Privacy and Cookies policy

  • Definitions

    • Controller – InPost S.A. (Société anonyme), a company incorporated and existing under the laws of Luxembourg, with its registered office at 70, route d'Esch, L-1470 Luxembourg, entered into the Luxembourg Business Register (Registre de Commerce et des Sociétés) under number B248669.
    • Personal Data – any information about a natural person, identified or identifiable by one or several factors defining his/her physical, physiological, genetic, psychic, economic, cultural or social identity, including the IP of the device, location data, online identifier and information collected through cookie files and other similar technologies.
    • Policy – this Privacy Policy.
    • GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
    • Website – an online service run by the Controller at the address.
    • User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
  • Data processing in connection with the use of the website

    • In connection with the User’s use of the website, the Controller collects data within the scope necessary to provide services and collects information about the User’s activity on the Website. The detailed rules and purposes of processing the personal data collected during the use of the Website by the User are described below.
  • Purposes and legal basis of data processing at the website

    USE OF THE WEBSITE

    • Personal data of all the persons using the Website (including the IP address or other identifiers and information collected through cookie files and other similar technologies) are processed by the Controller:
      • to provide Users with an access to the content collected on the Website – in this case, the legal basis for the processing is that processing is necessary for the performance of a contract (Article 6(1)(b) of GDPR);
      • for analytical and statistical purposes – in this case, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR) to analyze the activity of Users and their preferences in order to improve the functionalities used on the Website;
      • to determine and pursue possible claims or defend against claims – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to protect its rights;
      • for the marketing purposes of the Controller and other entities, in particular those associated with displaying behavioral advertising – the rules of personal data processing for marketing purposes are described in the section called “MARKETING”.
    • Activity of a User on the Website, including their personal data, is recorded in system logs (a special computer program for storing a chronological record of information about events and actions concerning the IT system used by the Controller). The information collected in logs is processed mainly for purposes related to the provision of services. The Controller also processes the information for technical and administrative purposes as well as in order to ensure security of the IT system and to manage the system and for analytical and statistical purposes – in this respect, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR).
  • Marketing

    • The Controller processes personal data of Users to perform marketing activities which may involve:
      • displaying marketing content which is not tailored to a User’s preferences (contextual advertising);
      • displaying marketing content which is tailored to the User’s interests (behavioral advertising).
    • In some cases, the Controller uses profiling in order to carry out the marketing activities. This means that thanks to automatic data processing, the Controller evaluates selected factors concerning natural persons in order to analyze or predict their behavior.
    • CONTEXTUAL ADVERTISINGThe Controller processes personal data of Users for marketing purposes in connection with contextual advertising directed to Users (i.e. advertising which is not tailored to the User’s preferences). In these cases, personal data are processed in connection with the pursuit of the Controller’s legitimate interest (Article 6(1)(f) of GDPR).
    • BEHAVIORAL ADVERTISINGThe Controller and its trusted partners process personal data of Users, including the Users’ personal data collected through cookies and other similar technologies, for marketing purposes in connection with behavioral advertising directed to Users (i.e. advertising which is tailored to the User’s preferences). In these cases, personal data processing also involves profiling of Users. The use of personal data collected through this technology for marketing purposes, in particular to promote goods and services of third parties, requires the User’s consent. Such consent may be withdrawn at any time.
  • Cookies and similar technologies

    • Cookies are small text files installed on the device of a User browsing the Website. Cookies collect information to facilitate using a website, e.g. by remembering the User’s visits at the Website and actions performed by them.
    • “SERVICE” COOKIESThe Controller uses the so called “service” cookies primarily in order to provide the User with services electronically and improve the quality of these services. Accordingly, the Controller and other entities providing analytical and statistical services on its behalf, storing information or gaining access to information already stored in the User’s terminal telecommunications equipment (a computer, telephone, tablet, etc.). Cookie files used for the above purpose include:
      • user input cookies (session identifiers) stored for the duration of a session;
      • authentication cookies used for services that require authentication for the duration of a session;
      • user-centric security cookies, e.g. used to detect abuses concerning authentication;
      • multimedia player session cookies (e.g. flash player cookies);
      • persistent user interface customization cookies for the duration of a session or slightly longer;
      • cookies used to monitor online traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Website, to compile statistics and reports about the operation of the Website). Google does not use the data collected to identify a User and neither does it combine any information items to make such an identification possible. Detailed information on the scope and rules of collecting data in connection with the service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
    • “MARKETING” COOKIESThe Controller and its trusted partners also use cookies for marketing purposes, e.g. in connection with sending behavioral advertising to Users. For this purpose, the Controller and its trusted partners store information or gain access to information already stored in the User’s terminal telecommunications equipment (a computer, telephone, tablet, etc.). Using cookie files and the personal data collected through them for marketing purposes, in particular to promote goods and services of third parties, requires the User’s consent. Such consent may be withdrawn at any time.
  • Period of personal data processing

    • The period of data processing by the Controller depends on the type of services provided and the purpose of the processing. In principle, data is processed for the entire period between expressing consent to the processing until the moment of withdrawing consent or filing an effective objection to the data processing in the cases where the legal basis for the processing is the Controller’s legitimate interest.
    • The data processing period may be extended if processing is necessary to determine and pursue possible claims or defend against claims and, after that time, only when and to the extent required by law. After the elapse of the processing period, the data are irreversibly deleted and anonymized.
  • User’s rights

    • A User has the right to: access the content of the data and demand its rectification, erasure, restriction of processing, the right to data portability and the right to object to data processing as well as the right to lodge a complaint with the supervisory authority responsible for personal data protection.
    • To the extent that a User’s data are processed on the basis of their consent, the consent may be withdrawn at any moment by contacting the Controller.
    • A User has the right to object to data processing for marketing purposes if the processing is done in connection with the Controller’s legitimate interest and also – for reasons connected with the User’s particular situation – in other cases when the legal basis for data processing is the Controller’s legitimate interest (e.g. in connection with carrying out analytical and statistical objectives).
  • Data recipients

    • In connection with provision of services, personal data will be disclosed to external entities, including in particular vendors responsible for maintenance of IT systems, entities providing accounting services, marketing agencies (regarding the marketing services) and entities related to the Controller, including companies from its group.
    • If a User’s consent is obtained, their data may also be made available to other entities for their own purposes, including marketing purposes.
    • The Controller reserves the right to disclose selected information items referring to the User to relevant authorities or third parties which will demand that they are provided such information pursuant to a relevant legal basis and in compliance with prevailing laws.
  • Transfer of data outside the EEA

    • The level of personal data protection outside the European Economic Area (EEA) differs from that guaranteed by the European law. For this reason, the Controller transmits personal data to places outside the EEA only when necessary and ensuring an adequate protection level, mainly by:
      • cooperating with personal data processors in the states with respect to which a relevant decision of the European Commission has been issued;
      • application of standard contractual clauses issued by the European Commission;
      • application of binding corporate principles approved by the relevant supervisory authority;
    • At the data collection stage, the Controller always informs the User of the intention to transfer personal data outside the EEA.
  • Personal data security

    • The Controller conducts an ongoing risk analysis to ensure that personal data is processed in a secure manner, guaranteeing first of all that access to the data is provided only to authorized persons and only to the extent necessary for them to perform their tasks. The Controller makes sure that any operations on personal data are recorded and performed only by authorized employees or contractors.
    • The Controller takes any necessary actions so that also its subcontractors and other cooperating entities guarantee the application of appropriate security measures in each case when they process personal data on the Controller’s behalf.
  • Contact data

    • The Controller may be contacted by e-mail dpo@inpost.pl or by letter sent to the mailing address ZOD, Integer.pl S.A., ul. Wielicka 28, 30-552 Kraków.
    • The Controller has appointed a Data Protection Officer that may be contacted by e-mail dpo@inpost.pl in any matter concerning personal data processing.
  • Amendments to the privacy policy

    • The policy is verified on an ongoing basis and updated when needed. The present version of the Policy was approved and has been in force since 11.01.2021.