What does this Privacy Notice cover?
This Privacy Notice provides information regarding the processing of your personal data when using services and/or purchasing products from or on behalf of a company or companies within BSM and the BSM group of companies (“BSM” or “we”) whether as:
- a retail, energy or e-mobility customer;
- a member of BSM loyalty program s or equivalent (‘BSM Loyalty Programme’);
- a participant of any BSM events, competitions or equivalent (“BSM Competitions”)
- a visitor to BSM website (‘Website’ or ’BSM Website’); and/or
- a user of the BSM applications or other BSM online services (‘BSM Online Services’) ); and/or
- a participant of any BSM surveys (“BSM Survey”)
This Privacy Notice explains what personal data are processed about you; why we are processing your personal data and for which purposes; for how long we hold your personal data for; how to access and update your personal data, as well as the options you have regarding your personal data and where to go for further information.
Special Notice - if you are under 14 years old. Processing children’s personal data
Except in those cases where BSM organizes educational events specifically designed for children, we do not intentionally collect personal data of individuals under 14 years old. If you are under 14 years old please do not send us your personal data for example, your name, address and email address. If you wish to contact BSM in a way which requires you to submit your personal data (such as for education or innovation events) please get your parent or guardian to do so on your behalf.
What personal data do we process about you? Collection of information
We collect information, including personal data about you, as a BSM customer, user of BSM Apps and/or visitor to BSM Website or BSM administered social media page (‘BSM Social Media Page’). This information may be either:
- Information that you provide to us - when creating a BSM account profile, we will ask for your name, e-mail address and gender (so that we can address you properly but you do not have to provide us with this information), your contact preferences and information necessary for answering any security questions. If you decide to become a member of BSM Loyalty Programme, participant of BSM Competitions, a user of BSM Online Services or our mobile payments, we may ask you to provide further personal data necessary for the performance of such services and/or authentication such as type of vehicle, driver pattern, date of birth (if collected), communications preferences and mobile number;
- Information that we obtain through your use of BSM services - we will also collect information about how and where you use or purchase BSM and/or Shell services and products. Such information may include electronic device information, IP addresses, log information, browser type and preferences, location information, online identifiers to enable ‘cookies’ and similar technologies. Your purchase history includes data regarding (i) specific products you buy, (ii) the total amount of your purchases per transaction, (iii) the time and place of the purchases you make and (iv) the payment method you use, including payment methods embedded in the BSM Online Services (such as mobile payment option);
- If you are a member of BSM Loyalty Programme - we will collect information about your participation in these programs; this includes data regarding (i) the type and description of the award you have chosen, (ii) the awards you have chosen, (iii) the amount of points you have redeemed, (iv) the frequency and time of redemption of your points and (v) the delivery method used to provide you with your award (if any);
- If you participate in BSM Competitions and BSM Survey – When you participate in BSM Competitions, we may receive personal data about you such as your username, your name, details of your identity card, profile picture, hometown, email address and gender. We will use any personal data received from the BSM Competitions and BSM Survey in accordance with this Privacy Notice.
- Information gathered through external sources - in order to ensure we have the most up to date information about you to provide you with better products and increasingly tailored services, we will combine information that we hold about you, with additional information which is publicly available or obtained through authorised third parties. This includes information about your shopping habits and related products or services that you may use, such as the number of household cars that you possess or the types of cars that you are interested in; or
- Information gathered through social media pages - When you communicate with us through a BSM Social Media Page (for example, when you comment on, share or react to a post , upload media, send a personal message or subscribe to a BSM Social Media Page), we may receive personal data about you such as your user name, profile picture, hometown, email address and gender. We will use any personal data received from social media in accordance with this Privacy Notice.
BSM view of the customer
With the aim of ensuring you have a seamless experience with BSM, and depending upon the nature of your engagement with BSM, we combine information gathered from the sources referred to above to create a personal profile of you. This ensures we have the most up to date information about you in order to better develop services and products and to tailor offers relevant to your specific interests.
Why do we process your personal data?
The personal data covered by this Privacy Notice are only processed:
- where you choose to provide your personal data;
- where it is necessary to conclude a transaction with you (such as payment information);
- where it is necessary for the purposes of the legitimate interests pursued by BSM, except where such interests are overridden by your interests or fundamental rights and freedoms; or
- where it is necessary for BSM to comply with a legal obligation.
Where the processing is based on consent, you have the right to withdraw your consent at any time. This will not affect the validity of the processing prior to the withdrawal of consent.
What are the consequences of not providing your personal data?
Where you choose not to provide us with information set out above for the purposes of using BSM App or participating in BSM Loyalty Programme, you may be limited in enjoying the full interaction with BSM Online Services and/or to participate in BSM Loyalty Programme and BSM Competitions and may not be eligible to BSM future services and competitions.
Who is responsible for any personal data collected?
BSM or a third party hired by BSM will be responsible for processing your personal data.
For what purposes do we process your personal data?
We process your personal data for the purposes of:
- providing our products and delivering our services to you;
- managing relationships and marketing such as maintaining and promoting contact with you;
- account management including account verification (that is, ensuring that only you or someone you have authorized can access your account and information);
- customer service and development of our products and services;
- performance of and analysis of market surveys and marketing strategies;
- promotions and contests offered to BSM customers, including offering you digital rewards to recognise you as a valued customer; or
- detecting or preventing fraud if you use a mobile payment function to purchase BSM and/or Shell products;
or for a secondary purpose where it is closely related, such as:
- storing, deleting or anonymising your personal data;
- audits, investigations, dispute resolution or insurance purposes, litigation or defence of claims;
- statistical, historical or scientific research; or
- legal and/or regulatory compliance.
Communication and marketing - your choices
If you have consented to receive communications from BSM (or if you have previously purchased goods/and or services from us and permitted by local law), you may receive offers that are tailored towards your preferences based on the information gathered about you from the various sources described above in order to provide you with better products and increasingly tailored services.
We may send you service updates and notifications without your advance consent only where such updates and/or notifications are necessary for the proper functioning of the BSM Apps or other services that you use.
You may receive pertinent offers and communications by different channels and you may update your subscription preferences via your personal profile settings anytime or use the unsubscribe functionality for the different digital channels.
Transaction security and preventing, detecting and investigating fraud
When you use a mobile payment application to purchase BSM and/or Shell products, you may be asked to provide additional personal details to complete the transaction. We may use the personal data you provide to prevent, detect and investigate fraud and to enforce the terms and conditions of the mobile payment application.
We may share some information with the service providers involved in mobile payments (such as e-banking institutions, e-wallet or e-payment providers), including but not limited to your IP address, device ID or unique identifier, loyalty card number for the purposes detailed above as well as for the purposes of collecting points, device type, geo-location information, connection information (for e.g. wi-fi) and mobile network information.
Your rights in relation to your personal data
We aim to keep our information as accurate as possible. You can request:
- access to your personal data;
- correction or deletion of your personal data (but only where it is no longer required for a legitimate business purpose such as completing a retail transaction);
- that you no longer receive marketing communications;
- that the processing of your personal data is restricted;
- that combining of your personal data from different sources to create a personal profile no longer takes place; and/or
- that you receive personal data that you have provided to BSM, in a structured, digital form to be transmitted to another party, if this is technically feasible.
Who can you contact if you have a query, concern or complaint about your personal data?
Security of your personal data
We have implemented technology and policies with the objective of protecting your privacy from unauthorised access and improper use. In particular, we may use encryption for some of our services, we apply authentication and verification process for access to BSM services and we regularly test, assess and evaluate the effectiveness of our security measures.
Who will we share your personal data with?
Your personal data are exclusively processed for the purposes referred to above and will only be shared on a strict need to know basis with:
- Other companies within the Brunei Shell Joint Venture companies;
- With your consent, authorized third party companies in co-operation with BSM that may supply products and/or services to users of BSM Online services, BSM Loyalty Programmes and BSM Competitions;
- Authorized service providers involved in mobile payments (such as e-banking institutions, e-wallet or e-payment providers);
- Authorised agents, licensees, service providers, external auditors and/or subcontractors of BSM;
- A competent public authority, government, regulatory, supervisory, investigative or fiscal agency where it is necessary to comply with a legal or regulatory obligation to which the BSM is subject to or as permitted by applicable law; or
- Any person to whom BSM proposes to transfer any of its rights and/or duties.
Transfers of your personal data to other countries
Where your personal data have been transferred to authorized third parties located outside of Brunei Darussalam we take organizational, contractual and legal measures to ensure that your personal data are exclusively processed for the purposes mentioned above and that adequate levels of protection have been implemented to safeguard your personal data.
Interacting with BSM through social media
If you choose to interact with BSM through social media on a BSM administered social media page (‘BSM Social Media Page’) such as Facebook, Instagram, Twitter or LinkedIn, your personal data (such as your name, your profile picture and the fact that you are interested in BSM) will be visible to all visitors of your personal webpage depending on your privacy settings on the relevant social media platform, and will also be visible to BSM. You can delete any information that you share on these sites at any time through your relevant social media platform’s account. BSM does not track your activity across the different social media sites that you use. Please contact BSM if you wish to make a request that you are unable to action yourself and which relates to a BSM Social Media Page.
Additionally and to the extent BSM is jointly responsible with a social media platform of a BSM Social Media Page, BSM will have access through the social media platform to aggregated data providing statistics and insights that help to understand the types of actions you take on BSM Social Media Pages. For more information on how your personal data are processed on those social media platforms, including any targeted advertising that you may receive, please refer to your privacy settings accessible through your relevant social media platform’s account.
How long do we hold your personal data for?
Personal data processed by BSM in line with this Privacy Notice will be deleted or rendered anonymous (such that it will no longer be possible to identify you);
- without undue delay upon you requesting that your BSM account profile is deleted or to discontinue your participation in BSM Loyalty Programme; or
In relation to financial transactions (including those made through BSM App), your personal data will be held for 10 years from the transaction.
In all cases information may be held for (a) a longer period of time where there is a legal or regulatory reason to do so (in which case it will be deleted once no longer required for the legal or regulatory purpose) or (b) a shorter period where the individual objects to the processing of their personal data and there is no longer a legitimate business purpose to retain it.
Changes to this Privacy Notice
This Privacy Notice may be changed over time. You are advised to regularly review this Privacy Notice for possible changes.