Termini e Condizioni

InPost Privacy Policy – other areas of activity

effective as of 27/04/2026

1. Who are we and how can you contact us?

The Controller of your personal data is InPost sp. z o.o., with its registered office in Kraków ("InPost" or the "Controller"). Below you will find the contact details that allow you to reach us on matters related to the processing of your personal data, including the exercise of your rights.

InPost sp. z o.o. ul. Pana Tadeusza 4, 30‑727 Kraków, Poland

Contact channels:

• phone: +48 722 444 000 or +48 746 600 000
• postal address: ul. Pana Tadeusza 4, 30‑727 Kraków
• contact form: https://inpost.pl/formularz-kontaktowy
• live chat: https://inpost.pl/kontakt

We have appointed a Data Protection Officer ("DPO"), who is responsible for overseeing the proper processing of personal data within our organisation. You may contact the DPO through the channels listed above. You may contact the Controller or the DPO, in particular, to:

• obtain information about the processing of your personal data;
• exercise your rights as set out in section 9 of this Privacy Policy.

2. What does this Privacy Policy cover?

This Privacy Policy ("Policy") describes how personal data is processed in connection with:

1. Use of the InPost Fresh Platform (website and mobile application);
2. Recruitment of employees, associates, interns and trainees;
3. Conducting internal investigations (harassment/mobbing and whistleblowing);
4. Competitions and events;
5. Use of InPost Chat AI (AI Assistant – Bielik);
6. Provision of courier services – couriers.

This Policy is a separate and independent document from the InPost Account Privacy Policy. It does not apply to services related to the InPost Account.

In our operations we comply with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR").

3. What personal data do we process and for what purposes?

Depending on the area of InPost's activity with which you are associated, we process your personal data for the purposes described below.

3.1. INPOST FRESH PLATFORM

Purposes and legal bases for processing:

1. provision of services within the InPost Fresh Platform

Legal basis for processing: contract – Art. 6(1)(b) GDPR;

1. analytical and statistical purposes

Legal basis for processing: the Controller's legitimate interest in analysing user activity and preferences in order to improve features, services and to produce analyses and statistics – Art. 6(1)(f) GDPR;

1. handling and processing complaints in connection with services provided via the InPost Fresh Platform

Legal basis for processing: the Controller's legitimate interest in handling complaints relating to services provided by InPost – Art. 6(1)(f) GDPR, or a legal obligation – Art. 6(1)(c) GDPR;

1. pursuing claims and defending against claims

Legal basis for processing: the Controller's legitimate interest in establishing, pursuing or defending against claims – Art. 6(1)(f) GDPR;

1. own and partner marketing (see section 6 for details)

Legal basis for processing: the Controller's legitimate interest in marketing its own products or services – Art. 6(1)(f) GDPR; consent – Art. 6(1)(a) GDPR (in relation to cookies and other tracking technologies).

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address, home address, delivery address, VAT number (NIP);
• account data, including in particular: account creation date, activity data, location data;
• activity history within the user account together with transaction details, including: basket value, payment method and payment/transaction details, transaction history, payment history, address history, information on complaints lodged, correspondence history, purchasing habits;
• marketing data, including data on how a user's mobile application device or web browser is used, such as: clicks and traffic on the website/mobile application, device information, IP address, opening of push notifications (where the user has consented to receive them).

Further information:

The controller of personal data of buyers processed in connection with the conclusion of a sales contract via the Platform is the seller with whom you conclude the sales contract. Detailed information on the processing of buyers' personal data by individual sellers is available in the seller's profile on the Platform.

In connection with the provision of electronic services, your personal data is entrusted to VTEX Ecommerce Platform Limited, based in London, and stored on servers located in the United States. This transfer is carried out on the basis of the Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR) and VTEX’s certification under the EU-U.S. Data Privacy Framework. More information about the transfer safeguards, as well as a copy of the clauses used, can be obtained by contacting our DPO.

If you would like to share your opinion about a purchase and give your consent to do so, you will receive a customer satisfaction survey conducted by ceneo.pl sp. z o.o., based in Wrocław, which will process your e-mail address and information about your InPost Fresh purchase as an independent controller.

In connection with the handling of the complaints process, your personal data may be disclosed to our insurer, who acts as an independent controller of personal data.

Controller: InPost sp. z o.o.

Data retention period: The time necessary for the proper fulfilment of the purpose, and thereafter – no longer than until the expiry of the limitation period for claims.

3.2. RECRUITMENT OF EMPLOYEES, ASSOCIATES, INTERNS AND TRAINEES

Purposes and legal bases for processing:

1. conducting the recruitment process Legal basis for processing: in respect of candidates: a legal obligation – Art. 6(1)(c) GDPR, or consent – in relation to additional data voluntarily provided by the candidate – Art. 6(1)(a) GDPR; in respect of referrers and persons participating in the recruitment process on behalf of external companies: necessity of processing for the performance of a contract – Art. 6(1)(b) GDPR;
2. building the CV database (only where the candidate has consented to being contacted for future recruitments) Legal basis for processing: in respect of candidates: consent – Art. 6(1)(a) GDPR;
3. verifying qualifications and skills and establishing the terms of cooperation Legal basis for processing: in respect of candidates: the Controller's legitimate interest in verifying job candidates and determining the terms of potential cooperation – Art. 6(1)(f) GDPR;
4. assessing candidates' skills by means of tests Legal basis for processing: in respect of candidates: consent – Art. 6(1)(a) GDPR.

What personal data do we process?

• identification and contact data, including in particular: first name, last name, education, professional qualifications, employment history, phone number, e-mail address;
• information contained in the CV and data included in recruitment documents.

In the course of this process we may process personal data relating to:

• candidates;
• employees;
• associates;
• referrers;
• persons participating in the recruitment process on behalf of external companies.

Further information:

This section covers job vacancies and internship/traineeship offers. It encompasses the recruitment of employees, associates, employee referral candidates and internal recruitment, as well as recruitment conducted by external agencies.

In some cases, your data may also be processed by external entities, such as recruitment agencies, which either act on our behalf and for our account or act as independent controllers.

Controller: InPost sp. z o.o., Integer Group Services sp. z o.o., Integer.pl S.A., IT Technology Luxembourg s.a.r.l.

Data retention period: Data will be retained for as long as necessary to fulfil the purposes listed above and to comply with any related legal obligations. After 2 years from the end of the recruitment process, data is automatically deleted from the system.

3.3. CONDUCTING INTERNAL INVESTIGATIONS (HARASSMENT/MOBBING AND WHISTLEBLOWING)

Purposes and legal bases for processing:

1. prevention of harassment/mobbing and discrimination Legal basis for processing: a legal obligation – Art. 6(1)(c) GDPR;
2. handling reports of irregularities (whistleblowing): Legal basis for processing: acknowledging receipt of a report and providing feedback: a legal obligation – Art. 6(1)(c) GDPR; verifying the report and taking follow-up action: in respect of the person to whom the report relates – a legal obligation or, in special cases, consent to the processing of special category personal data; in respect of the person participating in the investigation – the Controller's legitimate interest – Art. 6(1)(f) GDPR.

What personal data do we process?

• identification and contact data, including in particular: first name, last name, contact details such as phone number, e-mail address;
• information contained in the report or obtained in the course of the investigation, including health information – if you choose to provide it.

In the course of an ongoing investigation we may process personal data relating to:

• the whistleblower;
• the person to whom the report relates;
• the person participating in the investigation.

Controller: Integer Group Services sp. z o.o.

Data retention period: The time necessary for the proper fulfilment of the purpose, and thereafter – no longer than until the expiry of the limitation period for claims.

3.4. COMPETITIONS AND EVENTS

Purposes and legal bases for processing:

1. administering competitions and events and carrying out follow-up activities, such as confirming participation, contacting winners, awarding prizes and granting access to the event venue Legal basis for processing: the Controller's legitimate interest in organising and concluding a competition (where promotional activities take the form of a public promise) – Art. 6(1)(f) GDPR, or a contract (where promotional activities arise from a concluded contract) – Art. 6(1)(b) GDPR;
2. carrying out promotional, marketing and customer relationship activities Legal basis for processing: the Controller's legitimate interest in conducting promotional and marketing activities in relation to competitions and events – Art. 6(1)(f) GDPR.

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address;
• information provided in the course of a competition or during participation in an event.

Further information:

Our events are sometimes photographed and filmed. The resulting content may be used to market our services and promote future events on our website, social media channels and in marketing materials. Where required, we will ask for your consent.

The terms and conditions of individual promotional activities may specify different purposes or retention periods.

Controller: InPost sp. z o.o.

Data retention period: The time necessary for the proper fulfilment of the purpose, and thereafter – no longer than until the expiry of the limitation period for claims.

3.5. INPOST CHAT AI (AI ASSISTANT – BIELIK)

Purposes and legal bases for processing:

1. provision of electronic services by providing access to a virtual chat enabling conversations

Legal basis for processing: contract – Art. 6(1)(b) GDPR – processing is necessary for the performance of a contract to which the data subject is party (provision of a real-time chat service).

1. using historical data and preferences to customise responses and recommendations

Legal basis for processing: the Controller's legitimate interests – Art. 6(1)(f) GDPR – consisting in improving the quality and relevance of the service provided and personalising it for the user, whilst guaranteeing the user the right to object to such processing.

You have the right to object to this processing. Should you exercise the opt-out option, the AI assistant will not draw upon the history of your previous conversations when formulating responses.

1. training and improving the artificial intelligence model – data transmitted during interactions with the AI assistant, including the content of conversations, typed questions and responses provided, may be used for this purpose.

Legal basis for processing: the Controller's legitimate interests – Art. 6(1)(f) GDPR – consisting in developing AI models, enhancing system security and improving the quality of services provided to users.

As part of the "Feed Bielik" campaign, we process in particular: the content of typed messages (questions, instructions, comments and added attachments), the content of responses generated by the assistant, information contained in messages that may constitute personal data where the user chooses to disclose it (e.g. first name, e-mail address or other identifying data), as well as the manner of formulating statements, linguistic style and language constructions used.

This data is used exclusively in aggregated or anonymised form to the extent possible. The Controller does not use conversations to identify specific users and does not build individual user profiles for the purpose of model training. The language model does not "remember" users as individuals; however, individual fragments of conversations may be used as part of training datasets following prior processing (e.g. removal or restriction of identifying data).

1. improving service quality and detecting abuse within existing system functions

Legal basis for processing: the Controller's legitimate interest – Art. 6(1)(f) GDPR, consisting in ensuring the integrity, security and proper functioning of IT systems and protection against unauthorised access or abuse;

1. pursuing and defending against claims

Legal basis for processing: the Controller's legitimate interest – Art. 6(1)(f) GDPR, consisting in the ability to pursue and defend against legal claims.

What personal data do we process?

Data provided directly by the user:

• information from queries and chat history, including attachments (e.g. questions, responses, message content, uploaded files and documents);
• identification data necessary to use the service.

Technical and operational data:

• technical data related to use of the service (e.g. IP address, timestamp);
• session identifier, device type, operating system, application version;
• activity logs and system error logs.

Data generated in the course of service provision:

• history and patterns of conversations conducted (for personalisation and model training purposes);
• thematic categories of queries (for analysis and service improvement purposes);
• user communication preferences and style identified by AI algorithms.

Important: Please do not provide information containing special category personal data (e.g. data concerning racial or ethnic origin, health, political opinions, religious or philosophical beliefs, sexuality and sexual orientation).

Further information:

• You may use our AI assistant – an artificial intelligence tool available in the mobile application that supports user service via online chat and enables conversations. In connection with the above, it may process personal data.
• We encourage you to use the AI assistant responsibly, as it may occasionally generate inaccurate or inadvertently personalised information.
• The AI assistant may use your historical data and preferences to customise responses and recommendations.
• No decisions producing legal effects or otherwise significantly affecting you are taken solely by automated means (Art. 22 GDPR). The results of conversation analysis serve solely to improve the quality of the assistant's responses – they are not used to assess your creditworthiness, financial situation, health, preferences or any other personal characteristics that could form the basis of such decisions. Chat history data may subsequently be used to improve the model, but not in real time. This data is used to deliver the current user service and to improve service quality and detect misuse within existing system functions. Data transmitted during interactions with the AI assistant – namely information from conversation content, typed questions and responses – may be used to train the artificial intelligence.
• We take every reasonable step to ensure the secure processing of data and apply world-class technical solutions alongside regular AI system audits.
• As a general rule, we do not engage service providers based in countries outside the European Economic Area ("EEA"). It may, however, occur that certain entities whose services we use directly or indirectly (e.g. hosting providers) are based outside the EEA or engage subcontractors located outside the EEA.
• Where the situation described above arises, we transfer your personal data outside the EEA only where necessary and subject to an appropriate level of protection as required by the GDPR. To this end:
  • • we transfer personal data to countries for which the European Commission has determined an adequate level of data protection, or
      • we engage specific service providers under Standard Contractual Clauses approved by the European Commission, which, together with any additionally required security measures, ensure a level of personal data protection equivalent to that applicable within the European Union.

Controller: InPost sp. z o.o.

Data retention period: The time necessary for the proper provision of the service, and thereafter – no longer than until the expiry of the limitation period for claims. Retention period for information in the form of attachments: up to 2 years.

Data used for training the AI model (in anonymised or pseudonymised form): for the time necessary to achieve that purpose, but no longer than is justified by the technological lifecycle of the model.

3.6. PROVISION OF COURIER SERVICES – COURIERS

Purposes and legal bases for processing:

1. entering into and performing the courier services agreement and handling financial settlements, including issuing VAT invoices Legal basis for processing: in respect of the carrier: necessity of processing for the performance of a contract – Art. 6(1)(b) GDPR; in respect of couriers: the Controller's legitimate interest in the proper performance of the contract concluded with the carrier – Art. 6(1)(f) GDPR;
2. provision of postal and transport services (handling deliveries, Paczkomat devices, settlement of parcels and cash-on-delivery amounts) Legal basis for processing: in respect of the carrier: necessity of processing for the performance of a contract – Art. 6(1)(b) GDPR; in respect of couriers: the Controller's legitimate interest – Art. 6(1)(f) GDPR;
3. verifying authorisations necessary for the provision of services (in particular: driving licence, validity of medical examinations for professional drivers, vehicle technical inspections) Legal basis for processing: in respect of the carrier: necessity of processing for the performance of a contract – Art. 6(1)(b) GDPR; in respect of couriers: the Controller's legitimate interest – Art. 6(1)(f) GDPR;
4. managing access to InPost systems (assigning logins and PIN codes to Paczkomat devices) Legal basis for processing: in respect of the carrier: necessity of processing for the performance of a contract – Art. 6(1)(b) GDPR; in respect of couriers: the Controller's legitimate interest – Art. 6(1)(f) GDPR;
5. fulfilling obligations arising from anti-money laundering and counter-terrorist financing (AML) regulations in connection with the operation of the SmartCourier service Legal basis for processing: a legal obligation – Art. 6(1)(c) GDPR in conjunction with the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing;
6. pursuing claims and defending against claims Legal basis for processing: the Controller's legitimate interest – Art. 6(1)(f) GDPR;
7. transferring the carrier's contact details to InPost's commercial partners for marketing purposes (only where the carrier has given consent) Legal basis for processing: consent – Art. 6(1)(a) GDPR.

What personal data do we process?

In respect of the carrier (party to the B2B contract with InPost):

• identification data: first name, last name, PESEL (national identification number), document type and number, issuing authority, date of birth, citizenship;
• address and contact data: residential and registered address, phone number, e-mail address;
• business data: company name, VAT number (NIP), statistical number (REGON), registered office address (as per CEIDG printout);
• financial data: bank account number, VAT invoice details, remuneration settlement history;
• authorisation and qualification data: driving licence number and category, vehicle data (registration number, year of manufacture, validity of technical inspection), validity of medical examination for a professional driver, declaration of no criminal record;
• access data: login and PIN for Paczkomat devices.

In respect of couriers (subcontractors or employees of the carrier):

• identification data: first name, last name, document type and number;
• residential and registered address;
• authorisation data: driving licence number and category;
• access data: login and PIN for Paczkomat devices;
• operational data: history of deliveries performed, settlement of parcels and cash-on-delivery amounts;
• in the case of the SmartCourier service: date of birth, citizenship, PESEL, number of the card used at the cash deposit machine and the assigned PIN.

Further information:

InPost processes couriers' data as third parties providing services under a contract concluded with the carrier. The courier is not a party to any contract with InPost – their data is transmitted to InPost by the carrier or collected directly from the courier only to the extent necessary for the operation of InPost systems (access to Paczkomat devices) and to fulfil legal obligations (AML).

With regard to the SmartCourier service, it should be noted that Ria Payment Institution, E.P., S.A.U., based in Spain, processes couriers' data as an independent controller – solely for the purpose of complying with AML requirements, for a period of generally 5 years from the end of the business relationship.

Controller: InPost sp. z o.o.

Data retention period: The carrier's data is processed for the duration of the contract, and thereafter – no longer than for the limitation period for claims, which is generally up to 6 years. Couriers' data is processed for the time necessary to fulfil the purpose for which it was collected, and thereafter – no longer than for the limitation period for claims arising from the services provided. In exceptional circumstances, these periods may be extended if statutory provisions provide for the suspension or interruption of the limitation period.

4. Security of personal data

The security of your personal data is our priority. We take a range of measures to ensure the security of the information we process.

Purposes and legal bases for processing:

Preventing, detecting and handling personal data breaches, information security incidents and other security threats – necessary to ensure the secure operation of online services.

Your personal data may be processed by us when analysing incidents or (suspected) breaches:

1. for the purpose of analysing, investigating, documenting and reporting individual incidents;
2. for the purpose of preparing analyses and reports on the state of security;
3. for the purpose of establishing, pursuing and/or defending against legal claims.

Legal basis for processing:

The Controller's legitimate interest in ensuring security and investigating incidents or breaches – Art. 6(1)(f) GDPR, or a legal obligation – Art. 6(1)(c) GDPR (where no specific legal obligation exists, the processing of your personal data for security and protection purposes is based on our legitimate interest).

What personal data do we process?

• customer ID;
• user contact data;
• order history;
• payment data;
• purchasing behaviour;
• incident logs, event logs.

Individual logs may contain data such as: information on abuse, including (suspected) criminal activity.

Further information:

We take a range of measures to ensure the security of:

• users,
• property,
• InPost's IT infrastructure.

We endeavour to protect our assets against cyber-attacks, fraud, abuse and other harmful activities.

Controller: InPost sp. z o.o.

Data retention period: The time necessary for the proper achievement of the purpose, and thereafter – no longer than for the limitation period for claims, which is generally up to 6 years. In exceptional circumstances, this period may be extended if statutory provisions – including the Civil Code – provide for the suspension or interruption of the limitation period.

5. Analytical purposes and service quality improvement

Purposes and legal bases for processing:

We process your data for the following purposes:

1. analytical purposes: developing and improving our services and enhancing customer experience;
2. creating new features;
3. personalising InPost Account settings in the application and other services available via the InPost Account;
4. analysing user activity within the InPost Account for non-advertising purposes, including for analytical and statistical purposes and for the purpose of detecting and resolving cases of non-compliance with the terms of service.

Legal basis for processing: the Controller's legitimate interest in conducting analytical, optimisation and sales-supporting activities, providing services and carrying out advertising activities – Art. 6(1)(f) GDPR, or consent – Art. 6(1)(a) GDPR (if the data is to be used for marketing purposes).

What personal data do we process?

• e-mail address/phone number;
• user ID;
• number and history of parcels/complaints;
• behavioural and contextual data;
• other system-generated data originating from your activities and interactions with us.

The data used for development and improvement purposes was collected for various purposes. For example, we may use data relating to online transactions to develop our online ordering system – for this purpose we use anonymised data. All analyses are carried out at the level of aggregated data. Where sufficient and possible, we use anonymised data.

Further information:

Our aim is to create easily accessible and personalised services, which requires analysis of the needs and expectations of the user/customer. This includes analysis aimed at making our services more user-friendly (for you), e.g. modifying the interface to simplify information flow or identifying and developing services and their features.

We occasionally use customer satisfaction surveys and feedback forms. In such cases, all your personal data will be processed solely for the specific purpose described in the relevant survey or form.

We create and collect statistics, including via your smart devices, in order to optimise our product range and services, and we also analyse and plan the use of personnel, equipment and devices.

We aim to conduct analyses and segmentation in order to provide you with personalised services/shopping.

We may share your data with our advertising partners for purposes related to the optimisation and targeting of advertisements.

In the interests of transparency, we explain the differences between service personalisation, profiling and automated decision-making:

• Personalisation consists in adapting the manner of presentation or operation of our services so that they better correspond to your preferences and your typical way of using the InPost Account. This may include, for example, adjusting the user interface, suggesting specific features or remembering your settings. Personalisation is based on general usage patterns or your previous interactions, but is not intended to evaluate you as a person or to predict your behaviour in a way that produces legal effects or analogously significant effects.
• Profiling means any form of automated processing of personal data consisting in the use of your data to evaluate certain personal aspects, in particular to analyse or predict your preferences, interests, behaviour or usage patterns. Where we apply profiling, it is carried out primarily for analytical and statistical purposes, service improvement, user segmentation and – where applicable – marketing purposes (based on your consent, where required). Profiling does not result in decisions producing legal effects or analogously significant effects for you. Where profiling is carried out for marketing purposes, including advertising targeting, more detailed information can be found in the sections of this Privacy Policy devoted to marketing activities.
• Automated decision-making means decisions made solely by automated means, without human involvement, which produce legal effects concerning you or analogously significantly affect you. As a general rule, we do not apply such decision-making in respect of InPost Account users.

Controller: InPost sp. z o.o.

Data retention period: The time necessary for the proper achievement of the purpose, and thereafter – no longer than for the limitation period for claims, which is generally up to 6 years. In exceptional circumstances, this period may be extended if statutory provisions – including the Civil Code – provide for the suspension or interruption of the limitation period.

6. Marketing and marketing communications

The principles for the processing of personal data for marketing purposes, as set out in section II "Marketing and marketing communications" of Part II Annex A1 of the InPost Account Privacy Policy for services provided in Poland, apply accordingly to the processing of personal data on the basis of this Privacy Policy.

7. To whom do we transfer your personal data?

7.1. In connection with the provision of electronic services, personal data is disclosed to:

7.1.1. The Integer.pl Capital Group – we may transfer your data to other companies within the Integer.pl Capital Group, a list of which is available here. These companies help us improve services, support customers, conduct business analyses, ensure security and detect abuse. The transfer of data may be necessary for you to be able to use our services.

7.1.2. Third-party service providers – we use the services of third parties who help us maintain and deliver certain solutions related to our services or provide us with specific services. These include, among others: providers responsible for the operation of IT systems, data hosting and communication channels, accounting service providers, legal service providers, insurance companies, marketing agencies, service providers responsible for dispatching, delivering or returning parcels, customer service providers, and chatbot and conversation analysis service providers.

7.1.3. Some of these entities act as independent controllers, and some – depending on the service provided to us – process personal data as processors, i.e. in accordance with our instructions and solely to the extent indicated by us.

7.1.4. Marketing and analytics service providers – in order to improve our services, we sometimes share information about you with providers such as Google or Meta. They help us analyse how users use mobile applications and support our online marketing activities. More information can be found in our Cookies Policy.

Payment service providers available in our mobile application and other services – in order to provide the payment services available in the mobile application, we transfer to the payment operator the data necessary to process the payment and to verify and identify the customer. The payment operator becomes an independent controller of your data.

7.1.5. Law enforcement authorities, supervisory authorities and others – we may disclose selected information about you to the relevant authorities or third parties that submit an appropriate request. We will do so in accordance with the applicable law.

7.2. Transfers of data outside the European Economic Area

7.2.1. As a general rule, we do not use service providers based outside the European Economic Area (EEA). However, it may happen that some entities whose services we use directly or indirectly (e.g. social media providers) are based in countries outside the EEA or may use subcontractors based outside the EEA.

7.2.2. Where the situation described above arises, we transfer your personal data outside the EEA only when necessary and with an appropriate level of protection as required by GDPR. To this end:

• a) we transfer your personal data to countries that the European Commission has recognised as ensuring an adequate level of protection of personal data, or
• b) we engage specific service providers and apply Standard Contractual Clauses approved by the European Commission. Together with any additionally required security measures, these ensure that personal data is protected to the same standard as in the European Union.

8. What rights do you have?

Under GDPR, you have the following rights in connection with the processing of your personal data:

1. Right of access – you may request information about what data we process and obtain a copy thereof.
2. Right to rectification – you may request the correction of inaccurate or the completion of incomplete data.
3. Right to erasure – you may request the deletion of your data in cases provided for by GDPR, subject to the exceptions set out in Art. 17(3) GDPR, relating to, among other things, compliance with legal obligations and the establishment, exercise or defence of legal claims.
4. Right to restriction of processing – you may request the restriction of the processing of your data in certain circumstances.
5. Right to data portability – to the extent that processing is carried out on the basis of consent or a contract and by automated means, you may request the transfer of your data to yourself or to a controller designated by you in a structured format.
6. Right to object – you may object to the processing of your data on grounds relating to your particular situation, where processing is based on the legitimate interest of the Controller, as well as to processing for direct marketing purposes.
7. Right to withdraw consent – where processing is based on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before its withdrawal.

How to exercise your rights

You may exercise your rights by contacting the Controller. Contact details and available contact methods are set out above (section 1).

The right to object may be exercised in different ways, depending on what it relates to:

• in the case of marketing e-mails – click the unsubscribe link in the message;
• in the case of marketing SMS messages, push notifications or phone calls – change the notification settings on your account to opt out of receiving them;
• in the case of cookies – click the opt-out/decline option in the cookies banner (the "Manage cookies" bar at the bottom of the page);
• in other cases relating to the InPost Account – contact us via the contact form or at: [email protected];
• via live chat.

Every person has the right to the protection of their personal data and, in accordance with GDPR, may exercise their rights free of charge (in most cases). We may charge a reasonable fee if your request is manifestly unfounded or excessive, in particular due to its repetitive nature. In such cases we may also refuse to act on your request.

We aim to respond to your requests within one month. If your request is particularly complex or we have received several requests from you, handling may take longer. In such a case we will inform you that it will take more time and will keep you updated on the status of your request.

You have the right to lodge a complaint with the competent supervisory authority at any time. In matters relating to the processing of data in connection with our services or the services of local entities, you may contact the supervisory authority competent for the relevant local company.

In Poland, the supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).

9. Processing of children's personal data

Our services are intended for persons over the age of 16. If you have not yet reached the age of 16, the use of certain InPost services requires the consent of a parent or legal guardian. If we do not receive such consent, we cannot process information about you and must delete your personal data.

We take every reasonable step to collect only the data necessary for the provision of services. We do not knowingly collect additional information from or about minors. If we become aware that we have unintentionally collected such personal data, we will take steps to delete it without undue delay.

10. How do we update this Policy?

We may change or update this Privacy Policy. Any changes will be published in the mobile application and via our other services. If you have provided us with your e-mail address, we may additionally notify you of any changes electronically.