Cookie Policy
PART II: REGIONAL ANNEXES
The following provisions apply exclusively to the named Controller and to its websites, mobile applications, and partner platforms.
Information on how to exercise your rights under the GDPR can be found in the Privacy Policy, under the "Your Rights" section.
Annex A1 – Tools and Technologies Used in Poland
Controller: InPost sp. z o.o., ul. Pana Tadeusza 4, 30-727 Kraków
A. NECESSARY COOKIES
Necessary cookies are installed without the user's consent on the basis of Article 6(1)(f) GDPR (legitimate interest of the Controller – ensuring the smooth and secure operation of the services) or Article 6(1)(b) GDPR (performance of a contract / provision of a service).
Didomi (storing cookie decisions, managing IAB TCF consents, CMP consent management)
Cookie name(s): didomi_token, euconsent
Purpose: Stores your choices made in the cookie banner (which consents you granted and which you declined). Without this cookie, your preferences would be reset with every visit.
Legal basis: Article 6(1)(c) GDPR (legal obligation – compliance with GDPR requirements) and Article 6(1)(f) GDPR.
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Didomi SAS, 117 rue de la Tour, 75116 Paris, France
Transfer outside EEA: EEA (FR) – no additional safeguards required.
Further information: https://www.didomi.io/privacy-policy
OneTrust (user consent management, CMP)
Cookie name(s): OptanonConsent, OptanonAlertBoxClosed
Purpose: Stores the user's consent preferences for individual cookie categories. The OptanonAlertBoxClosed cookie records the date on which the banner was closed.
Legal basis: Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR.
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: OneTrust LLC, 1200 Abernathy Rd NE, Atlanta, GA 30328, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.onetrust.com/privacy-notice/
Cloudflare (bot protection, security verification, session rate management)
Cookie name(s): __cf_bm, _cfuvid, cf_clearance, cf_chl_rc_ni
Purpose: Distinguishes human traffic from automated traffic (bots, DDoS attacks). Necessary for the secure operation of InPost services.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – security).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.cloudflare.com/privacypolicy/
Dynatrace – necessary (technical verification prior to initialisation of the monitoring agent)
Cookie name(s): dTValidationCookie
Purpose: A temporary check to verify that the browser supports cookies before the Dynatrace RUM monitoring agent is launched. Contains no behavioural user data – expires within a few minutes.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – ensuring the smooth operation of services).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.dynatrace.com/company/trust-center/privacy/
Synerise – necessary (checking localStorage availability)
Cookie name(s): lsCheck
Purpose: A one-time test to verify whether the user's browser supports localStorage – a technical prerequisite for the correct initialisation of the Synerise SDK. The cookie expires immediately and contains no personal or behavioural data.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – ensuring the smooth operation of services).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://synerise.com/legal/privacy-policy/
Google reCAPTCHA (form protection against bots)
Cookie name(s): rc::a, rc::c
Purpose: Verifies that a form is being completed by a human and not a bot. Analyses browser interactions to calculate a so-called bot score. Not used for advertising purposes.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – security and protection against abuse).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
CallPage – necessary (callback widget initialisation, telephone number storage, display rules management)
Cookie name(s): cp, cp_*, callpage-widget-version, cp_widget_session
Purpose: Operates the callback request widget: stores the telephone number (if provided in the form), controls the display of the widget during the session, manages the widget version, and ensures session security between the InPost website and CallPage infrastructure.
Legal basis: Article 6(1)(b) GDPR (performance of a contract / provision of a service).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: CallPage sp. z o.o., ul. Rynek Główny 28/3, 31-010 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://www.callpage.io/privacy-policy
Revive Ad Server – InPost's proprietary ad server (storing user decisions regarding InPost's own advertising)
Cookie name(s): RVGDPR (ads.inpost.pl)
Purpose: Stores the user's decision regarding the display of InPost's own advertising materials (ads.inpost.pl). Necessary for respecting user preferences within InPost's proprietary advertising system.
Legal basis: Article 6(1)(f) GDPR (legitimate interest – giving effect to user preferences).
Vendor role: First party – an InPost sp. z o.o. tool; InPost acts as Controller in its own right.
Vendor: InPost sp. z o.o., ul. Pana Tadeusza 4, 30-727 Kraków
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://inpost.pl/polityka-prywatnosci
InPost Pay (InPost Pay payment processing, payment session management)
Cookie name(s): basket_binding_api_key, inpost_pay_currency_restore_uid
Purpose: Operates the InPost Pay payment widget: links the shopping basket to the payment session and manages the currency during the checkout process. Necessary for completing transactions.
Legal basis: Article 6(1)(b) GDPR (performance of a contract / provision of a service).
Vendor role: First party – an InPost sp. z o.o. tool; InPost acts as Controller in its own right.
Vendor: InPost sp. z o.o., ul. Pana Tadeusza 4, 30-727 Kraków
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://inpost.pl/polityka-prywatnosci
B. ANALYTICAL COOKIES
Analytical cookies are processed on the basis of your consent (Article 6(1)(a) GDPR). You may decline them or withdraw your consent at any time via the cookie banner.
Google Analytics 4 (traffic measurement, navigation path analysis, user segmentation, traffic source identification, conversion tracking)
Cookie name(s): _ga, _ga_*, _gid, _gat, FPID, FPLC
Purpose: Counts visits and sessions, analyses traffic sources and navigation paths, identifies the most frequently visited pages, and segments users by behaviour. Data are anonymised and aggregated – they do not permit identification of any specific individual.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Microsoft Bing UET – analytical (traffic source identification, time-on-site measurement, segmentation)
Cookie name(s): MUID, _uetsid, _uetvid, _uetsid_exp, _uetvid_exp
Purpose: Analyses traffic originating from the Microsoft network (Bing Search, MSN): identifies traffic sources, measures time spent on the website, and segments returning users. Data are aggregated.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://privacy.microsoft.com/en-gb/privacystatement
Dynatrace – analytical (technical performance analysis, error and outage monitoring, navigation path analysis, time-on-site measurement)
Cookie name(s): dtCookie, rxVisitor, rxvisitid, dtPC, dtSa, rxvt
Purpose: Real-time front-end performance monitoring (Real User Monitoring): detects errors and outages, measures page load times and server response times, and analyses user navigation paths and correlations. Data are used exclusively for the technical optimisation of InPost services.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Dynatrace LLC, 1601 Trapelo Rd, Waltham, MA 02451, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.dynatrace.com/company/trust-center/privacy/
DataDog (error and outage monitoring, technical performance analysis)
Cookie name(s): _dd_s, dd_cookie_test_*
Purpose: Detects technical errors, outages, and performance issues affecting InPost services. Data are not used to identify users or for advertising purposes.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Datadog Inc., 620 8th Avenue, New York, NY 10018, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.datadoghq.com/legal/privacy/
CUX (navigation path analysis, time-on-site measurement, segmentation)
Cookie name(s): _cux_u, _cux_s, _cux_v, _cux_h, _cux_n, _cux_e, _cux_pr, _cux_pv, _cux_*_ttl
Purpose: Analyses how users navigate the website (clicks, scrolling, navigation paths, form completion depth). Enables identification and resolution of usability issues (UX).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: CUX Research Sp. z o.o., ul. Ruska 22, 50-079 Wrocław, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://cux.io/legal/privacy-policy/
HotJar (click heatmaps, anonymous session recording, content engagement measurement)
Cookie name(s): _hjid, _hjSession_*, _hjSessionUser_*, _hjTLDTest
Purpose: Records areas of clicking and scrolling on the website (heatmaps). Used to optimise the layout and usability of the website.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.hotjar.com/legal/policies/privacy/
Synerise – analytical (traffic source identification, traffic measurement, segmentation)
Cookie name(s): _snrs_params, _snrs_profile_config, synerise-traffic-storage_*
Purpose: Measures website traffic, identifies traffic sources (UTM campaign parameters), segments users, and analyses cross-domain navigation paths within the InPost group. Data are used to generate aggregated reports for the Controller.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://synerise.com/legal/privacy-policy/
CallPage – analytical (content engagement measurement, sales funnel analysis, geographic user location)
Cookie name(s): cp_* (engagement and geolocation metrics)
Purpose: Measures the effectiveness of the callback widget: tracks page scroll depth and time spent on the page (behavioural scoring that determines whether the widget is displayed), analyses the effectiveness of conversion rules, and uses geolocation data to match geographic display rules.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: CallPage sp. z o.o., ul. Rynek Główny 28/3, 31-010 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://www.callpage.io/privacy-policy
Zowie (chatbot engagement measurement, conversation tree navigation path analysis)
Cookie name(s): zowie-tracking-id, zowie-tracking-session, herochat-last-visit-time
Purpose: Analyses user interactions with the chatbot: questions asked, points at which conversations terminate, and how users move between topics. Used to optimise the conversation tree and service quality. The cookie stores the time of the user's last visit to the chat widget.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Zowie sp. z o.o., ul. Domaniewska 37, 02-672 Warsaw, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://zowie.ai/privacy-policy/
C. MARKETING COOKIES
Marketing cookies are processed exclusively on the basis of your consent (Article 6(1)(a) GDPR in conjunction with Article 398 of the Polish Electronic Communications Act (PKE)). You may decline them or withdraw your consent at any time via the cookie banner.
C1. Advertising Platforms – Principal Vendors
Google Analytics 4 – marketing (cross-domain conversion attribution, synchronisation with advertising platforms)
Cookie name(s): FPID, FPLC
Purpose: Attributes conversions across the various domains of the InPost group and synchronises data with the Google Ads platform. The FPID (First-Party ID) cookie enables user tracking despite third-party cookie blocking. The FPLC (First-Party Linker Cookie) ensures consistent conversion measurement across domains. Data feed into the Google Ads campaign optimisation system.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Google Tag Manager (advertising conversion attribution)
Cookie name(s): _gcl_au, _gcl_ls
Purpose: Google Tag Manager (GTM) is an InPost tool used to manage analytical and marketing tags on InPost websites – it does not itself collect user data. In a marketing context, GTM generates its own _gcl_au cookie (Google Ads Conversion Linker), which links clicks on Google advertisements to conversions completed on the website. This enables correct attribution of conversions to campaigns and keywords, as well as bid optimisation. Disabling this cookie does not restrict access to content; however, it may result in incorrect conversion attribution in Google Ads reports.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: First party – an InPost sp. z o.o. tool; InPost acts as Controller in its own right. Data from the _gcl_au cookie are transferred to Google Ireland Limited, which acts as an independent controller.
Vendor: InPost sp. z o.o. / Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Google Ads / Google Marketing Platform (remarketing, look-alike targeting, conversion attribution, dynamic product ads, creation of remarketing segments)
Cookie name(s): IDE, _gcl_au, _gcl_ls, test_cookie
Purpose: Displays personalised InPost advertisements in the Google Display Network and Google Search, remarketing (re-engaging users who have visited InPost services), campaign performance measurement, and conversion attribution. Includes Customer Match (matching hashed contact data to Google users) and Enhanced Conversions.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://policies.google.com/privacy?hl=en
Meta Pixel (building advertising profiles, remarketing, interest-based targeting, advertising conversion attribution)
Cookie name(s): _fbp, _fbc, lastExternalReferrer, lastExternalReferrerTime, topicsLastReferenceTime
Purpose: Displays InPost advertisements to users on Facebook and Instagram based on their activity on InPost services, measures advertising campaign performance, and creates lookalike audience segments.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Joint controller – InPost and Meta Platforms Ireland Limited jointly determine the purposes and means of processing in respect of Page Insights statistics. Further information: Section C5 (Social Media Platforms).
Vendor: Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.facebook.com/about/privacy/update
TikTok Pixel (behavioural advertising, remarketing, TikTok Ads campaign measurement)
Cookie name(s): _ttp, tt_enable_cookie, ttcsid, ttcsid_*, tt_sessionId, tt_appInfo
Purpose: Displays InPost advertisements to users on the TikTok platform based on their activity on InPost services, measures TikTok Ads campaign conversions, and creates lookalike audience segments.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Joint controller – InPost and TikTok Technology Limited jointly determine the purposes and means of processing in respect of data collected by the Pixel. Further information: Section C5 (Social Media Platforms).
Vendor: TikTok Technology Limited, 2 Cardiff Lane Grand Canal Dock, Dublin 2, D02 E395, Ireland
Transfer outside EEA: China and USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.tiktok.com/legal/page/eea/privacy-policy/en
LinkedIn Insight Tag (building advertising profiles, creation of B2B remarketing segments, conversion attribution, advertising budget optimisation)
Cookie name(s): bcookie, li_gc, lidc, li_fat_id
Purpose: Targets InPost advertisements to LinkedIn users by job title, industry, and company (B2B), measures LinkedIn Ads campaign conversions, and attributes advertising conversions.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.linkedin.com/legal/privacy-policy
Microsoft Advertising – Bing UET – marketing (building advertising profiles, remarketing, conversion attribution, campaign performance measurement)
Cookie name(s): MUID, _uetsid, _uetvid, _uetsid_exp, _uetvid_exp
Purpose: Remarketing and targeting of InPost advertisements in the Microsoft Advertising network (Bing, MSN), measures the effectiveness of Bing Ads campaigns, attributes advertising conversions, and builds remarketing lists and lookalike audience segments.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://privacy.microsoft.com/en-gb/privacystatement
Adform DSP (building advertising profiles, cross-device tracking, remarketing, DSP/SSP synchronisation, frequency capping)
Cookie name(s): uid, C, CM, CM14, DID, idt, cache0, permanent, cm_uid
Purpose: Displays personalised InPost advertisements in the Adform programmatic network, remarketing, limits the frequency with which advertisements are shown (frequency capping), and measures campaign performance. Includes identifier synchronisation with advertising partners (DSP/SSP) within the programmatic ecosystem.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Adform A/S, Silkegade 3B, 1113 Copenhagen, Denmark
Transfer outside EEA: EEA (DK) – no additional safeguards required.
Further information: https://site.adform.com/privacy-center/platform-privacy/
Synerise – marketing (building behavioural profiles, content personalisation, push notification personalisation, lifecycle marketing)
Cookie name(s): _snrs_p, _snrs_uuid, _snrs_puuid, _snrs_sa, _snrs_sb, snr-wp-state, synerise-traffic-storage_*, _snrs_params
Purpose: Builds a behavioural profile of the user (browsing history, clicks, product interests), personalises marketing content on the website, sends personalised push notifications, and runs remarketing and re-engagement campaigns.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://synerise.com/legal/privacy-policy/
C2. Other Vendors – Advertising Profiles and Data Synchronisation
The vendors listed below participate in the programmatic advertising ecosystem (RTB – Real-Time Bidding). This may involve the sharing of a pseudonymised user identifier (e.g. a cookie ID) with multiple parties in the course of an advertising auction. Each of them processes such data as an independent controller, in accordance with their own privacy policy.
Adobe Experience Cloud / Audience Manager (building advertising profiles, DSP/SSP synchronisation, creation of lookalike segments)
Cookie name(s): demdex, dpm
Purpose: Builds a user's advertising profile through Adobe Audience Manager (DMP), creates audience segments, synchronises profiles with advertising platforms (DSP/SSP), and creates lookalike groups.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.adobe.com/privacy/experience-cloud.html
ADITION / Active Agent (cross-device tracking, building advertising profiles, DSP/SSP synchronisation, frequency capping)
Cookie name(s): ct_uid, ct_did, ct_idt, UserID1, block_reset, cookie_ver, cm_uid
Purpose: Synchronises advertising profiles with the Active Agent DSP platform (Virtual Minds), limits the frequency with which advertisements are shown (frequency capping), and carries out cross-device tracking in the Active Agent advertising network.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Virtual Minds GmbH, Osterbekstr. 90b, 22083 Hamburg, Germany
Transfer outside EEA: EEA (DE) – no additional safeguards required.
Further information: https://adsafety.net/privacy
Eyeota (demographic targeting, audience segmentation by interest)
Cookie name(s): SERVERID (eyeota.net)
Purpose: Targets InPost advertisements on the basis of demographic segments (predicted age, gender, interests) supplied by the Eyeota Data Marketplace. Operates on pseudonymised identifiers.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Eyeota Pte. Ltd., 1 Raffles Place, #21-61 One Raffles Place Tower 2, Singapore 048616
Transfer outside EEA: Singapore – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.eyeota.com/privacy-policy
Nielsen / eXelate (building advertising profiles, demographic targeting – age, gender, interests)
Cookie name(s): EE, ud (exelate.com)
Purpose: Enriches a user's advertising profile with Nielsen demographic segments (age, gender, income, interests) for the purpose of targeting InPost advertisements.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Nielsen Marketing Cloud, 85 Broad Street, New York, NY 10004, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.nielsen.com/us/en/legal/privacy-statement/
ID5 Technology (cookieless advertising identity, building advertising profiles, DSP/SSP synchronisation)
Cookie name(s): id5-sync.com (pixel sync), cf, car, gdpr, gpp, cip, cnac
Purpose: Creates a pseudonymised advertising identity that operates independently of third-party cookies (cookie-less identity), enabling advertisement targeting despite browser-level blocking.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: ID5 Technology Ltd, 6 rue de la Paix, 75002 Paris, France
Transfer outside EEA: EEA (FR) – no additional safeguards required.
Further information: https://id5.io/privacy/
LiveRamp (identity resolution, building advertising profiles, data synchronisation with advertising platforms)
Cookie name(s): pxrc, rlas3
Purpose: Pseudonymously links user data across advertising partners without disclosing personal data (LiveRamp IdentityLink). Used to target InPost advertisements within the LiveRamp and The Trade Desk networks.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: LiveRamp Netherlands B.V., Singel 250, 1016 AB Amsterdam, the Netherlands
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://liveramp.com/privacy/
OnAudience (building advertising profiles, audience segmentation, DSP/SSP synchronisation)
Cookie name(s): cookie (onaudience.com), done_redirects# (onaudience.com)
Purpose: Segments users and enriches advertising profiles through a Polish Data Management Platform. Synchronises identifiers with advertising partners (AppNexus, Yahoo, Bidberry).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Cloud Technologies S.A., ul. Złota 61, 00-819 Warsaw, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://www.onaudience.com/privacy-policy
Semasio (building advertising profiles, content-based targeting)
Cookie name(s): SEUNCY (semasio.net)
Purpose: Targets InPost advertisements using a semantic method – matching advertisements to content browsed by the user and to their interest profile, without reliance on personal data.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Semasio GmbH, Burchardstrasse 24, 20095 Hamburg, Germany
Transfer outside EEA: EEA (DE) – no additional safeguards required.
Further information: https://semasio.com/privacy-policy/
Weborama (building advertising profiles, behavioural and demographic targeting)
Cookie name(s): AFFICHE_W (weborama.fr)
Purpose: Targets InPost advertisements on the basis of Weborama's behavioural and demographic segments – a European advertising data management platform.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Weborama SA, 14 rue Crespin du Gast, 75011 Paris, France
Transfer outside EEA: EEA (FR) – no additional safeguards required.
Further information: https://weborama.com/politique-de-confidentialite-des-services-weborama/
Zeotap (identity resolution, building advertising profiles, data synchronisation)
Cookie name(s): zc, zc1, zsc (zeotap.com)
Purpose: Builds a unified advertising profile by combining data from multiple sources (online, offline, CRM) without reliance on third-party cookies (Zeotap ID+).
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Zeotap GmbH, Unter den Linden 32-34, 10117 Berlin, Germany
Transfer outside EEA: EEA (DE) – no additional safeguards required.
Further information: https://zeotap.com/privacy-policy/
Roku Advertising Services (cross-device tracking, cross-screen targeting, synchronisation)
Cookie name(s): matchadform, wfivefivec (w55c.net)
Purpose: Cross-screen targeting of InPost advertisements on Roku televisions and streaming platforms (TV + web + mobile). Synchronises the advertising profile with the Roku ecosystem.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Independent controller – processes data on its own behalf and under its own responsibility, in accordance with its own privacy policy.
Vendor: Roku, Inc., 1155 Coleman Ave, San Jose, CA 95110, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://docs.w55c.net/privacy.html
C3. SSP Platforms and Identifier Synchronisation in the Programmatic Ecosystem
The entities listed below operate as Supply-Side Platforms (SSPs) or advertising identifier synchronisation services within the RTB ecosystem. Their files and pixels are loaded via InPost services as part of campaigns run through Adform DSP. Each of them is an independent data controller.
AudienceProject – Registered office: Aarhus, Denmark (EEA). Transfer: EEA (DK). Privacy policy: https://audienceproject.com/privacy/
Audiencerate – Registered office: London, United Kingdom. Transfer: UK – SCCs. Privacy policy: https://audiencerate.com/privacy-policy/
BIDSWITCH (IPONWEB) – Registered office: London, United Kingdom. Transfer: UK – SCCs. Privacy policy: https://www.bidswitch.com/privacy-policy/
Equativ (SmartAdServer) – Registered office: Paris, France (EEA). Transfer: EEA (FR). Privacy policy: https://equativ.com/privacy-policy/
FreeWheel (NBCUniversal) – Registered office: New York, USA. Transfer: USA – SCCs. Privacy policy: https://www.nbcuniversal.com/privacy
Improve Digital / 360yield – Registered office: Amsterdam, the Netherlands (EEA). Transfer: EEA (NL). Privacy policy: https://www.improvedigital.com/platform-privacy-policy/
Index Exchange – Registered office: Toronto, Canada. Transfer: Canada – EC adequacy decision. Privacy policy: https://www.indexexchange.com/privacy/
OpenX – Registered office: Monrovia, USA. Transfer: USA – SCCs. Privacy policy: https://www.openx.com/legal/privacy-policy/
Teads – Registered office: Montpellier, France (EEA). Transfer: EEA (FR). Privacy policy: https://www.teads.com/privacy-policy/
The Trade Desk – Registered office: Ventura, USA. Transfer: USA – SCCs. Privacy policy: https://www.thetradedesk.com/general/privacy-policy
TripleLift – Registered office: New York, USA. Transfer: USA – SCCs. Privacy policy: https://triplelift.com/privacy/
C4. Tools Used in Mobile Applications
Google Firebase / Analytics for Firebase (in-app activity analysis, push notification personalisation, user segmentation, aggregated reporting)
Cookie name(s): rc::a, rc::c, firebase-heartbeat-database, firebase-installations-database
Purpose: Analyses usage of InPost mobile applications (events, navigation paths, errors), creates user segments, and sends personalised push notifications.
Legal basis: Article 6(1)(a) GDPR (consent) / Article 6(1)(f) GDPR (to the extent necessary for the operation of the service).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://firebase.google.com/support/privacy
Synerise – mobile application (building behavioural profiles, push communication personalisation, lifecycle marketing)
Cookie name(s): _snrs_p, _snrs_uuid, _snrs_puuid, _snrs_sa, _snrs_sb, snr-wp-state, synerise-traffic-storage_*
Purpose: Builds a behavioural profile of the application user, personalises marketing communications, and runs push and re-engagement campaigns within the InPost mobile application.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Synerise S.A., ul. Bobrzyńskiego 14, 30-348 Kraków, Poland
Transfer outside EEA: EEA (PL) – no additional safeguards required.
Further information: https://synerise.com/legal/privacy-policy/
Kochava (attribution, mobile campaign performance measurement, ad fraud detection)
Cookie name(s): (not included in the consolidated cookie register)
Purpose: Measures the effectiveness of campaigns acquiring InPost Fresh application users (install attribution), and detects and prevents advertising fraud (ad fraud).
Legal basis: Article 6(1)(a) GDPR (consent) / Article 6(1)(f) GDPR (security, fraud detection).
Vendor role: Data processor – processes data solely on behalf of InPost and in accordance with its instructions.
Vendor: Kochava Inc., 201 Church St, Sandpoint, ID 83864, USA
Transfer outside EEA: USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.kochava.com/website-visitor-privacy-policy/
TikTok Pixel – artinpost.pl (behavioural advertising, remarketing, TikTok Ads campaign measurement)
Cookie name(s): _ttp, tt_enable_cookie, ttcsid, ttcsid_*, tt_sessionId, tt_appInfo
Purpose: Conversion tracking, remarketing, and campaign performance measurement for TikTok Ads on the artinpost.pl website.
Legal basis: Article 6(1)(a) GDPR (consent).
Vendor role: Joint controller – InPost and TikTok Technology Limited jointly determine the purposes and means of processing in respect of data collected by the Pixel. Further information: Section C5 (Social Media Platforms).
Vendor: TikTok Technology Limited, 2 Cardiff Lane Grand Canal Dock, Dublin 2, D02 E395, Ireland
Transfer outside EEA: China and USA – Standard Contractual Clauses (SCCs) approved by the European Commission.
Further information: https://www.tiktok.com/legal/page/eea/privacy-policy/en
C5. Social Media Platforms
Our websites and mobile application contain links to our profiles on social media platforms, displayed as buttons bearing the icons of those services. By clicking on a given icon, you are redirected to our profile – your information is transferred to the relevant platform only at the moment of that click. From that point onwards, we have no control over the scope of personal data collected by the platform in question.
We maintain profiles on the following platforms:
- Facebook – Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA
- YouTube – YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA
- LinkedIn – LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA
- X (formerly Twitter) – X Corporation, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
- Instagram – Instagram LLC., 1601 Willow Rd., Menlo Park, CA 94025, USA
- TikTok – TikTok Technology Ltd., 2 Cardiff Lane Grand Canal Dock, Dublin, D02 E395, Ireland
As a result of your use of our social media pages, we may process your personal data. Detailed information regarding the basis for such processing can be found at the links below (links to be inserted).