1. Home
  2. Products and services
  3. bp IDP Privacy statement

bp Global Privacy Statement for CIP Registration Process

1. Introduction  

When you first register or login to use our websites and apps (the "Digital Assets"), a member of the bp group ("bp", "we", "us" or "our") will collect, use and share your information to give you access to your chosen Digital Asset.


This privacy notice ("Notice") explains what information we collect about you, how we use it, who we share it with and how long we retain it in relation to your registration and login into Digital Assets that use our central authentication platform. When you later use your account in one of our specific Digital Assets, this Notice ceases to apply, and the relevant Digital Asset’s privacy notice applies instead.

 

2. Responsible bp entity

The relevant local bp entity of the country in which you are located will be responsible for the processing of your personal information as described in this Notice and will act as the controller of such information. These responsible bp entities are:

Country Entity
Australia BP Australia Pty Limited
GPO Box 5222,
Melbourne, VIC 3001
Germany Aral Aktiengesellschaft,
Wittener Straße
45 44789 Bochum
India Castrol India Limited
Technopolis Knowledge Park Mahakali Caves Road, Andheri (E) Mumbai - 400093
Mexico Bp Estaciones Y Servicios Energéticos, S.A. De C.V.
Avenida Santa Fe, Número 505, Piso 10,
Colonia Cruz Manca, Delegación Cuajimalpa de Morelos,
Código Postal 05349,
Ciudad de México
Netherlands BP Europa SE – BP Nederland
d’Arcyweg 76 (Havennummer 6425)
3198 NA Europoort-Rotterdam
Poland BP EUROPA SE
Oddział w Polsce z siedzibą w Krakowie, przy ul. Pawiej 9,
KRS: 0000345546
South Africa BP Southern Africa (Pty) Ltd
199 Oxford Road, Oxford Parks,
Dunkeld, 2193
Spain BP Energia Espana,
S.A. Unipersonal
C. de Quintanadueñas, 6, 2°,
Fuencarral-El Pardo,
28050, Madrid
United Kingdom BP Oil UK Limited
Chertsey Road,
Sunbury-on-Thames,
Middlesex TW16 7BP
United States of America bp America Inc.
1209 Orange Street,
Wilmington,
Delaware, 1980

3. Information we collect

We obtain most of the information from you. If we don’t receive this information from you, we obtain your personal information from other sources, such as third parties and publicly available data sources. We also generate some of the information about you ourselves e.g. through the creation of an authentication ID.

 

As part of your registration and login, we will ask you to submit personal information which is necessary for us to give you access to your chosen Digital Asset. You can choose to register or login by linking your Apple, Facebook or Google Account or you can register or login directly via our bp platform. Once you are successfully registered, we may link your account information to other Digital Assets so that you can use the same account credentials across multiple Digital Assets. In that context, bp will process the personal information about you set out in the table below.

Category Details Source
Contact information Phone number
Email address
First name
You / API triggered by you
Digital Asset usage Information about your device and your use of our Digital Assets or related communications (including Internet Protocol (IP) addresses or other identifiers, such as browser type, plug-ins, mobile carrier, time zone and location, operating system and platform, and other device information relating to the technology on the devices you use to access our Digital Assets) You / Us

Digital Asset usage information

We use cookies (and similar technologies e.g. web beacons, pixels, tags, and JavaScript) to collect information about your use of the Digital Asset. You can set your browser to refuse all or some browser cookies, or to alert you when Digital Assets set or access cookies. If you disable or refuse cookies, please note that some parts of our Digital Assets may become inaccessible or not function properly.

4. Why we collect your information and how we use it

We primarily use your information to give you access to our Digital Assets and services relating to those Digital Assets. We keep your information secure by implementing appropriate security measures as required by applicable data protection laws.

 

Lawful basis
Where required by applicable law, we ensure that we have a lawful basis to use your personal information for the purposes outlined in this Notice. Under the UK and EU GDPR, we will rely on Article 6 lawful bases listed below. We will also rely on one or more of these lawful bases when they are available in other countries.

 

  • Performance of the contract we have with you for the provision of our services relating to the Digital Asset. The terms and conditions of your chosen Digital Asset will govern this contract;·
  •  Our legitimate interests to use your personal information where it is necessary for our (or a third party’s) legitimate interests and those interests do not override your interests, fundamental rights and freedoms. This means we will only use your information for the purposes of a legitimate interest when there is no unfair impact on you;·
  • Our legal obligations we also use your personal information where it is necessary to comply with the law; and
  • Your Consent if you consent to the processing of your personal information in specific cases. You can withdraw your consent at any time as set out below in section 8.1 (Data Protection Rights).

The table below sets out in more detail why we collect and how we use your information and our lawful bases under applicable data protection laws.

Purpose / activity Information we use Lawful basis for processing

Customer management – to administer and improve our business (including our services and products).

This includes:

User registration and authentication process;  Management and administration of our customers and business; or to improve and develop our business (including through training artificial intelligence systems).

Contact information

Digital Asset usage information

Legitimate interests (to manage and provide services to you and to improve the services of our Digital Assets) Legal obligations
Maintenance and management of the Digital Asset.
This includes:
ongoing review and improvement of the information provided on our Digital Assets to ensure they are user friendly and to prevent any potential disruptions or cyber- attacks; to conduct troubleshooting / analysis, required to detect malicious code / threat actors, and to understand how this may affect your device; or statistical monitoring and analysis of current cyber-attacks on devices and systems and for the ongoing adaptation of solutions to secure devices and systems against current cyber-attacks. 

We also anonymise or deidentify your personal information for this purpose. Please refer to section 7 (Retention of your information) for details on how we anonymise your information. To the extent we process deidentified information, we will maintain and use the information in deidentified form and will not attempt to reidentify the information unless permitted by applicable law.

Contact information

Digital Asset usage information

Legitimate interests (maintaining and managing information technology services, network and data security, and fraud prevention)
To collect information about your use of the Digital Asset (including information about your device and your use of our services through cookies and other similar technologies).

Account information

Digital Asset Usage information

Legitimate interests (providing the necessary functionality of our Digital Asset) Consent only where required by applicable data protection laws e.g. for information obtained from non-essential cookies and similar technologies – you can withdraw this consent at any time in your cookie preferences
Analytics, statistical and insight purposes. Where relevant, your email address will be shared with the Digital Asset you are accessing and its will be subject to such Digital Asset’s specific privacy notice, which may include these purposes.

Contact information

Digital Asset Usage information

Legitimate interests (improving and enhancing our business model and services, to better understand our customers)

Legal and regulatory. 

This includes:

to comply with and to assess compliance with applicable laws, rules and regulations, and internal policies and procedures; to prevent and detect fraud or other criminal activity or misconduct; or for establishment and handling of legal claims.

Contact information

Digital Asset Usage information

Legal obligations (where the processing activity is required by law or regulation or to comply with our legal obligations)

 

Legitimate interests (to protect against misuse or abuse of our Digital Assets and to exercise our legal rights)

Business support. 

This includes:

receipt of services from third party service providers e.g. consultancy, banking, legal, insurance and accounting services to restructure our business, including in the context of sales, transfers, mergers and acquisitions (and related negotiations).

Contact information

Digital Asset Usage information

Legitimate interests (supporting or restructuring our business)

5. Information we share

To give you access to the Digital Assets, we may share your information with bp entities and third party recipients, such as external service providers, social media companies and legal or regulatory bodies. We have contracts in place with these third parties governing the use of your information. Any service provider we appoint is required to comply with privacy laws and contractual security measures.

 

Further details about the information we share with service providers and third parties are set out in the table below.

Service provider / third party  Purpose  Information shared

Other bp entities

We may share your information with other bp entities or companies that we acquire in the future after they are made part of the bp group, to the extent such sharing of information is necessary to administer and manage the Digital Assets.

Account administration e.g. we share your information with other bp entities as part of our business operations, including with our parent company bp plc, headquartered in the UK Data and records management

Contact information

Digital Asset Usage information

Third party service providers

If you decide to register/login through social, your data will be shared with your selected ‘single sign-on’ service (e.g. Meta, Google or Apple). We share your personal data with our IT service providers Microsoft, AWS, Salesforce and Google Cloud. We also use Twilio as our OTP service provider.

IT systems and support

Contact information

Digital Asset Usage information

Professional advisors like lawyers and accountants

Legal and accountancy advice

Advice from other professional advisors e.g. we share your personal information with third parties (and their advisors) to whom we may choose to sell, transfer or merge parts of our business or our assets

Contact information

Digital Asset Usage information

Regulatory authorities

Courts

Other public authorities

 

These authorities may be situated outside your country. In these instances, the legal or regulatory authority will be considered to be a data controller (not acting on our instructions) and will be primarily responsible for deciding how your information is held and used once shared by us.

Regulatory and compliance e.g. we disclose your information as required by applicable laws
Tax
Conduct of complaints or legal claims e.g. we disclose your information when we believe that disclosure is necessary to protect our rights or comply with a judicial proceeding, court order, request from a regulator or any other legal process served on bp

Contact information

Digital Asset Usage information

6. International transfers

We maintain our authentication platform in the EU. However, as an international company, we may transfer your personal information to other bp entities, in particular to bp entities in India, for IT support purposes, or the UK and the USA where we have central operations. Where this is the case, we ensure that the importing country offers an adequate level of data protection compliance (such as the UK when sending personal data from the EEA member countries), or we will rely on our global compliance framework which includes appropriate data transfer measures and safeguards to ensure that we protect your personal information in accordance with applicable data protection laws.

Concerning intragroup transfers from the EEA or the UK, we rely respectively on the EU Commission approved standard contractual clauses adopted by decision 2021/914 and the UK IDTA, as each may be amended or updated from time to time. Where we transfer personal information to a third party outside the bp group, we ensure that appropriate measures are in place to offer an adequate level of protection for your personal information. As above, this includes the use of the EU Commission approved standard contractual clauses adopted by decision 2021/914 and the UK IDTA, where required under applicable laws.

You can request further information about our international transfers and the contractual safeguards we implement using the contact details below.

 

7. Retention of your information

How long we will hold your personal information will vary based on the purpose for which we are using it. We will need to keep the information for as long as is necessary for each purpose in line with our policies and business needs. These needs may vary between countries. In the context of registration and login, we will keep the information needed to authenticate you for as long as you maintain an account with us.


We will only keep your information for longer periods where necessary to meet our regulatory or legal obligations, before anonymising your information or deleting it. Anonymising personal information means ensuring that the data is no longer identifiable to you personally. We do this either by aggregating the data (for example, to make a finding about a group of people as opposed to a specific individual) or by removing any personal identifiers (for example, contact information) so that we can still use data to identify trends and patterns but cannot link this data back to you.


If you choose to unsubscribe from a service, we may keep a ‘suppression list’ containing your contact information so we know you have unsubscribed and to ensure you are not contacted again. If we hold your personal information on a suppression list, we will not use it for any other purpose.


8. Your Rights

Some or all of the rights set out below will apply to you depending on where you are located. For instance, if you are located in the EEA or the UK, you are afforded all of the rights set out below, and if you are in Australia, you have the right to access and correct your personal information.


8.1 Data Protection Rights

  • Access to your personal information. Where applicable, you are entitled to receive a copy of personal information we hold about you.
  • Correction of the personal information that we hold about you. You may request that we correct any incomplete or inaccurate data we hold about you, though we may need to verify the accuracy of the new data you provide to us. It is important that the personal information we hold about you is accurate and current. Please contact us using the contact details below to update us in the event of any changes to your personal information.
  • Erasure of your personal information. You may request that we delete or remove personal information where there is no overriding reason for us to continue to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we have processed your information unlawfully or where we are required to erase your personal information to comply our legal obligations. 
  • Restriction of processing of your personal information. You may ask to suspend the processing of your personal information in the following scenarios:
    • If you want us to establish the data's accuracy;
    • Where our use of the data is unlawful but you do not want us to erase it;
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
    • You have objected to our use of your information, but we need to verify whether we have overriding legitimate grounds to continue to process it.
  • · Transfer of certain of your personal information to you or a third party. Where this right applies, we will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Please note that this right only applies to information you provided to us and which we process on the basis of consent or where it is necessary to perform a contract with you.·
  • Withdraw consent where we are relying on consent to process your personal information. Withdrawal will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. Where we seek consent, it can be withdrawn by a digital consent management tool, or by sending an email to the contact details set out below.

8.2 Right to object

Where we process your personal information based on legitimate interests, you have the right to object to such processing, including profiling on grounds relating to your particular situation, at any time.

If you exercise your right to object, we will stop processing your personal information in that context. In some cases, however, we may demonstrate that we have compelling legitimate grounds to continue to process your personal information and if this is the case, we will inform you.

8.3 Right to complain to your supervisory authority

  • We are committed to working with you to obtain a fair resolution of any complaint about our use of your information. If you have any concerns or wish to make a complaint to our privacy teams (including relevant data protection officers), please use the details provided in section 9.
  • You may have the right to lodge a complaint with a competent supervisory authority. In particular:
  • if you are in Australia, for details on how to lodge a complaint, please refer to the website of the Office of the Australian Information Commissioner, which regulates and supervises the use of personal information in Australia.
  • if you are in the UK, you can make a complaint to the Information Commissioner’s Office, which regulates and supervises the use of personal data in the UK, via their helpline on 0303 123 1113. Details for the office of the Information Commissioner in the UK are available at www.ico.org.uk.
  • if you are in Spain, you can make a complaint to Agencia Española de Protección de Datos (“AEPD”) C/Jorge Juan, 6 28001 Madrid, Spain Tel +34 900 293 183/ +34 900 293 621, www.aepd.es.
  • if you are in Poland, you can make a complaint to the President of the Office of Personal Data Protection (“Office of Personal Data Protection”) ul. Stawki 2 00-193 Warsaw, https://uodo.gov.pl/.
  • if you are in Germany, you can make a complaint to any of the data protection authorities of the federal states (Bundesländer), the contact details of which you can find at https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.
  • If you are in Mexico, please refer to the Office of the National Institute for Transparency, Access to Information and Protection of Personal Data (“INAI”) at home.inai.org.mx, on how to lodge a complaint.

If you are in another country and are unsure about which authority you may be able to complain to, please contact us using the details below.


Please be aware that all the rights listed above are not absolute and there are situations where they cannot be exercised or are not relevant.

 

9. Contact us

If you have any questions and grievances about this Notice, our privacy practices or your data protection rights, please contact us (including data protection officers, where relevant) at privacy3@bp.com.

When you contact us, please indicate in which country and/or state you reside. When you exercise your rights, if we cannot easily confirm your identity or if you use a third party to exercise your rights describe in this Notice.


10. Third party websites we link to

Our Digital Assets may contain links to external websites, services or content provided by third parties, which are outside of our control and are not covered by this Notice. Interacting with this external content may allow third parties to collect or share information about you. The information practices of these third parties, including the social media platforms that enable you to register or login into our Digital Assets, are governed by their own privacy notices. We encourage you to read these third party privacy notices, to better understand their privacy practices.


11. Changes to Our Privacy Notice

This Notice was last updated in February 2024. We will update it again when necessary to reflect changes in the law and our practices. If we make a material change to the Notice, you will be provided with appropriate e-mail notice in accordance with legal requirements.
We encourage you to periodically review this Notice to stay informed about our collection, processing and sharing of your personal information.