
Privacy statement

We welcome your interest in this website, castrol.com. The company responsible for it is:

 

Castrol Ltd,

Chertsey Road,

Sunbury on Thames, Middlesex, TW16 7BP,

Company Reg 00097216

 

 

We take your privacy seriously and want you to understand our practices with respect to the handling of your personal data. This privacy statement explains how we do this.  

 

This website has different sub-sites for BP business, products and services, which may also have their own privacy statements. Please read these if you visit our sub-sites.

1. What this Privacy Statement covers

When you visit any of our websites or apps (the "Digital Asset"), participate in one of our schemes, contact us, purchase our products and services, and/or conduct business with us in any other way, a Castrol ("Castrol", "we", "us" or "our") entity or affiliate may collect and process your personal data.

 

This privacy statement (“Privacy Statement”, or this “Statement”) covers personal data of individuals who work for, on behalf of, or who are shareholders of our

  • business customers,
  • suppliers or vendors, or
  • business partners.

This Statement details what data we usually process about you, why we process it, how we use it, how long we retain it for, and your rights over your personal data.

 

Where applicable, supplementary privacy statements may be communicated to you separately to provide further information about the processing of your personal data, as we comply with legal requirements and local practices.

 

2. Categories of personal data we collect

Personal data, or personal information, means any information about an individual from which that person can be identified directly or indirectly. We may process the following personal data about you:

| Category | Typical data points | Typical sources |
| --- | --- | --- |
| Biographical and Contact Data | Telephone number and postal or email address. | You/interface triggered by you |
| Account Credentials | Usernames, passwords. | You/generated by us |
| Transaction Data | Details of transactions you carry out through our channels, of the fulfilment of the services we provide and payment details. | You/generated by us |
| Professional Data | Job title, company name, company email address, business phone number, business address. | You/Third party |
| Preference Data | Marketing or usage preferences you provide us or that we may infer from the other data provided to us. | Generated by us/Third party |
| Correspondence | We will typically keep a record of correspondence with you. This may include telephone calls, which we record to assist us in training our staff and undertaking quality checks. | You/Transcripts generated by us |
| Digital Asset Usage Data | IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Digital Assets (e.g. using cookies and other trackers). | Generated by us or a third party |

Cookie information

When you visit our Digital Asset, cookies (and similar technologies) are used to collect information about your Digital Asset usage. You can set your browser to refuse all or some browser cookies or to alert you when Digital Assets set or access cookies. If you disable or refuse cookies, please note that some parts of this Digital Asset may become inaccessible or not function properly. For more information about the cookies we use, please refer to the Cookies Preferences page available in each of our Digital Assets.

 

3. Why we collect your data and how we use it

When we use your personal data for the purposes outlined in this Privacy Statement, we ensure that we have a lawful basis to do so.

 

Lawful bases

Where required under applicable law, we ensure that we have a lawful basis to use your personal data for the purposes outlined in this statement. We usually rely on the lawful bases listed below. We also rely on one or more lawful bases when they are available in other countries:

  • Performance of the contract – We have a contract with you for the provision of our products, services or Digital Assets. Usually, the terms and conditions of your chosen Digital Asset will govern this contract;
  • Legitimate interests – To use your personal data where it is necessary for our (or a third party’s) legitimate interests and those interests do not override your rights, fundamental rights and freedoms. This means we will only use your data for the purposes of a legitimate interest when there is no unfair impact on you;
  • Compliance with law or regulation – We also use your personal data where it is necessary to comply with the law; and
  • Your Consent – If you consent to the processing of your personal data in specific cases. You can withdraw your consent at any time as set out below in the section on Data Protection Rights.

The table below sets out in more detail why we collect and how we use your data and our lawful bases under applicable data protection laws.

Processing Activity | Information we use | Relevant Lawful bases

Processing activity: For customer management purposes and to administer and improve our business (including our services and products). This includes:

- as part of our user registration process;
- corresponding with you;
- for the management and administration of our customers and business;
- to improve and develop our business (including through training artificial intelligence systems); and/or
- to improve the quality, content and relevance of our communications (where you have subscribed to receive our communications) by following your interactions with that communication, such as whether you receive, open or click on a link within an email communication.

Information we use:

- Biographical and Contact Data
- Account Credentials
- Professional Data
- Preference Data
- Digital Asset Usage Data
- Correspondence

Relevant lawful bases: Legitimate interests (to effectively manage and provide services to you and to improve our services), unless Consent is required by applicable data protection law.

Processing activity: For maintenance and management of the Digital Asset. This includes:

- Ongoing review and improvement of the information provided on our digital assets to ensure they are user friendly and to prevent any potential disruptions or cyber-attacks;
- to conduct troubleshooting/analysis required to detect malicious code/actors and understand how this may affect your IT system; and/or
- for statistical monitoring and analysis of current attacks on devices and systems and for the on-going adaptation of the solutions provided to secure devices and systems against current attacks.
- We may also anonymise your personal data for this purpose.

Information we use:

- Biographical and Contact Data
- Account Credentials
- Professional Data
- Preference Data
- Digital Asset Usage Data
- Correspondence

Relevant lawful bases: Legitimate interests (maintaining and managing information technology services, network and data security and fraud prevention), unless Consent is required by applicable data protection law.

Processing activity: For the purposes outlined in our cookie statement.

Information we use:

- Account credentials
- Preference data
- Digital Asset usage data

Relevant lawful bases: Legitimate interest (providing necessary functionality of our digital asset), unless Consent is required by applicable data protection law.

Consent only where required by applicable data protection law, e.g. in relation to information obtained from non-essential cookies and similar technologies. You can withdraw this consent at any time in your cookie preferences.

Processing activity: For analytics, statistical, profiling and insight purposes. This includes:

- to understand the needs and interest of our customers;
- to undertake market segmentation (including for marketing purposes);
- to conduct market insight activities; and/or to personalize the digital assets or services or communication based on profile data we have applied to you.

We may also anonymise your personal information for this purpose.

Information we use:

- Biographical and Contact Data
- Account Credentials
- Professional Data
- Preference Data
- Digital Asset Usage Data
- Correspondence

Relevant lawful bases: Legitimate interests (improving and enhancing our business model and services, better understanding our customers), unless Consent is required by applicable data protection law.

Processing activity: For marketing/promotional purposes, this includes:

- to communicate with you to provide you with information about services, products and/or events that may be of interest to you via email, phone, social media;
- to undertake market segmentation (including for marketing purposes);
- to conduct market insight activities; and/or to personalize the digital assets or services or communication based on profile data we have applied to you.

We may also anonymise your personal information for this purpose.

Information we use:

- Biographical and Contact Data
- Account Credentials
- Professional Data
- Preference Data
- Digital Asset Usage Data
- Correspondence

Relevant lawful bases: Legitimate interest (informing our customers about the Digital Asset and our products and services), unless Consent is required by applicable data protection law.

You can withdraw this consent/unsubscribe at any time by clicking on the unsubscribe link within each communication.

Processing activity: For legal and regulatory purposes, this includes:

- to comply with and to assess compliance with applicable laws, rules and regulations, and internal policies and procedures;
- to conduct KYC checks, anti-money laundering checks and other due diligence checks;
- to prevent and detect fraud and/or other criminal activity or misconduct; and/or
- Establishment and handling of legal claims

Information we use:

- Biographical and Contact Data
- Professional Data
- Digital Asset Usage Data
- Correspondence
- Identification/Know Your Client Data
- Anti Money Laundering Data
- Transaction Data

Relevant lawful bases: Legal obligations, where the processing activity is required by law or regulation.

In all other cases, legitimate interests (to comply with our obligations and exercise our legal rights).

Processing activity: To receive business support (such as consultancy, banking, legal, insurance and accounting services) or to restructure our business, including in the context of sales, transfers, mergers and acquisitions (and the negotiations of the foregoing).

Information we use:

- Biographical and Contact Data
- Account Credentials
- Professional Data
- Preference Data
- Digital Asset Usage Data
- Correspondence

Relevant lawful bases: Legitimate interest (restructuring our business), unless Consent is required by applicable data protection law.

You may choose not to provide us with your personal data. However, if you choose not to provide it, we may not be able to offer some of our services to you.

 

Profiling

We may apply profiles to you based on the personal data set out above. Such profiles may be used to personalize the Digital Asset or services, decide what to advertise to you and/or as part of security threat detection and prevention.

 

4. Information we share

Intragroup sharing

We may share your personal data with other entities within our group of companies as part of our business operations, including with our parent company bp PLC, headquartered in the United Kingdom.

 

Third party service providers

We may share your personal data with third-party service providers, agents and contractors to provide services to us (for example, our accountants, professional advisors, and IT and communications providers). We may also share your personal data with our business partners who may use it for their own purposes (as permitted by applicable data protection law), such as for administering and promoting their products/services. Any third-party provider we appoint must protect your personal data in line with the contractually required security measures.

 

Social media platforms

To the limited extent that it’s applicable, we may use your personal data to undertake advertising campaigns on social media platforms such as LinkedIn, Instagram and Facebook to provide information about upcoming services or new products, and to ensure you only receive relevant advertising about our products and services. We may share your personal data with social media platforms so that you see advertising about our, or our partners’, products and services, that we think you will be interested in when you interact with the relevant social media platform. We may also share your personal data with social media platforms to help us present relevant advertising to individuals who the social media platforms determine are likely to have similar interests to you.

 

Legal and regulatory disclosures

We may disclose your personal data as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator or any other legal process served to us. We may also share your personal data in connection with legal proceedings. These bodies may be situated outside of your jurisdiction. In these instances, the legal and/or regulatory authority will be considered to be a data controller (not acting on our instructions) and will be primarily responsible for deciding how your personal data is held and used once shared by us.

 

We may also share your personal data with credit reference agencies and fraud prevention agencies for the purposes of assessing creditworthiness and product suitability, checking your identity, managing your account, and preventing criminal activity.

 

Restructuring recipients

We may share your personal data with third parties (and their advisors) to whom we may choose to sell, transfer or merge parts of our business or our assets.

 

5. International transfers

As an international company, we may store or transfer your personal data to other group entities around the world. Where this is the case, we will ensure that the importing jurisdiction offers an adequate level of data protection, or we will provide the personal data under a comprehensive, flexible, and global compliance framework which implements appropriate measures and safeguards (including the relevant module of the EU standard contractual clauses and the UK Addendum, where applicable) to ensure that your personal data is protected in accordance with applicable data protection laws.

 

Similarly, where we transfer personal data to a third party located in a different jurisdiction, we will ensure that appropriate measures are in place to ensure an adequate level of protection for your personal data, such as by including appropriate clauses in our agreements with third parties.

 

You can request further information about our international transfers and the contractual safeguards we implement using the contact details below.

 

6. Retention of your data

How long we will hold your personal data will vary based on the purpose for which we are using it. We will need to keep your data for as long as is necessary for each purpose in line with our business needs, as documented in our internal policies. These may vary between jurisdictions. For example, if you are located in the UK and we have a contract with you, we will typically retain your personal data for 6 years following the termination of that contract, unless litigation is anticipated, when we will keep it longer.

 

We calculate the retention period based on the time the personal data is needed to: (a) fulfill the purposes described in this Privacy Statement, (b) meet the timelines required or recommended by regulatory authorities, professional bodies, or associations, (c) comply with applicable laws, legal holds, and other legal obligations (including contractual obligations), and (d) comply with your requests.

 

There may be laws or regulations which set a minimum period for which we must keep your personal data. We will only hold your data for the defined retention period, before anonymizing the data or deleting it. Anonymising personal data means ensuring that the data is no longer identifiable to you personally. We do this either by aggregating the data (for example, to make a finding about a group of people as opposed to a specific individual) or by removing any personal identifiers (for example, contact information) so that we can still use data to identify trends and patterns but cannot link this data back to you.

 

If you choose to unsubscribe from a service, we may keep a ‘suppression list’ containing your details so we know you have unsubscribed and to ensure you are not contacted again. Your personal data held on a suppression list will not be used for any other purpose.

 

7. Your Rights

Some or all of the rights set out below will apply to you depending on where you are located. For instance, if you are located in the EEA or the UK, you are afforded all of the rights set out below, and if you are in Australia, you have the right to access and correct your personal data.

 

7.1 Data Protection Rights

  • Access to your personal data. Where applicable, you are entitled to receive a copy of personal data we hold about you.
  • Correction of the personal data that we hold about you. You may request that we correct any incomplete or inaccurate data we hold about you, though we may need to verify the accuracy of the new data you provide to us. It is important that the personal data we hold about you is accurate and current. Please contact us using the contact details below to update us in the event of any changes to your personal data.
  • Erasure of your personal data. You may request that we delete or remove personal data where there is no overriding reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we have processed your information unlawfully or where we are required to erase your personal data to comply with our legal obligations.
  • Restriction of processing of your personal data. You may ask to suspend the processing of your personal data in the following scenarios:
    • If you want us to establish the data's accuracy;
    • Where our use of the data is unlawful but you do not want us to erase it;
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
    • You have objected to our use of your information, but we need to verify whether we have overriding legitimate grounds to continue to process it.
  • Transfer of certain of your personal data to you or a third party. Where this right applies, we will provide you, or a third party you have chosen, with your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to information you provided to us and which we process based on consent or where it is necessary to fulfil a contract with you.    
  • Withdraw consent where we are relying on consent to process your personal data. Withdrawal will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. Where we seek consent, it can be withdrawn by a digital consent management tool, or by sending an email to the contact details set out below.

 

7.2   Right to object

Where we process your personal data based on legitimate interests, you have the right to object to such processing, including profiling on grounds relating to your particular situation, at any time.

 

If you exercise your right to object, we will stop processing your personal data in that context. In some cases, however, we may demonstrate that we have compelling legitimate grounds to continue to process your personal data and if this is the case, we will inform you.

 

7.3   Right to complain to your supervisory authority

We are committed to working with you to obtain a fair resolution of any complaint about our use of your information. If you have any concerns or wish to make a complaint to our privacy teams (including relevant data protection officers), please use the details provided below in the Contact Us section.

 

You may have the right to complain to a competent supervisory authority.

 

Please be aware that all the rights listed above are not absolute and there are situations where they cannot be exercised or are not relevant.

 

Country specific requirements

If you are a resident of India, in addition to section 7 above, the following data subject rights are applicable to you:

  1. Right to information about third-party sharing – You may request information about the identities of third parties with whom we have shared your personal data.
  2. Right to nominate – You may nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
  3. Right to complain to the Data Protection Board of India – If you are not satisfied with our response to your grievance, you may have the right to make a complaint to the Data Protection Board of India in accordance with applicable law.

8. Contact us

If you have any questions about this Statement, our privacy practices or your data protection rights, please contact us (including data protection officers, where relevant) at privacy@castrol.com.

 

When you contact us, please indicate in which country and/or state you reside. When you exercise your rights, if we cannot easily confirm your identity or if you use a third party to exercise your rights described in this Privacy Statement.

 

9. Third party websites we link to

Our Digital Assets may contain links to external websites, services or content provided by third parties, which are outside of our control and are not covered by this Statement. Interacting with this external content may allow third parties to collect or share information about you. The privacy practices of these third parties are governed by their own privacy statements. We encourage you to read these third parties' terms to better understand their privacy practices.

 

10. Change to this Privacy Statement

This statement was last updated in April 2026. We will update it again when necessary to reflect changes in the law and our practices. If we make a material change to this Privacy Statement, you will be provided with appropriate e-mail notice in accordance with legal requirements. We encourage you to periodically review this Statement to stay informed about our processing of your personal data.

When we collect your personal data

If you decide to contact us then you will be asked to submit the limited personal data which is necessary for us to handle your query. This is completely voluntary. 

 

If you do contact us we rely on the legitimate interests basis of processing in order to handle your query. 

 

If any form which collects your personal data allows you to voluntarily provide additional information, we seek this information because we think it will help us to give you a better quality service. You do not have to provide such information if you do not wish to do so. 

We also collect personal data from cookies, which we explain more about below.

 

Site traffic information and cookies

On your first visit to this site you were asked (by a notification banner) to accept our use of cookies and similar technologies and we'd like to explain how we use these technologies.

 

To learn about what cookies and similar technologies are, we recommend that you visit the following third-party website: www.allaboutcookies.org

 

Like many websites, we use cookies for a variety of purposes. These technologies collect information about your device hardware and interactions with our site.

 

This information helps us to:

  • Continuously improve our site's content and functionality by analysing where, on which types of devices and how our site is used, how many visitors we receive, and where they click through to the site from;
  • Remember you in case you re-visit our site, so we will know if you have already been served with cookie banners, surveys, or (where site content is undergoing testing) which version of the content you were served;
  • See how successfully our marketing campaigns are performing. This is done through conversion pixels, which fire a short line of code to tell us when you have clicked on a particular button on our website or reached a particular page.

To delete or stop cookies being placed on your computer, please check the help menu of your internet browser. Blocking cookies will reduce the functionality of this website.

 

Who do we share your personal data with and where does it go?

As an international company, we may store or transfer your personal information to other BP companies around the world. Where this is the case, we do this under a comprehensive, flexible, and global compliance framework which implements appropriate measures and safeguards (including EU standard contractual clauses) to ensure that your personal information is protected in accordance with applicable data protection law. Any transfer of personal data to this site will be secured by encryption.


We have the right to disclose your personal data as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator or any other legal process served on BP. If there is a takeover, sale or purchase of our business, we may disclose your personal data to the new (or prospective) owner of the business.

 

How long do we keep your information?

We will only hold your information for as long as necessary to fulfil the purposes for which it was collected, before making it non-identifiable or deleting it. 

 

If you send us any ‘contact us’ messages, we will delete or de-identify these messages once we have finally satisfied your query.

 

Your rights, complaints and how to contact us

You have the right to access your personal data and ask for it to be rectified or deleted at any later time.

If you have questions or concerns relating to the handling of your personal data, please get in touch with us at privacy@castrol.com.
 

If you are in the EU, you also have the right to raise a privacy concern with the Data Protection Authority established in the relevant EU country. However, please consider using BP’s EU-approved complaint resolution mechanism under our BCRs using the contact address set out above.

 

Third-party websites we link to

Our website may contain links to third-party sites. This privacy statement does not apply to those third-party sites. 

 

We recommend that you read the privacy statements of any other third-party sites that you visit as we cannot accept responsibility for the privacy practices of these sites which may be different to ours.

 

Changes to the privacy statement

We may update this privacy statement from time to time and recommend that you revisit it on occasion to see the latest version. 

 

This statement was last updated in February 2023.