Phillips 66 Privacy Statement
Effective Date: October 15th, 2020
Phillips 66 Company is committed to protecting your privacy. This Privacy Statement provides information regarding how we treat your personal data collected, and your associated rights when using websites, platforms, and other services that link to this Privacy Statement, or when purchasing products from, conducting business with, or otherwise interacting with a company or companies within the Phillips 66 group of companies (“Phillips 66”, “we”, “us”, “our”).
Specifically, this Privacy Statement applies to individuals including consumers, loyalty program members, mobile application subscribers (e.g. Phillips 66 Mobile Pay), visitors to a Phillips 66 website or mobile application, recipients of electronic communications from us, viewers of our advertisements or other online content, individuals who interact with us through social media websites and other websites and applications. By accessing our services linked to this Privacy Statement, you consent to the terms described herein.
Personal Data Collection
The types of information we collect depends on which product or service you use.
Categories of Data You Provide to Us or Our Service Providers
Identifiers, such as real name, alias or display/username, postal address, telephone number, email address, account name, telephone number, and date of birth.
Information necessary to complete financial transactions, such as telephone number, bank account number, credit card number, debit card number, bank or customer account information, and in connection with credit requests, social security number or other national/tax identification number.
Commercial Information, such as inquiries about and records of products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies and other information that assists us in identifying the best products and services for you.
Employment information, such as your job title, job function, company/organization name and information.
Demographic information, such as your nationality and country of residence.
Your preferences with respect to email marketing
Contest entry and event registration information you provide.
Feedback from you about our products and services
You are not required to provide information we may request, but if you choose not to provide it, we may not be able to provide you the requested service or to complete your transaction.
Categories of Data Collected Automatically by Us or Our Service Providers
- Information about your browsing behavior on our sites or applications, such as the date and time you visit, the areas or pages you visit, the amount of time you spend viewing or using our site or application, and the number of times you return. On websites or applications to which you log on, we may connect this information with your identity to determine your potential interests in our products and services.
- Information regarding whether emails we send you are opened, forwarded, or used to click-through to our services.
- We also collect certain standard information that your browser sends to every website you visit, such as your internet protocol (IP) address, your browser type and capabilities, your preferred language, your operating system, software version, the date and time you access the site, and the website from which you linked to our site(s) or application(s), if any.
- Your mobile device(s) identifier, mobile device(s) manufacturer and model, operating system used by your device(s), mobile phone service carrier, the dimensions of your device(s), and the mobile application version you used. If an Android device is used, an advertising identifier (Google sends it automatically).
- Geolocation data, such as your physical location or movements.
Categories of Data We Collect About You from Third Parties
- If you use a third-party login to create an account with us or otherwise link to us via a third-party service, we may receive information about you from the third party (subject to your privacy settings on those third-party services), such as the above-listed identifiers and demographic information, your interests, and publicly observed data (for example, from social media websites or online activity).
We may draw inferences from any of the categories of data above described or combine the information we receive from and about you through any of the above means and publicly available information to help us tailor our communications to you and to improve our services.
Cookies, Web Beacons, and Other Tracking
Our site(s) may also contain web beacons, which are small, transparent image files. Web beacons allow us to count the number of users who have visited pages of our site(s). We may include web beacons in promotional email messages or newsletters in order to determine whether messages have been opened and acted upon, including whether the recipient clicked on a link in the email or forwarded the email to another person.
Tracking Options and “Do Not Track” Signals
Our Use of Personal Data
We use your personal data for the following purposes only.
Customer Service. We use personal data to answer your questions and to respond to your requests made through our websites, call centers, applications, or through third-party websites (including social media).
Commercial. We use personal data to deliver services or to execute transactions you request, such as concluding and executing agreements with customers, suppliers, and business partners; recording and settling services, products, and materials to and from a Phillip 66 company; and facilitating use of our websites and applications.
Improve/Develop Products or Services (including websites and applications). We use your personal data to develop or improve Phillips 66 or our branded stations’ products or services; to determine how to best provide services to you and to manage your accounts; and to improve our websites and applications to make them easier to use.
Marketing, Tailored Content, and Promotions.
- We may use your personal data for the development, execution, and analysis of market surveys and marketing strategies to better understand our, and our branded stations’, customers and users of our websites or applications.
- With your consent, we may advertise and market our products and services to you, and those of our branded stations. When collecting information that may be used to contact you about such products or services, we give you the opportunity to opt-out from receiving such communications and each email communication we send includes an unsubscribe link allowing you to stop delivery of that type of communication. Specifically, we may use your personal data to:
- provide you content tailored to your interests;
- send you advertisements, promotional materials, and offers from us and our branded stations;
- analyze whether the advertisements, promotions, and offers we send are effective;
- help us determine whether you may be interested in new products or services from us or our branded stations;
- update you about new features, offers, and benefits; and
- conduct contests offered by us or our branded stations.
Account management and verification. We may use your personal data to manage your account with us, and to send text, SMS, or push notifications to your mobile device with your prior knowledge and consent.
Fraud and security. We use your personal data to protect the security and integrity of our services and our business, as well as to safeguard your personal data. We may also use your personal data to manage fraud and security risk, including detecting and preventing fraud or criminal activity if you use our mobile payment function.
- We may also use your personal data in other ways as required or permitted by law or with your consent prior to the point of collection, or in an aggregated and non-specific format (where you cannot be reasonably identified) for analytical and demographic purposes.
We use your personal data only because it is necessary for the performance of an agreement with you, for our or a third party’s legitimate interests, or with your consent.
With Whom We Share Your Personal Data
We have disclosed to other parties all categories of personal data collected in the last 12 months as described below. We have not sold personal data in the last 12 months.
Service Providers. We disclose your personal data to our Service Providers for legitimate business purposes to provide services to us or on our behalf, such as data hosting, cloud services, sending out information and communications, processing transactions, analyzing data, technical support, and other business and professional services. We provide these companies with only those elements of personal data they need to provide their services to us.
To Third Parties for Transactions. We may also disclose personal data in connection with certain transactions, such as to financial institutions, government entities, and shipping companies or postal services involved in fulfilling transactions, or to other third parties to whom you or your agents authorize us to disclose your personal data in connection with products or services we provide to you.
Required Disclosures. We may disclose your personal data if required to do so by law or in our good-faith belief that such action is necessary to comply with legal requirements or with legal process served on us, and to protect our or others’ rights, property, or safety.
Operating Globally and International Transfers
We may transfer personal data to and store personal data in countries other than the country where it was collected or where you accessed our websites or applications. Those countries may have different data privacy and protection laws than the countries from which the personal data was collected or from which you accessed our websites or applications. To the extent required by applicable law, we will take measures to protect personal data so transferred or stored. For example, we implement Standard Contractual Clauses approved by the European Commission and use similar contractual obligations to comply with applicable laws of other jurisdictions. By choosing to use our services, including our websites and applications, and submitting personal data to us, you consent to the transfer of such personal data outside of your country of residence.
Personal Data Retention
To the extent permitted by applicable law and in accordance with the provisions of this Privacy Statement, we keep personal data for so long as (1) it is needed for the purpose for which we obtained it originally, or (2) we have another lawful basis for retaining it beyond the purpose for which it was originally obtained.
We use, and we require our Service Providers to use, industry standard security measures for securing and protecting personal data, including without limitation encrypting data in transit and at rest, as well as limiting access to personal data on a least privilege basis (i.e., giving each user access only to personal data needed to perform their specific job duties).
Our websites and applications may contain links to other websites, including those of other companies, organizations, and publications. These websites operate independently from our websites and applications, and we do not control and are not responsible for the content, security, or data privacy practices used by other entities. You should review the privacy statements of those websites to determine how they protect and use your personal data.
Our services, including our websites and applications, are not directed to children under 16 years of age and we do not knowingly collect any personal data from children under 16. If we learn that we collected the personal data of a child under the age of 16, we will use reasonable efforts to delete such information from our systems promptly.
Depending upon the laws applicable where you reside, you may have any or all the following rights. We are committed to protecting your privacy and will make reasonable efforts to honor your exercise of the below rights regardless of your residency as permitted by law. Residents of California have the following rights.
Right to Access
You have the right to request that we disclose certain information to you about our collection and use of your personal data over the past 12 months. Once we receive your verifiable consumer request, we will disclose to you:
- the categories of personal data we collected about you;
- the categories of sources for the personal data we collected about you;
- our business or commercial purpose for collecting or selling your personal data;
- the categories of third parties with whom we share that personal data;
- the specific pieces of personal data we collected about you; and
- if we sold or disclosed your personal data for a business purpose, two separate lists:
- identifying the categories of personal data sold to which categories of third-party purchasers; and
- identifying the categories of personal data disclosed to which categories of third parties.
Right to Delete
You have the right to request that we delete any of your personal data we collected from or about you, subject to certain below-listed exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal data from our records unless an exception applies.
We may deny your deletion request if retaining the personal data is necessary for us or our service providers to:
- complete the transaction for which we collected the personal data, provide a product or service you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- debug products to identify and repair errors that impair existing intended functionality;
- exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided by law;
- comply with the California Electronic Communications Privacy Act or other applicable laws;
- engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
- enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
- comply with a legal obligation;
- make other internal and lawful uses of that information that are compatible with the context in which you provided it.
We will not discriminate against you for exercising any of your rights. Unless permitted by applicable law, we will not do any of the following should you choose to exercise your rights:
- deny you goods or services;
- charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- provide you a different level or quality of goods or services; or
- suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
How to Exercise Your Rights
To exercise these rights, you may
submit a request through our webform or call us at 1.800.527.5476.
Only you or a person you authorize to act on your behalf may make a request related to your personal data. Please note that you must verify your identity and request before we take further action. As a part of this process, government identification may be required. In order to designate an authorized agent to make a request on your behalf, you must provide a valid power of attorney, the requester’s valid government issued identification, and the authorized agent’s valid government issued identification.
You may submit a request only twice within a 12-month period. Your request must provide information which sufficiently allows us to reasonably verify you are the person about whom we collected the personal data and must describe your request with enough detail to sufficiently allow us to properly understand, evaluate, and respond to it.
Our Response Process
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding our receipt of the verifiable request. If applicable, our response will explain the reasons we cannot comply with your request. For access requests, we will select a format to provide your personal data that is readily usable and should allow you to transmit the personal data without hindrance.
We will not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine your request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Changes to Privacy Statement
We reserve the right to amend this Privacy Statement at any time at our discretion and will review and update it as may be necessary but will do so at least annually. When we do, we will revise the effective date at the top of this Privacy Statement. Please revisit this page periodically to become aware of the most recent privacy terms; your use of our services linked to this Privacy Statement after such changes have been posted constitutes your agreement to such terms.
If you have questions regarding this Privacy Statement or our handling of personal data, you may