercise the above rights, please contact us by email at [email protected] or using the contact details set out in section 1.4 above.
   5. If you have concerns about the lawfulness of our processing of your personal data, you have the right to lodge a complaint with a supervisory authority. In Poland, the relevant supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
3. Transfer of data outside the EEA
   1. We transfer personal data outside the EEA only where necessary and ensure a level of protection required by the GDPR. To this end:
      1. we work with data processors in countries for which the European Commission has issued an adequacy decision;
      2. we use standard contractual clauses issued by the European Commission;
      3. we apply binding corporate rules approved by the competent supervisory authority.
   2. You may request further information about data transfers outside the EEA and obtain a copy of the safeguards in place by writing to us at [email protected] or by post to our correspondence address.
4. Personal data security
   1. We carry out ongoing risk assessments to ensure that personal data is processed by us in a secure manner – in particular by ensuring that access to data is granted only to authorised individuals and only to the extent necessary for the tasks they perform. We ensure that all operations on personal data are logged and carried out solely by authorised employees and collaborators.
   2. We take all necessary steps to ensure that our subcontractors and other cooperating entities also provide guarantees of applying appropriate security measures whenever they process personal data on our behalf.
5. Changes to the privacy policy
   1. This Policy is reviewed on an ongoing basis and updated as necessary. The current version of this Policy was adopted and has been in force since 30 September 2025.
   2. If you do not agree to the changes to the privacy policy, you may close your account in accordance with the provisions of the Terms of Service and this Privacy Policy.