privacy policy inpost account

Find out about the upcoming changes to the InPost Account Policy.

Effective from 18.05.2026

InPost Account Privacy Policy

Date of last update: 18.05.2026

We would like to explain the rules for processing your personal data in connection with your use of our mobile application. Using the application is possible by creating an InPost Account. Below you will find detailed information, including an indication of which of the companies within the Integer Capital Group is responsible for which processes.

How is this document structured and how can you navigate it?

Part I – InPost Account Privacy Policy

In Part I, we would like to present the basic principles of data processing.

1. We respect your privacy and care about the protection of your data

2. Who processes your data?

3. When may we process your personal data?

4. What personal data do we process and for what purpose?

4.1. InPost Account

4.2. Security

4.3. Analytics purposes and improving service quality

5. Additional information on processing

5.1. Processing of children’s data

5.2. Closing the InPost Account

5.3. Deletion of personal data

5.4. Security of personal data

6. To whom we disclose your data

7. Your rights

8. Changes to the privacy policy

Part II – Regional Appendices:

In this part you will find detailed information about the services and the related processing of personal data applicable to the selected country.

Appendix A1 – Services provided in Poland

Appendix A2 – Services provided in France

Appendix A3 – Services provided in Italy

Appendix A4 – Services provided in Spain

Appendix A5 – Services provided in Portugal

Appendix A6 – Services provided in United Kingdom

Appendix A7 – Services provided in Belgium

Appendix A8 – Services provided in Luxembourg

Appendix A9 – Services provided in the Netherlands.

PART I

1. WE RESPECT YOUR PRIVACY AND CARE ABOUT THE PROTECTION OF YOUR DATA

Introduction – what is this privacy policy about?

If you use an InPost Account, this privacy policy will explain how we process your personal data.

In Part I, we describe how we process your personal data to manage your InPost Account. Additional services available within the InPost Account may differ depending on the country. Information about them can be found in Part II – in the section dedicated to a given country.

We have prepared this privacy policy to show you how we process your personal data. You will find the following information here:

a. which company acts as the controller?

b. what data do we process?

c. how and for what purposes do we process this data?

d. to whom and where do we transfer the data?

e. your rights and how you can exercise them.

We recognise that reading terms and conditions or policies is not an enjoyable activity, but we recommend familiarizing yourself with our policy to learn what your rights are and how to exercise them, as well as how and why we process your personal data.
A few basic terms:

Application - This is our application available as a mobile and/or web application, which you can use after creating a User Account.

Personal data – Under GDPR, personal data means all information about you that allows for your direct identification (e.g., your email address) and indirect identification (e.g., your activity on a given website). We may obtain your personal data, such as your name, surname, phone number, email address, and delivery address, from you when you register an InPost Account or use InPost digital services.

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The GDPR imposes specific obligations on entities that use personal data (both on their own behalf and on behalf of another entity). The GDPR guarantees the exercise of your rights related to data protection – you can read more about this in Chapter 6;

User Account or InPost Account – a profile created by you, by means of which we identify you in our digital services and enable you to use our mobile applications and other services without the need for separate registration.

Assigned region - Means the country allocated to your User Account during registration, which determines the applicable services, legal framework and relevant regional appendix (Part II – Regional Appendices).

User – Refers to you and other individuals who use our services. In this Policy, we address you directly, and other individuals using our services are referred to as “users”.

Parcel Locker - A self-service automated device belonging to our network, equipped with lockers that allow customers to collect or send parcels. Depending on the market, this device may operate under a local commercial name e.g. Paczkomat®, InPost Locker, Locker Mondial Relay, while providing the same core functionality.

Privacy Policy– A document in which we describe how we process your personal data within the scope of specific services in the market(s) chosen by you.

UK GDPR - means the United Kingdom General Data Protection Regulation, as incorporated into UK law by the European Union (Withdrawal) Act 2018 and supplemented by the Data Protection Act 2018. It sets out the rules for how organisations in the UK must collect, use, store and protect personal data.

Terms not defined above that are written with a capital letter have the meaning given to them in the relevant terms and conditions.
We use cookies and similar technologies to provide you with convenient and secure use of our services. We encourage you to read our Cookies Policy, where you will find details about how they work and the options for managing settings.

2. WHO PROCESSES YOUR DATA?

2.1. Depending on the type of service provided, the administrator of your data is the relevant company from our capital group (hereinafter referred to as the “Administrator”).

2.2. In connection with the User’s use of InPost Account, providing personal data is voluntary, but necessary to use the functionalities and services offered by InPost.

2.3. Depending on the type of service performed, the Controller of your personal data may be:

The following entities act as Data Controllers with respect to your personal data, together with their contact details, including those of their appointed Data Protection Officers (DPO).

Poland

InPost sp. z o.o. ("InPost") Registered office: ul. Pana Tadeusza 4, 30-727 Kraków, Poland

You may contact the Data Controller through the following channels:

by phone: +48 722 444 000 or +48 746 600 000,
by traditional post: ul. Pana Tadeusza 4, 30-727 Kraków, Poland,
via the Contact Form,
via chat, available at: inpost.pl/kontakt.

InPost has appointed a Data Protection Officer (DPO), who can be contacted using the forms of communication indicated above. You can contact us through these channels if you wish to exercise your rights – see section "7. Your rights".

France, Belgium, the Netherlands and Luxembourg

Mondial Relay SASU Registered office: 1, avenue de l'Horizon, 59650 Villeneuve d'Ascq, France

You may contact the Data Protection Officer (DPO) as follows:

by traditional post: DPO Mondial Relay, Direction juridique et conformité,

1, avenue de l'Horizon, 59650 Villeneuve d'Ascq, France

by email, using the address applicable to your country:
- France: [email protected]
- Belgium and Luxembourg: [email protected], [email protected]
- Netherlands: [email protected]

Italy

Locker InPost Italia s.r.l. Registered office: Viale Cassala 30, 20143 Milano, Italy

Locker InPost Italia S.r.l. has appointed its Data Protection Officer (DPO) pursuant to Articles 37, 38 and 39 of the GDPR. The DPO may be contacted at the email address: [email protected].

Spain

The following entities act jointly as Data Controllers in Spain and are referred to collectively as the "InPost Spain Group":

INPOST SPAIN, S.L.U. Address: Gran Via De Les Corts Catalanes, 129-131, P.6, 08028 Barcelona
MONDIAL RELAY S.A.S.U. SUCURUSAL EN ESPAÑA Address: Cami De Les Oliveres Num. 1, 08800 - (Vilanova I La Geltru), Barcelona
SENDING TRANSPORTE Y COMUNICACION SA Address: Avda De Suiza 26, 28000 - Madrid

InPost Spain Group has appointed its Data Protection Officer (DPO) pursuant to Article 37 of the GDPR and Article 34 of the LOPDGDD. The DPO can be contacted:

by email address: [email protected],
by traditional post: Gran Via De Les Corts Catalanes, 129-131, P.6, 08028 Barcelona, Spain.

Portugal

MONDIAL RELAY SUCURSAL EM PORTUGAL Registered office: Rua Coronel Edgar Pereira Da Costa Cardoso Nr. 3, Frac. E, 2615-360 Alverca do Ribatejo, Portugal

MONDIAL RELAY SUCURSAL EM PORTUGAL has appointed its Data Protection Officer (DPO) pursuant to Article 37 of the GDPR. The DPO can be contacted at:

the email address: [email protected],
by postal mail: Alverca do Ribatejo (Rua Cor. Edgar Pereira Da Costa Cardoso, 3 E, 2615-360).

United Kingdom

InPost UK Limited Registered office: Moray House, 23-35 Great Titchfield Street, London, United Kingdom, W1W 7PA

InPost UK Limited has appointed a Data Protection Officer (DPO). You can contact the DPO office using the following methods:

by email address: [email protected],
by traditiona post: FAO Data Protection Officer, Moray House, 23-35 Great Titchfield Street, London, W1W 7PA, United Kingdom.

3. WHEN MAY WE PROCESS YOUR PERSONAL DATA?

3.1. We may process your personal data on the following basis:

3.1.1. consent (Article 6(1)(a) GDPR): If you give us your consent, we will process your personal data for the specific purpose to which you consent. This ground is used, for example, when you supplement your account with optional data. Please note that, where consent is the most appropriate lawful basis for processing, this is entirely voluntary and may be withdrawn at any time.

3.1.2. contract (Article 6(1)(b) GDPR): Where processing is necessary for the performance of a contract to which you are party to, or in order to take steps at your request prior to entering into a contract. ;

3.1.3. legal obligation (Article 6(1)(c) GDPR): When the processing of your personal data is necessary to comply with our legal obligations (e.g., for tax and accounting purposes, arising from the provisions of the Polish Law, e.g.: Postal Law Act, the Transport Law Act or the Act on counteracting money laundering and terrorist financing).

3.1.4. legitimate interest (Article 6(1)(f) GDPR): We may process your personal data when it is necessary for our legitimate interests, and those interests do not override your rights and interests. This relates to, in particular, processing for purposes related to customer support, improving or developing our services, as well as for security purposes, including fraud prevention.

4. WHAT PERSONAL DATA DO WE PROCESS AND FOR WHAT PURPOSE?

Depending on your relationship with InPost, including depending on the service you use, we will process your personal data for the following purposes:

4.1. INPOST ACCOUNT

Purposes and legal bases of processing:

setting up the InPost Account

legal basis for processing: contract – Article 6(1)(b) GDPR; consent – Article 6(1)(a) GDPR (with regard to data provided on an optional basis);

handling and maintaining the InPost Account, the ability to authenticate the user within the services available through the InPost Account, including depending on the user’s Country:

1.1. Postal, freight forwarding and transport services in Poland and other Countries (postings, returns, collections, extensions of parcel storage);

1.2. additional services specific to the Assigned region that provides them, such as loyalty programs; these services are described in Part II in the sections dedicated to individual countries.

legal basis for processing: contract – Article 6(1)(b) GDPR;

reviewing and handling complaints

legal basis for processing: legal obligation or the legitimate interest of the controller in handling complaints concerning services provided by InPost - Article 6(1)(c) or (b) GDPR;

pursuing claims and defence against claims

legal basis for processing: the legitimate interest of the controller consisting in pursuing, establishing or defending against claims - Article 6(1)(f) GDPR

What personal data we may process?

identification data, in particular: telephone number, e-mail address;
address and contact data: first name, last name, delivery address, delivery information including information provided by you e.g. comments regarding deliver, invoice address, favourite Parcel Locker,

InPost Account data, in particular: the date of creation of the Account, the history of activities undertaken within the Account, the history of consents expressed by you and acceptances of statements (e.g. any marketing consents, acceptance of General Terms and Conditions of InPost Account Services ., confirmation of adherence with prohibited or non-compensatory item restrictions, ,), application language, selected region, information about an active session.

At present it is not possible to change the telephone number, as it is your unique identifier in our system. If you want to change the telephone number, you must create a new InPost Account.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary for the proper provision of the service, and after its completion – no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional situations this period may be extended if provisions of law – including the Polish Civil Code – provide for suspension or interruption of the limitation period.

4.2. SECURITY

Purposes and legal bases for processing:

Prevention, detection and handling of data protection breaches, information security incidents, and other security considerations necessary to ensure the secure operation of online services.

Personal data may be processed by us when analysing incidents or (suspected) breaches:

to analyse, investigate, document and report individual incidents;
to prepare analyses and reports on the security status;
to establish, pursue and/or defend legal claims.

legal basis for processing:

the legitimate interest of the Controller consisting in ensuring security and explaining incidents or breaches - Article 6(1)(f) GDPR or a legal obligation – Article 6(1)(c) GDPR (where there is no specific legal obligation, the processing of your personal data for security and protection purposes is based on our legitimate interest).

What personal data do we process?

Customer ID;
User contact data;
order history;
payment-related data;
shopping behaviour;
incident logs, event logs.

Individual logs may contain data such as: information on abuses, including (suspected) criminal activity.

More information:

We undertake a number of actions aimed at ensuring security for:

users,
property,
InPost IT infrastructure

We try to protect our resources against cyberattacks, fraud, abuse and other malicious activities.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary for the proper achievement of the purpose, and after that period – no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional situations this period may be extended if provisions of law – including the Civil Code – provide for suspension or interruption of the limitation period.

4.3. ANALYTICAL PURPOSES AND IMPROVING THE QUALITY OF THE INPOST ACCOUNT SERVICE

Purposes and legal bases for processing:

We process your data for the following purposes:

analytical purposes: developing and improving our services and improving the customer experience;
creating new functionalities;
personalising InPost Account settings within the Application and other services available via the InPost Account;
analysis of user activity within the InPost Account for purposes other than advertising, including for analytical and statistical purposes and in order to detect and resolve cases of non-compliance with the regulations.

legal basis for processing: the legitimate interest of the Controller consisting in conducting analytical, optimisation and sales-supporting activities, service provision and advertising activities - Article 6(1)(f) GDPR or consent – Article 6(1)(a) GDPR (if the data will be used for marketing purposes)

What personal data do we process?

e-mail address/telephone number;
User ID
shipment/complaint number and history;
behavioral and contextual data;
other data generated by the system, originating from your activities and interactions with us.

Data used for development and improvement have been collected for various purposes. For example, we may use data relating to online transactions to develop our online ordering system, and for this purpose we use anonymised data. All analyses are carried out at the level of aggregated data. Where sufficient and possible, we use anonymised data.

More information:

Our aim is to create easily accessible and personalised services, which requires an analysis of the needs and requirements of the user/customer. This includes analysis aimed at making our services more user-friendly (for you), e.g. modifying the user interface in order to simplify the flow of information or to identify and develop services and their functionalities.

Sometimes we use surveys and customer satisfaction assessment forms. In such a case, any personal data used and obtained from you will be processed solely for the specific purpose described there.

We create and collect statistics, including via your smart devices, in order to optimise the assortment and services provided by us, and we also analyse and plan the use of staff, equipment and devices.

We want to be able to carry out analyses and segmentation in order to provide you with personalised services/purchases.

We may share your data with our advertising partners for purposes related to optimisation and ad targeting.

In order to ensure transparency, we explain the differences between personalisation of services, profiling and automated decision-making:

Personalisation consists in adjusting the way our services are presented or function to better match your preferences and typical use of the InPost Account. This may include, for example, adapting the user interface, suggesting certain functionalities, or remembering your settings. Personalisation is based on general patterns of use or your previous interactions, but it does not aim to evaluate you as a person or predict your behaviour in a way that produces legal or similarly significant effects.

Profiling means any form of automated processing of personal data consisting of using your data to evaluate certain personal aspects, in particular to analyse or predict your preferences, interests, behaviour or usage patterns. Where profiling is used, it is carried out mainly for analytical and statistical purposes, service improvement, segmentation of users and, where applicable, for marketing purposes (based on your consent where required). Profiling does not result in decisions that produce legal effects or similarly significantly affect you. Where profiling is carried out for marketing purposes, including targeted advertising, you can find more detailed information in the sections of this Privacy Policy dedicated to marketing activities.

Automated decision-making refers to decisions made solely by automated means, without human involvement, which produce legal effects concerning you or similarly significantly affect you. As a rule, we do not carry out such decision-making in relation to users of the InPost Account.

Controller:

InPost sp. z o.o.

Retention period:

5. ADDITIONAL INFORMATION ON PROCESSING

Detailed information on how individual local companies process data for marketing purposes can be found in Part II – in the section concerning the given country.

5.1. Processing of children’s personal data

5.1.1. Our services are intended for persons over 16 years of age. In some Countries the threshold may be different due to local regulations. If you are under 16, i.e. you are not entitled to use InPost digital services on your own, you must have the consent of your parent or legal guardian to use these services. If we do not receive such consent, we cannot process information about you and we must delete your personal data. This may mean that we will not be able to provide you with the services you requested.

5.1.2. We may process the following information about you: first name, last name, date of birth and other information necessary to achieve a specific purpose.

5.1.3. We make every effort to collect only the data that are necessary to provide the services. We do not knowingly collect additional information from minors or about them. If we learn that we inadvertently collected such personal data, we will take steps to enforce our terms and take actions aimed at promptly deleting personal data from our records.

5.1.4. We may use your data to: make available and provide the ordered services (they must be tailored to your age), participation in competitions or events, communication with the consent of a legal guardian.

5.1.5. We ensure that information about you is used safely and we protect it so that no unauthorised person has access to it without the consent of your parent or legal guardian. We use the collected data about you only for an appropriate period of time.

5.1.6. Your parent or legal guardian may at any time request access to your data, change or delete it, or may withdraw consent to processing at any time.

5.1. Closure of the InPost Account

5.1.1. If you close the account yourself (delete the account in InPost Mobile and then uninstall the application), you will lose access to your data within the active account. You may have access to such data only if you exercise the right of access to data, and we still process them. Information on how to exercise the right of access to data can be found in section 6.

5.1.2. We may also close your account. The rules under which we may do so are described in detail in the General Terms and Conditions of InPost Account Services . In such a case you will also lose access to your data within the active account, but you will be able to exercise the right of access to data and other rights you are entitled to, provided that we still process such data.

5.2. Deletion of personal data

5.2.1. The period of processing of data by the controller depends on the type of provided service and the purpose of processing. As a rule, data are processed for the duration of providing the service, until withdrawal of consent, or submission of an effective objection to data processing in cases where the legal basis for data processing is the controller’s legitimate interest.

5.2.2. We delete personal data after the following time conditions are met:

when you submit a complaint or grievance regarding services provided by InPost: the personal data contained in that complaint or grievance are processed for the time necessary to consider the complaint or grievance, and after that time we may store them for a period no longer than the limitation period of any claims arising from the submitted complaint or grievance, resulting from generally applicable provisions of law;
when you submit another report or inquiry to us: we store personal data for the period of handling and possible completion of the report, and after that time we may store them for a period no longer than the possible limitation period for claims, resulting from generally applicable provisions of law;
if the storage period of your personal data results from mandatory provisions of law, we store personal data for the period specified in those provisions.

5.2.3. The above is compliant with Article 17(3)(b) and (e) GDPR, which indicates that the right to erasure does not apply to the extent that processing is necessary, inter alia, for:

compliance with a legal obligation requiring processing under EU law or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
the establishment, exercise or defence of claims.

5.3. Personal data security

The security of your personal data is our priority. For this purpose we continuously conduct risk analysis – in order to ensure that personal data are processed by us in a secure manner, ensuring in particular that access to data is granted only to authorised persons and to the extent necessary due to the tasks performed by them.

We make all reasonable efforts to ensure the security of processed personal data by using effective technical and organisational safeguards.

5.3.1. All information we receive about you is stored on appropriately secured servers.

We continuously assess the security level of our network, monitor internal regulations and procedures. This enables us to:

protect data against accidental or unlawful loss, unauthorised access or disclosure;

identify foreseeable risks to the security of our network;

minimise threats to security, including through risk assessment and regular testing.

5.3.2. All payment-related data are encrypted using SSL technology.

6. TO WHOM DO WE DISCLOSE YOUR DATA?

6.1. In connection with our provision of services by electronic means, personal data are disclosed to:

Integer.pl Capital Group – we may transfer your data to other companies in the integer.pl Capital Group, the list of which is available here. These companies help us improve our services, support customers, conduct business analyses, ensure security and detect abuse. The transfer of data may be necessary for you to be able to use our services.

6.1.1. Third parties providing services – we use the services of third parties who help us maintain and deliver certain solutions related to our services or who provide certain services to us. These include, among others: providers responsible for the operation of IT systems, data hosting and communication channels, entities providing accounting services, entities providing legal services, insurance companies, marketing agencies, service providers responsible for shipping, delivery or returns of parcels, service providers providing customer service, service providers responsible for chatbots and conversation analysis.

6.1.2. Some of these entities act as separate controllers, and some – depending on the service provided to us – process personal data as processors, i.e., in accordance with our instructions, solely to the extent indicated by us.

6.1.3. Marketing and analytics service providers – in order to improve our services, we sometimes share information about you with providers such as Google or Meta. They help us analyse how users use mobile applications and support our online marketing. More information can be found in our cookies policy.

Entities providing payment services available in our mobile application and other services – in order to provide the payment services made available in the mobile application, we provide the payment operator with the data necessary to make the payment and to verify and identify the customer. The payment operator becomes a separate controller of your data.

6.1.4. Law enforcement authorities, supervisory authorities and others – we may disclose selected information about you to the competent authorities or third parties that submit such a request. We will do so in accordance with the provisions of law.

6.2. Transfer of data outside the EEA

6.2.1. As a rule, we do not use the services of suppliers that are established in countries outside the European Economic Area (“EEA”). However, it may happen that certain entities whose services we use directly or indirectly (e.g., social media service providers) are established in countries outside the EEA or may use subcontractors that are established outside the EEA.

6.2.2. If the situation described above occurs, we transfer your personal data outside the EEA only when it is necessary, and with the provision of an appropriate degree of protection required by the GDPR. To this end:

we transfer your personal data to countries which the European Commission has recognised as ensuring an adequate level of protection of personal data, or
we use the services of specific suppliers and use template contracts approved by the European Commission (Standard Contractual Clauses). Together with the required additional security measures, they ensure that personal data enjoy the same protection as in the European Union.

7. YOUR RIGHTS

7.1. How to exercise your rights:

You have the following rights regarding your personal data:

Right of access to personal data — you can check whether we process your personal data and, if so, you can obtain a copy of your data.

Right to rectification — you can that incomplete, incorrect, or outdated data be corrected. In some cases, in order to fulfil your request, we will need to verify the accuracy of the new data you provide to us.

Right to restriction of processing — you can ask us to stop processing your data when:

you want us to verify the accuracy of the data;
you believe our processing is unlawful;
we no longer need your data, but you need it to establish, exercise, or defend legal claims;
you object to processing — then we will assess whether we have overriding legitimate grounds to continue processing your data.

Right to object to processing — this applies where we process your data on the basis of a legitimate interest (ours or a third party’s). You may object for reasons related to your particular situation, where you believe the processing affects your rights or freedoms. In some cases, we may have compelling legitimate grounds to process your data that override your rights and freedoms (e.g., the need to ensure the security of mobile applications and prevent fraud).

Right to erasure (right to be forgotten) — you can request deletion of your data if it is no longer necessary for the purposes for which it was collected. You may also request deletion if:

you withdraw your consent and we have no other legal basis for processing;
you successfully object to processing;
your personal data has been processed unlawfully;
your data must be erased to comply with legal obligations.

Please note that in some cases we are required to process your data under applicable laws and we may not be able to fulfil your request.

Right to data portability — When exercising this right, we will provide your personal data to you or to a third party indicated by you. However, this right applies only to data processed on the basis of consent or for the performance of a contract, and only where the processing is carried out by automated means (in IT systems).

Withdrawal of consent — If you have given us consent to process certain data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Right to set out advance directives in the event of death (For France only) — You have the right to instruct us on what you would like us to do with your personal data after your death.

7.2. How to exercise your rights

You may exercise your rights by contacting the relevant company. Contact details and available forms of contact can be found in the table in Part I, section 2 above (“Who processes your data”, point 2.3).

7.2.1. You may exercise your right to object in various ways depending on what it concerns:

in the case of marketing emails – click the unsubscribe link in the content of the message;
in the case of marketing SMS messages, push notifications or telephone calls – change the notification settings in your account to opt out;
in the case of cookies – click the opt-out/reject option within the cookies banner (the bottom bar of the page “Manage cookies”)

in other cases regarding the InPost Account, contact us via the Contact Form or via the email address: [email protected].

via chat ( if this option is available in your country)

7.2.2. Everyone has the right to the protection of their personal data and, in accordance with the GDPR, you may exercise your rights free of charge (this is the case in most instances). We may charge a reasonable fee if your request is manifestly unfounded or excessive, in particular because of its repetitive nature. In such cases, we may also refuse to comply with your request.

7.2.3. We endeavour to respond to your requests within one month. If your request is particularly complex or we have received several requests from you, handling the request may take us longer. In such a case, we will inform you that it will take longer and we will keep you informed on an ongoing basis about the status of your request.

7.3. Complaint to the supervisory authority

You have the right at any time to lodge a complaint with the competent supervisory authority. In matters related to the processing of data within the scope of our services or the services of local companies, you may contact the supervisory authority competent for a given local company.

In Poland, the supervisory authority is the President of the Personal Data Protection Office.
In France, the supervisory authority is la Commission nationale de l’informatique et des libertés (CNIL)
In Belgium, the supervisory authority is l’Autorité de Protection des données / Gegevensbeschermingsautoriteit,
In Spain, the supervisory authority is Agencia Española de Protección de Datos (AEPD)
In Italy, the supervisory authority is Garante per la protezione dei dati personali (GPDP)
In Portugal, the supervisory authority is Commissão Nacional de Protecção de Dados (CNPD)
In the United Kingdom, the supervisory authority is Information Comissioner’s Office (ICO)
In Netherlands, the supervisory authority is Autoriteit Persoonsgegevens (AP),
In Luxembourg, the supervisory authority is la Commission nationale pour la protection des données (CNPD)

8. CHANGES TO THE PRIVACY POLICY

We may change or update this Privacy Policy. Any changes will be published in the mobile application and through our other services. If you have provided us with your email, we may additionally inform you about the changes via email.

If you do not agree to changes to the Privacy Policy, you may close your account in the mobile application or on the website. You can find the option to close the account in its settings.

PART II

The list of services provided within the applications and the websites is included in the list of services provided by InPost, which forms part of this Privacy Policy. Depending on your assigned region and the relevant regional appendix, you may use the application to access the functionalities described therein. This document outlines the principles of personal data processing for individual countries.

Information regarding the exercise of your rights under the GDPR can be found in Part I of the Policy, in the section “Your rights”.

Appendix A1 – Services provided in Poland

I. MOBILE APPLICATION (INPOST MOBILE)

InPost Mobile – This is our mobile application, which you can use after creating an InPost Account.

Purposes and legal bases for processing:

analysis of user activity in InPost Mobile for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with the rules

legal basis for processing: legitimate interest of the controller consisting in conducting analyses of users' activity and using the results of such analysis to improve the quality of services provided and for analytical and statistical purposes - Article 6(1)(f) of the GDPR or consent (push notifications) - Article 6(1)(a) of the GDPR

own marketing

reviewing and handling complaints

legal basis for processing: legal obligation or the legitimate interest of the controller consisting in handling complaints – Article 6(1)(c) or Article 6(1)(f) GDPR;

pursuing claims and defence against claims

legal basis for processing: the legitimate interest of the controller consisting in pursuing, establishing, or defending against claims – Article 6(1)(f) GDPR;

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address, home address, delivery address, Tax Identification Number;

• marketing data, including data on the way the User uses InPost Mobile devices or an Internet browser, in particular: clicks and traffic on the website, opening push notifications (if you have agreed to receive notifications);

• device identifiers and other online identifiers;

• location data

To determine your location, we use various technologies, including IP address, GPS, Wi-Fi access points, and mobile network cell towers. Your location data allows us to find and display InPost points and Parcel Locker machines located in your neighborhood.

More information:

As part of the handling of the complaints process, your personal data may be disclosed to our insurer (an insurance company with which we have entered into an agreement, e.g., Generali Towarzystwo Ubezpieczeń Spółka Akcyjna with its registered office in Warsaw), which acts as a separate controller of personal data.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary for proper fulfilment of the purpose, and thereafter – no longer than the limitation period for claims, which as a rule is up to 6 years. In exceptional situations, this period may be extended if provisions of law – including the Civil Code – provide for suspension or interruption of the running of the limitation period.

II. MARKETING AND MARKETING COMMUNICATION

1. Contextual Advertising (Non-Targeted)

Purposes and legal bases for processing:

Legitimate interest of InPost in promoting its services to existing users by displaying non-targeted marketing content within the InPost mobile application and on the InPost website (Article 6(1)(f) GDPR).

We have assessed that this interest does not override your rights and freedoms: the content is generic, non-intrusive, and displayed only within our own platforms. You may object at any time.

What personal data do we process?

Identification data (e-mail address and/or phone number where used to identify the logged-in user);
Information about user interactions with the app or website (e.g. pages or screens viewed).

More information

InPost displays generic, non-targeted offers, promotions and recommendations within the InPost mobile application and on the InPost website. This content is not tailored to your individual profile — it is shown to users generally based on contextual factors such as the screen you are viewing.

Controller:

InPost Sp. z o.o.

Retention period:

For the duration of the user account, or until you object to this processing, whichever is earlier.

2. Direct Marketing Communications

Purposes and legal bases for processing:

Sending direct marketing communications via e-mail, SMS/MMS, push notifications — legal basis: consent (Article 6(1)(a) GDPR/ Article 398 PKE).

What personal data do we process?

Phone number and/or e-mail address (depending on the channel used);
Marketing preferences, including the date, time and method by which consent was given or withdrawn.

More information

InPost sends direct marketing communications via e-mail, SMS/MMS, and push notifications only. The content includes offers, promotions and recommendations relating to InPost's own services and goods, and joint initiatives with carefully selected partners and retailers. Where partner content is included, it is sent by InPost on the basis of your consent — your personal data is not shared with those partners for their own independent marketing.

By subscribing to the InPost communications, you consent to receiving messages by e-mail (Article 6(1)(a) GDPR/ Article 398 PKE). Providing consent is entirely voluntary.

You may withdraw your consent at any time by: (a) clicking 'Unsubscribe' in any e-mail we send you; (b) updating your preferences in the InPost app settings; or (c) contacting us via our contact form. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Controller:

InPost Sp. z o. o.

Retention period:

We retain marketing data until you withdraw your consent. Where you withdraw your consent, we retain a record of your marketing permissions to ensure you do not receive further direct marketing, unless and until you consent again.

3. Profiling for Marketing Purposes

Purposes and legal bases for processing:

Legitimate interest of InPost in understanding how our services are used and in making our marketing communications more relevant to users (Article 6(1)(f) GDPR).

We do not send direct marketing based on profiling without your separate consent (Section 2 above). Profiling does not involve automated decision-making that produces legal or similarly significant effects on you (Article 22 GDPR does not apply).

What personal data do we process?

Frequency of app or Parcel Locker use;
Preferred Parcel Locker locations;
Parcel history (collections and sends);
Locations where you typically collect or send parcels;
Whether you have sent or received a parcel within the last 12 months

More information

We may use the data we hold about you to create a marketing profile. This means analysing information about how you use our services — such as your Parcel Locker usage frequency, preferred locations, and parcel history — in order to understand your preferences. This helps us tailor the content of marketing communications to be more relevant to you.

Controller:

InPost Sp. z o. o.

Retention period:

We do not retain profiling outputs as separate records. Profiling is carried out on personal data held for other purposes, and that data is retained in accordance with the applicable retention periods for those purposes. No additional data is stored specifically for profiling.

4. Behavioural Advertising and Remarketing

Purposes and legal bases for processing:

1. Displaying personalised marketing content tailored to your interests and preferences (behavioural advertising) — legal basis: consent (Article 6(1)(a) GDPR), obtained via the cookie consent banner in the InPost mobile application or on the InPost website.

2. Directing advertising messages to you on third-party websites and social media platforms based on your prior use of our services (remarketing) — legal basis: consent (Article 6(1)(a) GDPR).

3. Combining personal data obtained from different sources (including data from analytics providers and publicly available registers) for the purpose of creating a more complete user profile for marketing — legal basis: legitimate interest of InPost in conducting personalised marketing campaigns (Article 6(1)(f) GDPR), to the extent permitted by applicable law and where consent is not required.

What personal data do we process?

Identification data (e-mail address, phone number);
Behavioural data collected via cookies and similar tracking technologies: pages and screens visited, content clicked, time spent, device and browser information;
Data from analytics providers (e.g. Google Analytics): technical information and usage patterns;
Data from publicly available sources (e.g. Companies House, CEIDG): address and contact information relating to business activity, where relevant;
Inferred interest and preference data derived from the above sources.

More information

Where you have consented to the use of cookies and similar technologies, we use data collected through those technologies to display marketing content that corresponds to your interests — for example, showing you offers related to services you have previously viewed or used (behavioural advertising).

We also use this data for remarketing: repeating advertising messages to users who have previously interacted with our mobile application or website, on third-party websites and on social media platforms. This is done through the use of advertising pixels, tags and similar technologies placed by our trusted advertising technology partners.

You may give or withdraw your consent to cookies and similar technologies at any time via the cookie consent banner in the InPost mobile application or website. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. More information is available in our Cookie Policy.

Where we rely on legitimate interest to combine data from third-party sources (purpose 3 above), we have assessed that our interest in conducting personalised campaigns does not override your rights and freedoms, given that: (a) the data sources used are limited to reputable analytics providers and publicly available registers; (b) the combined data is used solely for marketing improvements and not for automated decision-making with significant effects; and (c) you may object at any time.

Right to withdraw consent / right to object: For purposes 1 and 2 (behavioural advertising and remarketing), you may withdraw your consent at any time via the cookie consent settings in the app or website, or by contacting via our contact form. For purpose 3 (data combination based on legitimate interest), you have the right to object. To object, contact us via our contact form

Controller:

InPost Sp. z o. o.

Retention period:

Data collected via cookies and similar technologies is retained in accordance with our Cookie Policy, which sets out the specific retention period for each cookie category.

Data combined from third-party sources for profiling purposes is retained only for as long as necessary to carry out the relevant marketing activity, and no longer than the retention period applicable to the underlying data from which it was derived.

Where you withdraw consent or object to processing, we will cease the relevant activity and ensure that data used solely for that purpose is deleted, subject to any overriding legal obligation to retain records.

5. Advertising on Social Media Platforms (Non-Targeted)

Purposes and legal bases for processing:

Legitimate interest of InPost in promoting its services to relevant audiences on social media platforms including YouTube, LinkedIn, Facebook, Instagram, and TikTok (Article 6(1)(f) GDPR).

What personal data do we process?

Audience parameters set by InPost for a campaign (e.g. general location, age ranges, interest categories — broad demographic criteria not linked to your individual profile);
Aggregated, statistical-level performance data supplied by the platform (e.g. total impressions, click-through rates). We do not receive or process individual user data from platforms.

More information

InPost runs advertising campaigns on social media platforms. We set broad demographic parameters for our campaigns, but we do not share your personal data with those platforms for the purpose of targeting you specifically. The platforms use information they already hold about their own users — pursuant to their own terms and privacy policies — to determine who sees our adverts.

If you wish to manage how social media platforms show you adverts, please do so directly through the privacy or advertising settings of the relevant platform.

Controller:

InPost Sp. z o. o.

Retention period:

Advertising audience parameters and campaign performance data are retained only for as long as necessary to plan, review and optimise our marketing activity — usually the duration of the specific advertising campaign.

PROVISION OF POSTAL AND TRANSPORT SERVICES, INCLUDING COURIER SERVICES AND SERVICES PROVIDED VIA PARCEL LOCKER

Purposes and legal bases for processing:

provision of postal services and transport services, including courier services and services provided via Parcel Locker – with respect to shipments dispatched in Poland;

legal basis for processing: contract – Article 6(1)(b) GDPR;

reviewing and handling complaints

legal basis for processing: legal obligation – Article 6(1)(c) GDPR; consent to process special categories of personal data – Article 9(2)(a) GDPR

What personal data do we process?

the first name and surname of the sender (including the payer) and of the recipient (addressee) of the shipment;
the sender’s address (street, house number, apartment number, postal code, city);
the recipient’s address (street, house number, apartment number, postal code, city);
a new delivery address of the shipment, if after dispatch the sender instructs InPost to deliver it to a new address or InPost agrees with the recipient, before delivery of the shipment, on a different delivery address;
the e-mail address of the sender and the recipient of the shipment, processed in order to send messages regarding performance of the service, in particular information about the current shipment delivery status, or information enabling collection of the shipment from the Parcel Locker;
the phone number of the sender and the recipient of the shipment for direct contact or to send messages regarding performance of the service, in particular contact to agree on a different place of delivery of the shipment, or information enabling collection of the shipment from the Parcel Locker;
depending on the service selected for performance, we may also process the bank account number necessary to transfer the collected cash (under the cash on delivery service, so-called cash on delivery (COD)) to the person indicated by the sender, and information enabling identification of the circumstances of COD payments or topups of accounts as part of paying for the services we offer by the prepaid method (advance payment);called cash on delivery) to the person indicated by the sender, and information enabling identification of the circumstances of COD payments or top-ups of accounts as part of paying for the services we offer by the prepaid method (advance payment);called cash on delivery) to the person indicated by the sender, and information enabling identification of the circumstances of COD payments or top-ups of accounts as part of paying for the services we offer by the prepaid method (advance payment);called cash on delivery) to the person indicated by the sender, and information enabling identification of the circumstances of COD payments or top-ups of accounts as part of paying for the services we offer by the prepaid method (advance payment);
where services are provided to entrepreneurs (B2B agreement), data regarding the business activity conducted (including Tax ID, REGON, company name, business address, contact details), including data of contact persons or persons authorised to represent, and data regarding cooperation with InPost;
the IP address of persons using our systems;
information obtained from you in the course of the complaint procedure and in the course of the claims settlement procedure (loss settlement), including information about your health condition if you decide to provide it.

More information:

In connection with processing the payment, your data will be processed in the Przelewy24 service by PayPro S.A., with its registered office in Poznań, which is a separate controller.

If you dispatch a shipment from Poland to a Country other than Poland, your data will be processed by our partner – the courier company – in the destination Country, acting as a separate controller of personal data – the list of these entities is available here.

If you dispatch a shipment from a Country other than Poland, your data will be processed by our local company in the dispatch Country, acting as a separate controller of personal data – the list of these companies is provided in section 1.2 and is available here. Your data will also be processed by our partner – the courier company – in the destination country, which also acts as a separate controller of personal data – the list of these entities is available here.

If you have filed a complaint, your personal data may be disclosed to our insurer (the insurance company with which we have concluded an agreement, e.g. Generali Towarzystwo Ubezpieczeń Spółka Akcyjna with its registered office in Warsaw), which is a separate controller of personal data.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary to properly fulfil the purpose, and after that period – no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional cases this period may be extended if provisions of law – including the Civil Code – provide for suspension or interruption of the limitation period.

LOYALTY PROGRAMME

Purposes and legal bases for processing:

performance of obligations and exercise of rights arising from participation in the loyalty programme, including notifications about rewards and benefits resulting from membership, such as offers, promotions and recommendations, services, events and many others organised by us or our partner companies.

legal basis for processing: contract – Article 6(1)(b) GDPR; consent – Article 6(1)(a) GDPR (with respect to data provided optionally);

marketing of our own and partners’ products/services

legal basis for processing: the Controller’s legitimate interest consisting in marketing of the Controller’s own products or services – Article 6(1)(f) GDPR; consent to use cookies and other technologies – Article 6(1)(a) GDPR;

reviewing and handling complaints

legal basis for processing: legal obligation or the Controller’s legitimate interest consisting in handling complaints concerning services provided by InPost – Article 6(1)(c) or (f) GDPR;

pursuing claims and defence against claims

legal basis for processing: the Controller’s legitimate interest consisting in pursuing, establishing or defending against claims – Article 6(1)(f) GDPR

What personal data do we process?

activity within the Loyalty Programme, including the number and history of exchange / receipt / expiry of points (InCoins) and the history of tasks performed and rewards collected;
marketing data, including data on the manner of using the user’s InPost Mobile device or web browser.

More information:

In connection with handling the complaint process, your personal data may be disclosed to our insurer (the insurance company with which we have concluded an agreement, e.g. Generali Towarzystwo Ubezpieczeń Spółka Akcyjna with its registered office in Warsaw), which acts as a separate Controller of personal data.

If you declare your intention to acquire a reward in the form of an InBox, we will disclose your data in the form of: your phone number, the status of a Loyalty Programme participant, and the status of an application user, to the lottery organiser responsible for awarding those rewards, in order to enable the lottery to be conducted and to verify your eligibility to participate in that lottery, as a separate Controller. We will also disclose the aforementioned data to selected partners of the Loyalty Programme for the purpose of performing obligations and exercising rights arising from participation in the Loyalty Programme and for reporting purposes.

Controller:

InPost sp. z o.o.

Retention period:

INPOST AI ASSISTANT

Purposes and Legal Bases for Processing

Provision of services by electronic means through ensuring access to a virtual chat enabling conversation:

Legal basis: Article 6(1)(b) GDPR — processing is necessary for the performance of a contract to which the data subject is party (provision of the real-time chat service).

Use of historical data and preferences in order to tailor responses and recommendations:

Legal basis: Article 6(1)(f) GDPR — the legitimate interest of the controller consisting in improving the quality and relevance of the service provided and its personalisation for the user, while guaranteeing the user the right to object to such processing.

The user has the right to object to this processing. If you exercise the opt-out option, the AI assistant will not use your previous conversation history when formulating responses.

Data transmitted during interaction with the AI assistant — including the content of conversations, questions entered and answers provided — may be used for training and improving the artificial intelligence model.

Legal basis: Article 6(1)(f) GDPR — the legitimate interest of the controller consisting in improving AI models, enhancing system security and raising the quality of services provided to users.

Within the framework of the "Nakarm Bielika" campaign, we process in particular: the content of messages entered (questions, commands, comments and attachments added), the content of responses generated by the assistant, information contained in messages that may constitute personal data if the user chooses to disclose them (e.g., first name, email address, other identifying data), the manner of formulating statements, linguistic style and language constructions used.

These data are used exclusively in aggregated or anonymised form to the extent possible. The controller does not use conversations to identify specific users and does not build individual user profiles for the purpose of model training.

The language model does not "remember" users as individuals; however, individual fragments of conversations may be used as elements of training datasets after prior processing (e.g., removal or limitation of data enabling identification).

Data are used to improve service quality and detect abuse within the existing system functionalities.

Legal basis: Article 6(1)(f) GDPR — the legitimate interest of the controller consisting in ensuring the integrity, security and proper functioning of IT systems and protection against unauthorised access or abuse.

Pursuit and defence of claims.

Legal basis: Article 6(1)(f) GDPR — the legitimate interest of the controller consisting in the ability to pursue and defend legal claims.

What Personal Data Do We Process?

Data provided directly by the user:

information from queries and chat history, including attachments added (e.g., questions, answers, message content, files and documents uploaded);
identification data necessary for the use of the service.

Technical and operational data:

technical data related to the use of the service (e.g., IP address, timestamp);
session identifier, device type, operating system, application version;
activity logs and system error logs.

Data generated in the course of service provision:

conversation history and patterns (for personalisation and model training purposes);
thematic categories of queries (for analysis and service improvement purposes);
user communication preferences and style identified by AI algorithms.
Important: Please do not provide information containing special categories of personal data (e.g., data concerning racial or ethnic origin, health, political opinions, religious or philosophical beliefs, sexuality and sexual orientation).

More Information

You may use the services of our AI assistant — a tool using artificial intelligence, available in the mobile application, which supports user service through online chat and enables conversations. In connection with the above, it may use personal data.
We encourage prudent use of the AI assistant, as it may sometimes generate untrue or accidentally personalised information.
The AI assistant may use your historical data and preferences in order to tailor responses and recommendations.
Our AI assistant analyses the content of conversations in order to personalise responses and adapt the service to your needs (e.g., remembering conversation context, matching the tone and style of communication). This process may involve analysing the patterns of your queries and conversation topics. However, its result is not an assessment of your personal characteristics or prediction of your behaviour beyond the current session.
On the basis of the above processing, no decisions producing legal effects or similarly significantly affecting you are taken in a solely automated manner (Article 22 GDPR). The results of conversation analysis serve exclusively to improve the quality of the assistant's responses — they are not used to assess your credibility, economic situation, health, preferences or any other personal characteristics that could constitute the basis for such decisions. Data from chat history will subsequently be used to improve the model, but not in real time. These data serve the provision of ongoing user support here and the improvement of service quality and detection of abuse within the existing system functionalities. Data transmitted during interaction with the AI assistant, namely information from conversation content, questions entered and answers, may be used for training artificial intelligence.
We make every effort to ensure secure data processing and we apply world-class technical solutions and regular AI system audits.
As a rule, we do not use providers based in countries outside the European Economic Area ("EEA"). However, it may happen that some entities whose services we use directly or indirectly (e.g., hosting service providers) are based outside the EEA or use subcontractors located outside the EEA.
In the event of the situation described above, we transfer your personal data outside the EEA only when this is necessary and while ensuring the appropriate level of protection required by the GDPR. To this end:
we transfer personal data to countries for which the European Commission has established an adequate level of personal data protection, or
we use the services of specific providers, concluding with them Standard Contractual Clauses approved by the European Commission, which together with additional required security measures ensure a level of personal data protection equivalent to that applicable in the European Union.

Controller:

InPost sp. z o.o.

Retention period:

The time necessary for the proper provision of the service, and after that period — no longer than until the expiry of the limitation period for claims.

Retention period for information in the form of attachments: up to 2 years.

Data used for AI model training (in anonymised or pseudonymised form): for the time necessary to achieve this purpose, but no longer than for the period justified by the technological lifecycle of the model.

INPOST PAY

Purposes and legal bases for processing:

Provision of the InPost Pay service, including:

a service consisting in carrying out the process of purchasing goods or services in the online store of a seller cooperating with us (within InPost Mobile),

legal basis for processing: contract – Article 6(1)(b) GDPR;

a service of remembering customer data, such as address data and payment-related data, and automatically completing those data in the purchasing process

legal basis for processing: contract – Article 6(1)(b) GDPR;

a service enabling customers to save card data within the user account in InPost Mobile

legal basis for processing: consent – Article 6(1)(a) GDPR;

a service of making payments within InPost Pay

legal basis for processing: contract – Article 6(1)(b) GDPR;

marketing of our own and partners’ products/services

reviewing and handling complaints

legal basis for processing: legal obligation or the Controller’s legitimate interest consisting in handling complaints concerning services provided by InPost – Article 6(1)(c) or (f) GDPR;

pursuing claims and defence against claims

legal basis for processing: the Controller’s legitimate interest consisting in pursuing, establishing or defending against claims – Article 6(1)(f) GDPR

What personal data do we process?

identification and contact data, including in particular: first name, surname, phone number, e-mail address, home address, delivery address;
data regarding transactions using InPost Pay, including: information regarding the basket and payments, information about the store where you made a purchase;
payment card data;
transaction history;
marketing data, including data on the manner of using the user’s InPost Mobile device or web browser.

More information:

Within InPost Mobile, as a buyer, you may use an additional service enabling a fast purchase path in the online store of a selected seller cooperating with us, using data stored within your InPost Mobile account, including identification data, payment-related data and delivery-related data. In that case, the controller of data processed in connection with conclusion and performance of the sales agreement is the seller.

We do not store the buyer’s credit card data unless you select the option to save them in order to facilitate future payments. In such a case, we will store only the cardholder’s first name and surname, the card expiry date, the card type and the last four digits of the card number. We do not store the credit card verification code values. We transmit them in encrypted form only together with the credit card number for the purpose of executing the payment by the operator, as a separate Controller. The Controller of buyers’ personal data processed in connection with the payment process is Aion bank S.A., a joint-stock company, branch in Poland.

Controller:

InPost sp. z o.o.

Retention period:

Appendix A2 – Services provided in France

The following categories of persons are concerned by this section:

Sender:
- - Any direct customer who uses the services and offers provided by Mondial Relay on its Communication Channels (‘Direct Sender’); or
    - Any person who sends a parcel through a direct customer of Mondial Relay (in particular via the Vinted, Leboncoin platforms, etc.).
Recipient’: any person who receives a parcel whose delivery has been entrusted to Mondial Relay;‘Visitors’: any person who visits and uses our Communication Channels;
Prospect’: any professional who is contacted by Mondial Relay in the course of its commercial activity;
Visitor : any person visiting our application or our website.
Third Party: any person who may be filmed by the video surveillance system installed on our APM.

Terms not defined in this Annex shall have the meanings ascribed to them in Section 4 of the Privacy Policy.

MONDIAL RELAY’S APPLICATION) and MONDIAL RELAY’S WEBSITE

MONDIAL RELAY APP – This is our mobile application, which you can use after creating an InPost Account.

By “Mondial Relay website”, we refer to the website mondialrelay.fr .

By “Communication channels”, we refer to both the Mondial Relay website and the Mondial Relay app

Purposes and Legal Bases of the Processing
Analysis and functioning

Purposes and legal bases for processing:

Analysis of your activity in MONDIAL RELAY’S APP for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with the rules
Compilation of statistics and analysis of communication channels in order to assess the security and stability of the system.
Adaptation of Mondial Relay’s app and of Mondial Relay’s Website and/or of our social networks to ensure appropriate display and guarantee smooth and secure navigation.
Management of conversations from Timo, chatbot powered by artificial intelligence intended to provide information and answers to questions asked by you.
Management of requests in the context of exercising your rights relating to your personal data.
Compliance with legal and regulatory obligations in force or relating to compliance, in particular reports required by law or any other request from a judicial authority

Legal basis for processing:

legitimate interest of the Controller consisting in conducting analyses of users' activity and using the results of such analysis to improve the quality of services provided and for analytical and statistical purposes - Article 6(1)(f) of the GDPR consent for location data, and push notifications Article 6(1)(a) of the GDPR;
Legal obligation, article 6(1) (c) du RGPD.

Own marketing

Compiling statistics and conducting marketing analyses to understand the use of communication channels and improve the customer experience.

Contacting prospects through various channels (telephone, email, social media, webinars, trade shows, etc.)

Legal basis for processing:

legitimate interest : Article 6(1)(f) of the GDPR,
or consent: Article 6(1)(a) of the GDPR.

Reviewing and handling complaints and litigation

Legal basis for processing:

legal obligation or the legitimate interest of the Controller consisting in handling complaints – Article 6(1)(c) or Article 6(1)(f) GDPR;
contract if applicable, pursuing claims and defence against claims: article 6 (1) b) of GDPR.

Processing of your application, should you wish to collaborate with us

You may use our Communication Channels to submit an application in order to collaborate with us, including in particular:

to become a Point Relais®;
to host an APM ;
to become one of our carriers ;
to become one of our employees.

Legal basis: legitimate interest, consisting in developing our network and our business activity: Article 6(1)(f) of the GDPR.

Which personal data do we process?

Depending on situation, we may collect the following data:

Identification data, including in particular:
- if you are an individual : title, first name, last name, phone number, e-mail address, home address, delivery address, and application data, where applicable;
- if you are a professional : in addition to the Personal Data we collect for individuals, we may collect the following Personal Data: the name and business sector of your company, geographical area of activity, your position, your company’s postal address, VAT number, SIREN SIRET, link to your company’s website ;
Connection data relating to your use of the Communication Channels: we collect browsing data that may identify your preferred device (computer, telephone, tablet). In this case, we may collect your device's IP address, the type of browser and operating system used, the identity of your internet service provider, the agent ID, the external ID the number of pages viewed, the time spent on each page, etc. This data is used, on the one hand, to ensure the proper functioning of our Communication Channels, in particular their performance and security, and on the other hand, to analyse their traffic, within the limits and conditions set out in this Privacy Policy.
Location data : geographical search area for Points Relais® or APM and geolocation

Controller and retention period

Controller: Mondial Relay

Retention period:

The time necessary for proper fulfilment of the purpose, and thereafter – no longer than the limitation period for claims or the legal retention period, which as a rule is up to 10 years. In exceptional situations, this period may be extended in accordance with the applicable legal provisions.

MARKETING COMMUNICATION

Purposes and legal bases for processing:
Sending offers and recommendations as part of providing services

Legal basis for processing: the legitimate interest of the Controller consisting in conducting its own marketing towards clients – Article 6(1)(f) GDPR;

Sending direct marketing communications via e-mail, push notifications, SMS, or telephone calls

Legal basis for processing: consent – Article 6(1)(a) GDPR;

Carrying out marketing operations

through advertising messages, competitions and price draws, sponsorship, surveys, loyalty schemes and all promotional activities.

Legal basis for processing: consent – Article 6(1)(a) GDPR;

Data from Social Network

We process your Personal data when you visit our profiles on social media (e.g. Facebook, YouTube, Instagram, Twitter, LinkedIn, Pinterest). Such data are processed solely in connection with running the profile, including for the purpose of informing users about our activity and promoting various events, services and products.

Legal basis : Legitimate interest (Article 6(1)(f) GDPR).

Which personal data do we process?

Depending on situation, we may collect the following data:

• identification data, including in particular: phone number and e-mail address;

• information on your interactions;

• information about the user and their habits (e.g., purchasing habits).

Data controller and retention period

Data controller: Mondial Relay

Retention period:

We retain your Personal data collected under the conditions of this section either until you inform us that you no longer wish to receive marketing communications, or until we are required by law to delete it. In exceptional cases, this period may be extended if legal provisions provide for the suspension or interruption of the limitation period.

More information:

We use various forms and channels of communication, i.e., we contact you via e-mail, SMS, telephone calls, and push notifications.

The content we send includes, among other things, offers and recommendations regarding our services or goods, or those of third parties, which may be of interest to you. We prepare this information using algorithms that analyse how you use our services, including by analysing your activity in mobile applications.

By subscribing to the newsletter you consent to receiving messages by e-mail (Article 6(1)(a) GDPR).

If you do not accept our marketing activities or you do not wish to use selected forms of contact with you, please contact us using the contact details provided in section 2.3 of the main body of this Privacy Policy.

We process your Personal data in order to carry out marketing activities, which may consist of:

displaying marketing content corresponding to your interests (behavioural advertising), as well as directing advertising messages to you on other websites and on social media platforms (remarketing);
displaying marketing content to you that is not tailored to your preferences (contextual advertising);
sending commercial information through various channels, including by e-mail (including in the form of a newsletter), by SMS/MMS, via push notifications or by phone, containing information about interesting offers or content concerning our products and services, companies from the Integer.pl Group and entities cooperating with those companies;
conducting satisfaction surveys, in order to get to know you better and improve our services.

We may process your Personal data for marketing of our own services, including sending information about offers, promotions and new developments concerning the provided services and activities aimed at promoting our services and brand. The activities we undertake may also consist in repeating advertising messages to persons who use the mobile application, on websites and social media platforms. We may process your Personal data, including personal data collected via cookies and other similar technologies, for marketing purposes, in connection with directing advertising to users.

On Mondial Relay website, we use cookies to make it easier for you to use our websites, e.g. to remember your settings and preferences and to simplify logging in to your account. You may give consent to the use of cookies (technically, consent to storing information on an end device and obtaining information) via the so-called cookie banner, which is displayed after opening the mobile application. More information on this can be found in our cookie policy, available here : mondialrelay.fr/vos-preferences-pour-la-gestion-des-cookies .

You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.

Combining information obtained from different sources

If you give marketing consent, we will use information collected about you that we obtained from various sources, i.e. in connection with the performance of other processes (e.g. account maintenance), and we will use it for marketing purposes, pursuing our legitimate interest (Article 6(1)(f) GDPR). Such data may be used for user profiling.

With the personal data we collect from you in the mobile application, we may combine data obtained from public sources and from third parties:

data in the form of technical information and information resulting from the manner of use, which we obtained from providers of analytical services (e.g. Google Analytics);
address and contact data related to conducting business activity, which we obtained from information providers.

PROVISION OF FREIGHT FORWARDING AND TRANSPORT SERVICES

Purposes and legal bases for processing:
Provision of freight forwarding services and transport services,
If you are a sender or a recipient:

Provision of transport and delivery services.
Information on parcel tracking.
Notifications regarding the arrival of the parcel at a Point Relais® and/or APM.

If you are a direct shipper:

Management of sales of Mondial Relay services and offers
Secure payment service for purchasing Mondial Relay services and offers on the Mondial Relay’s website
Printing and sending shipping labels via Mondial Relay’s website
Choosing and/or searching for the destination Point Relais® and/or APM based on an address or geolocation
Management of shipments, requests for collection of parcels to be delivered to Recipients, and returns to Senders, particularly in the case of unclaimed parcels
Management of unpaid bills, disputes and litigation
Management of debt collection, including through a third party ;

If you are a carrier :

performance of the transport contract,
monitoring of the collection and delivery of parcels.

Legal basis for processing:

contract – Article 6(1)(b) GDPR;with regard to the Personal Data of carriers: legitimate interest consisting in the preservation of our equipment, pursuant to Article 6(1)(f) of the GDPR.

Customer relationship management”
Listening to and recording (non-automatic) telephone conversations during calls with customer service, for the purpose of training our staff and improving our customer service;
Customer relationship management, including call centre management and responding to contact requests sent to us,
Handling customer service complaints (disputes and damage), conducting satisfaction surveys, reconciling undelivered items and items sought, referring cases to the ombudsman,
Improving service quality by evaluating a sample of customer contacts during incoming and outgoing calls,
Improving service quality by sending out surveys and polls related to parcel shipping and service delivery,
Chatbot and voicebot (conversational agent) Conversation management from Timo designed to provide information and answers to your questions.

Legal basis for processing:

legal obligation – Article 6(1)(c) of the GDPR;
consent: Article 6(1)(a) of the GDPR;
consent to the processing of special categories of personal data – Article 9(2)(a) of the GDPR;

legitimate interest, based on the improvement of our processes and the quality of our services, Article 6(1)(f) of the GDPR.

Which personal data do we process?

Depending on the contract type and the ordering channel used, we may collect the following data:

the first name and surname of the sender (including the payer) and of the recipient (addressee) of the shipment;
the sender’s address (street, house number, apartment number, postal code, city);
the recipient’s address (street, house number, apartment number, postal code, city) as well as delivery information ;
a new delivery address of the shipment, if after dispatch the sender instructs us to deliver it to a new address or we agree with the recipient, before delivery of the shipment, on a different delivery address;
the e-mail address of the sender and the recipient of the shipment, processed in order to send messages regarding performance of the service, in particular information about the current shipment delivery status, or information enabling collection of the shipment ;
the phone number of the sender and the recipient of the shipment for direct contact or to send messages regarding performance of the service, in particular contact to agree on a different place of delivery of the shipment, or information enabling collection of the shipment ;
contents of parcels in certain cases;
where services are provided to professionnals customers (B2B agreement), or for carriers companies data regarding the business activity conducted (company name, business address, contact details, VAT number, SIREN and SIRET), including data of contact persons or persons authorized to represent, and data regarding cooperation with us;
for transport companies: transport licence, list of employees located outside the EU and any other documents required by law, geolocation data of the PDAs made available to carriers,the IP address of persons using our systems; information obtained from you in the course of the complaint procedure and in the course of the claims settlement procedure (loss settlement), if you decide to provide it, including recording telephone conversations with our Customer Service department, where such recordings are made,
CCTV footage from our APMs.
Data controller and retention period

Data Controller: Mondial Relay

Retention period:

For as long as necessary to fulfil the purpose, and for the period permitted by law (which may be up to 10 years). In exceptional cases, this period may be extended in accordance with the applicable legal provisions.

More information:

In connection with processing your payments, your data will be processed by a separate controller, which is, depending on the payment method you have selected, ADYEN or PAYPAL.

If you wish to obtain further information regarding the processing of your Personal data and/or exercise your rights relating to the protection of your Personal data processed by these service providers, we invite you to contact them directly using the following links and contact details:

ADYEN:

DPO contact details: [email protected]

PAYPAL:

DPO contact details: https://www.paypal.com/us/smarthelp/contact-us/privacy or PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22–24 Boulevard Royal L‑2449, Luxembourg.”**

If you dispatch a shipment from a country other than France, your data will be processed by our local company in the dispatch country, acting as a separate controller of personal data – the list of these companies is provided in section 1.2 and is available here. Your data will also be processed by our subcontractors – the carriers companies, in compliance with our strict instructions pursuant to Article 28 of the GDPR.

HOW DO WE COLLECT YOUR PERSONAL DATA?

Mondial Relay may collect your personal data directly or indirectly, as well as passively collect certain data when you browse our Communication Channels.

Direct collection
- - 1. From our Communication Channels:

We collect data directly from you when you provide information via our Communication Channels. This is particularly the case when you create an account, when you contact us or when you fill in a form.

Some of the information requested may be mandatory (you will be informed of this at the time of collection by an asterisk or equivalent means). If you do not provide us the mandatory information, you will not be able to benefit from our services and offers.

Optional information is intended to help us get to know you better or to offer you other services and/or offers. If you do not provide the optional information, you will still be able to benefit from our services and offers, but certain personalisation options will not be available.

It is your responsibility to ensure that the data you provide us with is accurate, complete and up to date. The transmission of any inaccurate, false or incomplete data may result in the delay or non-delivery of a parcel. We invite you to inform us of any changes to your personal data that occur during our collaboration.

- - 1. From the APM CCTV system:

For the safety of goods and people, we directly collect images of Senders, Recipients and Third Parties who may enter the field of view of the APM CCTV cameras. Please note that data from CCTV will not be associated with your account data.

Indirect collection
From an external third party:

We indirectly collect Personal data about you when we receive it from an external third party (e.g. senders). This third party already processes your Personal data as a data controller in the context of your relationship with them (for example, to enable an online purchase), and then provides it to us to enable us to deliver parcels.

In this case, we are not responsible for the processing of your Personal data by third parties with whom you have an independent relationship, acting upstream. However, we are then responsible for the processing of your Personal data that we carry out on the basis of the data collected by these third parties and transmitted for the performance of the commercial service that links us to said third parties, with the aim of enabling the transport of parcels.

In the context of commercial prospecting:

We carry out commercial prospecting and may indirectly collect your Personal data in the same way, through an external third party, or through other channels (social networks, trade shows, events, webinars).

Passive collection

In addition, information relating to your use of our Communication Channels is automatically collected when you interact with their features. To do this, we use ‘cookies’ to collect information aboutyour. To find out more about our cookie policy, click here [mondialrelay.fr/vos-preferences-pour-la-gestion-des-cookies].

TO WHOM MAY YOUR PERSONAL DATA BE DISCLOSED?

We undertake to preserve the confidentiality of your Personal Data and to comply with all legal requirements relating to the sharing and disclosure of your data. As a matter of principle, only those persons and entities that need to access your data in order to enable us to achieve the purposes of the processing may do so.

The information we collect is intended for our internal departments (marketing department, IT department, customer service department, security department, etc.), which process only the data necessary for the performance of their tasks.

Your personal data may also be communicated to third parties, in France or abroad. In this respect, we invite you to refer to Section 6 of the main body of this Privacy Policy.

These partners will have access to your information only to the extent strictly necessary for the performance of their tasks and undertake not to use it for any purpose other than that which we have determined.

Appendix A3 – Services provided in Italy

MOBILE APPLICATION (INPOST MOBILE)

InPost Mobile– This is our mobile application, which you can use after creating an InPost Account.

Purposes and legal bases for processing:

analysis of user activity in InPost Mobile for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with the rules

reviewing and handling complaints

legal basis for processing: legal obligation or the legitimate interest of the controller consisting in handling complaints – Article 6(1)(c) or Article 6(1)(f) GDPR;

pursuing claims and defence against claims

legal basis for processing: the legitimate interest of the controller consisting in pursuing, establishing, or defending against claims – Article 6(1)(f) GDPR;

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address, home address, delivery address, Tax Identification Number;

• marketing data, including data on the way the User uses InPost Mobile devices or an Internet browser, IP address, cookies;

• location data

More information:

Controller:

Locker InPost Italia S.r.l.

Retention period:

The time required to properly fulfill the above purposes is as follows:

1. Up to a maximum of 2 years for the purpose of analysis of user activity in InPost Mobile for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with the rules.

2. 10 years, subject to opposition and the time necessary for legal defense, for the purpose of reviewing and handling complaints.

3. 10 years, subject to opposition and the time necessary for legal defense, for the purpose of pursuing claims and defending against claims.

II. MARKETING COMMUNICATION

Purposes and legal bases for processing:

1. sending offers and recommendations as part of providing services

legal basis for processing: consent – Article 6(1)(a) GDPR

2. sending direct marketing communications via e-mail, push notifications, SMS, or telephone calls

legal basis for processing: consent – Article 6(1)(a) GDPR;

What personal data do we process?

• identification data, including in particular: phone number and e-mail address;

• information on user interactions;

• information about the user and their habits (e.g., purchasing habits).

More information:

We use various forms and channels of communication, i.e., we contact you via e-mail, MMS / SMS, telephone calls, and push notifications. The content we send includes, among other things, offers and recommendations regarding our services or goods, or those of third parties, which may be of interest to you. We prepare this information using algorithms that analyse how you use our services, including by analysing your activity in mobile applications.

By subscribing to the newsletter you consent to receiving messages by e-mail (Article 6(1)(a) GDPR).

If you do not accept our marketing activities or you do not wish to use selected forms of contact with you, please contact us (contact details can be found in Part I, section 2 above (“Who processes your data”, point 2.3).

Controller:

Locker InPost Italia S.r.l.

Retention period:

The time necessary for proper fulfilment of the purpose is up to 24 months.

Additional information

We process your personal data in order to carry out marketing activities, which may consist of:

displaying marketing content corresponding to your interests (behavioural advertising), as well as directing advertising messages to you on other websites and on social media platforms (remarketing);
displaying marketing content to you that is not tailored to your preferences (contextual advertising);
sending commercial information through various channels, including by e-mail (including in the form of a newsletter), by SMS/MMS, via push notifications or by phone, containing information about interesting offers or content concerning our products and services, companies from the Integer.pl Group and entities cooperating with those companies.

With regard to the activities referred to in point a) above, we act on the basis of our legitimate interest (Article 6(1)(f) GDPR), consisting in conducting personalised advertising campaigns, and, to the extent required by law – on the basis of your consent.
With regard to the activities referred to in point b) above, we act on the basis of our legitimate interest (Article 6(1)(f) GDPR) consisting in increasing the scale of marketing campaigns conducted.
With regard to the activities referred to in point c) above, we act on the basis of your consent to send marketing content to your e-mail address, phone number or via push messages (if such functionality is provided). You may give consent by ticking the relevant checkbox under the form available on the website or in the account settings. You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.
We may use the data obtained from you to create your profile (user profile). This means that, thanks to automated data processing, we will be able to predict or assess various aspects related to you, e.g. your age, gender, interests, economic situation, location. This allows us to better match the displayed or communicated content to your preferences and interests, which will enable you to take advantage of better offers and save your time. Processing of personal data is carried out in connection with the performance of our legitimate interest (Article 6(1)(f) GDPR), consisting in directing marketing communications to persons interested in our services and conducting personalised marketing campaigns. Our trusted partners are also involved in the process of displaying personalised advertising to you.
We may process your personal data for marketing of our own services, including sending information about offers, promotions and new developments concerning the provided services and activities aimed at promoting our services and brand. The activities we undertake may also consist in repeating advertising messages to persons who use the mobile application, on websites and social media platforms. The processing of personal data then includes user profiling.
We may process users’ personal data, including personal data collected via cookies and other similar technologies, for marketing purposes, in connection with directing advertising to users.
On our websites we use cookies to make it easier for you to use our websites, e.g. to remember your settings and preferences and to simplify logging in to your account. For this purpose we use cookies. You may give consent to the use of cookies (technically, consent to storing information on an end device and obtaining information) via the so-called cookie banner, which is displayed after opening the mobile application. More information on this can be found in the cookie policy. You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.
We process your personal data when you visit our profiles on social media (e.g. Facebook, YouTube, Instagram, Twitter, LinkedIn, Pinterest). Such data are processed solely in connection with running the profile, including for the purpose of informing users about our activity and promoting various events, services and products. The legal basis for processing personal data is our legitimate interest (Article 6(1)(f) GDPR), consisting in promoting our own brand.

Combining information obtained from different sources

If you give marketing consent, we will use information collected about you that we obtained from various sources, i.e. in connection with the performance of other processes (e.g. account maintenance), and we will use it for marketing purposes, pursuing our legitimate interest (Article 6(1)(f) GDPR). Such data may be used for user profiling.
With the personal data we collect from you in the mobile application, we may combine data obtained from public sources and from third parties:

data in the form of technical information and information resulting from the manner of use, which we obtained from providers of analytical services (e.g. Google Analytics);
address and contact data related to conducting business activity, which we obtained from information providers.

In the situation described in point 4.3.1 above, the purpose of processing is: (1) fulfilling a legal obligation incumbent on the controller (Article 6(1)(c) GDPR), consisting in fulfilling legal obligations in connection with the conclusion, performance and settlement of the agreement, including proper identification of persons authorised to represent and incur obligations on the contractor’s side at the time of signing the agreement, deliveries, issuing a VAT invoice or receipt, pursuing and defence of claims, as well as related to the obligation to keep accounting books and tax settlements; (2) the controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in conducting activities aimed at concluding and performing the agreement, conducting correspondence and exchanging e-mails, contact related to the implementation and performance of contractual provisions.

CHAT SERVICE

Purposes and legal basis for processing:

Provision of services by electronic means by enabling Users to access a chat service allowing them to communicate with InPost in matters related to the use of services.

Legal basis for processing: necessity for the performance of a contract – Article 6(1)(b) of the GDPR.

What personal data do we process?

data provided in the content of messages sent via the chat,
information necessary to handle the inquiry or request submitted by the User,
technical data related to the use of the service (e.g. IP address, date and time of the connection).

Additional information

The chat service is a communication channel enabling contact with InPost for the purpose of obtaining information, support or clarification regarding services.
Providing personal data via the chat is voluntary; however, it may be necessary in order to respond to the inquiry or properly handle the request.
Users are kindly requested not to provide special categories of personal data via the chat, unless this is necessary due to the nature of the matter.
Personal data provided via the chat is used exclusively for the purpose of handling the User’s inquiry and ensuring the proper functioning of the service.

Controller

Locker InPost Italia S.r.l.

Retention period

Personal data is processed for a period no longer than 2 years from the date of the interaction, unless a longer period is required for ongoing legal proceedings.

Appendix A4 – Services provided in Spain

MOBILE APPLICATION (INPOST MOBILE)

InPost Mobile– This is our mobile application, which you can use after creating an InPost Account.

Purposes and legal bases for processing:

analysis of user activity in InPost Mobile for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with the rules

own marketing

reviewing and handling complaints

legal basis for processing: legal obligation or the legitimate interest of the controller consisting in handling complaints – Article 6(1)(c) or Article 6(1)(f) GDPR;

pursuing claims and defence against claims

legal basis for processing: the legitimate interest of the controller consisting in pursuing, establishing, or defending against claims – Article 6(1)(f) GDPR;

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address, home address, delivery address, Tax Identification Number;

• device identifiers and other online identifiers;

• location data

Controllers:

INPOST SPAIN S.L.U., MONDIAL RELAY SASU SUCURSAL EN ESPAÑA and SENDING TRANSPORTE Y COMUNICACION S.A.U.

Retention period:

The time necessary for proper fulfilment of the purpose, and thereafter – no longer than the limitation period for claims, which as a rule is up to 6 years. For any avoidance of doubt, after that period the data will be blocked for the legally established time for each case in accordance with current regulations and the LOPDGDD and therefore this period may be extended if provisions of law provide for suspension or interruption of the running of the limitation period.

MARKETING COMMUNICATION

Purposes and legal bases for processing:

1. sending offers and recommendations as part of providing services

legal basis for processing: the legitimate interest of the Controller consisting in conducting its own marketing towards clients – Article 6(1)(f) GDPR;

2. sending direct marketing communications via e-mail, push notifications, SMS, or telephone calls

legal basis for processing: consent – Article 6(1)(a) GDPR;

What personal data do we process?

• identification data, including in particular: phone number and e-mail address;

• information on user interactions;

• information about the user and their habits (e.g., purchasing habits).

More information:

By subscribing to the newsletter you consent to receiving messages by e-mail (Article 6(1)(a) GDPR).

Controller:

INPOST SPAIN S.L.U., MONDIAL RELAY SASU SUCURSAL EN ESPAÑA and SENDING TRANSPORTE Y COMUNICACION S.A.U.

Retention period:

Additional information

We process your personal data in order to carry out marketing activities, which may consist of:

displaying marketing content corresponding to your interests (behavioural advertising), as well as directing advertising messages to you on other websites and on social media platforms (remarketing);
displaying marketing content to you that is not tailored to your preferences (contextual advertising);
sending commercial information through various channels, including by e-mail (including in the form of a newsletter), by SMS/MMS, via push notifications or by phone, containing information about interesting offers or content concerning our products and services, companies from the Integer.pl Group and entities cooperating with those companies.

With regard to the activities referred to in point a) above, we act on the basis of our legitimate interest (Article 6(1)(f) GDPR), consisting in conducting personalised advertising campaigns, and, to the extent required by law – on the basis of your consent.
With regard to the activities referred to in point b) above, we act on the basis of our legitimate interest (Article 6(1)(f) GDPR) consisting in increasing the scale of marketing campaigns conducted.
With regard to the activities referred to in point c) above, we act on the basis of your consent to send marketing content to your e-mail address, phone number or via push messages (if such functionality is provided). You may give consent by ticking the relevant checkbox under the form available on the website or in the account settings. You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.
We may use the data obtained from you to create your profile (user profile). This means that, thanks to automated data processing, we will be able to predict or assess various aspects related to you, e.g. your age, gender, interests, economic situation, location. This allows us to better match the displayed or communicated content to your preferences and interests, which will enable you to take advantage of better offers and save your time. Processing of personal data is carried out in connection with the performance of our legitimate interest (Article 6(1)(f) GDPR), consisting in directing marketing communications to persons interested in our services and conducting personalised marketing campaigns. Our trusted partners are also involved in the process of displaying personalised advertising to you.
We may process your personal data for marketing of our own services, including sending information about offers, promotions and new developments concerning the provided services and activities aimed at promoting our services and brand. The activities we undertake may also consist in repeating advertising messages to persons who use the mobile application, on websites and social media platforms. The processing of personal data then includes user profiling.
We may process users’ personal data, including personal data collected via cookies and other similar technologies, for marketing purposes, in connection with directing advertising to users.
On our websites we use cookies to make it easier for you to use our websites, e.g. to remember your settings and preferences and to simplify logging in to your account. For this purpose we use cookies. You may give consent to the use of cookies (technically, consent to storing information on an end device and obtaining information) via the so-called cookie banner, which is displayed after opening the mobile application. More information on this can be found in the cookie policy. You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.
We process your personal data when you visit our profiles on social media (e.g. Facebook, YouTube, Instagram, Twitter, LinkedIn, Pinterest). Such data are processed solely in connection with running the profile, including for the purpose of informing users about our activity and promoting various events, services and products. The legal basis for processing personal data is our legitimate interest (Article 6(1)(f) GDPR), consisting in promoting our own brand.

Combining information obtained from different sources

If you give marketing consent, we will use information collected about you that we obtained from various sources, i.e. in connection with the performance of other processes (e.g. account maintenance), and we will use it for marketing purposes, pursuing our legitimate interest (Article 6(1)(f) GDPR). Such data may be used for user profiling.
With the personal data we collect from you in the mobile application, we may combine data obtained from public sources and from third parties:

data in the form of technical information and information resulting from the manner of use, which we obtained from providers of analytical services (e.g. Google Analytics);
address and contact data related to conducting business activity, which we obtained from information providers, such as business intelligence agencies and entities building databases of potential contractors, and from publicly available registers (e.g. CEIDG).

In the situation described in point 4.3.1 above, the purpose of processing is: (1) fulfilling a legal obligation incumbent on the controller (Article 6(1)(c) GDPR), consisting in fulfilling legal obligations in connection with the conclusion, performance and settlement of the agreement, including proper identification of persons authorised to represent and incur obligations on the contractor’s side at the time of signing the agreement, deliveries, issuing a VAT invoice or receipt, pursuing and defence of claims, as well as related to the obligation to keep accounting books and tax settlements; (2) the controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in conducting activities aimed at concluding and performing the agreement, conducting correspondence and exchanging e-mails, contact related to the implementation and performance of contractual provisions.

Appendix A5 – Services provided in Portugal

MOBILE APPLICATION (INPOST MOBILE)

InPost Mobile– This is our mobile application, which you can use after creating an InPost Account.

Purposes and legal bases for processing:

analysis of user activity in InPost Mobile for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with the rules

own marketing

reviewing and handling complaints

legal basis for processing: legal obligation or the legitimate interest of the controller consisting in handling complaints – Article 6(1)(c) or Article 6(1)(f) GDPR;

pursuing claims and defence against claims

legal basis for processing: the legitimate interest of the controller consisting in pursuing, establishing, or defending against claims – Article 6(1)(f) GDPR;

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address, home address, delivery address, Tax Identification Number;

• device identifiers and other online identifiers;

• location data

Controller:

MONDIAL RELAY SUCURSAL EM PORTUGALRetention period:

The time necessary for proper fulfilment of the purpose, and thereafter – no longer than the limitation period for claims, which as a rule is up to 6 years. In exceptional situations, this period may be extended if provisions of law provide for suspension or interruption of the running of the limitation period.

MARKETING COMMUNICATION

Purposes and legal bases for processing:

1. sending offers and recommendations as part of providing services

legal basis for processing: the legitimate interest of the Controller consisting in conducting its own marketing towards clients – Article 6(1)(f) GDPR;

2. sending direct marketing communications via e-mail, push notifications, SMS, or telephone calls

legal basis for processing: consent – Article 6(1)(a) GDPR;

What personal data do we process?

• identification data, including in particular: phone number and e-mail address;

• information on user interactions;

• information about the user and their habits (e.g., purchasing habits).

More information:

By subscribing to the newsletter you consent to receiving messages by e-mail (Article 6(1)(a) GDPR).

Controller:

MONDIAL RELAY SUCURSAL EM PORTUGAL

Retention period:

The time necessary for proper fulfilment of the purpose, and thereafter – no longer than the limitation period for claims, which as a rule is up to 6 years. In exceptional situations, this period may be extended if provisions of law provide for suspension or interruption of the running of the limitation period.

Additional information

We process your personal data in order to carry out marketing activities, which may consist of:

displaying marketing content corresponding to your interests (behavioural advertising), as well as directing advertising messages to you on other websites and on social media platforms (remarketing);
displaying marketing content to you that is not tailored to your preferences (contextual advertising);
sending commercial information through various channels, including by e-mail (including in the form of a newsletter), by SMS/MMS, via push notifications or by phone, containing information about interesting offers or content concerning our products and services, companies from the Integer.pl Group and entities cooperating with those companies.

With regard to the activities referred to in point a) above, we act on the basis of our legitimate interest (Article 6(1)(f) GDPR), consisting in conducting personalised advertising campaigns, and, to the extent required by law – on the basis of your consent.
With regard to the activities referred to in point b) above, we act on the basis of our legitimate interest (Article 6(1)(f) GDPR) consisting in increasing the scale of marketing campaigns conducted.
With regard to the activities referred to in point c) above, we act on the basis of your consent to send marketing content to your e-mail address, phone number or via push messages (if such functionality is provided). You may give consent by ticking the relevant checkbox under the form available on the website or in the account settings. You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.
We may use the data obtained from you to create your profile (user profile). This means that, thanks to automated data processing, we will be able to predict or assess various aspects related to you, e.g. your age, gender, interests, economic situation, location. This allows us to better match the displayed or communicated content to your preferences and interests, which will enable you to take advantage of better offers and save your time. Processing of personal data is carried out in connection with the performance of our legitimate interest (Article 6(1)(f) GDPR), consisting in directing marketing communications to persons interested in our services and conducting personalised marketing campaigns. Our trusted partners are also involved in the process of displaying personalised advertising to you.
We may process your personal data for marketing of our own services, including sending information about offers, promotions and new developments concerning the provided services and activities aimed at promoting our services and brand. The activities we undertake may also consist in repeating advertising messages to persons who use the mobile application, on websites and social media platforms. The processing of personal data then includes user profiling.
We may process users’ personal data, including personal data collected via cookies and other similar technologies, for marketing purposes, in connection with directing advertising to users.
On our websites we use cookies to make it easier for you to use our websites, e.g. to remember your settings and preferences and to simplify logging in to your account. For this purpose we use cookies. You may give consent to the use of cookies (technically, consent to storing information on an end device and obtaining information) via the so-called cookie banner, which is displayed after opening the mobile application. More information on this can be found in the cookie policy. You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.
We process your personal data when you visit our profiles on social media (e.g. Facebook, YouTube, Instagram, Twitter, LinkedIn, Pinterest). Such data are processed solely in connection with running the profile, including for the purpose of informing users about our activity and promoting various events, services and products. The legal basis for processing personal data is our legitimate interest (Article 6(1)(f) GDPR), consisting in promoting our own brand.

Combining information obtained from different sources

If you give marketing consent, we will use information collected about you that we obtained from various sources, i.e. in connection with the performance of other processes (e.g. account maintenance), and we will use it for marketing purposes, pursuing our legitimate interest (Article 6(1)(f) GDPR). Such data may be used for user profiling.
With the personal data we collect from you in the mobile application, we may combine data obtained from public sources and from third parties:

data in the form of technical information and information resulting from the manner of use, which we obtained from providers of analytical services (e.g. Google Analytics);
address and contact data related to conducting business activity, which we obtained from information providers.

In the situation described in point 4.3.1 above, the purpose of processing is: (1) fulfilling a legal obligation incumbent on the controller (Article 6(1)(c) GDPR), consisting in fulfilling legal obligations in connection with the conclusion, performance and settlement of the agreement, including proper identification of persons authorised to represent and incur obligations on the contractor’s side at the time of signing the agreement, deliveries, issuing a VAT invoice or receipt, pursuing and defence of claims, as well as related to the obligation to keep accounting books and tax settlements; (2) the controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in conducting activities aimed at concluding and performing the agreement, conducting correspondence and exchanging e-mails, contact related to the implementation and performance of contractual provisions.

Appendix A6 – Services provided in United Kingdom

MOBILE APPLICATION (INPOST UK)

InPost UK – This is our mobile application, which you can use after creating an InPost Account.

Purposes and legal bases for processing:

analysis of user activity in our mobile application for purposes other than advertising, including for analytical and statistical purposes and to detect and resolve cases of non-compliance with our General Terms and Conditions of InPost Account Services ..

legal basis for processing: legitimate interest of the controller consisting in conducting analyses of users' activity and using the results of such analysis to improve the quality of services provided, and for analytical and statistical purposes - Article 6(1)(f) UK GDPR

What personal data do we process?
For statistical analysis, service monitoring and improvement, we analyse information about how Users’ access and interact with our mobile app. This may include account identifiers (e.g. User ID, which is a random string or numbers and letters), device and technical information, app usage and interaction data and system log or event data. We may also monitor crash logs or error requests. Wherever possible, analysis is carried out using aggregated or statistical-level data, and identifiable information is removed, anonymised or aggregated.

reviewing, handling and resolving complaints

Legal basis for processing: (1) performance of a contract, where we have a direct contractual relationship with you; (2) our legitimate interests, where no direct contract exists between us; or (3) legal obligation, in cases where complaints relate to regulatory matters – Article 6(1)(b), Article 6(1)(f), or Article 6(1)(c) UK GDPR, respectively.

3. establishing, exercising or defending legal claims

legal basis for processing: the legitimate interest of the controller consisting in pursuing, establishing, or defending against claims – Article 6(1)(f) UK GDPR;

What personal data do we process?

• identification data, including in particular: first name, last name, phone number, e-mail address, home address, delivery address, delivery information, parcel barcode/identifiers and any other personal data you choose to provide to us when making a complaint, raising a concern, or pursuing a claim (including special category data, where relevant), as well as any additional personal data we reasonably need to investigate, respond to, or pursue or defend against a legal claim;

Retention period:

Personal data processed for the purpose of handling complaints and establishing, exercising or defending claims is retained for the time necessary to properly fulfil those purposes, and thereafter no longer than the applicable limitation period for claims, which as a rule is up to 6 years. In exceptional situations, this period may be extended if provisions of law provide for suspension or interruption of the running of the limitation period.

4. To determine your location within the app

legal basis for processing

consent – Article 6(1)(a) UK GDPR;

Your location data allows our App to find and display InPost stores and Parcel Locker machines located in your neighborhood. Please note, we will only determine your location if you allow this, and to the extent that you allow (e.g. ‘whilst using the app’ or on a one-off basis). You can stop allowing our app to determine your location at any time by updating your location permissions in your device settings.

What personal data do we process?

Location data: GPS, Wi-Fi access points and mobile network cellular towers

Controller:

InPost UK

Retention period:

Location data is used only in real time to identify nearby InPost lockers and stores while you are using the app. We do not retain this information beyond real-time usage.

Deploying and use of cookies

Cookies are small text files stored on your device that help a website recognise your browser and remember certain information. We use cookies that are strictly necessary for the operation and security of our website, such as those that enable you to log in, maintain your session, protect your account, and ensure the website functions as expected. We may also use analytical, marketing/advertising and performance cookies and other tracking technologies to help us understand how our website is used, to improve our services, and to assist our advertising efforts. These are non-essential, optional cookies. For more information, please visit our Cookie Policy.

Legal basis for processing:

Strictly necessary cookies: Legitimate interest of the controller in operating a secure and effective mobile application and website – Article 6(1)(f) UK GDPR

Non-essential (optional cookies): Consent – Article 6(1)(a) UK GDPR. You can freely reject the use of non-essential cookies, and where you have previously accepted non-essential cookies and wish to withdraw consent, you can manage your cookie preferences in the cookie banner or ‘cookie settings’ section of our website. You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.

What personal data do we process?

Depending on the nature of the cookies deployed, this can include: Device data (such as device type, browser type, operating system, IP address); app or website usage data (e.g. pages or screens viewed, features used); session data (session length, duration, frequency); crash or error data (error codes, performance metrics, diagnostics); security data (e.g. login attempts, unusual usage patterns) and unique identifiers (such as UUID, app instance ID, device ID). Marketing technologies may also gather data about how you arrived at our site or app, your interactions with content and inferred interests.

Controller:

InPost UK

Retention period:

Until the cookie’s individual lifespan expires, as described in our Cookie Policy, or for as long as they are required to provide the service you have requested. We retain non‑essential analytics or tracking technologies until you withdraw your consent (where applicable), where this occurs before the cookie’s normal expiry period.

Deploying notifications in mobile app linked to service delivery

Legal basis for processing

We process this data on the basis of performance of a contract (Article 6(1)(b) UK GDPR), where we have a direct contractual relationship with you and the notifications are necessary to provide delivery updates or related services. Where no direct contract exists, we rely on our legitimate interests (Article 6(1)(f) UK GDPR) in ensuring that delivery updates and essential service‑related information are provided reliably and effectively.

What personal data do we process?

We use your contact details (such as name, email address or phone number), device identifiers (such as a device token or app instance ID), and delivery‑related information needed to send the notification (such as parcel ID and delivery status).

Controller:

InPost UK

Retention period

We retain notification data only for as long as necessary to deliver the notification and support your app account.

Operating webchat in mobile app

Legal basis for processing

We process personal data through webchat on the basis of performance of a contract (Article 6(1)(b) UK GDPR) where you have a direct contractual relationship with us and the chat is necessary to provide support. Where no direct contract exists, we rely on our legitimate interests (Article 6(1)(f) UK GDPR) in offering customer service and resolving queries.

What personal data do we process?

When you use the webchat feature in our app, we process the personal data needed to respond to your enquiry, which may include your pick‑up code, email address, parcel tracking number, name, sender or recipient details, and any information you type into the chat about the nature of your query.

Retention period

We retain webchat transcripts and related technical logs only for as long as necessary to handle your enquiry and for internal quality, training or audit purposes, typically up to 24 months. If a chat relates to an incident, complaint or other matter that requires further investigation, we may retain it in line with our standard retention periods for those processes, which are typically up to 6 years.

Engaging with users on our social media platforms

We process your personal data when you visit our profiles on social media (e.g. Facebook, Instagram, X, LinkedIn, TikTok). Such data are processed in connection with running the profile, engaging with comments and interactions from you, and for the purpose of informing users about our activity and promoting various events, services and products. We may also engage with you on social media platforms (e.g. X) where you choose to contact our social media-based customer service team publicly or via direct message.

Legal basis for processing

Our legitimate interest (Article 6(1)(f) GDPR) in promoting our own brand and responding to customer interactions, engagement and queries.

What personal data do we process

Your username on social media platforms (which may contain your name), the nature and content of your interaction, your reactions to our content (e.g. like, repost)

Retention period

We will retain copies of any interaction you have with our social media for the time necessary to properly fulfil those purposes, and thereafter no longer than the applicable limitation period for claims, which as a rule is up to 6 years.

Interactions with us on our social media platforms will be retained for the duration the post is published on our social media page, or until you remove/undo this interaction.

MARKETING COMMUNICATION

Purposes and legal bases for processing:

1. Displaying generic, non-targeted offers and promotions in the InPost mobile app and website (contextual advertising).

legal basis for processing: the legitimate interest of the Controller in promoting its services to existing userbase by displaying non-targeted, non-specific marketing content within the InPost mobile application and on the InPost website (Article 6(1)(f) UK GDPR).

2. Sending direct marketing communications via e-mail, push notifications, and/or SMS.

legal basis for processing: consent – Article 6(1)(a) UK GDPR;

What personal data do we process?

• identification data, including in particular: phone number and e-mail address;

• Marketing preferences, including time and date of consent given.

Direct Marketing - additional information:

For direct marketing, InPost uses various forms and channels of communication, such as e-mail, SMS and push notifications. The content we send includes, among other things, offers, promotions and recommendations regarding InPost’s goods, services or initiatives (including joint initiatives with our carefully selected partners and retailers) which may be of interest to you.

By subscribing to the InPost UK newsletter, you consent to receiving messages by e-mail (Article 6(1)(a) GDPR).

Where we rely on your consent for our marketing activities, providing such consent is entirely voluntary and you may withdraw it at any time. You can manage and change your marketing consents easily within the InPost UK mobile application settings, or by contacting InPost UK at [email protected]. Where you receive direct marketing via email or SMS, you can unsubscribe from marketing communications by clicking on the ‘unsubscribe’ link contained within that correspondence. Where you withdraw consent, withdrawal does not affect the validity of actions taken before its withdrawal.

Controller:

InPost UK

Retention period:

We retain marketing‑related data until you withdraw your consent or opt out of marketing communications (whichever occurs first). Where data has been aggregated or anonymised so that it no longer identifies you, we may retain it for longer for reporting and trend analysis. Where you do not consent or withdraw prior consent (“opt out”) of marketing communications, we will retain a record of your marketing permissions to ensure that you do not receive direct marketing from us in the future, unless or until you consent again.

3. Profiling for Marketing

Legal basis for processing

We process data for profiling on the basis of our legitimate interests in understanding how our services are used and improving user experience (Article 6(1)(f) UK GDPR).

What personal data do we process?

We may use the data obtained from you to create a “profile” for you for marketing purposes. This means analysing information about how you use our services – such as the frequency of your app or locker use, your preferred locker location, parcel history, the locations where you typically collect or send parcels, and whether you have received or sent a parcel within the last 12 months - to understand your preferences, interests, or behaviour. This helps us tailor and improve our communications to make our marketing more relevant to you. This profiling does not involve making decisions that have a significant effect on you, and we do not send direct marketing unless we have your valid consent.

Retention period

We do not retain profiling information separately. Profiling is carried out using personal data we already hold for other purposes, and that data is retained in line with the relevant retention periods for those purposes. No additional data is stored specifically for profiling, and profiling outputs are not kept longer than the underlying data on which they are based.

4. Advertising on Social Media Platforms (retargeting)

Legal basis for processing

We process data for advertising on social media platforms (e.g. Facebook, Instagram, TikTok) on the basis of our legitimate interests in promoting our services (Article 6(1)(f) UK GDPR).

What personal data do we process

For this activity, we only process high‑level information such as the audience parameters we set for an advertising campaign (for example, general location, interests or age ranges) and aggregated, statistical-level performance data supplied by the platform. We do not share your personal data with social media platforms for targeting purposes; they use the information they already hold about their users to determine who sees our adverts. You can adjust your advertising and personalisation settings in your social media accounts at any time.

Retention period

We retain advertising audience parameters and campaign performance data only for as long as necessary to plan, review and optimise our marketing activity, which is usually the duration of the specific advertising campaign.

PROVISION OF POSTAL AND TRANSPORT SERVICES, INCLUDING COURIER SERVICES AND SERVICES PROVIDED VIA AUTOMATED PARCEL MACHINES (APMs)

Purposes and legal bases for processing:

- - 1. provision of postal services and transport services, including courier services and services provided via Automated Parcel Machine (APM)

legal basis for processing: contract – Article 6(1)(b) GDPR;

- - 1. What personal data do we process?
Parcel ID/Barcode;
Actions taken whilst visiting APM (e.g. opening compartment, storing parcel, completing on-screen journey);
CCTV footage (e.g. footage obtained from APM CCTV, where deployed)
the first name and surname of the sender (including the payer) and of the recipient (addressee) of the shipment;
the sender’s address (street, house number, apartment number, postal code, city);
the recipient’s address (street, house number, apartment number, postal code, city);
Location of sender and recipient’s chosen Automated Parcel Machine;
the e-mail address of the sender and the recipient of the shipment, processed in order to send messages regarding performance of the service, in particular information about the current shipment delivery status, or information enabling collection of the shipment from the relevant locker;
the phone number of the sender and the recipient of the shipment for direct contact or to send messages regarding performance of the service, in particular contact to agree on a different place of delivery of the shipment, or information enabling collection of the shipment from the relevant locker;
the IP address of persons using our systems.

Processing “Send a Parcel” orders made in mobile application

Legal basis for processing

Performance of a contract (Article 6(1)(b) UK GDPR)

What personal data do we process?

Parcel contents and item value (as declared by sender);
Full name, mobile number, email address, postcode and preferred locker location of recipient;
Full name, mobile number, email address, home address, return address of sender;
Confirmation of terms and conditions acceptance;
Payment method: e.g. Apple Pay or payment card details. Please note that payment card details are processed by our third-party payments processor, Stripe, who acts as an independent controller of your payment card data. Please note that your payment card details are not visible to InPost when making payments in the app.

Retention period

We do not store your payment card details when you make purchases in our app. We will retain a history of parcel deliveries, including the personal data of the sender and recipient as listed above, for a period of up to 6 years.

If you dispatch a shipment from UK to a country other than UK, your data will be processed by our partner – the courier company – in the destination country, acting as a separate controller of personal data – the list of these entities is available here.

If you dispatch a shipment from a country other than UK, your data will be processed by our local company in the dispatch country, acting as a separate controller of personal data – the list of these companies is provided in section 1.2 and is available here. Your data will also be processed by our partner – the courier company – in the destination country, which also acts as a separate controller of personal data – the list of these entities is available here.

Controller:

InPost UK

Retention period:

The time necessary to properly fulfil the purpose, and after that period – no longer than for the limitation period for claims, which as a rule is up to 6 years. In exceptional cases this period may be extended if provisions of law provide for suspension or interruption of the limitation period.

Appendix A7 – Services provided in Belgium

The categories of persons concerned by this section are as follows:

"Recipient":

Anyone receiving a parcel whose delivery has been entrusted to Mondial Relay.

"Shipper":

Any direct customer using the services and offers offered by Mondial Relay on the Belgian Website (" Direct Sender ");
Anyone sending a parcel via a direct Mondial Relay customer (in particular via the Vinted, Leboncoin, etc. platforms).

« Prospect » :

Any professional contacted by Mondial Relay in the context of its commercial activity.

"Visitor":

Any person visiting and using the Belgian Website.

"Third Parties":

Anyone likely to be filmed by the video surveillance system installed on our APMs.

Terms not defined in this Appendix refer to the definitions in Section 4 of the Privacy Policy.

BELGIAN WEBSITE

Belgian website

Refers to the mondialrelay.be site.

Purposes and legal bases of the processing
Analysis and operation

Compilation of statistics and analysis of the Belgian Website to assess the security and stability of the system.
Adaptation of the Belgian Website and/or our social networks in order to ensure an appropriate display as well as a smooth and secure navigation.
Conversation management from Timo, a chatbot using artificial intelligence to provide information and answers to asked questions.
Management of requests relating to the exercise of your rights.
Compliance with legal and regulatory obligations, including reports required by law or any request from a judicial authority.

Legal basis:

Legitimate interest of the Controller (Article 6(1)(f) GDPR)
Consent for location data and push notifications. Article 6(1)(a) GDPR
Legal obligation: Article 6(1) (c) of the GDPR.

Own Marketing

Purposes and legal bases:

Development of marketing statistics and analyses to understand the use of communication channels and improve the customer experience.
We contact potential customers through various channels (phone, email, social media, webinars, trade shows, etc.)

Legal basis:

legitimate interest: Article 6(1)(f) of the GDPR,
or consent: Article 6(1) (a) of the GDPR.

Handling Complaints and Disputes

Legal basis:

legal obligation: Article 6(1) (c) GDPR
or legitimate interest in Article 6(1)(f) of the GDPR),
contract where applicable, Article 6(1) (b) GDPR.

Processing your applications if you want to work with us

You may use the Belgian Website to apply, in order to collaborate with us, and in particular:

To become a Relay® Point,
To host an APM,
To become one of our carriers,
To become one of our employees.

Legal basis: legitimate interest, consisting of developing our network and business: Article 6(1)(f) of the GDPR.

What personal data do we process?

Depending on your situation, we may collect the following personal data:

Identification data :
- If you are an individual : title, first name, last name, telephone number, email, home address, delivery address, application data if applicable.
- If you are a professional : in addition to the Personal Data we collect for individuals, we may collect the following Personal Data: name and sector of activity of your company, its geographical area of activity, your function, postal address of your company, fax number, VAT number, SIREN/SIRET, link to your company's website.
Connection data relating to your use of the Belgian Website: we collect browsing data that may identify your preferred device (computer, phone, tablet). In this case, we may collect the IP address of your device, the type of browser and operating system used, the identity of your Internet service provider, the agent ID, the external identifier, the number of pages viewed, the time spent on each page, etc. This data is used, on the one hand, to ensure the proper functioning of the Belgian Website, in particular its performance and security, and on the other hand, to analyse their traffic, within the limits and conditions set out in this Privacy Policy.
Location data : geographical search area for Points Relais® or APMs, geolocation.

Controller and storage period

Data controller

Mondial Relay

Retention period

Duration necessary for the purpose, and for the legally permitted period (up to 10 years). In exceptional cases, this period may be extended under the legally applicable conditions.

COMMERCIAL COMMUNICATIONS

1. Purposes and legal bases of processing
  1. Sending commercial offers and recommendations

Legal basis: legitimate interest of the controller to carry out its own marketing actions to its customers – Article 6(1)(f) of the GDPR;

- 1. Sending direct marketing communications via email, SMS or phone calls

Legal basis: consent – Article 6(1)(a) GDPR.

- 1. Implementation of marketing operations

through advertising messages, competitions, prize draws, sponsorships, surveys, loyalty programs and any promotional activities.

Legal basis: consent – Article 6(1)(a) GDPR.

- 1. Social media data

We may also process your Personal Data when you visit our social media profiles (e.g. Facebook, YouTube, Instagram, Twitter, LinkedIn, Pinterest). This data is processed solely for the purpose of managing the profile, in particular for the purpose of informing you about our activity and promoting various events, services and products.

Legal basis: legitimate interest (Article 6(1)(f) of the GDPR).

1. What personal data do we process?

Depending on your situation, we may process the following personal data:

Identification data: telephone, email address.
Information about your user interactions.
Information about your habits (e.g. buying habits).
1. Controller of storage period

Data controller : Mondial Relay

Retention period:

We retain your personal data collected under this section either until you tell us that you no longer wish to receive marketing communications or until we are required by law to erase it. In exceptional cases, this period may be extended if legal provisions provide for the suspension or interruption of the limitation period.

1. Additional information

We use a variety of communication methods and channels to contact you, including emails, text messages, and phone calls.

The content we send you includes, among other things, offers and recommendations about our services or products, or those of third parties, that may be of interest to you. We process this information using algorithms that analyze how you use our services.

By subscribing to our newsletter, you consent to receive messages by e-mail (Article 6(1)(a) of the GDPR).

If you do not agree with our marketing activities or if you do not want us to use certain means of communication with you, please contact us using the contact details mentioned in paragraph 2.3 of the body of this Privacy Policy.

We process your Personal Data in order to carry out marketing activities, which may consist of:

1. Displaying marketing content that is relevant to your interests (behavioural advertising) and sending advertising messages to you on other websites and social media platforms (remarketing);
2. Displaying marketing content that is not tailored to your preferences (contextual advertising);
3. sending commercial information through various channels, including email (including in the form of a newsletter), SMS/MMS, push notifications or telephone, containing information about interesting offers or content about our products and services, Integer.pl group companies and entities cooperating with these companies ;
4. Carrying out satisfaction surveys, in order to get to know you better and improve our services.

We may process your Personal Data for the purposes of marketing our own services, including to send you information about offers, promotions and news about the services provided, as well as in connection with activities to promote our services and brand. Our activities may also include advertising to you, on websites and on social media. We may process your Personal Data, including that collected through cookies and other similar technologies, for marketing purposes, including to deliver targeted advertisements to you.

On the Belgian Website, we use cookies to make it easier for you to navigate, for example to remember your settings and preferences and to simplify the connection to your account. You can find more information on this subject in our Cookie Policy, available by following this link: mondialrelay.be/fr-be/vos-preferences-pour-la-gestion-des-cookies. You may withdraw your consent at any time, and such withdrawal does not affect the validity of any actions taken prior to your consent.

Combining information from different sources

If you give your consent for marketing purposes, we will use the information about you that we have collected from various sources, i.e. in the context of carrying out other processes (e.g. account management), and we will use it for marketing purposes, within the scope of our legitimate interest (Article 6, paragraph 1 (f) GDPR). This data may be used to create user profiles.

PROVISION OF TRANSIT AUTHORITY SERVICES

1. Purposes and legal bases of processing:
  1. Shipping and Transportation Services

If you are a sender or recipient:

Provision of transport and shipping services.
Parcel tracking information.
Notifications about the arrival of the package at a Relay® Point or APM.

If you are a sender, a direct customer of Mondial Relay:

Sales management of Mondial Relay services and offers
Secure payment service for the purchase of Mondial Relay services and offers on the Belgian Website,
Printing and sending shipping labels via the Belgian Website,
Selection and/or search for the destination Relay® Point and/or APM from an address or geolocation
Management of shipments, requests for the collection of packages to be delivered to Recipients and returns to Senders, in particular in the case of unclaimed packages
Management of unpaid invoices, handling of disputes and litigation
Debt collection management, including through a third party.

If you are a carrier:

Performance of the contract of carriage,
Follow-up of the pick-up and delivery of packages.

Legal basis:

Contract – Article 6(1)(b) GDPR,
with respect to Carrier Personal Data: legitimate interest in preserving our material Article 6(1)(f) of the GDPR.
- 1. Customer relationship management:
Listening to and recording (not systematic) telephone conversations during customer service calls, for the purpose of training our staff and improving our customer service;
Customer relationship management, including managing the call center and responding to contact requests from you,
Processing of customer service complaints (disputes and damages), carrying out satisfaction surveys, cross-checking of undelivered parcels and wanted parcels, forwarding of files to the mediator,
Improvement of the quality of customer service by evaluating a sample of customer contacts during incoming and outgoing calls,
Improving the quality of service by sending surveys and polls related to parcel shipping and service delivery,
Chatbot and voicebot (chatbots): Timo's conversation management, designed to provide information and answers to your questions.

Legal bases:

legal obligation – Article 6 (1), c) of the GDPR;
consent: Article 6(1) (a) GDPR;
consent to the processing of special categories of Personal Data – Article 9(2)(a) of the GDPR;
legitimate interest, based on the improvement of our processes and the quality of our services, Article 6 (1) (f) GDPR.
1. Which Personal data do we process?

Depending on the type of contract and the ordering channel used, we may collect the following data:

- - - the first and last name of the sender (including the payer) and the recipient of the shipment; - the sender's address (street, street number, apartment number, zip code, city); - the recipient's address (street, house number, apartment number, zip code, city) as well as delivery information; - a new delivery address for the shipment, if, after shipment, the shipper requests us to deliver it to a new address or if we agree with the recipient, prior to delivery of the shipment, on a different delivery address; - the email address of the sender and recipient of the shipment, processed in order to send messages regarding the performance of the service, including information on the current status of the delivery of the shipment, or information allowing the collection of the shipment; - the telephone number of the sender and recipient of the shipment, for the purpose of direct contact or sending messages relating to the performance of the service, in particular to agree on an alternative place of delivery of the shipment, or information allowing the collection of the shipment; - the contents of the packages in some cases; - when the services are provided to professionals (B2B contract), or for transport companies, data relating to the activity carried out (company name, business address, contact details, VAT number, SIREN and SIRET numbers), including the data of contact persons or persons authorised to represent the company, as well as data relating to our collaboration; - for transport companies: transport licence, list of non-EU employees and other documents required by law, geolocation data of PDAs made available to carriers, - the IP address of individuals using our systems; information obtained from you in connection with the claims procedure and the claims settlement (loss settlement) procedure, if you choose to provide it, including the recording of telephone conversations with our customer service, when such recordings are made, - CCTV images from our APMs.
  1. Data controller and storage period

Data controller : Mondial Relay

Retention period:

Duration necessary for the purpose, and for the legally permitted period (up to 10 years). In exceptional cases, this period may be extended under the legally applicable conditions.

1. Additional information

As part of the processing of your payments, your data will be processed by a separate controller, which is, depending on the payment method you have chosen, ADYEN or PayPal.

If you wish to find out more about the processing of your personal data and/or exercise your rights related to the protection of your personal data processed by these providers, we invite you to contact them directly using the following links and contact details:

ADYEN:
- Privacy Policy: adyen.com/privacy-policy
- DPO contact details: [email protected]
PayPal:
- Privacy Policy:

paypal.com/fr/legalhub/paypal/privacy-full

- Contact details of the DPO:

paypal.com/us/smarthelp/contact-us/privacy ou

PayPal (Europe) S.à.r.l. et Cie, S.C.A.,

22-24 Boulevard Royal

L-2449, Luxembourg..

If you are shipping a parcel from a country other than Belgium, your data will be processed by our local company in the country of dispatch, acting as a separate controller of the Personal Data – the list of these companies is in section 1.2 and is available here. Your data will also be processed by our subcontractors, the transport companies transporting your parcels, in compliance with our strict instructions in application of Article 28 GDPR.

HOW DO WE COLLECT YOUR PERSONAL DATA?

We may collect your Personal Data directly or indirectly, as well as passively collect certain data when you browse the Belgian Website.

1. Direct collection
  1. Via the Belgian Website:

We collect data directly from you when you provide information through the Belgian Website. This is particularly the case when you create an account, when you contact us or when you fill out a form.

Some of the information requested may be mandatory (you will be informed at the time of collection by an asterisk or equivalent). If you do not provide the mandatory information, you will not be able to benefit from our services and offers.

Optional information is intended to help us get to know you better or to provide you with other services and/or offers. If you do not provide the optional information, you will still be able to benefit from our services and offers, but certain customization options will not be available.

It is your responsibility to ensure that the data you provide to us is accurate, complete and up-to-date. The transmission of inaccurate, false or incomplete data may result in a delay or non-delivery of a package. We invite you to notify us of any changes to your personal data.

- 1. Via the APMs' video surveillance system:

For the security of goods and people, we directly collect images of senders, recipients and third parties that may enter the field of view of the APMs' video surveillance cameras.

Please note that the data from the video surveillance will not be associated with the data in your customer account.

1. Indirect collection
  1. Through an external third party:

We collect Personal Data about you indirectly when it is provided to us by an external third party (e.g., senders). This third party already processes your data as a data controller in the context of its relationship with you (e.g. to enable an online purchase) and then passes it on to us in order to enable us to deliver the parcels.

In this case, we are not responsible for the processing of your Personal Data by third parties with whom you have an independent, upstream relationship. However, we are responsible for the processing of your personal data that we carry out on the basis of the data collected by these third parties and transmitted for the performance of the commercial service that binds us to said third parties, for the purpose of enabling the transport of packages.

- 1. As part of commercial prospecting:

We carry out commercial prospecting actions and we may collect your data indirectly in the same way, through an external third party, or through other channels (social networks, trade shows, events, webinars).

1. Passive collection

In addition, information about your use of our communication channels is automatically collected when you interact with their features. To do this, we use "cookies" to collect information about you. To learn more about our cookie policy, click here: mondialrelay.be/fr-be/vos-preferences-pour-la-gestion-des-cookies

TO WHOM MAY YOUR PERSONAL DATA BE DISCLOSED?

We are committed to maintaining the confidentiality of your Personal Data, and to complying with all legal requirements regarding the sharing and disclosure of your data. As a matter of principle, only persons and organisations that need access to your data to enable us to achieve the purposes for which it was processed may do so.

The information we collect is intended for our internal departments (marketing department, IT department, customer service, security department, etc.), which only process the data necessary to perform their tasks.

Your Personal Data may also be communicated to third parties, in Belgium or abroad. In this regard, we invite you to refer to section 6 of the main body of this Privacy Policy.

These partners will have access to your information to the extent strictly necessary for the performance of their missions, and undertake not to use it for any purpose other than that which we have set for them.

Appendix A8 – Services provided to the Grand Dutchy of Luxembourg

The categories of persons concerned by this Annex are as follows:

"Recipient":

Anyone receiving a parcel whose delivery has been entrusted to Mondial Relay.

"Shipper":

Any direct customer using the services and offers offered by Mondial Relay on the Belgian and Luxembourg Website (" Direct Sender ");
Anyone sending a parcel via a direct Mondial Relay customer (in particular via the Vinted, Leboncoin, etc. platforms).

« Prospects » :

Any professional contacted by Mondial Relay in the context of its commercial activity.

"Visitor":

Any person visiting and using the Belgian and Luxembourg Website.

"Third Parties":

Anyone likely to be filmed by the video surveillance system installed on our APMs.

Terms not defined in this Appendix refer to the definitions in Section 4 of the Privacy Policy.

BELGIAN AND LUXEMBOURG WEBSITE

Belgian and Luxembourg website

Refers to the www.mondialrelay.be site

Purposes and legal bases of the processing
Analysis and operation

Compilation of statistics and analysis of the Belgian and Luxembourg Website to assess the security and stability of the system.
Adaptation of the Belgian and Luxembourg Website and/or our social networks in order to ensure an appropriate display as well as a smooth and secure browsing.
Conversation management from Timo, a conversational agent using artificial intelligence, intended to provide information and answers to asked questions.
Management of requests relating to the exercise of your rights.
Compliance with legal and regulatory obligations, including reports required by law or any request from a judicial authority.

Legal basis:

Legitimate interest of the Data Controller: (Article 6(1)(f) GDPR)
Consent for location data and push notifications: Article 6(1)(a) GDPR
Legal obligation: Article 6(1) (c) GDPR.

Own Marketing

Preparation of marketing statistics and analyses aimed at understanding the use of the Belgian and Luxembourg Website and improving the customer experience.
We contact potential customers through various channels (phone, email, social media, webinars, trade shows, etc.)

Legal basis: legitimate interest: Article 6(1)(f) or consent: Article 6(1)(a) GDPR.

Handling Complaints and Disputes

Legal basis: legal obligation or legitimate interest (Articles 6(1)(c) and 6(1)(f) GDPR), contract where applicable: Article 6(1) (b) GDPR.

Processing your applications if you want to work with us

You can use the Belgian and Luxembourg Website to apply, in order to collaborate with us, and in particular:

To become a Relay® Point,
To host a APM,
To become one of our carriers,
To become one of our employees.

Legal basis: legitimate interest, consisting of developing our network and business: Article 6(1)(f) of the GDPR.

What Personal Data do we process?

Depending on your situation, we may collect the following Personal Data:

Identification data :
- If you are an individual : title, first name, last name, telephone number, email, home address, delivery address, application data, if applicable.
- If you are a professional : in addition to the Personal Data we collect for individuals, we may collect the following Personal Data: name and sector of activity of your company, geographical area of activity, your job title, postal address of your company, VAT number, identification number of your company, link to your company's website.
Connection data relating to your use of the Belgian and Luxembourg Website: we collect browsing data that may identify your preferred device (computer, phone, tablet). In this case, we may collect the IP address of your device, the type of browser and operating system used, the identity of your Internet service provider, the agent ID, the external identifier, the number of pages viewed, the time spent on each page, etc. This data is used, on the one hand, to ensure the proper functioning of the Belgian and Luxembourg Website, in particular its performance and security, and on the other hand, to analyse their traffic, within the limits and conditions set out in this Privacy Policy.
Location data : geographical search area for Relay® Points or APMs, geolocation.

Controller and storage period

Data controller

Mondial Relay

Retention period

The period necessary for the purpose, and for the legally permitted period (up to 30 years). In exceptional cases, this period may be extended under the legally applicable conditions.

COMMERCIAL COMMUNICATIONS

1. Purposes and legal bases of processing
  1. Sending commercial offers and recommendations

Legal basis: legitimate interest of the controller to carry out its own marketing actions to its customers: Article 6, (1) (f), GDPR;

- 1. Sending direct marketing communications via email, SMS or phone calls

Legal basis: consent: Article 6(1)(a) GDPR.

- 1. Implementation of marketing operations

through advertising messages, competitions, prize draws, sponsorships, surveys, loyalty programs and any promotional activities.

Legal basis: consent – Article 6(1)(a) GDPR.

- 1. Social media data

Legal basis: legitimate interest: Article 6 (1) (f) GDPR),

1. What personal data do we process?

Depending on your situation, we may process the following personal data:

Identification data: telephone, email address.
Information about your user interactions.
Information about your habits (e.g. buying habits).
1. Controller of storage period

Data controller : Mondial Relay

Retention period:

1. Additional information

We use a variety of communication methods and channels to contact you, including emails, text messages, and phone calls.

By subscribing to our newsletter, you consent to receive email messages. Article 6 (1)(a) GDPR).

If you do not agree to our marketing activities or if you do not want us to use certain means of communication with you, please contact us using the contact details mentioned in paragraph 2.3 of the body of this Privacy Policy.We process your Personal Data in order to carry out marketing activities, which may consist of:

1. Displaying marketing content that is relevant to your interests (behavioural advertising) and sending advertising messages to you on other websites and social media platforms (remarketing);
2. Displaying marketing content that is not tailored to your preferences (contextual advertising);
3. sending commercial information through various channels, including email (including in the form of a newsletter), SMS/MMS, or telephone, containing information about interesting offers or content about our products and services, Integer.pl Group companies and entities cooperating with them,
4. Carrying out satisfaction surveys, in order to get to know you better and improve our services.

On the Belgian and Luxembourg Website, we use cookies to facilitate your navigation, for example to remember your settings and preferences and to simplify the login to your account. You can find more information on this subject in our Cookie Policy, available by following this link: mondialrelay.be/fr-be/vos-preferences-pour-la-gestion-des-cookies. You may withdraw your consent at any time, and such withdrawal does not affect the validity of any actions taken prior to your consent.

Combining information from different sources

If you give your consent for marketing purposes, we will use the information about you that we have collected from various sources, i.e. in the context of carrying out other processes (e.g. account management), and we will use it for marketing purposes, within the scope of our legitimate interest (Article 6, (1),(f) GDPR). This data may be used to create user profiles.

PROVISION OF TRANSIT COMMISSION SERVICES

1. Purposes and legal bases of processing:
  1. Shipping and Transportation Services
If you are a sender or recipient:
Provision of transport and forwarding services,
Parcel tracking information,
Notifications about the arrival of the package at a Relay® Point or APM.
If you are a sender, a direct customer of Mondial Relay:
Sales management of Mondial Relay services and offers,
Secure payment service for the purchase of Mondial Relay services and offers on the Belgian and Luxembourg Website,
Printing and sending of shipping labels via the Belgian and Luxembourg website,
Selection and/or search for the destination Relay® Point and/or APM from an address or geolocation,
Management of shipments, requests for the collection of parcels to be delivered to Recipients and returns to Senders, in particular in the event of unclaimed parcels,
, Management of unpaid invoices, handling of disputes and litigation,
Debt collection management, including through a third party.
If you are a carrier:
Performance of the contract of carriage,
Follow-up of the pick-up and delivery of packages.

Legal basis:

Contract – Article 6(1)(b) GDPR
with respect to Carrier Personal Data: legitimate interest in preserving our material Article 6(1)(f) of the GDPR.
- 1. Customer relationship management:
Listening to and recording (non-systematic) telephone conversations during customer service calls for the purpose of training our staff and improving our customer service.
Customer relationship management, including managing the call center and responding to contact requests from you,
Processing of customer service complaints (disputes and damages), carrying out satisfaction surveys, cross-checking of undelivered parcels and wanted parcels, forwarding of files to the mediator,
Improvement of the quality of customer service by evaluating a sample of customer contacts during incoming and outgoing calls,
Improving the quality of service by sending surveys and polls related to parcel shipping and service delivery,
Chatbot and voicebot (conversational agents): conversation management by Theo, designed to provide information and answers to your questions.

Legal bases:

legal obligation: Article 6, (1)(c)GDPR;
consent: Article 6(1) (a) GDPR;
consent to the processing of special categories of Personal Data: Article 9, (2), (a) GDPR;
legitimate interest, based on the improvement of our processes and the quality of our services: Article 6 (1) (f) GDPR.
1. Which Personal data do we process?

Depending on the type of contract and the ordering channel used, we may collect the following data:

- - - the first and last name of the sender (including the payer) and the recipient of the shipment; - the sender's address (street, street number, apartment number, zip code, city); - the recipient's address (street, house number, apartment number, zip code, city) as well as delivery information; - a new delivery address for the shipment, if, after shipment, the shipper requests us to deliver it to a new address or if we agree with the recipient, prior to delivery of the shipment, on a different delivery address; - the email address of the sender and recipient of the shipment, processed in order to send messages regarding the performance of the service, including information on the current status of the delivery of the shipment, or information allowing the collection of the shipment; - the telephone number of the sender and recipient of the shipment, for the purpose of direct contact or sending messages relating to the performance of the service, in particular to agree on an alternative place of delivery of the shipment, or information allowing the collection of the shipment; - the contents of the packages in some cases; - when the services are provided to professionals (B2B contract), or for transport companies, data relating to the activity carried out (company name, business address, contact details, VAT number, RCS numbers and ), including the data of contact persons or persons authorised to represent the company, as well as data relating to our collaboration; - for transport companies: transport licence, list of non-EU employees and other documents required by law, geolocation data of PDAs made available to carriers, IP address of persons using our systems; information obtained from you in connection with the claims procedure and the claims settlement procedure (loss settlement); if you decide to provide it, including the recording of telephone conversations with our customer service, when such recordings are made, - CCTV images from our APMs.
  1. Data controller and retention period

Data controller : Mondial Relay

Retention period:

Duration necessary for the purpose, and for the legally permitted period (up to 10 years). In exceptional cases, this period may be extended under the legally applicable conditions.

1. Additional information

As part of the processing of your payments, your data will be processed by a separate controller, which is, depending on the payment method you have chosen, ADYEN or PayPal.

ADYEN:
- - Privacy Policy: adyen.com/privacy-policy
    - DPO contact details: [email protected]
PayPal:
- - Privacy Policy: paypal.com/fr/legalhub/paypal/privacy-full
    - Contact details of the DPO: paypal.com/us/smarthelp/contact-us/privacy or

PayPal (Europe) S.à.r.l. et Cie, S.C.A.,

22-24 Boulevard Royal

L-2449, Luxembourg.

If you are shipping a parcel from a country other than Luxembourg, your data will be processed by our local company in the country of shipment, acting as a separate controller of the Personal Data – the list of these companies is in section 1.2 and is available here. Your data will also be processed by our subcontractors, the transport companies transporting your parcels, in compliance with our strict instructions in application of Article 28 GDPR.

HOW DO WE COLLECT YOUR PERSONAL DATA?

We may collect your Personal Data directly or indirectly, as well as passively collect certain data when you browse the Belgian and Luxembourg Website.

1. Direct collection
  1. Via the Belgian and Luxembourg website:

We collect data directly from you when you provide information through the Belgian and Luxembourg Website. This is particularly the case when you create an account, when you contact us or when you fill out a form.

- 1. Via the APMs' video surveillance system:

For the security of goods and people, we directly collect images of senders, recipients and third parties that may enter the field of view of the APMs' video surveillance cameras.

Please note that the data from the video surveillance will not be associated with the data in your customer account and will not be kept beyond the limits necessary for the security of goods and people.

1. Indirect collection
  1. Through an external third party:

In this case, we are not responsible for the processing of your Personal Data by third parties with whom you have an independent, upstream relationship. However, we are responsible for the processing of your Personal Data that we carry out on the basis of the data collected by these third parties and transmitted for the performance of the commercial service that binds us to said third parties, for the purpose of enabling the transport of packages.

- 1. As part of commercial prospecting:

1. Passive collection

V. TO WHOM MAY YOUR PERSONAL DATA BE DISCLOSED?

Your personal data may also be communicated to third parties, in France or abroad. In this regard, we invite you to refer to section 6 of the main body of this Privacy Policy.

Appendix A9 – Services provided in the Netherlands

The following categories of persons are concerned by this section:

‘Senders’:
- - Any direct customer who uses the services and offers provided by us on our Dutch website (‘Direct Sender’); or
    - Any person who sends a parcel through one of our direct customer (in particular via the Vinted, Leboncoin platforms, etc.).
‘Recipients’: any person who receives a parcel whose delivery has been entrusted to us
‘Prospects’: any professional who is contacted by us in the course of its commercial activity;
‘Visitor’ : any person visiting our Dutch website.
‘Third Parties’: any person who may be filmed by the CCTV system installed on our APM.

DUTCH WEBSITE

By “Dutch website”, we refer to the website mondialrelay.nl .

Terms not defined in this Appendix shall have the meanings ascribed to them in Section 4 of the Privacy Policy.

Purposes and legal bases for processing:
Analysis and functioning

Compilation of statistics and analysis of the Dutch website to assess system security and stability.
Adjustment of the Dutch website and/or our social networks to ensure proper display and smooth, secure navigation.
Management of conversations generated through Timo, a conversational agent using artificial intelligence designed to provide information and answers to questions posed.
Management of requests relating to the exercise of your rights.
Compliance with legal and regulatory obligations, including legally required reports or any request from a judicial authority.

Legal basis :

Legitimate interest of the Controller consisting in conducting analyses of users' activity and using the results of such analysis to improve the quality of services provided and for analytical and statistical purposes - Article 6(1)(f) of the GDPR
Consent for location data, and push notifications Article 6(1)(a) of the GDPR;
Legal obligation - Article 6(1) c) of the GDPR.

Own marketing

Compiling statistics and conducting marketing analyses to understand the use of the Dutch website and improve the customer experience.
Contacting prospects through various channels (telephone, email, social media, webinars, trade shows, etc.)

Legal basis: legitimate interest Article 6(1)(f) GDPR or consent Article 6(1)(a) GDPR.

Reviewing and handling complaints and litigations

Legal basis : legal obligation or the legitimate interest of the Controller consisting in handling complaints – Article 6(1)(c) or Article 6(1)(f) GDPR; contract if applicable, pursuing claims and defence against claims

Processing your application to become a PUDO

Legal basis: legitimate interest consisting in developing our network - Article 6(1)(f) GDPR.

Which personal data do we process?

Depending on situation, we may collect the following data:

Identification data :
- if you are an individual : first name, last name, phone number, e-mail address, home address, delivery address,
- if you are a professional : in addition to the Personal Data we collect for individuals, we may collect the following Personal Data : your company name, postal address, VAT number, company identification number, link to your company’s website.
Connection data relating to your use of the Dutch website: browsing data that may identify your preferred device (computer, phone, tablet).

We may collect your device IP address, browser type, operating system, internet service provider, agent ID, external identifier, number of pages viewed, time spent on each page, etc.

These data are used to ensure the proper functioning, performance, and security of the Dutch website, as well as to analyze traffic under the terms of this Privacy Policy.

Location data : geographical search area for Points Relais® or APM and geolocation

Controller and retention period

Controller: Mondial Relay

Retention period:

Not longer than the time necessary for the purpose, and for the legally authorized duration.

MARKETING COMMUNICATION

Purposes and legal bases for processing:
Sending offers and recommendations as part of providing services

Legal basis for processing: the legitimate interest of the Controller consisting in conducting its own marketing towards clients – Article 6(1)(f) GDPR;

Sending direct marketing communications via e-mail, SMS, or telephone calls

Legal basis for processing: consent – Article 6(1)(a) GDPR;

Carrying out marketing operations

through advertising messages, draws, prize competitions, sponsorship, surveys, loyalty schemes and all promotional activities.

Legal basis for processing: consent – Article 6(1)(a) GDPR;

Data from Social Network

We may process your Personal data when you visit our profiles on social media (e.g. Facebook, YouTube, Instagram, Twitter, LinkedIn, Pinterest). Such data are processed solely in connection with running the profile, including for the purpose of informing users about our activity and promoting various events, services and products.

Legal basis : Legitimate interest (Article 6(1)(f) GDPR).

Which Personal data do we process?

Depending on situation, we may process the following data:

• identification data, including in particular: phone number and e-mail address;

• information on your interactions;

• information about your habits (e.g., purchasing habits).

Data controller and retention period

Data controller: Mondial Relay

Retention period:

We retain your personal data collected under this section either until you indicate that you no longer wish to receive marketing communications or until the law requires us to erase them. In exceptional cases, this period may be extended where legal provisions suspend or interrupt the statute of limitations.

Additional information:

We use various channels to contact you, including email, SMS, and telephone calls.

The content we send may include offers and recommendations concerning our services or products, or those of third parties that may interest you. We create these communications using algorithms analysing your use of our services.

By subscribing to our newsletter, you consent to receiving email messages (Article 6(1)(a) GDPR).

If you do not accept our marketing activities or do not want us to use certain communication channels, please contact us using the details in section 2.3 of this Privacy Policy.

We process your personal data for marketing activities, which may include:

Display of marketing content matching your interests (behavioural advertising) and delivery of advertising messages on other websites and social platforms (remarketing)
Display of marketing content not tailored to you (contextual advertising)
Sending commercial information via email (including newsletters), SMS/MMS, push notifications, or telephone calls concerning offers or content about our products and services, those of the Integer.pl group, and cooperating entities.

d) Carrying out satisfaction surveys, in order to get to know you better and improve our Services.

We may process your Personal data for the purpose of marketing our own services, including to send you information about offers, promotions and new developments relating to the services we provide, as well as in connection with activities designed to promote our services and our brand. The activities we carry out may also involve displaying advertising messages to you on websites and on social media. We may process your personal data, including data collected via cookies and other similar technologies, for marketing purposes, including to display targeted advertisements to you.

On the Dutch website, we use cookies to facilitate navigation, remember settings and preferences, and simplify login to your account. More information is available in our Cookie Policy here: https://www.mondialrelay.nl/instellingen-lijst-met-cookies/.

You may withdraw your consent at any time, and its withdrawal does not affect the validity of actions taken before its withdrawal.

Combining information obtained from different sources

If you give your consent for marketing purposes, we will use the information we have collected about you from various sources – that is, in the course of carrying out other processes (such as account management) – and use it for marketing purposes, based on our legitimate interest (Article 6(1)(f) of the GDPR). This data may be used to create user profiles.

PROVISION OF FREIGHT FORWARDING AND TRANSPORT SERVICES

Purposes and legal bases for processing:
Provision of freight forwarding services and transport services,
If you are a sender or a recipient:

Provision of transport and delivery services.
Information on parcel tracking.
Notifications regarding the arrival of the parcel at a Point Relais® and/or APM.

If you are a direct shipper:

Management of sales of Mondial Relay services and offers
Secure payment service for purchasing our services and offers on the Dutch website
Printing and sending shipping labels via the Dutch website
Choosing and/or searching for the destination Point Relais® and/or APM based on an address or geolocation
Management of shipments, requests for collection of parcels to be delivered to Recipients, and returns to Senders, particularly in the case of unclaimed parcels
Dispute handling Management of unpaid bills, disputes and litigation
Management of debt collection, including through a third party

If you are a carrier:

Performance of the carriage contract,
Monitoring of the collection and delivery of parcels.

Legal basis for processing:

contract – Article 6(1)(b) GDPR;

–with regard to the Personal Data of carriers: legitimate interest consisting in the protection of our equipment, pursuant to Article 6(1)(f) of the GDPR.

Reviewing and handling complaints
Listening to and recording (non-automatic) telephone conversations during calls with customer service, for the purpose of training our personnel and improving our customer service ;
Customer relationship management, including call centre management and responding to contact requests sent to us ;
Handling customer service complaints (disputes and damage), conducting satisfaction surveys, reconciling undelivered items and items sought, referring cases to the ombudsman ;
Improving service quality by evaluating a sample of customer contacts during incoming and outgoing calls ;
Improving service quality by sending out surveys and polls related to parcel shipping and service delivery ;
Chatbot and voicebot (conversational agent) Conversation management from Timo designed to provide information and answers to your questions.

Legal basis for processing:

legal obligation – Article 6(1)(c) of the GDPR;
consent – Article 6(1)(a) GDPR;
consent to the processing of special categories of personal data – Article 9(2)(a) of the GDPR;
legitimate interest, based on the improvement of our processes and the quality of our services, Article 6(1)(f) GDPR.

Which personal data do we process?

Depending on the contract type and the ordering channel used, we may collect the following data:

the first name and surname of the sender (including the payer) and of the recipient (addressee) of the shipment;
the sender’s address (street, house number, apartment number, postal code, city);
the recipient’s address (street, house number, apartment number, postal code, city) as well as delivery information ;
a new delivery address of the shipment, if after dispatch the sender instructs us to deliver it to a new address or we agree with the recipient, before delivery of the shipment, on a different delivery address;
the e-mail address of the sender and the recipient of the shipment, processed in order to send messages regarding performance of the service, in particular information about the current shipment delivery status, or information enabling collection of the shipment ;
the phone number of the sender and the recipient of the shipment for direct contact or to send messages regarding performance of the service, in particular contact to agree on a different place of delivery of the shipment, or information enabling collection of the shipment ;
contents of parcels in certain cases;
where services are provided to professionnals customers (B2B agreement), or for carriers companies : data regarding the business activity conducted (company name, business address, contact details, VAT number, company identification number), including data of contact persons or persons authorized to represent, and data regarding cooperation with us;
for carriers companies: transport license and other documents required by law, geolocation data of the PDAs made available to transport operators;
the IP address of persons using our systems; information obtained from you in the course of the complaint procedure and in the course of the claims settlement procedure (loss settlement), if you decide to provide it, including recording telephone conversations with our Customer Service department, where such recordings are made,
CCTV footage from our APMs.
Data controller and retention period

Data Controller: Mondial Relay

Retention period:

Additional information

In connection with processing your payment, your data will be processed by a separate controller, “which is, depending on the payment method you have chosen, ADYEN or PAYPAL.

If you wish to learn more about the processing of your personal data and/or to exercise your rights relating to the protection of your personal data processed by these service providers, we invite you to contact them directly using the following links and contact details:

ADYEN:

DPO contact details: [email protected]

PAYPAL:

DPO contact details:

paypal.com/us/smarthelp/contact-us/privacy or

PayPal (Europe) S.à.r.l. et Cie, S.C.A.,

22–24 Boulevard Royal

L‑2449, Luxembourg.

If you dispatch a shipment from a country other than the Netherlands, your data will be processed by our local company in the dispatch country, acting as a separate controller of personal data – the list of these companies is provided in section 1.2 and is available here. Your data will also be processed by our subcontractors – the carrier companies, in compliance with our strict instructions pursuant to Article 28 of the GDPR.

HOW DO WE COLLECT YOUR PERSONAL DATA?

We may collect your personal data directly or indirectly, as well as passively collect certain data when you browse our Dutch website.

Direct collection
- - 1. From our Dutch website:

We collect data directly from you when you provide information via our Dutch website. This is particularly the case when you create an account, when you contact us or when you fill in a form.

- - 1. From the APM CCTV system:

Indirect collection
From an external third party:

In the context of commercial prospecting:

Passive collection

In addition, information relating to your use of our Dutch website is automatically collected when you interact with their features. To do this, we use ‘cookies’ to collect information aboutyour. To find out more about our cookie policy, click here :mondialrelay.nl/instellingen-lijst-met-cookies .

TO WHOM WE MAY DISCLOSE YOUR PERSONAL DATA ?

We are committed to maintain the confidentiality of your Personal Data, and to comply with all legal requirements regarding the sharing and disclosure of your Personal Data. As a matter of principle, only persons and organizations that need access to your Personal Data in order to enable us to achieve the purposes for which it was processed may do so.

Your Personal Data may also be communicated to third parties, in France or abroad. We invite you to refer to section 6 of the main body of this Privacy Policy for further details.

Archivos para descargar:

InPost Account Privacy Policy effective from 18.05.2026

Open (EN)Open (PL)Open (IT)Open (FR)Open (PT)Open (ES)

Current InPost Account Privacy Policy

Open (EN)Open (PL)Open (IT)

privacy policy inpost accountprivacypolicyinpost account

InPost Account Privacy Policy

PART I

1. WE RESPECT YOUR PRIVACY AND CARE ABOUT THE PROTECTION OF YOUR DATA

2. WHO PROCESSES YOUR DATA?

3. WHEN MAY WE PROCESS YOUR PERSONAL DATA?

4. WHAT PERSONAL DATA DO WE PROCESS AND FOR WHAT PURPOSE?

4.1. INPOST ACCOUNT

4.2. SECURITY

4.3. ANALYTICAL PURPOSES AND IMPROVING THE QUALITY OF THE INPOST ACCOUNT SERVICE

5. ADDITIONAL INFORMATION ON PROCESSING

6. TO WHOM DO WE DISCLOSE YOUR DATA?

7. YOUR RIGHTS

8. CHANGES TO THE PRIVACY POLICY

PART II

Appendix A1 – Services provided in Poland

I. MOBILE APPLICATION (INPOST MOBILE)

II. MARKETING AND MARKETING COMMUNICATION

PROVISION OF POSTAL AND TRANSPORT SERVICES, INCLUDING COURIER SERVICES AND SERVICES PROVIDED VIA PARCEL LOCKER

LOYALTY PROGRAMME

INPOST AI ASSISTANT

INPOST PAY

Appendix A2 – Services provided in France

MONDIAL RELAY’S APPLICATION) and MONDIAL RELAY’S WEBSITE

MARKETING COMMUNICATION

PROVISION OF FREIGHT FORWARDING AND TRANSPORT SERVICES

HOW DO WE COLLECT YOUR PERSONAL DATA?

TO WHOM MAY YOUR PERSONAL DATA BE DISCLOSED?

Appendix A3 – Services provided in Italy

MOBILE APPLICATION (INPOST MOBILE)

II. MARKETING COMMUNICATION

CHAT SERVICE

Appendix A4 – Services provided in Spain

MOBILE APPLICATION (INPOST MOBILE)

MARKETING COMMUNICATION

Appendix A5 – Services provided in Portugal

MOBILE APPLICATION (INPOST MOBILE)

MARKETING COMMUNICATION

Appendix A6 – Services provided in United Kingdom

MOBILE APPLICATION (INPOST UK)

MARKETING COMMUNICATION

PROVISION OF POSTAL AND TRANSPORT SERVICES, INCLUDING COURIER SERVICES AND SERVICES PROVIDED VIA AUTOMATED PARCEL MACHINES (APMs)

Appendix A7 – Services provided in Belgium

BELGIAN WEBSITE

COMMERCIAL COMMUNICATIONS

PROVISION OF TRANSIT AUTHORITY SERVICES

HOW DO WE COLLECT YOUR PERSONAL DATA?

TO WHOM MAY YOUR PERSONAL DATA BE DISCLOSED?

Appendix A8 – Services provided to the Grand Dutchy of Luxembourg

BELGIAN AND LUXEMBOURG WEBSITE

COMMERCIAL COMMUNICATIONS

PROVISION OF TRANSIT COMMISSION SERVICES

HOW DO WE COLLECT YOUR PERSONAL DATA?

V. TO WHOM MAY YOUR PERSONAL DATA BE DISCLOSED?

Appendix A9 – Services provided in the Netherlands

DUTCH WEBSITE

MARKETING COMMUNICATION

PROVISION OF FREIGHT FORWARDING AND TRANSPORT SERVICES

HOW DO WE COLLECT YOUR PERSONAL DATA?

TO WHOM WE MAY DISCLOSE YOUR PERSONAL DATA ?

Archivos para descargar:

InPost Account Privacy Policy effective from 18.05.2026

Current InPost Account Privacy Policy

privacy policy inpost account