When you first register or login to use our websites and apps (the "Digital Assets"), a member of the bp group ("bp", "we", "us" or "our") will collect, use and share your information to give you access to your chosen Digital Asset.
This privacy notice ("Notice") explains what information we collect about you, how we use it, who we share it with and how long we retain it in relation to your registration and login into Digital Assets that use our central authentication platform. When you later use your account in one of our specific Digital Assets, this Notice ceases to apply, and the relevant Digital Asset’s privacy notice applies instead.
The relevant local bp entity of the country in which you are located will be responsible for the processing of your personal information as described in this Notice and will act as the controller of such information. These responsible bp entities are:
| Country | Entity |
|---|---|
| Australia | BP Australia Pty Limited GPO Box 5222, Melbourne, VIC 3001 |
| Germany | Aral Aktiengesellschaft, Wittener Straße 45 44789 Bochum |
| India | Castrol India Limited Technopolis Knowledge Park Mahakali Caves Road, Andheri (E) Mumbai - 400093 |
| Mexico | Bp Estaciones Y Servicios Energéticos, S.A. De C.V. Avenida Santa Fe, Número 505, Piso 10, Colonia Cruz Manca, Delegación Cuajimalpa de Morelos, Código Postal 05349, Ciudad de México |
| Netherlands | BP Europa SE – BP Nederland d’Arcyweg 76 (Havennummer 6425) 3198 NA Europoort-Rotterdam |
| Poland | BP EUROPA SE Oddział w Polsce z siedzibą w Krakowie, przy ul. Pawiej 9, KRS: 0000345546 |
| South Africa | BP Southern Africa (Pty) Ltd 199 Oxford Road, Oxford Parks, Dunkeld, 2193 |
| Spain | BP Energia Espana, S.A. Unipersonal C. de Quintanadueñas, 6, 2°, Fuencarral-El Pardo, 28050, Madrid |
| United Kingdom | BP Oil UK Limited Chertsey Road, Sunbury-on-Thames, Middlesex TW16 7BP |
| United States of America | bp America Inc. 1209 Orange Street, Wilmington, Delaware, 1980 |
We obtain most of the information from you. If we don’t receive this information from you, we obtain your personal information from other sources, such as third parties and publicly available data sources. We also generate some of the information about you ourselves e.g. through the creation of an authentication ID.
As part of your registration and login, we will ask you to submit personal information which is necessary for us to give you access to your chosen Digital Asset. You can choose to register or login by linking your Apple, Facebook or Google Account or you can register or login directly via our bp platform. Once you are successfully registered, we may link your account information to other Digital Assets so that you can use the same account credentials across multiple Digital Assets. In that context, bp will process the personal information about you set out in the table below.
| Category | Details | Source |
|---|---|---|
| Contact information | Phone number Email address First name |
You / API triggered by you |
| Digital Asset usage | Information about your device and your use of our Digital Assets or related communications (including Internet Protocol (IP) addresses or other identifiers, such as browser type, plug-ins, mobile carrier, time zone and location, operating system and platform, and other device information relating to the technology on the devices you use to access our Digital Assets) | You / Us |
We use cookies (and similar technologies e.g. web beacons, pixels, tags, and JavaScript) to collect information about your use of the Digital Asset. You can set your browser to refuse all or some browser cookies, or to alert you when Digital Assets set or access cookies. If you disable or refuse cookies, please note that some parts of our Digital Assets may become inaccessible or not function properly.
We primarily use your information to give you access to our Digital Assets and services relating to those Digital Assets. We keep your information secure by implementing appropriate security measures as required by applicable data protection laws.
Lawful basis
Where required by applicable law, we ensure that we have a lawful basis to use your personal information for the purposes outlined in this Notice. Under the UK and EU GDPR, we will rely on Article 6 lawful bases listed below. We will also rely on one or more of these lawful bases when they are available in other countries.
The table below sets out in more detail why we collect and how we use your information and our lawful bases under applicable data protection laws.
| Purpose / activity | Information we use | Lawful basis for processing |
|---|---|---|
Customer management – to administer and improve our business (including our services and products). This includes: User registration and authentication process; Management and administration of our customers and business; or to improve and develop our business (including through training artificial intelligence systems). |
Contact information Digital Asset usage information |
Legitimate interests (to manage and provide services to you and to improve the services of our Digital Assets) Legal obligations |
| Maintenance and management of the Digital Asset. This includes: ongoing review and improvement of the information provided on our Digital Assets to ensure they are user friendly and to prevent any potential disruptions or cyber- attacks; to conduct troubleshooting / analysis, required to detect malicious code / threat actors, and to understand how this may affect your device; or statistical monitoring and analysis of current cyber-attacks on devices and systems and for the ongoing adaptation of solutions to secure devices and systems against current cyber-attacks. We also anonymise or deidentify your personal information for this purpose. Please refer to section 7 (Retention of your information) for details on how we anonymise your information. To the extent we process deidentified information, we will maintain and use the information in deidentified form and will not attempt to reidentify the information unless permitted by applicable law. |
Contact information Digital Asset usage information |
Legitimate interests (maintaining and managing information technology services, network and data security, and fraud prevention) |
| To collect information about your use of the Digital Asset (including information about your device and your use of our services through cookies and other similar technologies). | Account information Digital Asset Usage information |
Legitimate interests (providing the necessary functionality of our Digital Asset) Consent only where required by applicable data protection laws e.g. for information obtained from non-essential cookies and similar technologies – you can withdraw this consent at any time in your cookie preferences |
| Analytics, statistical and insight purposes. Where relevant, your email address will be shared with the Digital Asset you are accessing and its will be subject to such Digital Asset’s specific privacy notice, which may include these purposes. | Contact information Digital Asset Usage information |
Legitimate interests (improving and enhancing our business model and services, to better understand our customers) |
Legal and regulatory. This includes: to comply with and to assess compliance with applicable laws, rules and regulations, and internal policies and procedures; to prevent and detect fraud or other criminal activity or misconduct; or for establishment and handling of legal claims. |
Contact information Digital Asset Usage information |
Legal obligations (where the processing activity is required by law or regulation or to comply with our legal obligations)
Legitimate interests (to protect against misuse or abuse of our Digital Assets and to exercise our legal rights) |
Business support. This includes: receipt of services from third party service providers e.g. consultancy, banking, legal, insurance and accounting services to restructure our business, including in the context of sales, transfers, mergers and acquisitions (and related negotiations). |
Contact information Digital Asset Usage information |
Legitimate interests (supporting or restructuring our business) |
To give you access to the Digital Assets, we may share your information with bp entities and third party recipients, such as external service providers, social media companies and legal or regulatory bodies. We have contracts in place with these third parties governing the use of your information. Any service provider we appoint is required to comply with privacy laws and contractual security measures.
Further details about the information we share with service providers and third parties are set out in the table below.
| Service provider / third party | Purpose | Information shared |
|---|---|---|
Other bp entities We may share your information with other bp entities or companies that we acquire in the future after they are made part of the bp group, to the extent such sharing of information is necessary to administer and manage the Digital Assets. |
Account administration e.g. we share your information with other bp entities as part of our business operations, including with our parent company bp plc, headquartered in the UK Data and records management | Contact information Digital Asset Usage information |
Third party service providers If you decide to register/login through social, your data will be shared with your selected ‘single sign-on’ service (e.g. Meta, Google or Apple). We share your personal data with our IT service providers Microsoft, AWS, Salesforce and Google Cloud. We also use Twilio as our OTP service provider. |
IT systems and support | Contact information Digital Asset Usage information |
| Professional advisors like lawyers and accountants | Legal and accountancy advice Advice from other professional advisors e.g. we share your personal information with third parties (and their advisors) to whom we may choose to sell, transfer or merge parts of our business or our assets |
Contact information Digital Asset Usage information |
Regulatory authorities Courts Other public authorities
These authorities may be situated outside your country. In these instances, the legal or regulatory authority will be considered to be a data controller (not acting on our instructions) and will be primarily responsible for deciding how your information is held and used once shared by us. |
Regulatory and compliance e.g. we disclose your information as required by applicable laws Tax Conduct of complaints or legal claims e.g. we disclose your information when we believe that disclosure is necessary to protect our rights or comply with a judicial proceeding, court order, request from a regulator or any other legal process served on bp |
Contact information Digital Asset Usage information |
We maintain our authentication platform in the EU. However, as an international company, we may transfer your personal information to other bp entities, in particular to bp entities in India, for IT support purposes, or the UK and the USA where we have central operations. Where this is the case, we ensure that the importing country offers an adequate level of data protection compliance (such as the UK when sending personal data from the EEA member countries), or we will rely on our global compliance framework which includes appropriate data transfer measures and safeguards to ensure that we protect your personal information in accordance with applicable data protection laws.
Concerning intragroup transfers from the EEA or the UK, we rely respectively on the EU Commission approved standard contractual clauses adopted by decision 2021/914 and the UK IDTA, as each may be amended or updated from time to time. Where we transfer personal information to a third party outside the bp group, we ensure that appropriate measures are in place to offer an adequate level of protection for your personal information. As above, this includes the use of the EU Commission approved standard contractual clauses adopted by decision 2021/914 and the UK IDTA, where required under applicable laws.
You can request further information about our international transfers and the contractual safeguards we implement using the contact details below.
How long we will hold your personal information will vary based on the purpose for which we are using it. We will need to keep the information for as long as is necessary for each purpose in line with our policies and business needs. These needs may vary between countries. In the context of registration and login, we will keep the information needed to authenticate you for as long as you maintain an account with us.
We will only keep your information for longer periods where necessary to meet our regulatory or legal obligations, before anonymising your information or deleting it. Anonymising personal information means ensuring that the data is no longer identifiable to you personally. We do this either by aggregating the data (for example, to make a finding about a group of people as opposed to a specific individual) or by removing any personal identifiers (for example, contact information) so that we can still use data to identify trends and patterns but cannot link this data back to you.
If you choose to unsubscribe from a service, we may keep a ‘suppression list’ containing your contact information so we know you have unsubscribed and to ensure you are not contacted again. If we hold your personal information on a suppression list, we will not use it for any other purpose.
Some or all of the rights set out below will apply to you depending on where you are located. For instance, if you are located in the EEA or the UK, you are afforded all of the rights set out below, and if you are in Australia, you have the right to access and correct your personal information.
| Where we process your personal information based on legitimate interests, you have the right to object to such processing, including profiling on grounds relating to your particular situation, at any time. If you exercise your right to object, we will stop processing your personal information in that context. In some cases, however, we may demonstrate that we have compelling legitimate grounds to continue to process your personal information and if this is the case, we will inform you. |
If you are in another country and are unsure about which authority you may be able to complain to, please contact us using the details below.
Please be aware that all the rights listed above are not absolute and there are situations where they cannot be exercised or are not relevant.
If you have any questions and grievances about this Notice, our privacy practices or your data protection rights, please contact us (including data protection officers, where relevant) at privacy3@bp.com.
When you contact us, please indicate in which country and/or state you reside. When you exercise your rights, if we cannot easily confirm your identity or if you use a third party to exercise your rights describe in this Notice.
Our Digital Assets may contain links to external websites, services or content provided by third parties, which are outside of our control and are not covered by this Notice. Interacting with this external content may allow third parties to collect or share information about you. The information practices of these third parties, including the social media platforms that enable you to register or login into our Digital Assets, are governed by their own privacy notices. We encourage you to read these third party privacy notices, to better understand their privacy practices.
This Notice was last updated in February 2024. We will update it again when necessary to reflect changes in the law and our practices. If we make a material change to the Notice, you will be provided with appropriate e-mail notice in accordance with legal requirements.
We encourage you to periodically review this Notice to stay informed about our collection, processing and sharing of your personal information.