Termini e Condizioni

InPost Privacy Policy – postal and transport services

effective as of 27/04/2026

1. Who are we and how can you contact us?

The Controller of your personal data is InPost sp. z o.o., with its registered office in Kraków (“InPost” or the “Controller”). Below you will find the contact details that allow you to reach us on matters related to the processing of your personal data, including the exercise of your rights.

InPost sp. z o.o. ul. Pana Tadeusza 4, 30‑727 Kraków, Poland

Contact channels:

• phone: +48 722 444 000 or +48 746 600 000
• postal address: ul. Pana Tadeusza 4, 30‑727 Kraków
• contact form: https://inpost.pl/formularz-kontaktowy
• live chat: https://inpost.pl/kontakt

We have appointed a Data Protection Officer (“DPO”), who is responsible for overseeing the proper processing of personal data within our organisation. You may contact the DPO through the channels listed above. You may contact the Controller or the DPO, in particular, to:

• obtain information about the processing of your personal data;
• exercise your rights as set out in section 8 of this Privacy Policy.

2. What does this Privacy Policy cover?

This Privacy Policy (“Policy”) describes how personal data is processed in connection with:

1. the use of postal and transport services, including courier services, and services provided through the Paczkomat® device;
2. the operation of CCTV surveillance at Paczkomat® devices;
3. the provision of services through Paczkomat® Plus (formerly: Lodówkomat);
4. the use of the Controller’s websites other than inpost.pl and other than those related to the InPost Account.

This Privacy Policy is a separate and independent document from the InPost Account Privacy Policy. It applies exclusively to the processing of personal data on the Polish market and does not cover services related to the InPost Account or any other digital services provided by InPost.

In our operations we comply with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).

3. What personal data do we process and for what purposes?

Depending on your relationship with InPost, including the service you use, we will process your personal data for the following purposes:

3.1. PROVISION OF POSTAL AND TRANSPORT SERVICES, INCLUDING COURIER SERVICES AND SERVICES PROVIDED THROUGH THE PACZKOMAT® DEVICE

Purposes and legal bases for processing:

1. Provision of postal and transport services, including courier services and services provided through the Paczkomat® device.

Legal basis for processing: contract – Art. 6(1)(b) GDPR.

1. Handling complaints.

Legal basis for processing: a legal obligation – Art. 6(1)(c) GDPR; consent to the processing of special category personal data – Art. 9(2)(a) GDPR.

What personal data do we process?

• first name and last name of the sender (including the payer) and the recipient (addressee) of the parcel;
• the sender’s address (street, building number, flat number, postcode, city);
• the recipient’s address (street, building number, flat number, postcode, city);
• a new delivery address for the parcel, if after dispatch the sender instructs InPost to deliver it to a new address or InPost agrees with the recipient on a different delivery address prior to delivery;
• the e-mail address of the sender and the recipient, processed for the purpose of sending messages related to the performance of the service, in particular information about the current delivery status of the parcel or information enabling collection of the parcel from a Paczkomat® device;
• the phone number of the sender and the recipient for direct contact or for sending messages related to the performance of the service, in particular for the purpose of agreeing on an alternative delivery location or providing information enabling collection of the parcel from a Paczkomat® device;
• depending on the service selected, we may also process a bank account number necessary to transfer collected cash (in the case of a cash-on-delivery service) to the person designated by the sender, as well as information enabling identification of the circumstances of payment for cash-on-delivery amounts or account top-ups when paying for our services on a pre-paid basis;
• in the case of services provided to business customers (B2B contract): data relating to the business activity conducted (including VAT number (NIP), statistical number (REGON), company name, business address, contact details), including details of contact persons or persons authorised to represent the business and data relating to the cooperation with InPost;
• IP addresses of persons who use our systems;
• information obtained from you in the course of the complaints procedure or claims handling (loss adjustment), including health information, if you choose to provide it.

Further information:

In connection with the payment processing, your data will be processed in the Przelewy24 service by PayPro S.A., based in Poznań, which acts as an independent controller.

If your parcel is an international shipment, your data will be processed by our partner – a courier company – in the destination country, which acts as an independent controller of personal data.

If you have submitted a complaint, your personal data may be disclosed to our insurer (an insurance company with which we have concluded a contract, e.g. Generali Towarzystwo Ubezpieczeń Spółka Akcyjna, based in Warsaw), which acts as an independent controller of personal data.

Controller: InPost sp. z o.o.

Data retention period: The time necessary for the proper provision of the services, and thereafter – no longer than until the expiry of the limitation period for claims, which is generally up to 6 years. In exceptional circumstances, this period may be extended if statutory provisions – including the Civil Code – provide for the suspension or interruption of the limitation period.

3.2. CCTV SURVEILLANCE OF PACZKOMAT® DEVICES

Purposes and legal bases for processing:

1. Ensuring the security of the Paczkomat® device through CCTV surveillance.

Legal basis for processing: the Controller’s legitimate interest in ensuring the security of the device and its users and in handling complaints relating to services provided by InPost – Art. 6(1)(f) GDPR.

What personal data do we process?

• image (likeness).

Further information:

We process your image when you are within the field of view of the camera installed on the Paczkomat® device. CCTV recordings are stored in a manner ensuring security and protection against access by unauthorised persons.

Controller: InPost Paczkomaty sp. z o.o.

Data retention period: The time necessary for the proper fulfilment of the purpose, and thereafter – no longer than until the expiry of the limitation period for claims.

3.3. PACZKOMAT® PLUS (FORMERLY: LODÓWKOMAT)

Purposes and legal bases for processing:

1. Provision of services through the Paczkomat® Plus device (formerly: Lodówkomat).

Legal basis for processing: contract – Art. 6(1)(b) GDPR.

1. Handling complaints.

Legal basis for processing: a legal obligation – Art. 6(1)(c) GDPR.

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address;
• in the case of services provided to business customers (B2B contract): data relating to the business activity conducted (including VAT number (NIP), statistical number (REGON), company name, business address, contact details), including details of contact persons or persons authorised to represent the business and data relating to the cooperation with our company;
• information obtained from you in the course of the complaints procedure or claims handling (loss adjustment), including health information, if you choose to provide it.

Further information:

In connection with the handling of the complaints process, your personal data may be disclosed to our insurer (an insurance company with which we have concluded a contract, e.g. Generali Towarzystwo Ubezpieczeń Spółka Akcyjna, based in Warsaw), which acts as an independent controller of personal data.

Controller: Integer S.A.

Data retention period: The time necessary for the proper fulfilment of the purpose, and thereafter – no longer than until the expiry of the limitation period for claims.

3.4. USE OF WEBSITES

This section applies to websites operated at the following addresses: greencity.pl, szybkiezwroty.pl, urzad24.inpost.pl, bliskociebie.inpost.pl, inpostpay.pl, inpostfresh.pl, outofthebox.pl, integer.pl, manager.paczkomaty.pl, inpost.eu (hereinafter referred to as the “Websites”).

Purposes and legal bases for processing:

1. Provision of electronic services (in the scope of making content collected on the Websites available to users) and, where applicable, the placing and fulfilment of orders.

Legal basis for processing: contract – Art. 6(1)(b) GDPR.

1. Own and partner marketing

Legal basis for processing: the Controller’s legitimate interest in marketing its own products or services – Art. 6(1)(f) GDPR; consent to the use of cookies and other technologies – Art. 6(1)(a) GDPR.

1. Analysis of user activity on the Websites for non-advertising purposes, including for analytical and statistical purposes.

Legal basis for processing: the Controller’s legitimate interest in analysing user activity on the Websites – Art. 6(1)(f) GDPR.

1. Handling and processing complaints.

Legal basis for processing: a legal obligation or the Controller’s legitimate interest in handling complaints relating to services provided by InPost – Art. 6(1)(c) or (f) GDPR.

1. Pursuing claims and defending against claims.

Legal basis for processing: the Controller’s legitimate interest in establishing, pursuing or defending against claims – Art. 6(1)(f) GDPR.

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address;
• information relating to purchases on the Website, including account information, basket information, delivery method and payment details;
• data on activity on the Website;
• marketing data, including data on how a user’s mobile application device or web browser is used, in particular: clicks and traffic on the website, opening of push notifications (where the user has consented to receive them);
• device identifiers and other online identifiers;
• location data – we use various technologies to determine your location, including IP address, GPS, Wi-Fi access points and mobile base stations; your location data allows us to locate and display InPost points and Paczkomat® devices in your vicinity;
• information obtained from you in the course of the complaints procedure or claims handling (loss adjustment).

Further information:

In connection with the handling of the complaints process, your personal data may be disclosed to our insurer (an insurance company with which we have concluded a contract, e.g. Generali Towarzystwo Ubezpieczeń Spółka Akcyjna, based in Warsaw), which acts as an independent controller of personal data.

Controller: InPost sp. z o.o.

Data retention period: The time necessary for the proper fulfilment of the purpose, and thereafter – no longer than until the expiry of the limitation period for claims. Data collected using cookies is retained until the expiry of the lifetime of the individual cookies, or until you withdraw your consent or delete the cookie from your device – whichever occurs first.

4. Security of personal data

The security of your personal data is our priority. We take a range of measures to ensure the security of the information we process.

Purposes and legal bases for processing:

Preventing, detecting and handling personal data breaches, information security incidents and other security threats – necessary to ensure the secure operation of the services.

Your personal data may be processed by us when analysing incidents or (suspected) breaches:

1. for the purpose of analysing, investigating, documenting and reporting individual incidents;
2. for the purpose of preparing analyses and reports on the state of security;
3. for the purpose of establishing, pursuing and/or defending against legal claims.

Legal basis for processing:

The Controller’s legitimate interest in ensuring security and investigating incidents or breaches – Art. 6(1)(f) GDPR, or a legal obligation – Art. 6(1)(c) GDPR (where no specific legal obligation exists, the processing of your personal data for security and protection purposes is based on our legitimate interest).

What personal data do we process?

• user contact data;
• transaction and order history;
• payment data;
• incident logs, event logs.

Individual logs may contain data such as: information on abuse, including (suspected) criminal activity.

Further information:

We take a range of measures to ensure the security of:

• users,
• property,
• InPost’s IT infrastructure.

We endeavour to protect our assets against cyber-attacks, fraud, abuse and other harmful activities.

We ensure the security of your personal data by applying effective technical and organisational safeguards. All information we receive from you is stored on appropriately secured servers. All payment data is encrypted using SSL technology.

Controller: InPost sp. z o.o.

Data retention period: The time necessary for the proper achievement of the purpose, and thereafter – no longer than for the limitation period for claims, which is generally up to 6 years. In exceptional circumstances, this period may be extended if statutory provisions – including the Civil Code – provide for the suspension or interruption of the limitation period.

5. Analytical purposes and service quality improvement

Purposes and legal bases for processing:

We process your data for the following purposes:

1. analytical purposes: developing and improving our services and enhancing customer experience;
2. creating new features;
3. analysing user activity for non-advertising purposes, including for analytical and statistical purposes and for the purpose of detecting and resolving cases of non-compliance with the terms of service.

Legal basis for processing: the Controller’s legitimate interest in conducting analytical, optimisation and service-supporting activities – Art. 6(1)(f) GDPR, or consent – Art. 6(1)(a) GDPR (if the data is to be used for marketing purposes).

What personal data do we process?

• e-mail address or phone number;
• user identifier;
• number and history of orders or complaints;
• behavioural and contextual data;
• other system-generated data originating from your activities and interactions with us.

The data used for development and improvement purposes was collected for various purposes. All analyses are carried out at the level of aggregated data. Where sufficient and possible, we use anonymised data.

Further information:

Our aim is to create easily accessible and personalised services, which requires analysis of the needs and expectations of our users. This includes analysis aimed at making our services more user-friendly, e.g. modifying interfaces to simplify information flow or identifying and developing services and their features.

We occasionally use customer satisfaction surveys and feedback forms. In such cases, all your personal data will be processed solely for the specific purpose described in the relevant survey or form.

In the interests of transparency, we explain the differences between service personalisation, profiling and automated decision-making:

• Personalisation consists in adapting the manner of presentation or operation of our services so that they better correspond to your preferences and your typical way of using them. This may include, for example, adjusting the user interface or suggesting specific features. Personalisation is based on general usage patterns or your previous interactions, but is not intended to evaluate you as a person or to predict your behaviour in a way that produces legal effects or analogously significant effects.
• Profiling means any form of automated processing of personal data consisting in the use of your data to evaluate certain personal aspects, in particular to analyse or predict your preferences, interests, behaviour or usage patterns. Where we apply profiling, it is carried out primarily for analytical and statistical purposes, service improvement and user segmentation. Profiling does not result in decisions producing legal effects or analogously significant effects for you.
• Automated decision-making means decisions made solely by automated means, without human involvement, which produce legal effects concerning you or analogously significantly affect you. As a general rule, we do not apply such decision-making in respect of users of the services described in this Privacy Policy.

Controller: InPost sp. z o.o.

Data retention period: The time necessary for the proper achievement of the purpose, and thereafter – no longer than for the limitation period for claims, which is generally up to 6 years. In exceptional circumstances, this period may be extended if statutory provisions – including the Civil Code – provide for the suspension or interruption of the limitation period.

6. Marketing and marketing communications

The principles for the processing of personal data for marketing purposes, as set out in section II “Marketing and marketing communications” of Part II Annex A1 of the InPost Account Privacy Policy for services provided in Poland, apply accordingly to the processing of personal data on the basis of this Privacy Policy.

7. To whom do we transfer your personal data?

7.1. In connection with the provision of services, personal data is disclosed to:

7.1.1. The Integer.pl Capital Group – we may transfer your data to other companies within the Integer.pl Capital Group, a list of which is available here. These companies help us improve services, support customers, conduct business analyses, ensure security and detect abuse. The transfer of data may be necessary for you to be able to use our services.

7.1.2. Third-party service providers – we use the services of third parties who help us maintain and deliver certain solutions related to our services or provide us with specific services. These include, among others: providers responsible for the operation of IT systems, data hosting and communication channels, accounting service providers, legal service providers, insurance companies, marketing agencies, service providers responsible for dispatching, delivering or returning parcels, and customer service providers.

7.1.3. Some of these entities act as independent controllers, and some – depending on the service provided to us – process personal data as processors, i.e. in accordance with our instructions and solely to the extent indicated by us.

7.1.4. Payment service providers – in order to provide payment services, we transfer to the payment operator the data necessary to process the payment and to verify and identify the customer. The payment operator becomes an independent controller of your data.

7.1.5. Courier partners – in the case of international shipments, your data is transferred to our courier partner – a courier company – in the destination country, which acts as an independent controller of personal data.

7.1.6. Law enforcement authorities, supervisory authorities and others – we may disclose selected information about you to the relevant authorities or third parties that submit an appropriate request. We will do so in accordance with the applicable law.

We do not sell your personal data to third parties and do not share it for marketing purposes with third parties without your consent.

7.2. Transfers of data outside the European Economic Area

7.2.1. As a general rule, we do not use service providers based outside the European Economic Area (EEA). However, it may happen that some entities whose services we use directly or indirectly (e.g. hosting providers) are based outside the EEA or use subcontractors located outside the EEA.

7.2.2. Where the situation described above arises, we transfer your personal data outside the EEA only when necessary and with an appropriate level of protection as required by GDPR. To this end:

• a) we transfer your personal data to countries that the European Commission has recognised as ensuring an adequate level of protection of personal data, or
• b) we engage specific service providers and apply Standard Contractual Clauses approved by the European Commission, which, together with any additionally required security measures, ensure a level of protection of personal data equivalent to that applicable in the European Union.

If your parcel is an international shipment, the transfer of data outside the EEA may be necessary for the performance of the service – in such cases the transfer is based on Art. 49(1)(b) GDPR (necessity for the performance of a contract).

8. What rights do you have?

Under GDPR, you have the following rights in connection with the processing of your personal data:

1. Right of access – you may request information about what data we process and obtain a copy thereof.
2. Right to rectification – you may request the correction of inaccurate or the completion of incomplete data.
3. Right to erasure – you may request the deletion of your data in cases provided for by GDPR, subject to the exceptions set out in Art. 17(3) GDPR, relating to, among other things, compliance with legal obligations and the establishment, exercise or defence of legal claims.
4. Right to restriction of processing – you may request the restriction of the processing of your data in certain circumstances.
5. Right to data portability – to the extent that processing is carried out on the basis of consent or a contract and by automated means, you may request the transfer of your data to yourself or to a controller designated by you in a structured format.
6. Right to object – you may object to the processing of your data on grounds relating to your particular situation, where processing is based on the legitimate interest of the Controller, as well as to processing for direct marketing purposes.
7. Right to withdraw consent – where processing is based on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before its withdrawal.

How to exercise your rights

You may exercise your rights by contacting the Controller. Contact details and available contact methods are set out above (section 1).

The right to object may be exercised in different ways, depending on what it relates to:

• in the case of marketing e-mails – click the unsubscribe link in the message;
• in the case of marketing SMS messages, push notifications or phone calls – change the notification settings on your account to opt out of receiving them;
• in the case of cookies – click the opt-out/decline option in the cookies banner (“Manage cookies” bar at the bottom of the page);
• in other cases – contact us via the contact form or at: [email protected];
• via live chat.

Every person has the right to the protection of their personal data and, in accordance with GDPR, may exercise their rights free of charge (in most cases). We may charge a reasonable fee if your request is manifestly unfounded or excessive, in particular due to its repetitive nature. In such cases we may also refuse to act on your request.

We aim to respond to your requests within one month. If your request is particularly complex or we have received several requests from you, handling may take longer. In such a case we will inform you that it will take more time and will keep you updated on the status of your request.

If you believe that the processing of your personal data is in breach of the law, you have the right to lodge a complaint with the supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, e-mail: [email protected].

The provision of personal data is generally voluntary but necessary for the performance of the services described in this Privacy Policy. Refusal to provide data necessary for the provision of a service may prevent its performance.

9. Processing of children’s personal data

Our services are intended for adults. To the extent that applicable law requires the processing of data of minors in connection with the performance of specific services, we process only the data necessary for the provision of that service or the fulfilment of a legal obligation.

We take every reasonable step to collect only the data necessary for the provision of services. We do not knowingly collect additional information from or about minors. If we become aware that we have unintentionally collected such personal data, we will take steps to delete it without undue delay.

10. How do we update this Privacy Policy?

We may change or update this Privacy Policy. Any changes will be published on our website and via our other services. If you have provided us with your e-mail address, we may additionally notify you of any changes electronically.