valid from June 14, 2018 (as version No. 1.1)
The protection of your personal data is very important to us. When providing postal services, we are required to maintain postal secrecy, which includes, among other things, information provided in postal items, data on entities using postal services, and data on the fact and circumstances of providing postal services or using these services. In addition, information or data covered by postal secrecy may be collected, recorded, stored, developed, changed, deleted, or made available only if these activities relate to the postal service provided or are necessary for its performance or if separate provisions provide otherwise.
In many cases, your personal data within the meaning of generally applicable law is also covered by postal secrecy. This document is intended to provide you with the necessary information on how we process your personal data and what your rights are in relation to the processing of your personal data.
Who is the administrator of your personal data?
The administrator of your data is, depending on the type of service performed, a relevant company with capital links to Integer.pl S.A. (a list of these entities is available at: https://integer.pl/pl/grupa-kapitalowa-integer-pl/profil-dzialalnosci - hereinafter we will refer to these entities collectively as "InPost") or an external entity who provided data to InPost for the purpose of having the service performed, in particular:
- If you are a natural person sending your parcel as part of the postal or transport services provided through InPost parcel lockers - the administrator of your data is InPost Paczkomaty sp. z o.o., with its registered office at ul. Wielicka 28, 30-552 Kraków.
- If you are a natural person sending your parcel as part of courier services provided by InPost - the administrator of your data is InPost sp. z o.o., with its registered office at ul. Wielicka 28, 30-552 Kraków.
- In the event that you commission an external entity to perform services on a parcel to be sent via the courier network of InPost sp. z o.o. or Parcel Lockers belonging to InPost Paczkomaty Sp. z o.o. (e.g. if you order goods in an on-line store, providing your data for delivery) - the administrator of your personal data is this external entity (e.g. on-line store), which commissioned InPost to perform the service on the shipment as its sender.
Whenever you consent to the processing of your personal data, you will be informed before expressing that consent which company among InPost companies is the administrator of your personal data.
What personal data do we process?
As part of the services provided by InPost, we process the following personal data:
- name and surname of the sender (including the payer) and the recipient (addressee) of the shipment,
- the sender's address (street, house number, apartment number, zip/postal code, city),
- the recipient's address (street, house number, apartment number, zip/postal code, city),
- a new delivery address if, after posting, the sender asks InPost to deliver it to a new address, or InPost establishes a different delivery address with the recipient before delivery (the new address includes data in the form of street address, house number, apartment number, zip/postal code, and city),
- the e-mail address of the sender and recipient of the shipment, which is processed to send messages regarding the performance of the service, in particular information on the current delivery status of the parcel, or information enabling collection of the parcel from a Parcel Locker,
- the telephone number of the sender and recipient of the parcel for direct contact or sending messages regarding the performance of the service, in particular contact to determine another place of delivery of the parcel, or information enabling collection of the parcel from a Parcel Locker,
- depending on the service, we can also process the bank account number necessary to transfer the collected cash (as part of the collection service, so-called cash on delivery) to the person indicated by the sender, as well as information enabling the identification of payments or top-ups of accounts related to services we offer as pre-paid,
- the IP addresses of people using our systems to purchase the services we provide.
We process the above data for the purpose and scope necessary to perform the services provided by InPost and to comply with InPost's legal obligations, including consideration of complaints submitted in relation to these services.
In addition, as part of marketing communications or to process your questions and requests, e.g. business inquiries (with your prior consent), we may process your personal data that you provided to us when expressing the above consent.
Providing personal data is voluntary, but necessary for the performance of services provided by InPost or for the consideration and possible implementation of the applications you send to us. The requirement to provide this data is a contractual requirement, while for data provided as part of complaints submitted to us for non-performance or improper performance of postal and transport services, this is also a statutory requirement (specified in the implementing provisions of Postal Law and Transport Law).
In addition, due to the fact that - for the purposes of security and protection of you and your parcels, in particular against theft and vandalism - we use InPost parcel locker monitoring, which may record your image, we also process this type of personal data. This processing of your data is therefore necessary not only to protect our legitimate interests, but also to protect your interests, and in the event that such a recording captured a crime being committed, this processing is also necessary to fulfill our obligation, which arises in particular from art. 81 of the Postal Law Act (Dz.U.2017.1481, consolidated text, as amended) and art. 304 of the Code of Criminal Procedure (Dz.U.2017.1904, consolidated text, as amended). We store recordings in a manner that ensures the security of their processing (we cover how we secure your personal data below in the chapter "How do we process your personal data?"), for up to one month from the date of recording.
How do we receive your personal data?
We receive your personal data directly from you or the sender (including the payer) of the parcel which is sent by ordering InPost to perform the service on such a parcel. Data can therefore be received by InPost in the following circumstances:
- if you give us your Shipment to be delivered to a person indicated by you or to the place indicated,
- when our clients (e.g. on-line stores) provide us with your data to allow delivery of shipments to you,
- in the event that you lodge a complaint with us for failure to perform or improper performance of the services we provide, or when your data is provided by a person authorized to make such a complaint, for example our customer who sent you a parcel and then lodged a complaint with InPost for non-performance or improper performance of the service regarding this shipment,
- if you submit to us another inquiry regarding the services provided by InPost or InPost's activities,
- if you provide InPost with your data to receive an InPost commercial offer,
- if you provide InPost with your data to create an account in the InPost IT system, which allows you to purchase the services we offer,
- if you provide your data - only with your consent - for the purpose of processing them for the purposes of marketing InPost products and services, as well as those offered by entities cooperating with InPost, which will be done by InPost or independently by these entities.
For what purposes do we process your personal data?
The purpose of processing your personal data is specified in particular in the relevant contract or InPost Terms and Conditions, on the basis of which we provide services to you or have access to your personal data, or directly when you consent to the processing of your personal data. These purposes may include:
- providing postal or transport services to you, as well as services accompanying these services, including delivery of a shipment you have sent or delivery to you,
- the need to fulfill tax, legal, and accounting obligations by InPost,
- providing you with marketing information and materials for the purpose of providing you with our offer (this is optional and requires your consent to receiving this type of information),
- analysis, including personalization, solely for the purposes of optimizing processes in the provision of our services and improving them.
How long do we store your personal data?
We store your personal data no longer than necessary. In particular, we store this data for the time necessary for the proper performance of the services we provide, and after this period no longer than until the expiry of the limitation period for claims that may be raised in connection with the provision of these services. The duration of storing personal data is specified in our Terms and Conditions for the provision of services, data processing entrustment agreements (then this time is binding on the Parties to these contracts), the content of your consents to the processing of your personal data, and if it is not specified in these Terms and Conditions or contracts, we store your personal data for the following periods:
- if you have an account in our systems that allow you to purchase the services we provide, and you order these services as the sender (including the payer), as well as if you do not have such an account, but use our services as the sender (including the payer), we store your personal data for a maximum period of 6 years from the day you sent the parcel,
- if you are the recipient of a shipment, we store your personal data for a maximum period of 18 months, counting from the date of posting the shipment, and after this time we can store this data for no longer than the period of limitation of any claims relating to the provision of services, resulting from commonly applicable law,
- if you file a complaint about the services provided by InPost, we process your personal data contained in the complaint for the time necessary to consider the complaint, and after this time we can store it for no longer than the period of limitation of any claims relating to the complaint arising from generally applicable law,
- if you submit another application or inquiry to us, we store your personal data for the period of service and possible implementation of your application, and after this period we can store it for a period not exceeding the period of possible limitation of claims resulting from generally applicable law,
- if the period of storage of your personal data results from mandatory provisions of law, we store your personal data for the period specified in these provisions.
Why do we store your data for such a period of time?
Because InPost has to comply with obligations arising from the provisions of generally applicable law, in particular in the field of:
- implementation of postal law, transport law, tax and accounting regulations,
- to the extent that the processing of personal data is necessary for purposes arising from legitimate interests pursued by InPost, in the form of matters related to the pursuit of claims arising from the provision of services by InPost,
- continuous improvement of security, including in particular the prevention of fraud,
- other legal obligations imposed on InPost.
How do we process your personal data?
In the field of postal and transport services provided by InPost, we process your personal data:
- in electronic form in InPost IT systems and those of InPost subcontractors, to the extent necessary for the proper performance of services provided by InPost, also in an automated manner,
- in physical form (e.g. in written form), to the extent necessary for the proper performance of the services provided by InPost, in particular as printouts on shipping labels generated from InPost's IT systems, which are attached to the parcel.
When processing your personal data, we use safeguards appropriate to the type, amount, and scope of personal data processed, as well as appropriate organizational and technical measures to best protect your personal data against unauthorized activities.
Realizing the importance of protecting your personal data, we use, among others:
- encrypting your data using SSL (Secure Sockets Layer) during transmission,
- in certain cases, anonymisation, pseudonymisation, and encryption of your personal data,
- other hardware, network, and system security, such as: firewalls, licensed hardware, and network anti-virus software, controlled access through a secured VPN, and many other IT security measures,
- electronic and physical mechanisms for controlling access of people to buildings and rooms in which your personal data is processed (e.g. magnetic and electronic keys, security locks, monitoring),
- other safeguards that are designed to protect your personal data.
What are the contact details of the Personal Data Administrator and the person responsible for the protection of personal data?
InPost's contact details: ul. Wielicka 28, 30-552 Kraków. Contact with the person responsible for the protection of personal data at InPost is possible at the following e-mail address: email@example.com, or by traditional correspondence to the above address.
If you have any questions or concerns regarding the protection of your personal data, you can contact us via the email address: firstname.lastname@example.org.
What are the legal grounds for processing your personal data by InPost?
InPost processes your personal data in particular to perform the postal and transport services it offers. These services are performed on the basis of contracts, including contracts concluded with senders. We cannot perform these services without processing personal data (e.g. without knowing the delivery address for a parcel and its addressee, we are not able to deliver it), nor other services to which we have committed. The processing of your personal data is also necessary to fulfill our legal obligations. One of these obligations is the one specified in art. 81 of the Postal Law Act (Dz.U.2017.1481, consolidated text, as amended) - in accordance with this law, InPost, acting as a postal operator, is obliged to perform tasks and obligations for defence, state security, as well as public safety and order in the scope and under the conditions specified in the Postal Law Act and separate provisions.
We also process your personal data for purposes arising from our legitimate interests - by 'legitimate interest' we understand the lawful and rational purpose of data processing (e.g. direct marketing of our products or services, or pursuing claims arising from business operations). Whenever we want to process your personal data on the basis of a legitimate interest, we examine and assess whether such processing of personal data will affect you and your rights. We will not process your personal data on the basis of our "legitimate interest", if your interest or your rights and freedoms override it.
For other purposes of processing your personal data, you may withdraw your consent to the processing of your personal data for these purposes without affecting the validity of the processing of personal data before the consent is withdrawn. We obtain your consent especially for the use of your personal data for marketing purposes.
Who is the recipient of your personal data?
Pursuant to the provisions of the GDPR, the "recipient" of personal data is a natural or legal person, public authority, or other entity to whom personal data is disclosed, regardless of whether it is a third party. Your personal data is not processed exclusively by InPost and its staff. We provide our services with the help of many subcontractors, ranging from transport companies to entities that run post offices for us and issue shipments to you. Your data is therefore processed by such categories of recipients as:
- InPost employees and associates,
- InPost subcontractors, providing services on our behalf for receiving, moving, sorting, and delivery of shipments,
- insurer dealing with damage to shipments,
- subcontractors operating our IT networks and databases, creating IT solutions for us, and providing marketing services to us,
- subcontractors servicing the InPost helpline and customer service department,
- companies related by capital to Integer.pl S.A. (a list of these entities is available at: https://integer.pl/pl/grupa-kapitalowa-integer-pl/profil-dzialalnosci),
- professional entities providing InPost with tax, legal, auditing, and settlement consultancy.
Is your personal data transferred to third countries, i.e. countries that do not belong to the European Economic Area?
Your personal data is transferred to third countries in the event that the services provided by InPost are also to be performed in the territory of a third country. This is the situation for example if you send a parcel via InPost to such a country. Your personal data may also be transferred to our subcontractors (e.g. entities that deliver your parcel in a third country) and entities providing InPost with tax, legal, audit, and billing advice if they operate in a third country. In each of the above cases, we secure the processing of your personal data, in particular by entering into confidentiality agreements and contracts for the processing of personal data in a manner that complies with the provisions of the law generally applicable in the European Union and Poland in the field of personal data protection, as well as on conditions that ensure the security of processing your personal data. We do not transfer your personal data to international organizations. We do not transfer your personal data to third countries if such transfer is not possible on the basis of or is excluded by generally applicable law.
If you use our websites and systems available through these websites (in particular enabling the generation of shipping orders and other activities related to ordering postal and transport services), when browsing these pages, so-called "cookies" are created. These are small text files that are stored on your device, which you use to browse websites. They are commonly used to ensure the functioning of websites and other services provided via the Internet, and to improve and develop these pages, which is based on reading the content of these files.
InPost collects information contained in "cookies", such as the date of connection to the website or the IP address of the device from which the connection to the website takes place - this is data showing how you use our websites. This information is used for administrative and statistical purposes and to improve these pages and improve your user experience. In addition, this data, processed automatically, can be used to analyse the behaviour of these pages' content recipients (e.g. time spent on the website) or to personalize the content of websites, in particular by providing on-line advertisements.
You do not have to accept cookies (you can accept their use by selecting the appropriate button on our website, as well as by selecting the appropriate settings in your web browser), but this may cause the website to function improperly.
What are your rights regarding access to your personal data?
You have the right to demand from InPost, as the administrator of your personal data, access to your personal data, rectification, deletion, or limitation of processing, as well as the right to object to its processing, and the right to transfer the data and receive a copy.
If you have consented to the processing of your data by InPost, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing on the basis of your consent before its withdrawal.
You can exercise the above rights by submitting a relevant statement to InPost, in particular via the email address: email@example.com.
You also have the right to lodge a complaint with a supervisory body (the President of the Personal Data Office or another state office obliged by law to supervise the rules of processing personal data) if you feel that we have not properly addressed our obligations.
This policy may change, in particular if it is necessary due to a change in generally applicable law or a change in the scope of services offered by InPost. The current version of the policy is available at: https://inpost.pl/en/policy.
- 1.2 Mobile application – InPost Fresh and InPost Mobile.
- 1.3 Personal Data – all information on an identified person or person identifiable by means of one or several particular factors describing the physical, physiological, genetic, emotional, economic, cultural, or social identity, including device IP, location details, internet identifier, or information gathered by means of cookie files and similar technology.
- 1.4 InPost Fresh - Mobile application - an application for mobile devices (smartphones, tablets) that can be downloaded from https://inpostfresh.pl/, which allows users to make purchases in accordance with the General Terms and Conditions for using Applications and concluding contracts (further: "General Terms and Conditions"), available at https://inpostfresh.pl/.
- 1.5 InPost Mobile – an application for mobile devices (smartphones, tablets), which can be downloaded using the links available on the website https://inpost.pl/aplikacja, that supports Users in the processes related to the handling of parcel delivery.
- 1.6 Business Customer – a natural or legal person or an organization with no legal personality with which one of the companies of the Integer.pl Group has concluded a separate written contract for the provision of services.
- 1.7 Retail Client – a natural or legal person or an organizational unit without legal personality, with which one of the companies of the Integer.pl Group has concluded a contract for the provision of services other than in writing.
- 1.9 GDPR – Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
- 1.10 Website – the website and internet service at www.inpost.pl.
- 1.11 User – any natural person visiting the Website, using the Mobile Applications, or using one or more of the services or functionalities described in the Policy.
Capital group INTEGER.PL consists of the following companies:
- 2.1 Inpost sp. z o.o. (formerly as InPost Express sp. z o. o.) – the main activity of the company is the delivery of parcels via an innovative system of automatic postal lockers, courier services for both business and retail customers, cooperation with the allegro.pl on-line service, handling the complaint process, conducting marketing activities on behalf of the Integer.pl Group, including sending out a newsletter.
- 2.2. InPost Paczkomaty sp. z o.o. with headquarters in Kraków (30-552), at ul. Wielicka 28 – the main activity of the company is the lease, rental, and management of a network of devices intended for parcel pickup (InPost Parcel Lockers), including ensuring their security.
- 2.3. Integer.pl S.A. with headquarters in Kraków (30-552), at ul. Wielicka 28 – the main activity of the company is the production and sale of devices for collecting parcels, including Parcel Lockers, providing Fulfillment and Refrigerated Parcel Locker services, research and development, Internet portals, data processing, website management (hosting); it is also a holding company, which manages the Integer.pl Group;
- 2.4. Integer Group Services sp. z o.o. with headquarters in Kraków (30-552), at ul. Wielicka 28 – provides consulting services, supports the activities of the subsidiaries of Integer.pl SA Capital Group, adapting its activities to the current needs resulting from the development of companies belonging to the Integer.pl Capital Group, including recruitment and employment.
- 4.1 The administrator of personal data of the Users of the Application is Inpost sp. z o.o. with headquarters in Kraków (30-552), at ul. Wielicka 28. Personal data of the Users of InPost Fresh (including telephone number, e-mail address, delivery address, geolocation data, information about purchases) is processed by the Administrator:
- 4.1.1 in order to provide electronic services that are made available to the User in the InPost Fresh Mobile Application - the legal basis for processing is the necessity of processing to perform the contract (art. 6 paragraph 1 letter b GDPR);
- 4.1.2 for analytical and statistical purposes - in this case the legal basis for processing is the justified interest of the Administrator (Art. 6 paragraph 1 letter f GDPR) involving the analysis of User activity and preferences in order to improve the functionalities and services provided;
- 4.1.3 in order to possibly set and enforce claims or defend against them - the legal basis for processing is the legitimate interest of the Administrator (Art. 6 paragraph 1 letter f GDPR) involving the protection of their rights;
- 4.1.4 sending commercial information by electronic means in the form of a newsletter, containing information about interesting offers or products and services offered by InPost sp. z o. o., companies from the Integer.pl Group and entities cooperating with the above-mentioned companies - the rules for processing Personal Data for this purpose are detailed in point 5.4. and 5.5. and in the subsection "ELECTRONIC TRANSMISSION OF COMMERCIAL INFORMATION" below.
- 4.2 In addition to the processing purposes indicated above, personal data is also processed for the purpose of placing an order via InPost Fresh. For this purpose, personal data is processed by the Administrator's partner in whose store the purchases are made. Detailed information on the processing of personal data for this purpose is set out in the partner's document (direct link in point 4.5. below). Providing data marked as mandatory in the Application is required to receive and manage orders, and failure to do so results in the inability to complete an order. Providing other data is voluntary.
- 4.3 In this case, Personal data is processed by the Administrator:
- 4.3.1. in order to complete the order and to ensure delivery of the ordered products - the legal basis for processing is the necessity of processing to fulfil the contract (art. 6 paragraph 1 letter b GDPR); as for optional data - the legal basis for processing is consent (art. 6 paragraph 1 letter a GDPR);
- 4.3.2. in order to allow the Administrator's partners to settle accounts with the Users making purchases via InPost Fresh - the legal basis for processing data is the Administrator's legitimate interest (art. 6 paragraph 1 letter f GDPR), consisting in providing the partner with information necessary for documenting the sale to the User;
- 4.3.3. in order to possibly set and enforce claims or defend against them - the legal basis for processing is the legitimate interest of the Administrator (Art. 6 paragraph 1 letter f GDPR) involving the protection of their rights;
- 4.4 The contract for the sale of goods purchased via InPost Fresh is concluded by the User with the Administrator's partner (Makro Cash and Carry Polska SA with its registered office in Warsaw). Therefore, for the purpose of completing an order and concluding the accompanying sales contract, including settling the payment, User's personal data including: name, surname, address, e-mail address, telephone number, information about the purchased goods, and the amount of payment, will be made available to the Administrator's partner in order to enable them to issue a sales document. Further information on the terms of handling orders and personal data processing can be found in Makro's Terms and Conditions available at https://www.makro.pl/~/media/PL-Makro/document/regulamin-makro-online-rodo/Regulamin_Sklepu_Internetowego_Makro.pdf.
- 4.5 If payments for services are made via the Application, the User's personal data will be transferred to payment services providers. Each payment services provider will be processing Users' Personal Data as an administrator in order to provide a one-off payment service and to perform statutory obligations related to counteracting money laundering and financing terrorism.
- 4.6 The administrator of personal data of the Users of the Application is Inpost sp. z o.o. with headquarters in Kraków (30-552), at ul. Wielicka 28. Personal data of the Users of the Mobile Application (including telephone number, geolocation data, device ID or other identifiers, and information collected via tracking technologies) is processed by the Administrator:
- 4.6.1 in order to provide electronic services that are made available to the User in the Mobile Application - the legal basis for processing is the necessity of processing to perform the contract (art. 6 paragraph 1 letter b GDPR);
- 4.6.2 for analytical and statistical purposes - in this case the legal basis for processing is the justified interest of the Administrator (Art. 6 paragraph 1 letter f GDPR) involving the analysis of User activity and preferences in order to improve the functionalities and services provided;
- 4.6.3 in order to possibly set and enforce claims or defend against them - the legal basis for processing is the legitimate interest of the Administrator (Art. 6 paragraph 1 letter f GDPR) involving the protection of their rights;
- 4.6.4 for marketing purposes of the Administrator and other entities, in particular those related to the presentation of behavioural advertising - the principles of processing personal data for marketing purposes are described in the "MARKETING" section.
- 4.7 The Users' personal data in the form of information about the mobile device and the ways of using the Application may be processed in order to ensure its proper functioning, conduct analyses, and adapt the displayed advertising content to the Users' interests. Access to this information may also be granted to the Administrator's partners. Activities undertaken by the Administrator for analytical and marketing purposes, which are only undertaken with the User's consent, which can be revoked at any time, and information about the Users' rights are described in the COOKIES AND SIMILAR TECHNOLOGIES section.
- 4.8 If payments for services are made via the Application, the User's personal data will be transferred to DotPay sp. z o.o. with headquarters in Kraków. DotPay sp. z o.o. will be processing Users' Personal Data as an administrator in order to provide a one-off payment service and to perform statutory obligations related to counteracting money laundering and financing terrorism. Further information at: https://www.dotpay.pl/storage/app/media/dokumenty/Polityka%20prywatno%C5%9Bci%20oraz%20polityka%20cookies%20Dotpay_19082019.pdf.
- 5.1 The administrator of personal data for marketing purposes is Inpost sp. z o.o. with headquarters in Kraków (30-552), at ul. Wielicka 28. The Administrator processes Users' personal data in order to carry out marketing activities, which may comprise:
- 5.1.1 displaying marketing content corresponding to the User's interests (behavioural advertising) on the Website and in the Mobile Application, as well as directing advertising messages to Users who have visited the Website or Mobile Application (remarketing) on other websites and social networks;
- 5.1.2 sending commercial information by electronic means, including in the form of a newsletter or SMS/MMS, containing information about interesting offers or products and services offered by InPost sp. z o. o., companies from the Integer.pl Group and entities cooperating with the above-mentioned companies.
- 5.2 The Administrator shall undertake the actions referred to above after receiving the relevant consent (hereinafter referred to as: "marketing consent").
- 5.3 For the activities described in 5.1.1, the Administrator receives the consent to store information in end devices and obtain such information from the User via the so-called cookie banner that is displayed after opening the Website. More information on this subject can be found in chapter 7, "Cookies and similar technologies".
- 5.4 For the activities described in 5.1.2, the Users give consent to the Administrator to send marketing content to the indicated communication channel by checking the appropriate checkbox located under the place on the Website or in the Mobile Application where the User provides data regarding communication channels.
- 5.5 If the marketing consent is given, the Administrator may start processing the collected personal data of the User in connection with the implementation of other data processing processes (account management, order handling, provision of services in the mobile application, etc.), for marketing purposes, and to secure justified interests (art. 6 paragraph 1 letter f GDPR). This data may be used to profile the User. This means that the Administrator evaluates selected factors concerning natural persons with automatic data processing in order to analyse their behaviour or create a forecast for the future. This allows for a better adjustment of the displayed or transmitted content to the individual preferences and interests of the User. The way the profiles are used depends on the content of the marketing consent given by the User (e.g. if a user has agreed to display behavioural advertisement on the Administrator's website, the profile will be used to adjust the content of the advertisement to their preferences, and if they asked to receive the newsletter, the commercial information sent in the newsletter will be appropriately matched to their interests).
- 5.7 The Administrator's trusted partners are also involved in displaying personalized advertising to the User.
- 5.8 The User's personal data may also be used by the Administrator to send marketing content through various channels, i.e. by e-mail, by MMS / SMS. Such actions are taken by the Administrator only with the User's consent, which can be withdrawn at any time.
- 5.9 Personal data is processed:
- 5.9.1 for sending requested commercial information - the legal basis for processing Personal Data, including the use of profiling, is the legitimate interest of the Administrator (art. 6 paragraph 1 letter f GDPR) following from the consent given;
- 5.9.2 for analytical and statistical purposes - in this case the legal basis for processing is the legitimate interest of the Administrator (Art. 6 paragraph 1 letter f GDPR), consisting in analysing User activity on the Website in order to improve its functionality;
- 5.9.3 in order to possibly set and enforce claims or defend against them - the legal basis for processing is the legitimate interest of the Administrator (Art. 6 paragraph 1 letter f GDPR) involving the protection of their rights;
- 6.1 The Administrator of personal data is Inpost sp. z o.o. with headquarters in Kraków (30-552), at ul. Wielicka 28. The Administrator processes personal data of Users visiting the Administrator's profiles on social media (such as Facebook, YouTube, Instagram, Twitter). Data is processed only for the purpose of maintaining the profile, including to inform Users about the activity of the Administrator and to promote events, services, and products. The legal basis for the processing of personal data by the Administrator for this purpose is their legitimate interest (art. 6 paragraph 1 letter f GDPR) consisting in promoting their own brand.
- 7.3 Below there is detailed information concerning the cookies that the Administrator uses on the Website. The Administrator uses the Website's scanning tools on a regular basis to determine what cookies are stored on the Users' devices, so that the list of cookies used is as accurate as possible. The Administrator uses the following categories of files: necessary and functional, analytical, advertising, and social media cookies.
- 7.4 The Administrator's use of necessary cookies is essential for the proper functioning of the website. These files are installed in particular for the purpose of recording login sessions or filling out forms, as well as for setting privacy options. Functional cookies remember and adapt the website to the user's choices, e.g. language preferences. The User may set the browser to block or warn about necessary and functional cookies, but this may prevent some parts of the website from functioning properly.
For more information about the individual files in this category, i.e. the names of individual cookies, description of their operation, period of validity and origin, click on the "Adjust settings" button, which can be found in chapter 9 "Managing cookie settings". When the cookie banner appears, select the "Manage cookies" button and then expand the "Necessary and functional cookies" list.
- 7.5 Analytical cookies make it possible to check the number of visits and traffic sources on the Administrator's website. They help the Administrator establish which pages are more and less popular and understand how visitors navigate the Website. Thanks to this, the Administrator can examine statistics and improve the performance of the Website. Information collected by these cookies is aggregated so it is not intended to identify Users. If the User does not allow the use of these cookies, the Administrator will not know when they visited the website.
For more information about the individual files in this category, i.e. the names of individual cookies, description of their operation, period of validity and origin, click on the "Adjust settings" button, which can be found in chapter 9 "Managing cookie settings". When the cookie banner appears, select the "Manage cookies" button and then expand the "Analytical cookies" list.
- 7.6 Advertising cookies allow us to adjust the displayed advertising content to the Users' interests, not only on our website, but also outside of it. They can be installed by advertising partners through our website. An interest profile is built based on the information from these cookies and activity on other websites. Advertising cookies do not directly store personal data, but identify the web browser and hardware. If a User does not allow the use of these cookies, it will still be possible to display advertisements, but they will not be adjusted to User preferences.
For more information about the individual files in this category, i.e. the names of individual cookies, description of their operation, period of validity and origin, click on the "Adjust settings" button, which can be found in chapter 9 "Managing cookie settings". After the cookie banner appears, select the "Manage cookies" button and then expand the "Advertising cookies" list.
- 7.7 These cookies are installed by our partners to match advertising content on the User's social media. An interest profile is built based on the information from these cookies and activity on other websites or in social media. As a result, the displayed content is tailored to individual needs. Social media cookies do not directly store personal information, but identify the web browser and hardware. If the User does not allow the use of these cookies, the Administrator will not be able to prevent displaying the same advertisement or enable liking and sharing of our content on social media.
For more information about the individual files in this category, i.e. the names of individual cookies, description of their operation, period of validity and origin, click on the "Adjust settings" button, which can be found in chapter 9 "Managing cookie settings". When the cookie banner appears, select the "Manage Cookies" button and then expand the "Social Media Cookies" list.
- 7.8 InPost Mobile uses tracking technologies that make use of information about the mobile device and the way the Application is used. The Administrator may use this information to ensure the proper functioning of InPost Mobile, analyse data, and adjust advertising content to the User's interests. Access to this information may also be granted to the Administrator's partners supplying analytical and marketing tools used by the Administrator in the InPost Mobile Application. Activities for marketing and analytical purposes are undertaken only with the User's consent, expressed using the banner displayed after opening the Application.
- 8.2 Google Analytics cookie files are used by Google to analyse how the User uses the Website, to create statistics and reports on the functioning of the Website. Google does not use the collected data to identify the User and does not combine this information to enable identification for the Administrator's or its own needs. Detailed information on the scope and principles of data collection in connection with this service can be found at https://www.google.com/intl/pl/policies/privacy/partners and here: https://support.google.com/analytics/answer/6004245.
In addition, the Administrator uses Google Firebase Analytics tools provided by Google for the mobile application. Firebase is used to collect analytical data using identifiers of mobile devices and to create statistics and reports. Information from Firebase Analytics may be used to display interest-based advertising. Firebase Analytics does not identify individual users. Detailed information on the scope and principles of data collection in connection with this service can be found at: https://firebase.google.com/policies/analytics.
- 8.3 Google Ads is a tool that allows for measuring the effectiveness of advertising campaigns carried out by the Administrator, allowing for the analysis of data such as keywords or the number of unique users. The Google Ads platform also allows us to display our advertisements to people who have visited the Website in the past. Information on data processing by Google for this service is available at https://policies.google.com/technologies/ads?hl=en.
- 8.4 Facebook Pixels is a tool that allows us to measure the effectiveness of advertising campaigns carried out by the Administrator on Facebook. The tool allows for advanced data analytics in order to optimize the Administrator's activities, also using other tools offered by Facebook. The Pixel collects the following data: http headers (IP address, information about the web browser, page location, document, redirect sources, people using the site), pixel data (pixel ID, Facebook cookie data), button clicks, optional values, form field names. Detailed information on data processing by Facebook can be found at: https://www.facebook.com/help/443357099140264?helpref=about_content.
- 8.8 HotJar is a tool that allows the Administrator to analyse User activity on the Website, e.g. through questionnaires or satisfaction surveys and by collecting anonymous information about clicks on individual parts of the Website. The tool does not identify the User. Detailed information on data collected via HotJar and how to deactivate User monitoring is available at: https://www.hotjar.com/privacy/.
- 8.9 Oracle DMP is a platform for managing User data. The Administrator uses this solution to conduct measurements supporting marketing programs over all channels and devices, including mobile devices. Content submitted to Oracle may include: (a) unique identifiers collected from web browsers, mobile devices, and vendor data, as well as (b) IP addresses or data about users' on-line behaviour and interests. More information on data processing by Oracle: https://www.oracle.com/legal/privacy/privacy-policy.html.
- 8.10 Salesmanago solutions are used to store customer data in one place and use it to select target groups and personalize campaigns using personal, transactional, and behavioral data. Salesmanago uses Machine Learning and AI to build customer profiles. Further information at: https://www.salesmanago.com/info/gdpr.htm.
- 8.11 The administrator uses Pushpush go solutions to create, target, and send web push notifications on the Website. Notifications are used by the Administrator to inform about the current Inpost offer, companies from the Integer.pl capital group, and cooperating entities. In order to send the notification to the user, only the User's IP address is processed (https://pushpushgo.com/pl/faq/jakie-dane-zbiera-ppg). More information about the tool: https://pushpushgo.com/en/pages/privacy/.
- 8.12 The Website uses plugins from social networks (Facebook, Google+, LinkedIn, Twitter). Plugins allow Users to share content published on the Website in the selected social network. The use of these plugins on the Website means that the given social network receives information about the use of the Website by the User and can connect it with a User profile created in a given social network. With regard to the use of social media plugins, data is jointly controlled by the Administrator and the respective providers of social media plugins. Detailed information on this can be found at the following links:
- 8.12.1 Facebook: https://www.facebook.com/policy.php
- 8.12.2 Google: https://policies.google.com/technologies/product-privacy?hl=en
- 8.12.3 LinkedIn: https://www.linkedin.com/legal/privacy-policy?trk=%7Berror-page%7D-privacy-policy
- 8.12.4 Twitter: https://twitter.com/en/privacy
- 9.2 Consent is not required only for cookies, the use of which is necessary to provide a telecommunications service (data transmission to display content).
- 9.3 In order to receive advertising tailored to the User's preferences, in addition to consenting to the installation of cookies via the banner, it is necessary to maintain browser settings that allow cookies from the Website to be stored on the User's end device.
- 9.4 Consent to the collection of cookies can be withdrawn on the Website via the cookie banner. The User can return to the banner by clicking the button below:
After displaying the banner, the User may withdraw consent by clicking the "Manage cookies" button, moving the slider next to the selected cookie category and pressing the "Close and save" button.
The user also has the option to withdraw consent by changing browser settings. Detailed information on this can be found at the following links:
- Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer?redirectslug=Cookies&redirectlocale=en-US
- Google Chrome: https://support.google.com/chrome/answer/95647?hl=en
- Opera: https://help.opera.com/en/latest/web-preferences/
- Safari: https://support.apple.com/en-euro/guide/safari/sfri11471/mac
- Internet Explorer:
- 10.1 The period of data processing and storage depends on the type of service provided and the purpose of data processing. As a rule, the data is processed throughout the time the service is provided or the order is being processed, until the consent is withdrawn, or an effective demand to stop data processing is filed, in cases where the legal basis for data processing is the Administrator's legitimate interest.
- 10.2 The data processing period may be extended if processing is necessary to establish and assert any claims or defend against them, and after that time only in cases and to the extent required by law. After the storage period, data is permanently deleted or anonymised.
- 11.1 The User has the right to: access the data and demand its rectification, deletion, restricting its processing, as well as the right to transfer data, the right to object to the processing of data, and the right to lodge a complaint to a supervisory body dealing with the protection of personal data.
- 11.2 To the extent that the User's data is processed on the basis of consent, this consent may be withdrawn at any time by contacting the Administrator.
- 11.3 The User has the right to object to the processing of data for marketing purposes, if the processing takes place in relation to the Administrator's legitimate interest, and in other cases - related to the particular situation of the User - where the legal basis for data processing is the Administrator's legitimate interest (e.g. in connection with the implementation of analytical and statistical objectives).
- 11.4 For more information on the rights resulting from the GDPR, see here
- 12.1 Personal data will be disclosed to external entities in connection with the provision of services, including in particular suppliers responsible for the operation of IT systems, entities such as banks and payment operators, i.e. DotPay sp. z o. o., entities providing accounting services, marketing agencies (in relation to marketing services), i.e. evl.pl sp. z o.o., Benhauer sp. z o.o., Smolar Agencja Promocyjno – Reklamowa, Open Gate Sp. z o.o. and entities related to the Administrator, including companies from its capital group.
- 12.2 The Administrator reserves the right to disclose selected information concerning the User to the competent authorities and third parties that submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.
- 13.1 The level of protection of personal data outside of the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers personal data outside the EEA only when it is necessary and with an adequate level of protection, primarily through:
- 13.1.1 cooperation with entities processing Personal Data in countries for which an appropriate decision of the European Commission has been issued concerning their adequate level of Personal Data protection;
- 13.1.2 use of standard contractual clauses issued by the European Commission;
- 13.1.3 applying binding corporate rules, approved by a competent supervisory authority;
- 14.1 The Administrator conducts risk analysis on an ongoing basis to ensure that personal data is processed in a secure manner - ensuring, above all, that only authorized persons have access to the data and only to the extent that it is necessary for the tasks performed by them. The administrator makes sure that all operations on personal data are recorded and performed only by authorized employees and associates.
- 14.2 The Administrator undertakes all necessary actions so that subcontractors and other cooperating entities guarantee that appropriate security measures are applied whenever they process personal data at the request of the Administrator.
15. Contact details
- 15.1 The administrator has appointed a Data Protection Officer, who can be contacted at the following e-mail address: firstname.lastname@example.org about any matter related to the processing of Personal Data by the Administrator.
- 15.2 The Administrator can also be contacted at the correspondence address detailed in Chapter 2.
- 16.1 The policy is verified on an ongoing basis and updated if necessary.
- 16.2 The current version of the Policy has been adopted and is effective from 01.07.2021.