Effective Date of Data Privacy Statement: 10th May 2023.
1. Introduction:
This Privacy Statement provides information on the processing of your personal information by Esso Petroleum Company, Limited and its affiliated companies through your use of the Esso Application (the “App”).
The App facilitates your transaction with the operator of the Esso branded service station from which you make a purchase. By using the App, you are not purchasing products from ExxonMobil.
Your privacy is important to us and we want you to know what information we collect through the App, how we collect it, what we use it for and who we may share your personal information with. This Privacy Statement may be changed over time. You are advised to regularly review the Privacy Statement for possible changes. By using the App, you are consenting to these Privacy Terms.
Special note:
This App should not be used by anyone who is under the age of 16. If you are under 16 years old please do not use this App and do not send us your personal information (for example your name, age, address or email address).
2. Data Controller:
Esso Petroleum Company, Limited (“Esso”) is responsible as the data controller of personal information collected through the App. If you have any questions about the content of this Data Privacy Statement, please contact the Data Privacy Office at the following e-mail address: data.privacy.office@exxonmobil.com
3. What information do we collect?
The App will allow you to submit personal information, that is, information that could identify you as an individual. When you register on the App, Esso will collect and store your login data, such as your name, email address and phone number. If you are a holder of a Nectar account and you wish to collect points on qualifying purchases, the App permits you to provide your Nectar account number. In that case, we will process the Nectar account number. Whenever you use the App to make payment at an Esso branded service station, we collect information in relation to the payment transaction, such as time and place of your visit, number of visits, total purchase amount per transaction, products purchased, payment method you use, including payment methods embedded in the App (such as Apple Pay and Google Pay). For your convenience, you can also save your card in our App, where your data will be kept securely in an encrypted format. We may also collect information regarding your preferences in relation to the fuel purchase transaction, including your preferred payment method, fuel grade preference or receipt preference.
The App can collect information about your geolocation only when the App is installed and if you have given permission for location services. You are able to turn off location services in your phone or App settings, but this will mean that you lose some of the functionality of the App and as a result will need to scan the QR codes found on the pump.
If you personalise the App, participate in a promotion, or submit feedback or other information to us, you may also provide us with additional personal information.
If you wish to pay via the embedded third party payment methods, you will be required to provide certain information to this authorised third party to support security, operations and servicing of the App and your payments. These third party payment providers operate independently of ExxonMobil. Please read the privacy policies (which are different to ExxonMobil’s Privacy Policy) of the respective third party providers on the following links:
so that you understand how they will process your information, including what information they collect about you and how they use it.
In this regard, also refer to paragraph 7 below.
Google Firebase data collection
Firebase is a development platform of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and its affiliates that offers different technical solutions and functions for apps (hereinafter referred to as “Google”). We receive the Firebase services via our IT service provider Comarch, Inc., SSE1 Building, al. Jana Pawła II 39a, 31-864 Krakow ("Comarch") which is Google's contractor for this App. We use Google Cloud servers in Frankfurt for processing. There is no data transfer to Google for its own purposes. To ensure an adequate level of data protection, ExxonMobil and Google have concluded contractual agreements for Firebase and Google Cloud services using the EU standard contractual clauses.
With your consent we use the Firebase tool Crashlytics for Firebase and the feature "Event Tagging". You can consent to our use of Google Firebase upon initial setup of the App and withdraw or renew consent at any time in your app settings. Please note that the data collected via Firebase cannot be linked to any specific Esso-Profile and will be processed anonymously.
Crashlytics collects and analyses some of your usage data in order to find technical errors within the App and to improve the App’s user-friendliness. It helps reconstruct events that, for example, made the App crash.
The data collected comprises, for example, a device identifier, your IP address, crash reports and data on your interaction with app buttons, including timestamps and information regarding your device.
We use the feature "Event Tagging" to collect information about the performance of the App ("event") and to detect malfunctions and send the information to Firebase (together with a user ID, the time stamp of the event and the status of the App). Based on the information, we receive performance reports from Firebase in order to gain insights that help improve the App performance. The information processed for this purpose is not in any way related to a specific user account.
The data processed with Crashlytics will be stored for a period of up to 90 days.
For detailed information on the processing of your data by Google read https://firebase.google.com/terms/.
4. Why do we collect information?
We may collect, store and use your personal information to provide you with products or services, to bill you for products and services, to tell you about products and services which we think may be of interest to you, to deliver other relevant information to you such as transaction receipts, support messages, marketing messages, details of Nectar points collected and to provide vouchers or coupons.
Furthermore, we may use information collected about you:
a) To improve and personalise our services. For instance, we may enable features in the App in order to provide you with personal deals and offers; and/or
b) To communicate with you about news and updates about our products and services and to inform you about any promotions, incentives and rewards offered by us and/or our partners or the operators of Esso branded service stations. We may use analytics software to track usage and behaviour on the App so that we can tailor our communications to you.
We may also use the information collected through the App to analyse links between your usage of the App and your usage of other applications (for instance, our websites) or across the different types of devices you may use to access the App or other applications, in order to improve your cross-application experiences. In doing so, we use cookie files and other storage technologies on our App in accordance with this Privacy Statement and the Cookie Statements on ExxonMobil websites (including www.esso.co.uk).
5. Information on your mobile device or computer
When someone accesses the Esso website via the App, our web servers automatically gather information that allows the site to communicate with the App and/or the visitor’s device during the visit. We also track information such as the number of visits to the website, which parts of the website visitors select, IP address (the Internet address assigned to your device from your Internet Service Provider), domain type, browser type (e.g., Firefox, Chrome or Internet Explorer), date and time of day. We use such information only for statistical purposes that help us design and administer the website.
We may store some information ("cookies" or other files) on your device or computer when you look at or use the App or website. This information facilitates customizing your use of the App and website and helps to avoid the need for you to re-enter your details every time you visit it. You can erase or block this information from your device if you want to. The 'help' screen in your browser or computer user manual should tell you how to do this.
6. Third party advertising
We may use third party advertising technology to provide ads on the App. This technology will not provide any information to third party advertisers that can be used to personally identify you, so it will not include your name, address, or other personal information. When you access an ad, a "cookie" file may be stored on your mobile device. This information is used to help manage our on-line advertising.
To learn more about the third party ad-serving technology, cookies, and how to "opt-out" you can also visit Privacy policy and statement | ExxonMobil or www.allaboutcookies.org (note: you will be taken to a third-party website).
Hyperlinks & Sharing the App or content through Social Media
The App uses links to other websites or applications that Esso does not own, control or maintain. We cannot be responsible for their privacy policies and practices, and we make no representations or warranties about the privacy practices of those websites and applications.
We recommend that you check the privacy policy of these other websites and applications and contact its operator if you have concerns or questions. For example, the App uses Google Maps. Links to the Google privacy policy and Google Maps terms of service are available here: Google Maps/Google Earth Additional Terms of Service (including the Google Privacy Policy).
If you choose to share the App or any of its content through social media, including Facebook, LinkedIn, TikTok, Instagram and / or X (formerly known as Twitter), your personal information (such as your name and the fact that you are interested in Esso) will also be visible to all the visitors of your personal webpage on those social media sites. On the use of such social media websites, refer to the terms and conditions (including privacy statement) of that social media site. Esso is not responsible for the processing of personal information or the privacy policy of social media websites, and Esso’s Privacy Statement is not applicable to those sites.
7. Sharing Information with Third Parties
7.1 Disclosure of Personal Data to Third Parties
Esso does not sell or otherwise disclose personal information collected through the App to third parties for their own marketing purposes.
To process payment transactions, Esso provides transactional data on a transaction-by-transaction basis to the operator of the service station where the purchase took place.
These companies have access to personal data that they need to fulfil their tasks. In the context of using the App and its individual features, Esso shares data with the following categories of recipients: IT service providers (Comarch, Infosys, Google, Arvato, Medallia), single sign-on providers (Apple, Google, Facebook), payment service providers (Worldline, American Express), cooperation partners (Nectar), and digital wallet providers (Apple Pay, Google Pay).
Transactional data may include:
- Amount spent
- Product(s) purchased
- Frequency of visits
- Eligibility for Nectar points
- Time of visit
Esso does not provide your name, address, or contact details to service station operators. However, operators may be able to link transactional data with other information they collect (for example, CCTV at service stations).
Esso may also provide aggregated transaction data to site operators. Such data is anonymised and does not include names, email addresses, or Nectar card account numbers.
Esso engages third-party providers to perform certain services on its behalf, such as:
- Hosting the App
- Processing payments
- Fraud prevention, detection, and investigation
- Processing Nectar account information
- Sending communications (e.g. email, SMS, push notifications)
- Managing customer lists
- Analysing data and providing marketing support
- Delivering customer service
These third parties may have access to personal information only to the extent necessary to perform their functions and are not permitted to use it for any other purpose. They are required to process personal data in accordance with this Privacy Statement and applicable data protection laws.
Esso has contractual agreements in place with all such service providers requiring them to safeguard the security and confidentiality of personal information in compliance with applicable legal standards.
7.2 Payment Functions
You may add various payment methods in the App to enable payment functionality. Please note that Esso is not a payment service provider. Payment processing is carried out by third-party service providers (“payment processors”) depending on the selected method.
To enable payment functions, Esso securely transmits the following personal data to the relevant payment processor:
- Access credentials for the payment method
- Payment token for the selected method
- Location at the time of initiating the payment
- Time of the transaction
- Details of the purchased product types
In return, Esso receives a token from the payment processor that is used for identification during transactions via the App. The legal basis for this processing is the performance of the contract for using the App and/or the purchase or other contract concluded through it.
Financial transaction data is retained for ten (10) years. Other related data is stored until you delete your Esso Pay account, or longer where necessary to assert or defend legal claims, comply with statutory obligations, or prevent fraud.
7.3 Bank Cards
When you add a credit or debit card to the App, the following details are securely stored in encrypted form within the App:
- PAN (Primary Account Number)
- Card type
- Expiry date
- Cardholder name
- Billing address
Esso does not have access to these details. They are used to authenticate the card with the issuer and enable it as a payment method. The CVV (Card Verification Value) is used solely for authentication and is deleted immediately after authorization.
Adding a bank card is based on your consent, which may be withdrawn at any time by removing the payment method. Processing of card data during a transaction is based on contract performance.
7.4 Apple Pay
When you add Apple Pay, card details stored in your Apple Wallet are not stored or integrated into the App. Instead, the following encrypted details are transmitted for authorisation:
- DPAN (Device Primary Account Number)
- Card type
- Expiry date
- Cardholder name
- CAVV (Apple-generated one-time token)
- ECI (Electronic Commerce Indicator)
These details are not stored in the App.
Use of Apple Pay is based on your consent with Apple directly, which you may withdraw at any time by removing it as a payment method. During transactions, Esso transmits transaction data (including purchase details, time, location, station, and method) to Apple Pay. For more information, please refer to the Apple Pay Privacy Policy.
7.5 Google Pay
When you add Google Pay, card details stored in your Google Wallet are not stored or integrated into the App. If selected as a payment method, you are redirected to Google Pay for authentication. Upon successful authentication, Google Pay sends an encrypted token to the App for authorization. This token is not stored by Esso.
Use of Google Pay is based on your consent, which you may withdraw at any time by removing it as a payment method. During transactions, Esso transmits transaction data (including purchase details, time, location, station, and method) to Google Pay. For more information, please see the Google Privacy Policy and the Google Payments Privacy Notice.
7.6 Automated Decision-Making and Use of AI
The App and its third-party service providers may use automated tools, including artificial intelligence (AI), for specific purposes such as fraud detection, security monitoring, and prevention of unauthorised transactions. These automated processes help us protect users and maintain the integrity of payment transactions.
The logic applied involves the analysis of transaction patterns, device information, and other relevant signals to identify activity that may present a risk. Decisions are primarily aimed at detecting potentially fraudulent or suspicious activity and may result in a transaction being delayed, declined, or subject to additional verification.
Esso does not use AI or automated decision-making to produce legal or similarly significant effects without human involvement. You may contact Esso to obtain more information about these processes or to request a review of any decision that you believe has been made in error.
8. Biometric / Device Security Data
If you choose to use biometric authentication features provided by your device (such as Face ID, Touch ID, or fingerprint recognition) to log into or authorise payments in the App, please note that these biometric identifiers are processed and stored locally on your device. Esso does not collect, access, transmit, or store any biometric data.
9. Data transfers & Sharing information with Affiliates
We may transfer the personal information we collect about you to countries other than the country in which the information was originally collected. These transfers include transfers to affiliated companies around the world so that we may analyse the data in order to improve our global products and services. When we transfer the personal information to other countries, we will protect that information as described in this Privacy Statement. By using the App and submitting data to the App, you provide express consent to these transfers, including trans-border transmission of data covered by this Privacy Statement.
We comply with applicable legal requirements providing adequate protection for the transfer of personal information to countries outside of the UK, EEA or Switzerland including execution of binding corporate rules by Esso and its affiliated companies as needed.
10. Data Security
We are committed to ensuring that the information collected about you is secure. We take reasonable measures including administrative, technical and physical procedures to protect your information from loss, theft, misuse, unauthorised access, disclosure, alteration, and destruction. Your full payment card details are not stored on your mobile device and we also only show masked Nectar account numbers on the App. The level of security can only be effective if you follow certain security practices yourself including using unique and strong passwords, never sharing your account or login details with anyone and by using the available mobile device security features. If you believe that any of your account login details have been exposed, you can change your password at any time through the App.
11. Opt Out/Modify Information
If you no longer wish to use the App, you can uninstall the App. You can request the removal or modification of your personal information via the App or by sending an e-mail to the Data Privacy Office (see address in Section 2). We will delete or render anonymous any personal information that is no longer needed.
12. Your Rights
When living in a country with comprehensive data privacy laws, certain rights in relation to the information collected may apply, including:
- The right to know and see what personal information is processed;
- The right to have inaccurate personal information corrected or deleted;
- The right to withdraw consent to the processing of the personal information. In this case, you will no longer be able to use the App and should uninstall / remove it.
13. Data Retention
Esso and its affiliated companies may retain personal information you provide for the duration of the services and for as long as is necessary to provide support related reporting and trend analysis. Individual transaction data will be securely stored according to ExxonMobil’s data retention guidelines for transactional data. Receipts that are stored in the App will be visible for two years and will be automatically removed after those two years.
14. Conditions of Use, Notices and Revisions
Use of the App is subject to the Terms and Conditions of Esso App and this Privacy Statement. We reserve the right to change this notice at any time without notice.
We may change this Privacy Statement from time to time by posting the updated version on the App. We advise you to review this page regularly to stay informed and to make sure that you are happy with any changes. If we make material changes to this Privacy Statement, we will notify you via email or within the App. If you object to any of the changes to our terms, you are free to stop using our services, delete the App and request for your personal information to be deleted.
¹ ExxonMobil and/or ExxonMobil Affiliates mean (a) Exxon Mobil Corporation or any parent of Exxon Mobil Corporation, (b) any company or partnership in which Exxon Mobil Corporation or any parent of Exxon Mobil Corporation, directly or indirectly, (1) owns or (2) controls, more than fifty per cent (50%) of the ownership interest having the right to vote or appoint its directors or functional equivalents (“Affiliated Company”) and (c) any joint venture in which Exxon Mobil Corporation, any parent of Exxon Mobil Corporation or an Affiliated Company has day to day operational control.