Cookie Policy

PART II: REGIONAL ANNEXES

The following provisions apply exclusively to the named Controller and to its websites, mobile applications, and partner platforms.

Information on how to exercise your rights under the GDPR can be found in the Privacy Policy.

ANNEX A1 – TOOLS AND TECHNOLOGIES USED IN POLAND

Controller: InPost sp. z o.o., ul. Pana Tadeusza 4, 30-727 Kraków.

How we collect and manage your consent

InPost uses a Consent Management Platform (CMP) to collect, manage and record your preferences regarding cookies and similar technologies. The CMP allows you to grant or refuse consent separately for each category of processing – such as analytics, behavioural advertising or audience profiling.

When you make your choices, the CMP records the date and time of your decision and your specific selections. This allows InPost to demonstrate at any time on what basis your data are being processed.

You can withdraw or change your consent at any time. On the InPost website, click the "Cookie settings" link at the bottom of every page. In the InPost mobile application, open the privacy settings menu. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

Until you have given your consent in the CMP, none of the analytical or marketing cookies, pixels, scripts or tags described in sections B and C below will be loaded or activated. Strictly necessary cookies (section A) operate without consent on the basis of Article 6(1)(b) and 6(1)(f) GDPR and the exemption set out in Article 399 of the Polish Electronic Communications Act (PKE).

A. Necessary cookies

Necessary cookies are installed without your consent on the basis of Article 6(1)(f) GDPR (the legitimate interest of the Controller in ensuring the smooth and secure operation of its services) or Article 6(1)(b) GDPR (performance of a contract or provision of a service).

Didomi – consent management platform

Didomi is the main CMP we use across InPost websites in Poland. It saves the cookie choices you make in the consent banner and manages consents under the IAB TCF framework, so that your preferences are remembered between visits and applied consistently across InPost services.

Cookie names: didomi_token, euconsent.

Purpose: Stores the cookie choices you have made (which consents you granted and which you declined) so that your preferences are not reset every time you visit our website.

Legal basis: Article 6(1)(c) GDPR (legal obligation – compliance with GDPR requirements) and Article 6(1)(f) GDPR.

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Didomi SAS, 117 rue de la Tour, 75116 Paris, France.

Transfer outside EEA: EEA (France) – no additional safeguards required.

Further information: https://www.didomi.io/privacy-policy

OneTrust – consent management for selected services only

OneTrust is used as the CMP only on selected InPost services (urzad24.inpost.pl and merchant.inpost.pl). For all other InPost services, consent is managed by Didomi (see above).

Cookie names: OptanonConsent, OptanonAlertBoxClosed.

Purpose: Stores your consent preferences for individual cookie categories. The OptanonAlertBoxClosed cookie records the date you closed the consent banner.

Legal basis: Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR.

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: OneTrust LLC, 1200 Abernathy Rd NE, Atlanta, GA 30328, USA.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.onetrust.com/privacy-notice/

Cloudflare – bot protection and security

Cloudflare protects InPost websites against bots, DDoS attacks and abuse. It distinguishes human visitors from automated traffic and manages session limits per user.

Cookie names: __cf_bm, _cfuvid, cf_clearance, cf_chl_rc_ni.

Purpose: Tells human traffic apart from bots and automated attacks. Necessary for the secure operation of InPost services.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – security).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.cloudflare.com/privacypolicy/

Dynatrace – technical check before monitoring starts

A short, one-time check that the browser supports cookies before the Dynatrace performance-monitoring agent is launched.

Cookie name: dTValidationCookie.

Purpose: Checks whether your browser supports cookies before the Dynatrace monitoring agent is started. Contains no behavioural data and expires within a few minutes.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – ensuring the smooth operation of services).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.dynatrace.com/company/trust-center/privacy/

Synerise – technical check (localStorage availability)

A one-time check whether your browser supports localStorage – a technical prerequisite for the Synerise SDK to start correctly.

Cookie name: lsCheck.

Purpose: Tests whether your browser supports localStorage so that the Synerise SDK can start. Expires immediately and contains no personal or behavioural data.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – ensuring the smooth operation of services).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://synerise.com/legal/privacy-policy/

Google reCAPTCHA – form protection against bots

Verifies that an InPost form is being completed by a human and not a bot. Analyses browser interactions to calculate a "bot score". Not used for advertising.

Cookie names: rc::a, rc::c.

Purpose: Confirms that a form is being completed by a human, not a bot.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – security and protection against abuse).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

CallPage – callback widget (technical operation)

Operates the callback request widget. Stores the phone number you typed (so you do not have to enter it again), controls how the widget is displayed during your session, and secures the connection between the InPost website and CallPage.

Cookie names: cp, cp_*, callpage-widget-version, cp_widget_session.

Purpose: Runs the callback widget: remembers the phone number you provided, manages how often the widget is shown, controls the widget version and secures the session.

Legal basis: Article 6(1)(b) GDPR (performance of a contract / provision of a service).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: CallPage sp. z o.o., ul. Rynek Główny 28/3, 31-010 Kraków, Poland.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://www.callpage.io/privacy-policy

Revive Ad Server – InPost's own ad server

Stores your decision regarding the display of InPost's own advertising materials on ads.inpost.pl. Necessary so that we can respect your preferences within InPost's own advertising system.

Cookie name: RVGDPR (set on ads.inpost.pl).

Purpose: Stores your decision about whether to display InPost's own ads.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – giving effect to your preferences).

Vendor role: First party – an InPost sp. z o.o. tool; InPost acts as Controller.

Vendor: InPost sp. z o.o., ul. Pana Tadeusza 4, 30-727 Kraków.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://inpost.pl/polityka-prywatnosci

InPost Pay – payment session management

Operates the InPost Pay payment widget: links the shopping basket to the payment session and manages the currency during checkout. Necessary for completing transactions.

Cookie names: basket_binding_api_key, inpost_pay_currency_restore_uid.

Purpose: Connects your shopping basket with the payment session and manages the currency at checkout.

Legal basis: Article 6(1)(b) GDPR (performance of a contract / provision of a service).

Vendor role: First party – an InPost sp. z o.o. tool; InPost acts as Controller.

Vendor: InPost sp. z o.o., ul. Pana Tadeusza 4, 30-727 Kraków.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://inpost.pl/polityka-prywatnosci

B. Analytical cookies

Analytical cookies are activated only on the basis of your consent (Article 6(1)(a) GDPR). You can decline them or withdraw your consent at any time via the cookie banner.

Some of the analytical tools described below – in particular Microsoft Clarity, CUX and Hotjar – record user sessions and generate heatmaps. Session recordings are pseudonymised and configured to mask sensitive form fields (passwords, payment details, contact data). They are activated only after you have granted consent to the analytics category in the cookie banner; consent can be withdrawn at any time. InPost periodically reviews the masking configuration to make sure that sensitive data are not captured.

Google Analytics 4 – website traffic analysis

Counts visits and sessions, looks at where traffic comes from and how visitors move through our pages, identifies the most popular content, and groups users by behaviour. Data are pseudonymised and aggregated – they cannot be used to identify a specific person.

Cookie names: _ga, _ga_*, _gid, _gat, FPID, FPLC.

Purpose: Measures website traffic, analyses where visitors come from and how they navigate, and segments users by behaviour.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

Microsoft Bing UET – analysis of traffic from the Microsoft network

Analyses traffic that reaches us through Microsoft's network (Bing Search, MSN). Identifies traffic sources, measures time spent on the website and segments returning users. Data are aggregated.

Cookie names: MUID, _uetsid, _uetvid, _uetsid_exp, _uetvid_exp.

Purpose: Analyses where Microsoft-network traffic comes from, measures time on site, and identifies returning users.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.

Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://privacy.microsoft.com/en-gb/privacystatement

Dynatrace – performance monitoring and error detection

Real-time monitoring of how InPost websites perform on your device. Detects errors, measures page load and server response times, and analyses navigation patterns. Used only to optimise the technical operation of our services.

Cookie names: dtCookie, rxVisitor, rxvisitid, dtPC, dtSa, rxvt.

Purpose: Monitors front-end performance, detects errors and outages, measures load and response times, and analyses navigation paths – for technical optimisation of InPost services only.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.dynatrace.com/company/trust-center/privacy/

DataDog – error and performance monitoring

Detects technical errors, outages and performance issues affecting InPost services. Data are not used to identify users and are not used for advertising.

Cookie names: _dd_s, dd_cookie_test_*.

Purpose: Detects technical errors, outages and performance issues affecting InPost services.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Datadog Inc., 620 8th Avenue, New York, NY 10018, USA.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.datadoghq.com/legal/privacy/

CUX – navigation analysis and usability research

Analyses how visitors navigate the website (clicks, scrolling, navigation paths, how far they get with filling in forms). Helps us identify and fix usability problems. CUX records sessions; sensitive form fields are masked and the recordings are activated only after you give consent for analytics.

Cookie names: _cux_u, _cux_s, _cux_v, _cux_h, _cux_n, _cux_e, _cux_pr, _cux_pv, _cux_*_ttl.

Purpose: Analyses how visitors navigate, scroll and interact with forms in order to fix usability problems.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: CUX Research Sp. z o.o., ul. Ruska 22, 50-079 Wrocław, Poland.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://cux.io/legal/privacy-policy/

Microsoft Clarity – session recording and heatmaps

Records and analyses how visitors navigate InPost websites: clicks, scroll depth, navigation paths and form completion patterns. Generates session recordings and heatmaps. Microsoft Clarity automatically masks sensitive form fields (passwords, payment details) and anonymises IP addresses; InPost is responsible for verifying that this masking is effective on InPost forms.

Cookie names: _clck, _clsk, CLID, ANONCHK, MR, MUID, SM.

Purpose: Generates session recordings and heatmaps to identify and fix usability problems.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – Microsoft processes data on its own behalf and under its own responsibility, following its own privacy policy.

Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission. Microsoft Ireland Operations Limited has entered into an SCC-based agreement with Microsoft Corporation (USA); Microsoft is also certified under the EU-US Data Privacy Framework (adequacy decision adopted by the European Commission in July 2023).

Further information: https://clarity.microsoft.com/privacy and https://www.microsoft.com/privacy/privacystatement. Note: data may also be processed by Microsoft for service-improvement and AI-development purposes.

Hotjar – heatmaps and anonymous session recording

Records areas of clicks and scrolling on our pages (heatmaps). Used to optimise the layout and usability of the website. Sensitive form fields are masked.

Cookie names: _hjid, _hjSession_*, _hjSessionUser_*, _hjTLDTest.

Purpose: Records click and scroll areas to help us improve the layout and usability of our pages.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.hotjar.com/legal/policies/privacy/

Synerise – traffic analysis and segmentation

Measures website traffic, identifies traffic sources (UTM campaign parameters), groups users into segments and analyses navigation paths across InPost domains. Data are used to generate aggregated reports for InPost.

Cookie names: _snrs_params, _snrs_profile_config, synerise-traffic-storage_*.

Purpose: Measures traffic and traffic sources, segments users and analyses navigation paths across InPost domains.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://synerise.com/legal/privacy-policy/

CallPage – effectiveness of the callback widget

Measures how effective the callback widget is: tracks scroll depth and time on the page (a behavioural score that decides when the widget is shown), analyses how well conversion rules work, and uses geolocation to apply geographic display rules.

Cookie names: cp_* (engagement and geolocation metrics).

Purpose: Measures the effectiveness of the callback widget and applies geographic display rules.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: CallPage sp. z o.o., ul. Rynek Główny 28/3, 31-010 Kraków, Poland.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://www.callpage.io/privacy-policy

Zowie – chatbot interaction analysis

Analyses how visitors interact with our chatbot: questions asked, points where conversations end, how users move between topics. Used to improve the conversation flow and the quality of the service. Stores the time of your last visit to the chat widget.

Cookie names: zowie-tracking-id, zowie-tracking-session, herochat-last-visit-time.

Purpose: Analyses chatbot interactions to improve conversation flow and service quality.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Zowie sp. z o.o., ul. Domaniewska 37, 02-672 Warsaw, Poland.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://zowie.ai/privacy-policy/

C. Marketing cookies

Marketing cookies are activated only on the basis of your consent (Article 6(1)(a) GDPR in conjunction with Article 398 of the Polish Electronic Communications Act – PKE). You can decline them or withdraw your consent at any time via the cookie banner.

C1. Advertising platforms – principal vendors

Google Analytics 4 – cross-domain conversion attribution

Attributes conversions across the various domains of the InPost group and synchronises data with Google Ads. The FPID cookie (First-Party ID) lets us measure conversions consistently even when third-party cookies are blocked. The FPLC cookie (First-Party Linker Cookie) keeps conversion measurement consistent across domains. These data feed into Google Ads campaign optimisation.

Cookie names: FPID, FPLC.

Purpose: Attributes conversions across InPost domains and feeds Google Ads campaign optimisation.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

Google Tag Manager – tag orchestration and conversion linking

Google Tag Manager (GTM) is the InPost tool used to manage analytical and marketing tags on InPost websites. Google – as the operator of the GTM service – processes HTTP request logs (IP address, user agent, timestamp) and the diagnostic data needed to operate the service. In a marketing context, GTM generates the _gcl_au cookie (Google Ads Conversion Linker), which links clicks on Google ads to conversions completed on the website. This makes it possible to attribute conversions correctly to campaigns and keywords and to optimise bids.

Tags managed via GTM are activated only after you have granted the relevant category of consent in the CMP. Disabling the _gcl_au cookie does not restrict access to content; it may, however, lead to incorrect conversion attribution in Google Ads reports.

Cookie names: _gcl_au, _gcl_ls.

Purpose: Manages analytical and marketing tags on InPost websites; links Google ad clicks to conversions.

Legal basis: For HTTP logs and operational diagnostics – Article 6(1)(f) GDPR (legitimate interest of Google in operating the service securely). For the _gcl_au cookie (conversion linking) – Article 6(1)(a) GDPR (consent).

Vendor role: For tag orchestration: data processor on InPost's behalf. For the operation of GTM itself (HTTP logs, diagnostics): Google Ireland Limited acts in its own right. For _gcl_au cookie data: Google Ireland Limited acts as an independent controller.

Vendor: InPost sp. z o.o. / Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework (DPF).

Further information: https://policies.google.com/privacy?hl=en

Google Advertising Products (Google Ads / DoubleClick, Google Marketing Platform)

Displays personalised InPost ads on the Google Display Network and in Google Search results, runs remarketing (re-engaging visitors who previously used InPost services), measures advertising performance and attributes conversions. Through Google Ads, InPost may also use Customer Match (matching pseudonymised contact data to Google users), look-alike targeting (reaching new users with a profile similar to existing InPost customers) and dynamic product ads (ads tailored to products or services you previously browsed).

Cookie names: IDE, _gcl_au, _gcl_ls, test_cookie.

Purpose: Personalised advertising in Google networks, remarketing, performance measurement and conversion attribution.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

Display & Video 360 (DV360) – programmatic media buying, remarketing, audience targeting, frequency capping and conversion attribution

Display & Video 360 is Google's demand-side platform (DSP) for programmatic media buying. InPost uses it to purchase and serve display, video, audio, Connected TV and Digital Out-of-Home advertising inventory through automated real-time bidding (RTB). The platform enables precise audience targeting, frequency capping, remarketing, cross-channel campaign measurement and conversion attribution via Floodlight tags. Within Google's programmatic ecosystem, advertising identifiers are synchronised with supply-side and demand-side partners (SSPs and DSPs).

Cookie name(s): IDE, DSID, FLC, AID, TAID, id (doubleclick.net), NID, _gcl_au.

Purpose: Programmatic purchase and delivery of InPost advertisements across display, video, audio, Connected TV and Digital Out-of-Home inventory; audience targeting; frequency capping; remarketing; cross-channel measurement and conversion attribution via Floodlight tags; identifier synchronisation with advertising partners (DSPs/SSPs) within the Google programmatic ecosystem.

Legal basis: Article 6(1)(a) UK GDPR (consent).

Vendor role: processor – processes data on behalf of InPost under the Google Ads Data Processing Terms; for certain functions Google acts as joint controller under the Google Controller-Controller Data Protection Terms.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside UK/EEA: USA – International Data Transfer Agreement (IDTA) approved by the UK ICO and/or Standard Contractual Clauses (SCCs) approved by the European Commission, together with the EU–US Data Privacy Framework (DPF).

Further information: https://policies.google.com/privacy?hl=en

Campaign Manager 360 (CM360) – ad serving and centralised conversion measurement (Floodlight)

Campaign Manager 360 is the ad server within Google Marketing Platform. It handles the delivery of InPost advertising creatives across channels, centralised conversion measurement via Floodlight tags, multi-touch attribution, ad delivery verification, and campaign performance reporting – covering both activity run through Google Marketing Platform and inventory purchased from third-party media owners.

Cookie name(s): id (doubleclick.net), IDE, Floodlight cookies (domain .fls.doubleclick.net), test_cookie.

Purpose: Delivery of InPost advertising creatives (ad serving), centralised conversion measurement via Floodlight tags, cross-channel attribution, ad delivery verification, and campaign performance reporting across Google Marketing Platform and third-party media buys.

Legal basis: Article 6(1)(a) UK GDPR (consent).

Vendor role: Processor – processes data on behalf of InPost under the Google Ads Data Processing Terms.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside UK/EEA: USA – International Data Transfer Agreement (IDTA) approved by the UK ICO and/or Standard Contractual Clauses (SCCs) approved by the European Commission, together with the EU–US Data Privacy Framework (DPF).

Further information: https://policies.google.com/privacy?hl=en

Search Ads 360 (SA360) – cross-engine paid search campaign management

Search Ads 360 is Google's platform for managing paid search campaigns across multiple search engines from a single interface. InPost uses it to plan, run and optimise campaigns on Google, Microsoft Bing and Yahoo simultaneously. The platform automates bid management, attributes search conversions to the correct queries and keywords, and produces unified performance reports across all engines.

Cookie name(s): _gcl_aw, _gcl_dc, _gcl_au, _gac_*, IDE.

Purpose: Management and optimisation of InPost paid search campaigns across multiple search engines (Google, Microsoft Bing, Yahoo), automated bid management, attribution of search conversions, and cross-engine performance reporting.

Legal basis: Article 6(1)(a) UK GDPR (consent).

Vendor role: Processor – processes data on behalf of InPost under the Google Ads Data Processing Terms.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside UK/EEA: USA – International Data Transfer Agreement (IDTA) approved by the UK ICO and/or Standard Contractual Clauses (SCCs) approved by the European Commission, together with the EU–US Data Privacy Framework (DPF).

Further information: https://policies.google.com/privacy?hl=en

Meta Pixel – Facebook and Instagram advertising

Displays InPost ads to users on Facebook and Instagram based on their activity on InPost services, measures advertising performance and creates lookalike audience segments.

Cookie names: _fbp, _fbc, lastExternalReferrer, lastExternalReferrerTime, topicsLastReferenceTime.

Purpose: Targets InPost ads to Facebook and Instagram users, measures performance and builds lookalike audiences.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: joint controller – InPost and Meta Platforms Ireland Limited jointly determine the purposes and means of processing in respect of Page Insights statistics. See section C5 (Social Media Platforms) for further information.

Vendor: Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.facebook.com/about/privacy/update and https://www.facebook.com/legal/terms/page_controller_addendum.

TikTok Pixel – TikTok advertising

Displays InPost ads to users on TikTok based on their activity on InPost services, measures TikTok Ads performance and creates lookalike audience segments.

Cookie names: _ttp, tt_enable_cookie, ttcsid, ttcsid_*, tt_sessionId, tt_appInfo.

Purpose: Targets InPost ads to TikTok users, measures TikTok Ads performance and builds lookalike audiences.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: joint controller – InPost and TikTok Technology Limited jointly determine the purposes and means of processing in respect of data collected by the Pixel. See section C5 (Social Media Platforms) for further information.

Vendor: TikTok Technology Limited, 2 Cardiff Lane Grand Canal Dock, Dublin 2, D02 E395, Ireland.

Transfer outside EEA: China and USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.tiktok.com/legal/page/eea/privacy-policy/en

LinkedIn Insight Tag – B2B advertising

Targets InPost ads to LinkedIn users by job title, industry and company (B2B), measures LinkedIn Ads performance and attributes advertising conversions.

Cookie names: bcookie, li_gc, lidc, li_fat_id.

Purpose: B2B targeting and conversion measurement on LinkedIn.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.

Vendor: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.linkedin.com/legal/privacy-policy

Microsoft Advertising / Bing UET – marketing

Remarketing and targeting of InPost ads in the Microsoft Advertising network (Bing, MSN), measurement of Bing Ads performance, conversion attribution, and building of remarketing and lookalike segments.

Cookie names: MUID, _uetsid, _uetvid, _uetsid_exp, _uetvid_exp.

Purpose: Remarketing and targeting in Microsoft's advertising network and measurement of Bing Ads campaigns.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.

Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://privacy.microsoft.com/en-gb/privacystatement

Adform DSP – programmatic advertising network

Displays personalised InPost ads in the Adform programmatic network, runs remarketing, limits how often the same ad is shown (frequency capping) and measures campaign performance. Synchronises advertising identifiers with partners (DSP/SSP) within the programmatic ecosystem.

Cookie names: uid, C, CM, CM14, DID, idt, cache0, permanent, cm_uid.

Purpose: Personalised programmatic advertising, remarketing, frequency capping and campaign measurement.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, following its own privacy policy.

Vendor: Adform A/S, Silkegade 3B, 1113 Copenhagen, Denmark.

Transfer outside EEA: EEA (Denmark) – no additional safeguards required.

Further information: https://site.adform.com/privacy-center/platform-privacy/

Synerise – marketing personalisation and audience building

Builds a behavioural profile based on your activity (browsing history, clicks, interest in particular products and services, parcel locker preferences). Personalises marketing content on the website and in the mobile application. Sends personalised push notifications. Powers lifecycle marketing campaigns. Inside Synerise (a Customer Data Platform), InPost prepares pseudonymised audience lists which may then be transferred to advertising platforms (Google Ads, Meta, TikTok, LinkedIn) for targeting purposes – for details and the legal basis for that subsequent transfer, see section C6 below.

Profiling: Synerise generates user segments and behavioural scoring. Profiling does not result in decisions producing legal effects or similarly significant effects on you (Article 22 GDPR does not apply). You have the right to object to profiling-based processing.

Cookie names: _snrs_p, _snrs_uuid, _snrs_puuid, _snrs_sa, _snrs_sb, snr-wp-state, synerise-traffic-storage_*, _snrs_params.

Purpose: Builds behavioural profiles, personalises content and push notifications, powers lifecycle and remarketing campaigns.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland.

Transfer outside EEA: EEA (Poland) – no additional safeguards required at the level of Synerise itself.

Further information: https://synerise.com/legal/privacy-policy/

C2. Other vendors – advertising profiles and data synchronisation

The vendors listed below participate in the programmatic advertising ecosystem (Real-Time Bidding). This may involve sharing a pseudonymised user identifier (such as a cookie ID) with multiple parties during an advertising auction. Each of them processes such data as an independent controller, in accordance with its own privacy policy.

Adobe Experience Cloud / Audience Manager

Builds a user advertising profile using Adobe Audience Manager (DMP), creates audience segments, synchronises profiles with advertising platforms (DSP/SSP) and creates lookalike groups.

Cookie names: demdex, dpm.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.adobe.com/privacy/experience-cloud.html

ADITION / Active Agent

Synchronises advertising profiles with the Active Agent DSP platform (Virtual Minds), limits how often the same ad is shown (frequency capping) and runs cross-device tracking inside the Active Agent network.

Cookie names: ct_uid, ct_did, ct_idt, UserID1, block_reset, cookie_ver, cm_uid.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: Virtual Minds GmbH, Osterbekstr. 90b, 22083 Hamburg, Germany.

Transfer outside EEA: EEA (Germany) – no additional safeguards required.

Further information: https://adsafety.net/privacy

Eyeota

Targets InPost ads using demographic segments (predicted age, gender, interests) supplied by the Eyeota Data Marketplace. Operates on pseudonymised identifiers.

Cookie name: SERVERID (eyeota.net).

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: Eyeota Pte. Ltd., 1 Raffles Place, #21-61 One Raffles Place Tower 2, Singapore 048616.

Transfer outside EEA: Singapore – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.eyeota.com/privacy-policy

Nielsen / eXelate

Enriches a user's advertising profile with Nielsen demographic segments (age, gender, income, interests) for targeting InPost ads.

Cookie names: EE, ud (exelate.com).

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: Nielsen Marketing Cloud, 85 Broad Street, New York, NY 10004, USA.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.nielsen.com/us/en/legal/privacy-statement/

ID5 Technology

Creates a pseudonymised advertising identity that works independently of third-party cookies (cookie-less identity), so that ads can still be targeted even when third-party cookies are blocked at browser level.

Cookie names: id5-sync.com (pixel sync), cf, car, gdpr, gpp, cip, cnac.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: ID5 Technology Ltd, 6 rue de la Paix, 75002 Paris, France.

Transfer outside EEA: EEA (France) – no additional safeguards required.

Further information: https://id5.io/privacy/

LiveRamp

Pseudonymously links user data across advertising partners without disclosing personal data (LiveRamp IdentityLink). Used to target InPost ads inside the LiveRamp and The Trade Desk networks.

Cookie names: pxrc, rlas3.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: LiveRamp Netherlands B.V., Singel 250, 1016 AB Amsterdam, the Netherlands.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://liveramp.com/privacy/

OnAudience

Segments users and enriches advertising profiles through a Polish Data Management Platform. Synchronises identifiers with advertising partners (AppNexus, Yahoo, Bidberry).

Cookie names: cookie (onaudience.com), done_redirects# (onaudience.com).

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: Cloud Technologies S.A., ul. Złota 61, 00-819 Warsaw, Poland.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://www.onaudience.com/privacy-policy

Semasio

Targets InPost ads using a semantic method – matching ads to the content you browse and to your interest profile, without relying on personal data.

Cookie name: SEUNCY (semasio.net).

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: Semasio GmbH, Burchardstrasse 24, 20095 Hamburg, Germany.

Transfer outside EEA: EEA (Germany) – no additional safeguards required.

Further information: https://semasio.com/privacy-policy/

Weborama

Targets InPost ads using Weborama's behavioural and demographic segments – a European advertising data management platform.

Cookie name: AFFICHE_W (weborama.fr).

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: Weborama SA, 14 rue Crespin du Gast, 75011 Paris, France.

Transfer outside EEA: EEA (France) – no additional safeguards required.

Further information: https://weborama.com/politique-de-confidentialite-des-services-weborama/

Zeotap

Builds a unified advertising profile by combining data from several sources (online, offline, CRM) without relying on third-party cookies (Zeotap ID+).

Cookie names: zc, zc1, zsc (zeotap.com).

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: Zeotap GmbH, Unter den Linden 32-34, 10117 Berlin, Germany.

Transfer outside EEA: EEA (Germany) – no additional safeguards required.

Further information: https://zeotap.com/privacy-policy/

Roku Advertising Services

Cross-screen targeting of InPost ads on Roku TVs and streaming platforms (TV + web + mobile). Synchronises the advertising profile with the Roku ecosystem.

Cookie names: matchadform, wfivefivec (w55c.net).

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller.

Vendor: Roku, Inc., 1155 Coleman Ave, San Jose, CA 95110, USA.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://docs.w55c.net/privacy.html

C3. SSP platforms and identifier synchronisation in the programmatic ecosystem

The entities listed below operate as Supply-Side Platforms (SSPs) or advertising identifier synchronisation services in the Real-Time Bidding ecosystem. Their files and pixels are loaded via InPost services as part of campaigns run through Adform DSP. Each of them is an independent data controller.

AudienceProject (Aarhus, Denmark; EEA – DK): https://audienceproject.com/privacy/

Audiencerate (London, United Kingdom; UK – SCCs): https://audiencerate.com/privacy-policy/

BIDSWITCH / IPONWEB (London, United Kingdom; UK – SCCs): https://www.bidswitch.com/privacy-policy/

Equativ / SmartAdServer (Paris, France; EEA – FR): https://equativ.com/privacy-policy/

FreeWheel / NBCUniversal (New York, USA; USA – SCCs): https://www.nbcuniversal.com/privacy

Improve Digital / 360yield (Amsterdam, the Netherlands; EEA – NL): https://www.improvedigital.com/platform-privacy-policy/

Index Exchange (Toronto, Canada; Canada – EC adequacy decision): https://www.indexexchange.com/privacy/

OpenX (Monrovia, USA; USA – SCCs): https://www.openx.com/legal/privacy-policy/

Teads (Montpellier, France; EEA – FR): https://www.teads.com/privacy-policy/

The Trade Desk (Ventura, USA; USA – SCCs): https://www.thetradedesk.com/general/privacy-policy

TripleLift (New York, USA; USA – SCCs): https://triplelift.com/privacy/

C4. Tools used in InPost mobile applications

Google Firebase – necessary services and security

Ensures the technical operation of the InPost mobile application, including SDK instance management and service-integrity monitoring. Verifies that interactions inside the application come from a human user and not an automated script, protecting the application and its users against fraud, abuse and automated attacks. Without these functions the application cannot operate correctly and securely.

Cookie names: rc::a, rc::c, firebase-heartbeat-database, firebase-installations-database.

Purpose: Operates the mobile app and protects it against fraud and automated abuse.

Legal basis: Article 6(1)(f) GDPR (legitimate interest in ensuring the technical operation and security of the application and protecting users against fraudulent activity).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://firebase.google.com/support/privacy

Synerise – mobile application

Builds a behavioural profile of the application user, personalises marketing communications and runs push and re-engagement campaigns inside the InPost mobile application.

Cookie names: _snrs_p, _snrs_uuid, _snrs_puuid, _snrs_sa, _snrs_sb, snr-wp-state, synerise-traffic-storage_*.

Purpose: Behavioural profiling, content personalisation, push and re-engagement campaigns inside the mobile app.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on InPost's behalf and following its instructions.

Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland.

Transfer outside EEA: EEA (Poland) – no additional safeguards required.

Further information: https://synerise.com/legal/privacy-policy/

C5. Social media platforms

Our websites and mobile applications contain links to our profiles on social media platforms, displayed as buttons bearing the icons of those services. By clicking on a given icon you are redirected to our profile – your information is transferred to the relevant platform only at the moment of that click. From that point onwards, we have no control over the scope of personal data collected by the platform in question.

We maintain profiles on the following platforms: Facebook (Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA); YouTube (YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA); LinkedIn (LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA); X – formerly Twitter (X Corporation, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA); Instagram (Instagram LLC, 1601 Willow Rd., Menlo Park, CA 94025, USA); TikTok (TikTok Technology Ltd., 2 Cardiff Lane Grand Canal Dock, Dublin, D02 E395, Ireland).

As a result of your use of our social media pages, we may process your personal data. Detailed information regarding the basis for such processing on Facebook, TikTok and YouTube can be found at: [link to be inserted].

C6. Transfers of first-party data to advertising platforms

In addition to the cookies and pixels described in sections C1–C5, InPost may transfer pseudonymised first-party data (hashed using the SHA-256 algorithm) to selected advertising platforms in order to: (i) target advertisements to specific groups of existing customers ("matched audiences" / "customer match"); (ii) build look-alike audience segments composed of users whose behaviour is similar to that of existing InPost customers ("look-alike audiences"); (iii) exclude existing customers from acquisition campaigns to avoid showing them irrelevant advertising; and (iv) improve the attribution of advertising conversions to specific clicks and ad interactions ("enhanced conversions").

The data transferred is limited to the minimum required for matching: typically a hashed e-mail address, optionally accompanied by a hashed telephone number. Hashing is performed before transmission. InPost does not transfer plain-text identifiers, parcel data, parcel locker history or the content of communications under these functionalities. The source data for matched audiences is taken primarily from the Synerise CDP (see card above), based on the consent recorded by the user.

Each advertising platform receiving data acts as an independent controller (or, where applicable, a joint controller within the meaning of Article 26 GDPR – see the cards for Meta Pixel and TikTok Pixel in section C1) and processes the data received in accordance with its own privacy policy and the terms of its data processing agreement with InPost.

You can withdraw consent for these data transfers at any time via the CMP (cookie banner – marketing category) or by contacting InPost using the contact details set out in the Privacy Policy. The right to object to processing based on legitimate interest applies and will be respected without the need to give reasons.

Google Customer Match and Enhanced Conversions (Google Ads)

Targets ads to existing InPost customers (Customer Match), builds look-alike audience segments, excludes existing customers from acquisition campaigns and attributes online conversions completed by users signed in to a Google account (Enhanced Conversions). Ads may be displayed on Google's own properties (Google Search, YouTube, Gmail, Discover) and on the Google Display Network (third-party websites and apps using Google's ad-serving technology). InPost may target ads using Google demographic, geographic and interest segments derived from Google's third-party data.

Data transferred: Hashed e-mail address (SHA-256), optionally hashed telephone number. Hashing performed client-side or by the Synerise CDP before transmission.

Legal basis: Article 6(1)(a) GDPR (consent), granted via the CMP for the marketing category.

Vendor role: Independent controller – Google Ireland Limited determines the means and purposes of processing in connection with matching, profiling and ad delivery within the Google ecosystem.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Transfer outside EEA: USA (Google LLC) – EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).

Further information: https://policies.google.com/privacy?hl=en

Meta Custom Audience and Lookalike Audience (Facebook / Instagram)

Targets ads to existing InPost customers on Facebook and Instagram (Custom Audience), builds look-alike audiences composed of users whose behaviour resembles that of existing InPost customers (Lookalike Audience), and excludes existing customers from acquisition campaigns. A minimum audience size enforced by Meta prevents the re-identification of any single user.

Data transferred: Hashed e-mail address (SHA-256), optionally hashed telephone number.

Legal basis: Article 6(1)(a) GDPR (consent), granted via the CMP for the marketing category.

Vendor role: for Custom Audience based on customer lists, data processor under Meta's Custom Audience Terms. For Lookalike Audience – independent controller, since Meta uses its own user data to build the look-alike segment.

Vendor: Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland.

Transfer outside EEA: USA (Meta Platforms Inc.) – Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework (DPF).

Further information: https://www.facebook.com/about/privacy/update and https://www.facebook.com/legal/terms/customaudience.

TikTok Custom Audience and Lookalike Audience

Targets ads to existing InPost customers on the TikTok platform, builds look-alike audiences and measures conversions.

Data transferred: Hashed e-mail address (SHA-256), optionally hashed telephone number or hashed mobile advertising identifier (MAID).

Legal basis: Article 6(1)(a) GDPR (consent), granted via the CMP for the marketing category.

Vendor role: Joint controller – InPost and TikTok Technology Limited jointly determine the purposes and means of processing in respect of data collected by the Pixel and matched audiences.

Vendor: TikTok Technology Limited, 2 Cardiff Lane Grand Canal Dock, Dublin 2, D02 E395, Ireland.

Transfer outside EEA: USA and potentially China – Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards. InPost has assessed the transfer risk and applies enhanced contractual and technical measures (data minimisation and hashing).

Further information: https://www.tiktok.com/legal/page/eea/privacy-policy/en

C7. Other tools used in InPost's marketing ecosystem (no cookies on InPost websites)

For the sake of complete transparency, InPost informs you that the following tools form part of its marketing measurement ecosystem but do not use cookies, pixels or similar technologies on InPost websites. They are listed here for information purposes; they do not require cookie consent.

Adverity – aggregation and analytics of marketing data

Adverity aggregates anonymised statistical performance data from advertising platforms on which InPost runs campaigns (Meta, TikTok, Microsoft Bing, Google Ads, LinkedIn and similar). This allows InPost to measure the overall reach and effectiveness of its campaigns (such as the number of impressions and click-through rates).

Data scope: aggregated, anonymised statistical data only (e.g. "how many users saw or clicked on a given campaign"). Adverity does NOT receive any data about InPost users, parcels, user identifiers (user_id), telephone numbers or e-mail addresses. Because no personal data of website users is processed by Adverity in this configuration, no GDPR legal basis specific to Adverity applies. The legal bases relevant to the underlying advertising platforms remain as set out in sections C1–C6.

Vendor: Adverity GmbH, Vienna, Austria.

Transfer outside EEA: EEA (Austria) – no additional safeguards required.

Further information: https://www.adverity.com/privacy-policy

Adjust – mobile application attribution

Adjust acts as a measurement layer between mobile advertising platforms (Google Ads, Meta/Facebook, TikTok Ads) and the InPost mobile application. The Adjust SDK is embedded in the InPost mobile application and records events (such as install, login, purchase) which are then attributed to specific advertising campaigns and channels. Detailed information on processing inside the InPost mobile application is set out in section C4.

Data scope: in-app event data and pseudonymised mobile advertising identifiers; no website cookies are involved. Legal basis: in the mobile application, Article 6(1)(a) GDPR (consent) collected via the in-app consent mechanism for marketing purposes.

Vendor: Adjust GmbH (acquired by AppLovin), Berlin, Germany.

Transfer outside EEA: Possible transfer to USA – Standard Contractual Clauses (SCCs).

Further information: https://www.adjust.com/privacy-policy/

How to withdraw consent or exercise your rights

You can withdraw your consent or change your cookie preferences at any time. There are several ways to do this.

On the InPost website, click the "Cookie settings" link at the bottom of every page. This opens the CMP (Didomi or, on selected services, OneTrust) and lets you grant or refuse consent on a per-purpose and per-vendor basis.

In the InPost mobile application, open the privacy settings menu.

Directly in your web browser, you can delete or block cookies. Note that this may also disable cookies necessary for InPost services to work properly.

You can also use external opt-out tools provided by industry associations, such as www.youronlinechoices.com (European Interactive Digital Advertising Alliance).

Finally, you can contact InPost directly using the contact details set out in the Privacy Policy.

Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. Where processing is based on legitimate interest (Article 6(1)(f) GDPR), you may at any time object to such processing on grounds relating to your particular situation; for direct marketing purposes (including profiling for direct marketing), the right to object applies absolutely and does not require justification.

Annex A3 – Tools and Technologies Used in Italy

Controller: Locker InPost Italia s.r.l., Viale Cassala numero 30, 20143, Milan, Italy.

Cookie inventory

resi.inpost.it

OptanonAlertBoxClosed

Cookie ID: d725c871-74d5-4ed7-b1bd-15937623488e

Source: SCAN

Duration: PERSISTENT

Hostname: resi.inpost.it

Category: Strictly necessary and functional cookies

Description: This cookie is set by websites that use certain versions of the OneTrust cookie compliance solution. It is set after visitors have seen a cookie information notice and, in some cases, only when they actively close the notice. It prevents the website from showing the message to the user more than once. The cookie lasts for one year and contains no personal information.

_ga_xxxxxxxxxx

Cookie ID: a5934e73-2ac7-493e-a6e5-3ba2d016e70d

Source: SCAN

Duration: PERSISTENT

Hostname: inpost.it

Category: Performance cookies

OptanonConsent

Cookie ID: 9bf35347-9af1-4579-b7ee-5226d3d7fb9a

Source: SCAN

Duration: PERSISTENT

Hostname: resi.inpost.it

Category: Strictly necessary and functional cookies

Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.

_ga

Cookie ID: 92ae3a3d-9c87-43d0-8768-767fbad0c39f

Source: SCAN

Duration: PERSISTENT (730 days)

Hostname: inpost.it

Category: Performance cookies

Description: This cookie is associated with Google Universal Analytics, a significant upgrade to Google's most widely used analytics service. It is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in every page request on the site and used to calculate visitor, session and campaign data in site analytics reports. By default it expires after two years, although this is customisable by site owners.

_ga

Cookie ID: d8d39cd2-7c84-4c08-87d8-f77923b7acaf

Source: MANUAL

Duration: PERSISTENT (730 days)

Hostname: resi.inpost.it

Category: Performance cookies

Description: This cookie is associated with Google Universal Analytics, a significant upgrade to Google's most widely used analytics service. It is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in every page request on the site and used to calculate visitor, session and campaign data in site analytics reports. By default it expires after two years, although this is customisable by site owners.

inpost.it

__cf_bm

Cookie ID: 73a7a6d0-ea0f-4f03-91d4-0648aa727ba0

Source: SCAN

Duration: PERSISTENT

Hostname: pipedriveassets.com

Category: Strictly necessary and functional cookies

Description: The __cf_bm cookie is necessary to support Cloudflare's Bot Management service, currently in private beta. As part of our bot management service, this cookie helps to manage incoming traffic that matches criteria associated with bots. This is a CloudFoundry cookie.

_fbp

Cookie ID: af6f7860-d89c-4a4b-a845-0cd61b822632

Source: SCAN

Duration: PERSISTENT (89 days)

Hostname: inpost.it

Category: Advertising cookies

Description: Used by Facebook to deliver a range of advertising products, including real-time bidding from third-party advertisers.

IDE

Cookie ID: daca17be-fe12-4c89-bf24-0dda8d037366

Source: SCAN

Duration: PERSISTENT (389 days)

Hostname: doubleclick.net

Category: Advertising cookies

Description: This domain is owned by Doubleclick (Google). Its main activity is: Doubleclick is Google's real-time advertising exchange platform.

OptanonAlertBoxClosed

Cookie ID: d725c871-74d5-4ed7-b1bd-15937623488e

Source: SCAN

Duration: PERSISTENT (364 days)

Hostname: resi.inpost.it

Category: Strictly necessary and functional cookies

Description: This cookie is set by websites that use certain versions of the OneTrust cookie compliance solution. It is set after visitors have seen a cookie information notice and, in some cases, only when they actively close the notice. It prevents the website from showing the message to the user more than once. The cookie lasts for one year and contains no personal information.

OptanonAlertBoxClosed

Cookie ID: 375f9686-a960-4375-81d5-43d0f5891a5d

Source: SCAN

Duration: PERSISTENT (364 days)

Hostname: inpost.it

Category: Strictly necessary and functional cookies

Description: This cookie is set by websites that use certain versions of the OneTrust cookie compliance solution. It is set after visitors have seen a cookie information notice and, in some cases, only when they actively close the notice. It prevents the website from showing the message to the user more than once. The cookie lasts for one year and contains no personal information.

__cf_bm

Cookie ID: 3f8f5f3a-6711-4e7c-8894-3ad4a8ac83b6

Source: SCAN

Duration: PERSISTENT

Hostname: hubspot.com

Category: Advertising cookies

Description: The __cf_bm cookie is necessary to support Cloudflare's Bot Management service, currently in private beta. As part of our bot management service, this cookie helps to manage incoming traffic that matches criteria associated with bots. This is a CloudFoundry cookie.

_ga_xxxxxxxxxx

Cookie ID: a5934e73-2ac7-493e-a6e5-3ba2d016e70d

Source: SCAN

Duration: PERSISTENT (729 days)

Hostname: inpost.it

Category: Performance cookies

YSC

Cookie ID: 31b27ab1-fb46-4aa3-92fb-4914d1c42ba1

Source: SCAN

Duration: SESSION

Hostname: youtube.com

Category: Performance cookies

Description: YouTube is a platform owned by Google for hosting and sharing videos. YouTube collects user data through videos embedded in websites; this data is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a wide range of Google's own and third-party sites.

OptanonConsent

Cookie ID: 9bf35347-9af1-4579-b7ee-5226d3d7fb9a

Source: SCAN

Duration: PERSISTENT (364 days)

Hostname: resi.inpost.it

Category: Strictly necessary and functional cookies

Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.

OptanonConsent

Cookie ID: 28e3a4d2-823b-4dd6-ad23-8af83b08130c

Source: SCAN

Duration: PERSISTENT (364 days)

Hostname: inpost.it

Category: Strictly necessary and functional cookies

Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.

OptanonConsent

Cookie ID: fa92f2b2-6312-4c4c-9610-bc4466749dc3

Source: SCAN

Duration: PERSISTENT (364 days)

Hostname: resi.inpost.it

Category: Strictly necessary and functional cookies

Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.

OptanonConsent

Cookie ID: dd8a61fb-fcec-4a62-9d42-d70100ead713

Source: SCAN

Duration: PERSISTENT (364 days)

Hostname: inpost.it

Category: Strictly necessary and functional cookies

Description: This cookie is set by the OneTrust cookie compliance solution. It stores information about the categories of cookies used on the site and whether visitors have given or withdrawn consent for the use of each category. This allows site owners to prevent cookies in each category from being set in the user's browser where consent has not been given. The cookie normally lasts for one year so that returning visitors find their preferences remembered. It contains no information that could identify the site visitor.

_ga

Cookie ID: 92ae3a3d-9c87-43d0-8768-767fbad0c39f

Source: SCAN

Duration: PERSISTENT (729 days)

Hostname: inpost.it

Category: Performance cookies

Description: This cookie is associated with Google Universal Analytics, a significant upgrade to Google's most widely used analytics service. It is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in every page request on the site and used to calculate visitor, session and campaign data in site analytics reports. By default it expires after two years, although this is customisable by site owners.

_ga

Cookie ID: fbb76678-1ffa-4fe0-ba66-85d5df417e1a

Source: SCAN

Duration: PERSISTENT (729 days)

Hostname: inpost.it

Category: Performance cookies

Description: This cookie is associated with Google Universal Analytics, a significant upgrade to Google's most widely used analytics service. It is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in every page request on the site and used to calculate visitor, session and campaign data in site analytics reports. By default it expires after two years, although this is customisable by site owners.

_cfuvid

Cookie ID: cbf707c7-9c3e-4019-bed3-7db7eb32b471

Source: SCAN

Duration: SESSION

Hostname: hubspot.com

Category: Advertising cookies

_cfuvid

Cookie ID: 5ce059b5-350d-46b7-9fa6-4883f63d5307

Source: SCAN

Duration: SESSION

Hostname: hubspot.com

Category: Advertising cookies

Description: This domain is owned by HubSpot. The company provides a range of technologies and services for online marketing and sales.

(unnamed)

Cookie ID: 610cf45f-7ad0-49e8-b436-7e40769d7d32

Source: SCAN

Duration: SESSION

Hostname: www.facebook.com

Category: Advertising cookies

Description: This domain is owned by Facebook, the world's largest social networking service. As a third-party hosting provider, it primarily collects data on users' interests through widgets such as the 'Like' button found on many websites. This data is used to serve targeted advertising to its own users when they are logged into its services. Since 2014 it has also delivered targeted behavioural advertising on third-party sites, similarly to most dedicated online marketing companies.

(unnamed)

Cookie ID: c6e5d2dc-cb4f-4824-aefe-14ffdfabe3b2

Source: SCAN

Duration: SESSION

Hostname: www.facebook.com

Category: Advertising cookies

Description: This domain is owned by Facebook, the world's largest social networking service. As a third-party hosting provider, it primarily collects data on users' interests through widgets such as the 'Like' button found on many websites. This data is used to serve targeted advertising to its own users when they are logged into its services. Since 2014 it has also delivered targeted behavioural advertising on third-party sites, similarly to most dedicated online marketing companies.

f5avraaaaaaaaaaaaaaaa_session_

Cookie ID: ba6486e9-1e4d-4edf-8821-8beef071adc0

Source: SCAN

Duration: SESSION

Hostname: geowidget.easypack24.net

Category: Strictly necessary and functional cookies

Description: This cookie is associated with the F5 BIG-IP product suite and is an integral part of load balancing. It is used to store the user's session in order to identify it within the application's traffic.

f5avraaaaaaaaaaaaaaaa_session_

Cookie ID: 52071743-a179-458a-8aba-a4241aff8137

Source: SCAN

Duration: SESSION

Hostname: geowidget.easypack24.net

Category: Strictly necessary and functional cookies

Description: This cookie is associated with the F5 BIG-IP product suite and is an integral part of load balancing. It is used to store the user's session in order to identify it within the application's traffic.

_dd_s

Cookie ID: 0d2ba18f-db01-4168-8664-950918211473

Source: SCAN

Duration: PERSISTENT

Hostname: inpost.it

Category: Performance cookies

_dd_s

Cookie ID: 60bbf704-d8c6-41a4-9580-f7b6e3800237

Source: SCAN

Duration: PERSISTENT

Hostname: inpost.it

Category: Performance cookies

test_cookie

Cookie ID: e6098c6d-1b04-4269-821a-97d44d97fe6f

Source: SCAN

Duration: PERSISTENT

Hostname: doubleclick.net

Category: Advertising cookies

Description: This domain is owned by Doubleclick (Google). Its main activity is: Doubleclick is Google's real-time advertising exchange platform.

test_cookie

Cookie ID: 62a18356-b872-4427-a97e-8e68689495cc

Source: SCAN

Duration: PERSISTENT

Hostname: doubleclick.net

Category: Advertising cookies

Description: This domain is owned by Doubleclick (Google). Its main activity is: Doubleclick is Google's real-time advertising exchange platform.

CONSENT

Cookie ID: 6e1ccb19-7467-4404-9a7c-b34523c0ae45

Source: SCAN

Duration: PERSISTENT (6,105 days)

Hostname: youtube.com

Category: Performance cookies

Description: This cookie collects information on how the end user uses the website and on any advertising the end user may have seen prior to visiting the site.

CONSENT

Cookie ID: cd7cd423-f856-40d2-b55d-729bdc696ea5

Source: SCAN

Duration: PERSISTENT (6,105 days)

Hostname: youtube.com

Category: Performance cookies

Description: YouTube is a platform owned by Google for hosting and sharing videos. YouTube collects user data through videos embedded in websites; this data is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a wide range of Google's own and third-party sites.

__cf_bm

Cookie ID: 9d2a3c84-5adf-4176-9558-b58d6662b7e8

Source: SCAN

Duration: PERSISTENT

Hostname: pipedrive.com

Category: Strictly necessary and functional cookies

Description: The __cf_bm cookie is necessary to support Cloudflare's Bot Management service, currently in private beta. As part of our bot management service, this cookie helps to manage incoming traffic that matches criteria associated with bots. This is a CloudFoundry cookie.

__cf_bm

Cookie ID: 02005092-6c93-4629-9017-aeb09e411e5c

Source: SCAN

Duration: PERSISTENT

Hostname: pipedriveassets.com

Category: Strictly necessary and functional cookies

Description: This is a CloudFoundry cookie.

__cf_bm

Cookie ID: 029eabc5-5242-4c74-8606-18a3c8342dad

Source: SCAN

Duration: PERSISTENT

Hostname: hubspot.com

Category: Advertising cookies

Description: This is a CloudFoundry cookie.

__cf_bm

Cookie ID: aa6d8e37-f3e6-445a-966d-da98376b81e1

Source: SCAN

Duration: PERSISTENT

Hostname: pipedrive.com

Category: Strictly necessary and functional cookies

Description: This is a CloudFoundry cookie.

dd_cookie_test_

Cookie ID: 93c99e1c-acb5-4c4d-826d-cf30b78bd4a9

Source: SCAN

Duration: PERSISTENT

Hostname: inpost.it

Category: Strictly necessary and functional cookies

Description: dd_cookie_test

dd_cookie_test_

Cookie ID: 4b77f01a-c27f-4833-87ea-cb742be4350c

Source: SCAN

Duration: PERSISTENT

Hostname: inpost.it

Category: Strictly necessary and functional cookies

Description: dd_cookie_test

IDE

Cookie ID: 0941d8f2-2f90-407d-87f7-3ac1b3acbb49

Source: SCAN

Duration: PERSISTENT (389 days)

Hostname: doubleclick.net

Category: Advertising cookies

Description: This domain is owned by Doubleclick (Google). Its main activity is: Doubleclick is Google's real-time advertising exchange platform.

VISITOR_INFO1_LIVE

Cookie ID: 14404251-5d43-42f1-9dda-d80002135de4

Source: SCAN

Duration: PERSISTENT

Hostname: youtube.com

Category: Performance cookies

Description: This cookie is used as a unique identifier to track the viewing of videos.

VISITOR_INFO1_LIVE

Cookie ID: 19e4bbd9-6624-409a-bdff-9abfe086f166

Source: SCAN

Duration: PERSISTENT (180 days)

Hostname: youtube.com

Category: Performance cookies

Description: This cookie is used as a unique identifier to track the viewing of videos.

VISITOR_PRIVACY_METADATA

Cookie ID: bb47c22d-804a-4e8b-9974-f4439e5572e9

Source: SCAN

Duration: PERSISTENT (179 days)

Hostname: youtube.com

Category: Advertising cookies

VISITOR_PRIVACY_METADATA

Cookie ID: cbabd688-32a7-4181-858f-08f605713187

Source: SCAN

Duration: PERSISTENT (179 days)

Hostname: youtube.com

Category: Advertising cookies

Description: YouTube is a platform owned by Google for hosting and sharing videos. YouTube collects user data through videos embedded in websites; this data is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a wide range of Google's own and third-party sites.

_fbp

Cookie ID: 6abe391f-e09e-4218-840f-d6a435274cae

Source: SCAN

Duration: PERSISTENT (89 days)

Hostname: inpost.it

Category: Advertising cookies

Description: Used by Facebook to deliver a range of advertising products, including real-time bidding from third-party advertisers.

YSC

Cookie ID: 3f374013-b988-48ce-b02c-7480d60b29c9

Source: SCAN

Duration: SESSION

Hostname: youtube.com

Category: Performance cookies

Description: YouTube is a platform owned by Google for hosting and sharing videos. YouTube collects user data through videos embedded in websites; this data is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a wide range of Google's own and third-party sites.

Tools Used in Mobile Application

Google Firebase / Analytics for Firebase (in-app activity analysis, push notification personalisation, user segmentation, aggregated reporting)

Cookie name(s): rc::a, rc::c, firebase-heartbeat-database, firebase-installations-database

Purpose: Analyses the usage of InPost mobile applications (events, navigation paths, errors), creates user segments, and sends personalised push notifications.

Legal basis: Article 6(1)(a) GDPR (consent) / Article 6(1)(f) GDPR (to the extent necessary for the operation of the service).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://firebase.google.com/support/privacy

Synerise – mobile application (building behavioural profiles, push communication personalisation, lifecycle marketing)

Cookie name(s): _snrs_p, _snrs_uuid, _snrs_puuid, _snrs_sa, _snrs_sb, snr-wp-state, synerise-traffic-storage

Purpose: Builds a behavioural profile of the application user, personalises marketing communications, and runs push and re-engagement campaigns within the InPost mobile application.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland

Transfer outside EEA: EEA (PL) – no additional safeguards required.

Social media platforms

Our websites and mobile application contain links to our profiles on social media platforms, displayed as buttons bearing the icons of those services. By clicking on a given icon you will be redirected to our profile: your information is transferred to the relevant platform only at the moment of that click. From that point onwards, we have no control over the volume of personal data collected by the platform in question.

We maintain profiles on the following platforms:

• Facebook – Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA
• YouTube – YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA
• LinkedIn – LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA
• X (formerly Twitter) – X Corporation, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
• Instagram – Instagram LLC., 1601 Willow Rd., Menlo Park, CA 94025, USA
• TikTok – TikTok Technology Ltd., 2 Cardiff Lane Grand Canal Dock, Dublin, D02 E395, Ireland

As a result of your use of our social media pages, we may process your personal data. Detailed information on the legal basis for such processing is available at the following links:

• Facebook: [link to be inserted]

• TikTok: [link to be inserted]

• YouTube: [link to be inserted]

Annex A2 – Tools and Technologies Used in France

Annex A3 – Tools and Technologies Used in Italy

Annex A4 – Tools and Technologies Used in Spain

Annex A5 – Tools and Technologies Used in Portugal

Annex A6 – Tools and Technologies Used in the United Kingdom

Annex A7 – Tools and Technologies Used in Belgium

Annex A8 – Tools and Technologies Used in Luxembourg

Annex A9 – Tools and Technologies Used in the Netherlands

Annex A4 – Tools and Technologies Used in Spain

Controller: MONDIAL RELAY SASU SUCURSAL EN ESPAÑA, Camí de les Oliveres, 1, 08800 Vilanova i la Geltrú, Spain (hereinafter referred to as "InPost").

A. Necessary cookies

Necessary cookies are installed without the user's consent on the basis of Article 6(1)(f) GDPR (legitimate interest of the Controller – ensuring the smooth and secure operation of the services) or Article 6(1)(b) GDPR (performance of a contract / provision of a service).

OneTrust – user consent management (CMP)

Cookie name(s): OptanonConsent, OptanonAlertBoxClosed

Purpose: Stores the user's consent preferences for individual cookie categories. The OptanonAlertBoxClosed cookie records the date on which the banner was closed.

Legal basis: Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR.

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: OneTrust LLC, 1200 Abernathy Rd NE, Atlanta, GA 30328, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.onetrust.com/privacy-notice/

Cloudflare – bot protection, security verification, session rate management

Cookie name(s): __cf_bm, _cfuvid, cf_chl_rc_ni

Purpose: Distinguishes human traffic from automated traffic (bots and malicious traffic), supports website security and protects forms and endpoints against abuse.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – security).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.cloudflare.com/privacypolicy/

ASP.NET / website security tokens – session management, anti-forgery protection

Cookie name(s): ASP.NET_SessionId, __RequestVerificationToken, cookietest

Purpose: Maintains the user session, protects forms against unauthorised submissions and verifies browser support for cookies required for the correct operation of the website.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – secure and correct operation of the service).

Vendor role: First party – website technology used by InPost.

Vendor: MONDIAL RELAY SASU SUCURSAL EN ESPAÑA, Camí de les Oliveres, 1, 08800 Vilanova i la Geltrú, Spain

Transfer outside EEA: EEA – no additional safeguards required.

Further information: https://www.inpost.es/politica-de-cookies/

Technical / security support cookies – request validation and anti-bot support

Cookie name(s): csrftoken, datadome, JSESSIONID, eael_screen, dicbo_id, mr.returning.visitor

Purpose: Support security validation, bot mitigation, session continuity and technical operation of certain embedded services or site components.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – security and technical integrity of the service).

Vendor role: First party and service-provider cookies, depending on the specific tool.

Vendor: MONDIAL RELAY SASU SUCURSAL EN ESPAÑA and relevant service providers used on the website

Transfer outside EEA: EEA / third countries depending on the provider – appropriate safeguards apply where required.

Further information: https://www.inpost.es/politica-de-cookies/

B. Analytical cookies

Analytical cookies are processed on the basis of your consent (Article 6(1)(a) GDPR). You may decline them or withdraw your consent at any time via the cookie banner.

The use of analytical cookies does not involve automated decision-making within the meaning of Article 22 GDPR.

Google Analytics 4 – traffic measurement, navigation path analysis, user segmentation, traffic source identification, conversion tracking

Cookie name(s): _ga, _gid, _ga_*, _gat_gtag_*

Purpose: Counts visits and sessions, analyses traffic sources and navigation paths, identifies the most frequently visited pages, and segments users by behaviour. Data are used for aggregated analytics and service optimisation.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

Microsoft Bing UET / Microsoft Clarity – analytical (traffic source identification, time-on-site measurement, behaviour analysis)

Cookie name(s): MUID, CLID, ANONCHK, SRM_B, MR, _clck, _clsk

Purpose: Measures traffic from Microsoft services and supports behavioural analytics, session reconstruction and on-site performance insights used to improve website usability and conversion performance.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://privacy.microsoft.com/en-gb/privacystatement

Dynatrace – analytical (technical performance analysis, error and outage monitoring, navigation path analysis, time-on-site measurement)

Cookie name(s): dtCookie, dtPC, dtSa, rxVisitor, rxvt

Purpose: Real-time front-end performance monitoring (Real User Monitoring): detects errors and outages, measures page load times and server response times, and analyses user navigation paths and correlations.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.dynatrace.com/company/trust-center/privacy/

DataDog – error and outage monitoring, technical performance analysis

Cookie name(s): _dd_s, dd_cookie_test_*

Purpose: Detects technical errors, outages, and performance issues affecting InPost services. Data are used for monitoring and technical optimisation.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Datadog Inc., 620 8th Avenue, New York, NY 10018, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.datadoghq.com/legal/privacy/

CUX – navigation path analysis, time-on-site measurement, segmentation

Cookie name(s): _cux_e, _cux_e_ttl, _cux_n, _cux_n_ttl, _cux_u, _cux_v, _cux_v_ttl

Purpose: Analyses how users navigate the website (clicks, scrolling, navigation paths, form completion depth). Enables identification and resolution of usability issues (UX).

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: CUX Research Sp. z o.o., ul. Ruska 22, 50-079 Wrocław, Poland

Transfer outside EEA: EEA (PL) – no additional safeguards required.

Further information: https://cux.io/legal/privacy-policy/

Hotjar – click heatmaps, anonymous session recording, content engagement measurement

Cookie name(s): _hjAbsoluteSessionInProgress, _hjFirstSeen, _hjIncludedInSessionSample_*, _hjSession_*, _hjSessionUser_*, _hjTLDTest

Purpose: Records areas of clicking and scrolling on the website (heatmaps), measures engagement and supports UX optimisation.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.hotjar.com/legal/policies/privacy/

Synerise – analytical (traffic source identification, traffic measurement, segmentation)

Cookie name(s): _snrs_3d3d57f81449e8759f4b2da884091381, _snrs_4f8ae797f4d11c3734fee52b0d398d12, _snrs_params, _snrs_puuid, _snrs_sa, _snrs_sb, _snrs_uuid

Purpose: Measures website traffic, identifies traffic sources, segments users, and analyses navigation paths. Data are used to generate aggregated reports for the Controller.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland

Transfer outside EEA: EEA (PL) – no additional safeguards required.

Further information: https://synerise.com/legal/privacy-policy/

HubSpot – analytical / CRM support

Cookie name(s): __hstc, __hssc, __hssrc, hubspotutk

Purpose: Supports analytics and CRM-related attribution, helps measure website visits and distinguish sessions for marketing and lead-management purposes.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: HubSpot, Inc., 2nd Floor 30 North Wall Quay, Dublin 1, Ireland / Cambridge, Massachusetts, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://legal.hubspot.com/privacy-policy

CallPage – analytical (content engagement measurement, sales funnel analysis, geographic user location)

Cookie name(s): cp_*

Purpose: Measures the effectiveness of the callback widget: tracks page scroll depth and time spent on the page, analyses the effectiveness of conversion rules, and uses geolocation data to match display rules.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: CallPage sp. z o.o., ul. Rynek Główny 28/3, 31-010 Kraków, Poland

Transfer outside EEA: EEA (PL) – no additional safeguards required.

Further information: https://www.callpage.io/privacy-policy

Zowie – chatbot engagement measurement, conversation tree navigation path analysis

Cookie name(s): zowie-tracking-id

Purpose: Analyses user interactions with the chatbot and helps optimise support flows and the quality of automated conversations.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Zowie sp. z o.o., ul. Domaniewska 37, 02-672 Warsaw, Poland

Transfer outside EEA: EEA (PL) – no additional safeguards required.

Further information: https://zowie.ai/privacy-policy/

C. Marketing cookies

Marketing cookies are processed exclusively on the basis of your consent (Article 6(1)(a) GDPR). You may decline them or withdraw your consent at any time via the cookie banner.

C1. Advertising platforms – principal vendors

Google Analytics 4 – marketing (cross-domain conversion attribution, synchronisation with advertising platforms)

Cookie name(s): FPID, FPLC

Purpose: Attributes conversions across domains and synchronises data with advertising platforms to support optimisation and measurement.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

Google Tag Manager – advertising conversion attribution

Cookie name(s): _gcl_au, _gcl_aw, _gcl_gs, GCL_AW_P

Purpose: Supports attribution of ad clicks to conversions and the management of advertising-related tags on the website.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: First party – an InPost tool used to manage analytical and marketing tags; data may be transferred to Google Ireland Limited where applicable.

Vendor: MONDIAL RELAY SASU SUCURSAL EN ESPAÑA / Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

Google Ads / Google Marketing Platform / YouTube advertising – remarketing, conversion attribution, embedded video advertising support

Cookie name(s): IDE, test_cookie, CONSENT, VISITOR_INFO1_LIVE, VISITOR_PRIVACY_METADATA, YSC, __Secure-BUCKET, __Secure-ROLLOUT_TOKEN, __Secure-YEC, __Secure-YNID

Purpose: Displays personalised advertisements in Google and YouTube environments, supports remarketing, campaign performance measurement, embedded video interactions and conversion attribution.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: Google Ireland Limited / YouTube LLC, Gordon House, Barrow Street, Dublin 4, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

Meta Pixel – building advertising profiles, remarketing, interest-based targeting, advertising conversion attribution

Cookie name(s): _fbp, _fbc

Purpose: Displays InPost advertisements to users on Facebook and Instagram based on their activity on InPost services, measures advertising campaign performance, and creates lookalike audience segments.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Joint controller – InPost and Meta Platforms Ireland Limited jointly determine the purposes and means of processing in respect of data collected through the Pixel.

Vendor: Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.facebook.com/about/privacy/update

TikTok Pixel – behavioural advertising, remarketing, TikTok Ads campaign measurement

Cookie name(s): _ttp, _tt_enable_cookie, _tt_session, ttcsid, ttcsid_*

Purpose: Displays InPost advertisements to users on the TikTok platform based on their activity on InPost services, measures TikTok Ads campaign conversions, and creates lookalike audience segments.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Joint controller – InPost and TikTok Technology Limited jointly determine the purposes and means of processing in respect of data collected through the Pixel.

Vendor: TikTok Technology Limited, 2 Cardiff Lane Grand Canal Dock, Dublin 2, D02 E395, Ireland

Transfer outside EEA: China and USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.tiktok.com/legal/page/eea/privacy-policy/en

LinkedIn Insight Tag – building advertising profiles, creation of B2B remarketing segments, conversion attribution, advertising budget optimisation

Cookie name(s): bcookie, li_gc, lidc, li_sugr

Purpose: Targets InPost advertisements to LinkedIn users by company and profile-based characteristics, measures LinkedIn Ads campaign conversions, and attributes advertising conversions.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.linkedin.com/legal/privacy-policy

Microsoft Advertising / Bing UET – marketing (building advertising profiles, remarketing, conversion attribution, campaign performance measurement)

Cookie name(s): MUID, _uetsid, _uetvid

Purpose: Remarketing and targeting of InPost advertisements in the Microsoft Advertising network, campaign effectiveness measurement, and advertising conversion attribution.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://privacy.microsoft.com/en-gb/privacystatement

Pinterest – advertising and conversion tracking

Cookie name(s): _pin_unauth, _pinterest_ct_ua, ar_debug

Purpose: Supports advertising measurement, conversion tracking and audience building in the Pinterest ecosystem.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policy.pinterest.com/en/privacy-policy

C2. Other vendors – advertising profiles and data synchronisation

The vendors listed below participate in the programmatic advertising ecosystem (RTB – Real-Time Bidding). This may involve the sharing of a pseudonymised user identifier (e.g. a cookie ID) with multiple parties in the course of an advertising auction. Each of them processes such data as an independent controller, in accordance with their own privacy policy.

Taboola – native advertising, recommendation and tracking ecosystem

Cookie name(s): t_gid, t_pt_gid, taboola_session_id, datadome

Purpose: Supports native advertising, recommendation widgets, audience measurement and related campaign performance tracking.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility.

Vendor: Taboola, Inc., 16 Madison Square West, 7th Floor, New York, NY 10010, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.taboola.com/policies/privacy-policy

StackAdapt – programmatic advertising, identity resolution and campaign optimisation

Cookie name(s): sa-user-id, sa-user-id-v2, sa-user-id-v3, sa-user-id-v4

Purpose: Supports programmatic advertising, campaign optimisation and user recognition across programmatic environments.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility.

Vendor: StackAdapt, 700-111 Peter Street, Toronto, Ontario M5V 2H1, Canada

Transfer outside EEA: Canada / third countries – appropriate safeguards as required.

Further information: https://www.stackadapt.com/privacy-policy

TradeTracker – affiliate tracking and attribution

Cookie name(s): uf

Purpose: Supports affiliate attribution and commission measurement when users reach the website through affiliate referral links.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility.

Vendor: TradeTracker.com, De Ruijterkade 112, 1011 AB Amsterdam, the Netherlands

Transfer outside EEA: EEA (NL) – no additional safeguards required.

Further information: https://tradetracker.com/privacy-policy/

C3. SSP platforms and identifier synchronisation in the programmatic ecosystem

The vendors listed in section C2 (in particular Taboola and StackAdapt) may operate within the Real-Time Bidding (RTB) ecosystem and may involve identifier synchronisation between platforms. This process may include the sharing of pseudonymised identifiers (e.g. cookie IDs) with multiple participants in the course of programmatic advertising auctions. Each of these entities acts as an independent controller and processes such data in accordance with its own privacy policy.

C4. Tools used in mobile applications

InPost mobile applications may use SDK-based technologies (including analytics, attribution and engagement tools) that enable measurement of application performance, user behaviour and marketing effectiveness. These technologies may include tools supporting install attribution, push notifications, in-app analytics and user segmentation. Such processing is carried out on the basis of user consent where required, or on the basis of legitimate interest in the case of strictly necessary functionalities. Detailed information regarding mobile application technologies is provided within the mobile application environment and relevant privacy notices.

C5. Social media platforms

Our websites may contain links to our profiles on social media platforms, displayed as buttons bearing the icons of those services. By clicking on a given icon, you are redirected to our profile – your information is transferred to the relevant platform only at the moment of that click. From that point onwards, we have no control over the scope of personal data collected by the platform in question.

Each platform acts as an independent controller of personal data once the user is redirected to its services.

We maintain profiles on the following social media platforms:

1. Facebook – Meta Platforms Ireland Limited
2. YouTube – Google Ireland Limited
3. LinkedIn – LinkedIn Ireland Unlimited Company
4. Instagram – Meta Platforms Ireland Limited
5. TikTok – TikTok Technology Limited

As a result of your use of our social media pages, we may process your personal data. Detailed information regarding the basis for such processing can be found at the links below:

• Facebook: https://www.facebook.com/about/privacy/update

• TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en

• YouTube: https://policies.google.com/privacy?hl=en

Annex A5 – Tools and Technologies Used in Portugal

Controller: MONDIAL RELAY SUCURSAL EM PORTUGAL

A. Necessary cookies

Necessary cookies are installed without the user's consent on the basis of Article 6(1)(f) GDPR (legitimate interest of the Controller – ensuring the smooth and secure operation of the services) or Article 6(1)(b) GDPR (performance of a contract / provision of a service).

OneTrust – user consent management (CMP)

Cookie name(s): OptanonConsent, OptanonAlertBoxClosed

Purpose: Stores the user's consent preferences for individual cookie categories. The OptanonAlertBoxClosed cookie records the date on which the banner was closed.

Legal basis: Article 6(1)(c) GDPR (legal obligation – compliance with GDPR requirements) and Article 6(1)(f) GDPR.

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: OneTrust LLC, 1200 Abernathy Rd NE, Atlanta, GA 30328, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.onetrust.com/privacy-notice/

Cloudflare – bot protection, security verification, session rate management

Cookie name(s): __cf_bm, _cfuvid, cf_chl_rc_ni

Purpose: Distinguishes human traffic from automated traffic (bots and malicious traffic), supports website security and protects forms and endpoints against abuse.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – security).

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.cloudflare.com/privacypolicy/

ASP.NET / website security tokens – session management, anti-forgery protection

Cookie name(s): ASP.NET_SessionId, __RequestVerificationToken, cookietest

Purpose: Maintains the user session, protects forms against unauthorised submissions and verifies browser support for cookies required for the correct operation of the website.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – secure and correct operation of the service).

Vendor role: First party – website technology used by Mondial Relay.

Vendor: MONDIAL RELAY SUCURSAL EM PORTUGAL

Transfer outside EEA: EEA – no additional safeguards required.

Further information: https://www.inpost.pt/politica-de-cookies/

CUX – necessary (technical initialisation required before analytical tools are activated)

Cookie name(s): _cux_n, _cux_n_ttl

Purpose: Technical cookies used to initialise the CUX environment and maintain the technical state required for subsequent UX measurement tools.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – ensuring the smooth operation of services).

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: CUX Research Sp. z o.o., ul. Ruska 22, 50-079 Wrocław, Poland

Transfer outside EEA: EEA (PL) – no additional safeguards required.

Further information: https://cux.io/legal/privacy-policy/

Technical / security support cookies – request validation and anti-bot support

Cookie name(s): JSESSIONID, eael_screen, mr.returning.visitor

Purpose: Support security validation, session continuity and the technical operation of certain embedded services or site components.

Legal basis: Article 6(1)(f) GDPR (legitimate interest – security and technical integrity of the service).

Vendor role: First party and service-provider cookies, depending on the specific tool.

Vendor: MONDIAL RELAY SUCURSAL EM PORTUGAL and relevant service providers used on the website

Transfer outside EEA: EEA / third countries depending on the provider – appropriate safeguards apply where required.

Further information: https://www.inpost.pt/politica-de-cookies/

B. Analytical cookies

Analytical cookies are processed on the basis of your consent (Article 6(1)(a) GDPR). You may decline them or withdraw your consent at any time via the cookie banner.

The use of analytical cookies does not involve automated decision-making within the meaning of Article 22 GDPR.

Google Analytics 4 – traffic measurement, navigation path analysis, user segmentation, traffic source identification, conversion tracking

Cookie name(s): _ga, _ga_xxxxxxxxxx

Purpose: Counts visits and sessions, analyses traffic sources and navigation paths, identifies the most frequently visited pages, and segments users by behaviour. Data are used for aggregated analytics and service optimisation.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

Microsoft Bing UET / Microsoft Clarity – analytical (traffic source identification, time-on-site measurement, behaviour analysis)

Cookie name(s): _uetvid, _clck, _clsk

Purpose: Measures traffic from Microsoft services and supports behavioural analytics, session reconstruction and on-site performance insights used to improve website usability and conversion performance.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://privacy.microsoft.com/en-gb/privacystatement

Dynatrace – analytical (technical performance analysis, error and outage monitoring, navigation path analysis, time-on-site measurement)

Cookie name(s): dtCookie, dtPC, dtSa, rxVisitor, rxvt

Purpose: Real-time front-end performance monitoring (Real User Monitoring): detects errors and outages, measures page load times and server response times, and analyses user navigation paths and correlations.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.dynatrace.com/company/trust-center/privacy/

DataDog – error and outage monitoring, technical performance analysis

Cookie name(s): _dd_s, dd_cookie_test_*

Purpose: Detects technical errors, outages, and performance issues affecting the services. Data are used for monitoring and technical optimisation.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: Datadog Inc., 620 8th Avenue, New York, NY 10018, USA

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.datadoghq.com/legal/privacy/

CUX – navigation path analysis, time-on-site measurement, segmentation

Cookie name(s): _cux_e, _cux_e_ttl, _cux_u, _cux_v, _cux_v_ttl

Purpose: Analyses how users navigate the website (clicks, scrolling, navigation paths, form completion depth). Enables identification and resolution of usability issues (UX).

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: CUX Research Sp. z o.o., ul. Ruska 22, 50-079 Wrocław, Poland

Transfer outside EEA: EEA (PL) – no additional safeguards required.

Further information: https://cux.io/legal/privacy-policy/

Hotjar – click heatmaps, anonymous session recording, content engagement measurement

Cookie name(s): _hjAbsoluteSessionInProgress, _hjFirstSeen, _hjIncludedInSessionSample_*, _hjSession_*, _hjSessionUser_*, _hjTLDTest

Purpose: Records areas of clicking and scrolling on the website (heatmaps), measures engagement and supports UX optimisation.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.hotjar.com/legal/policies/privacy/

Synerise – analytical (traffic source identification, traffic measurement, segmentation)

Cookie name(s): _snrs_8e1ba456442593f1c87dc22a03be52c1, _snrs_puuid, _snrs_sa, _snrs_sb, _snrs_uuid

Purpose: Measures website traffic, identifies traffic sources, segments users, and analyses navigation paths. Data are used to generate aggregated reports for the Controller.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland

Transfer outside EEA: EEA (PL) – no additional safeguards required.

Further information: https://synerise.com/legal/privacy-policy/

HubSpot – analytical / CRM support

Cookie name(s): __hstc, __hssc, __hssrc, hubspotutk

Purpose: Supports analytics and CRM-related attribution, helps measure website visits and distinguish sessions for marketing and lead-management purposes.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Data processor – processes data solely on behalf of Mondial Relay and in accordance with its instructions.

Vendor: HubSpot, Inc., 2nd Floor, 30 North Wall Quay, Dublin 1, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://legal.hubspot.com/privacy-policy

C. Marketing cookies

Marketing cookies are processed exclusively on the basis of your consent (Article 6(1)(a) GDPR) in conjunction with Article 126 of the Portuguese Electronic Communications Law. You may decline them or withdraw your consent at any time via the cookie banner.

C1. Advertising platforms – principal vendors

Google Tag Manager / Google Ads / Google Marketing Platform / YouTube advertising – remarketing, conversion attribution, embedded video advertising support

Cookie name(s): _gcl_au, IDE, test_cookie, VISITOR_INFO1_LIVE, VISITOR_PRIVACY_METADATA, YSC, __Secure-BUCKET, __Secure-ROLLOUT_TOKEN, __Secure-YEC, __Secure-YNID

Purpose: Supports attribution of ad clicks to conversions, displays personalised advertisements in Google and YouTube environments, supports remarketing, campaign performance measurement, and embedded video interactions.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policies.google.com/privacy?hl=en

Meta Pixel – building advertising profiles, remarketing, interest-based targeting, advertising conversion attribution

Cookie name(s): _fbp

Purpose: Displays advertisements to users on Facebook and Instagram based on their activity on the services, measures advertising campaign performance, and creates lookalike audience segments.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Joint controller – Mondial Relay and Meta Platforms Ireland Limited jointly determine the purposes and means of processing in respect of data collected through the Pixel.

Vendor: Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.facebook.com/about/privacy/update

LinkedIn Insight Tag – building advertising profiles, creation of B2B remarketing segments, conversion attribution, advertising budget optimisation

Cookie name(s): AnalyticsSyncHistory, UserMatchHistory, bcookie, bscookie, li_gc, li_sugr, lidc

Purpose: Targets advertisements to LinkedIn users by company and profile-based characteristics, measures LinkedIn Ads campaign conversions, and attributes advertising conversions.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://www.linkedin.com/legal/privacy-policy

Microsoft Advertising / Bing UET – marketing (building advertising profiles, remarketing, conversion attribution, campaign performance measurement)

Cookie name(s): MUID, MSPTC, _uetsid

Purpose: Remarketing and targeting of advertisements in the Microsoft Advertising network, campaign effectiveness measurement, and advertising conversion attribution.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://privacy.microsoft.com/en-gb/privacystatement

Pinterest – advertising and conversion tracking

Cookie name(s): _pin_unauth, ar_debug

Purpose: Supports advertising measurement, conversion tracking and audience building in the Pinterest ecosystem.

Legal basis: Article 6(1)(a) GDPR (consent).

Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.

Vendor: Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland

Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.

Further information: https://policy.pinterest.com/en/privacy-policy

C2. Other vendors – advertising profiles and data synchronisation

Based on the current OneTrust scan for the Portuguese website environment, no additional named RTB / programmatic vendors beyond the principal advertising platforms listed in section C1 were identified as separate cookies requiring individual disclosure in this Annex.

C3. SSP platforms and identifier synchronisation in the programmatic ecosystem

At present, no SSP platforms or identifier synchronisation services are actively identified as separate named technologies in the Portuguese website scan.

C4. Tools used in mobile applications

The current OneTrust scan provided relates to the website environment. It does not constitute a complete mobile application SDK inventory. Where mobile application tools such as analytics SDKs, attribution platforms or in-app engagement technologies are used, they should be documented separately on the basis of the mobile SDK inventory and application-specific scan results.

C5. Social media platforms

Our websites may contain links to our profiles on social media platforms, displayed as buttons bearing the icons of those services. By clicking on a given icon, you are redirected to our profile – your information is transferred to the relevant platform only at the moment of that click. From that point onwards, we have no control over the scope of personal data collected by the platform in question.

Each platform acts as an independent controller of personal data once the user is redirected to its services.

We maintain profiles on the following social media platforms:

1. Facebook – Meta Platforms Ireland Limited
2. YouTube – Google Ireland Limited
3. LinkedIn – LinkedIn Ireland Unlimited Company
4. Instagram – Meta Platforms Ireland Limited
5. TikTok – TikTok Technology Limited

As a result of your use of our social media pages, we may process your personal data. Detailed information regarding the basis for such processing can be found at the links below:

• Facebook: https://www.facebook.com/about/privacy/update

• TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en

• YouTube: https://policies.google.com/privacy?hl=en