Last updated 2 August 2021
The protection of your personal data is very important to us. When providing postal services, we are obliged to maintain postal secrecy, which includes, among others, information provided in postal items, data on entities using postal services and data on the fact and circumstances of providing postal services or using these services. In addition, information or data covered by postal secrecy may be collected, recorded, stored, processed, changed, deleted or made available only if these activities relate to the postal service provided or are necessary for its performance or separate provisions provide otherwise.
This document is to provide you with the necessary information on how we process your personal data and what your rights are in relation to the processing of your personal data.
We have appointed a data protection officer (DPO), who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO on
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues
(www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Who is the controller of your personal data?
The controller of your data is InPost UK Limited. This means we are responsible for deciding how and why we use your personal data.
Where we use subcontractors in the performance of our services, the subcontractor may also be an independent data controller or a data processor (which means they process personal data on our behalf - we tell them how they can use it). All parties we work with protect your personal data in accordance with data protection law.
What personal data do we process?
As part of the services provided by InPost, we may process the following personal data:
- First Names, Last Names, Usernames and Titles
- Billing Address, Delivery Address, email address and telephone numbers
- Bank account and payment card details
- IP Address
- Login Data
- Marketing and Communication data
To the extent this information is necessary for the provision of services provided by InPost you will likely be under a contractual requirement to provide this information to us (either in your contract with us if you contract directly with us or your contract with our partners). If you don’t provide that information we will be unable to provide our service.
In certain circumstances complaints submitted to us due to non-performance or improper performance of postal and transport services may be subject to statutory requirements for you to provide certain information relating to your complaint.
In addition, because – for the purposes of security and protection of you and your shipments, in particular against theft and vandalism – we use monitoring of InPost parcel lockers, under which it is possible to record your image. Such processing of your data is necessary not only for the protection of our legitimate interests, but also for the protection of your interests. We also process contact details of our business partners and prospective business partners and their personnel.
How do we receive your personal information?
Your personal data is obtained by InPost in the following circumstances:
- when you give us your shipment to be delivered to a person indicated by you or to the indicated place;
- in the event that our customers (e.g. online stores and/or their partners) provide us with your data in order to perform our delivery and/or collection services;
- in the event that you submit a complaint to us in respect of the services we provide, or when your data is provided by a person authorised to make such a complaint, for example our customer who sent you a parcel and then submitted to InPost a complaint for non-performance or improper performance of the service on that shipment;
- where you submit to us an inquiry regarding the services or activities of InPost;
- if you provide InPost with your data to receive an InPost commercial offer;
- if you provide InPost with your data to create an account with InPost, which allows you to generate orders for the services we offer;
- if you provide your data for the purposes of receiving marketing related to InPost products and services and entities cooperating with InPost, which will be implemented by InPost or independently by these entities;
- If you sign up to any newsletters we may offer from time to time; and
- If you sign up to receive market research we conduct from time to time;
Why do we process your personal data?
Primarily, we process personal data in order to provide our services to you (or the retail partner with whom we contract). This includes:
- providing postal or transport services , as well as services accompanying these services, including delivery of a parcel you have sent or delivery to you;
- to send you messages by email or SMS in relation to the delivery of a parcel, status updates; locker locations and payment, deposit and collection receipts;
- to process payments and refunds; and
- to register you as a new customer.
We process personal data as required to fulfil tax, legal and settlement obligations and to exercise legal rights and comply with any other legal obligations we are subject to.
- We also process personal data for the following purposes:providing you with information and materials of a marketing nature or for the purpose of providing you with an offer;
- analysis, including personalisation, solely for the purposes of optimising processes in the provision of our services and improving their provision;
- complaint handling;
- fraud prevention and detection;
- security purposes including theft and vandalism detection and prevention; and
- to the extent necessary in the event of a sale or possible sale of the whole or part of our business or the restructuring of our business.
How long do we store your personal data?
We store your personal data no longer than necessary. In particular, we store personal data for the time necessary for the proper performance of the services we provide, and after this period no longer than until the expiry of the limitation period for claims that may be raised in connection with the provision of these services. We store your personal data for the following periods:
- when you have an InPost account which enables you to order the services we provide, and commission these services as the sender (including the payer), as well as if you do not have such an account, but use our services as the sender (including the payer), we store your personal data for a maximum period of 6 years from the day you sent the parcel;
- when you are the recipient of a shipment, we store your personal data for no longer than the period of limitation of any claims for the provision of services by us, resulting from the Limitation Act 1980 (which is generally 6 years from the provision of the relevant service);
- when you file a complaint or complain about the services provided by InPost, we process your personal data contained in your complaint for the time necessary to consider your complaint. After this time we can store it for no longer than the period of limitation of any claims for a complaint arising from generally applicable law;
- when you submit another application or inquiry to us, we store your personal data for the period of service and eventual implementation of your application, and after that period we may store it for a period not exceeding the period of possible limitation of claims resulting from generally applicable law; and
- if the period of storage of your personal data results from mandatory provisions of law, we store your personal data for the period specified in these provisions.
Why do we store your data for such a period of time?
- as InPost we have to comply with the obligations arising from the provisions of generally applicable law, in particular in the field of implementation of postal law, transport law, tax and accounting regulations, and other legal obligations imposed on InPost; and
- we have a legitimate interest in the pursuit and defence of claims arising from the provision of services by InPost,
- we have a responsibility for the continuous improvement of the level of security, in particular preventing fraud and fraud.
What are the legal grounds for processing your personal data by InPost?
In order to comply with data protection laws that apply to us we need to identify the legal grounds we rely on to use your personal data. These are set out below.
Necessary for a contract you are party to: InPost primarily processes your personal data in order to perform the postal and transport services it offers. These services are performed on the basis of contracts, including contracts concluded with shippers and online retailers with whom you have contracted with directly. Without processing this personal data, we are not able to perform these services (e.g. without knowing the address for delivery of the package and its addressee, we are not able to deliver such a package), or other services we have committed to. The processing of your personal data is also necessary to perform a contract you are party to..
Legitimate interest: We also process your personal data for purposes arising from our legitimate interests – by “legitimate interest” we mean an interest which is compatible with the generally applicable law (e.g. direct marketing of our products or services to our business customers and prospective business customers or pursuing claims by us for our business activities). Whenever we want to process your personal data on the basis of a legitimate interest, we examine and assess whether such processing of personal data will affect you and your rights. We will not process your personal data on the basis of our “legitimate interest” if your interest or your rights and freedoms override it. Our legitimate interests are noted in the “why do we process your personal data” section above.
Legal obligations: We processing personal data to comply with legal obligations we are under.
Consent: We generally don’t rely on consent to process your personal data. However, there are a few exceptions to that:
- our legal ground for non-essential cookies is consent.
- if you are a consumer we will ask for your consent to send you unsolicited direct marketing although there are some limited circumstances where consent may not be required (for example we send you marketing related other services of ours which are similar to those you have purchased from us),
You may withdraw your consent to the processing of your personal data for these purposes without affecting the validity of the processing of personal data before the consent is withdrawn.
Who are the recipients of your personal data?
By “recipient” of personal data we mean a natural or legal person, public authority, entity or other entity to whom personal data is disclosed, regardless of whether it is a third party. Your personal data is not processed exclusively by InPost and its staff. We provide our services with the help of many subcontractors, including transport companies and couriers. Your data is therefore processed by such categories of recipients as:
- InPost employees and associates and agents;
- InPost subcontractors in connection with the collection and delivery of parcels;
- InPost subcontractors responsible for payments and refunds;
- insurers responsible for covering potential damage to shipments;
- subcontractors operating our IT networks and databases and creating IT solutions for us and providing marketing services to us;
- subcontractors servicing the InPost helpline and customer service department;
- Her Majesty’s Revenue & Customs, regulators and other authorities based in the United Kingdom who may require us to report processing activities;
- our affiliates;
- professional entities providing InPost tax, legal, auditing, digital marketing, website hosting and settlement consultancy; and
- third parties in the context of a sale or possible sale of the whole of or part of our business or the restructuring of our business.
Is your personal data transferred outside the UK?
Your personal data is transferred outside the UK in the event that the services provided by InPost are to be performed outside the UK. This is the case, for example, when you send a parcel via InPost to such a country. Your personal data may also be transferred to our subcontractors (e.g. entities that deliver your parcel in that country) and entities providing InPost with tax, legal, audit and billing advice if they operate outside the UK. With each of the above cases, we ensure that appropriate safeguards (such as specific approved contractual clauses) or exemptions are in place or that the recipient is in a country which the UK deems to offer an adequate level of data protection, equivalent to that in the UK. We do not transfer your personal data outside the UK if such transfer is not possible or is excluded by generally applicable law.
If you use our website and systems available through our website (in particular enabling the generation of orders and other activities related to the ordering of postal and transport services), when browsing these pages, so-called “cookies” are created. These are small text files that are stored on your device through which you browse websites. You can find more information on the cookies we use in our
What are your rights regarding access to your personal data?
You have the right to information about how we use personal data (which is what this notice is for): to access your personal data, rectification, deletion or limitation of processing of your personal data in certain circumstances, as well as the right to object to processing, and the right to transfer this data and receive a copy of it.
Please be aware that these rights are not absolute and there may be some situations in which they cannot be exercised or are not relevant.
If you have consented to the processing of your data by InPost (although, please note, generally we do not rely on consent to use your personal data), you have the right to withdraw consent at any time, without affecting the lawfulness of the processing that was carried out on the basis of consent before its withdrawal.
You also have the right to ask us to stop processing your personal data for marketing purposes at any time.
You can exercise the above rights by contacting our DPO :
You also have the right to lodge a complaint with your data protection regulator (which in the UK is the Information Commissioners Office) if you feel that we have not properly addressed our obligations.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
This notice may change, in particular if it is necessary due to a change in generally applicable law or a change in the scope of services offered by InPost. If we update this notice we’ll revise the “last updated” date at the top of the notice. We'll endeavour to make you are aware of material changes but we suggest you also check this page from time to time to ensure you are up to date with our latest privacy practices.