At Cepsa (Gibraltar) Limited (“CepsaGib”), we value your privacy and are committed to protecting your personal data. This Privacy Policy (“Policy”) explains how we collect, use, store, and protect the data you provide to us when using the GibFuel+ mobile loyalty application ("App") at CepsaGib and its subsidiaries. By using the App, you agree to the terms of this Policy.
1. Our role
We collect, use and are responsible for certain personal information about you. We are regulated under the General Data Protection Regulation which is EU law that applies in Gibraltar. We are responsible for your personal data as the ‘controller’ of this information.
2. Information we collect
A. Mandatory information
When you create an account or use the App, we collect the following mandatory information to provide core services:
• Name: for account identification purposes.
• Date of birth: to ensure you are over the age of 18 years old.
• Email: to communicate with you, including updates, promotions, and important notifications e.g. special birthday offers and promotions (subject to your opt-in preferences).
• Email opt-in setting: whether or not you have agreed to receive marketing emails.
B. Optional information
You may choose to provide additional information to enhance your experience:
• Gender: to personalize offers or communications.
• Phonenumber: for customer support or SMS notifications (if opted-in).
• Address: for location-specific promotions or communications.
C. Automatically collected information
We automatically collect and store the following data as part of your loyalty program usage:
• Point balance: your current loyalty point balance.
• Point history: detailed records of how and when you earn or use points.
• Coupon activation history: information about coupons you have activated within the App.
• Coupon redemption history: information about vouchers you have redeemed.
• Transaction amount: the monetary value of transactions that contribute to your points balance.
3. How we use your data
We use the information collected for the following purposes:
• Account management: to create and manage your user account.
• Loyalty program administration: to track your points, coupon activations, and redemptions.
• Customer support: to assist you with any inquiries or issues.
• Personalisation: to send personalised offers, promotions, and birthday rewards based on your preferences and optional data (e.g., gender, birthday).
• Marketing: if you opt-in, we will send promotional emails about special offers, new features, or services.
• Analytics: to improve our services and optimise your experience, we may analyse aggregated data for insights.
4. Legal basis for processing your data
We are required to have a legal basis for use of your personal data. The law says we must have one or more of these reasons:
• Consent: you provide us with your clear consent to process your personal data for a specific purpose.
• Legal obligation: it is necessary to use your personal data so that we may comply with the law.
• Legitimate interests: the use of your personal data is necessary for our legitimate interests or the legitimate interests of a third-party (i.e. a business or commercial reason for our own use of your personal data).
5. Sharing your data
Except as described in this Policy, we will not give, sell, rent or loan any of your personal data to any third parties.
We will not share your personal data with anyone outside the CepsaGib group of companies except:
• Where you have given us your permission to do so.
• Where we are required to do so by law and/or by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies around the world.
• With third-party service providers who help us operate the App, manage the loyalty program, or provide customer support. These third-parties may also gather information about you in accordance with their own privacy policies.
• With fraud prevention agencies.
• With our group companies.
• Where permitted by law, it is necessary for our legitimate interests or those of a third party and is not inconsistent with the purposes listed above.
6. Sending data outside of the EEA
We will only send your data outside of the European Economic Area (“EEA”) in cases where we must do so to comply with a legal duty or in cases where we are working with our third-party service providers or partners.
If we do transfer your personal information outside of the EEA to our third-party service providers or partners, we will ensure that the information is protected to the same standard as it would be in the EEA. In doing so, we will use one of the following safeguards:
• Transfer the information to a non-EEA country with privacy laws that give the same protection as the EEA.
• Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.
• Transfer it to organisations that are part of Privacy Shield.
7. Data security
We take reasonable measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. As effective as modern security practices are, no physical or electronic security system is entirely secure and we cannot ensure that all of your personally identifiable information provided will never be accessed. We implement industry-standard security practices, including encryption and secure storage, to safeguard your personal data.
8. Data retention
We retain your personal data for as long as your account is active or as necessary to provide you with the services outlined in this Policy. Upon request, we will delete or anonymise your data unless required by law to retain it. We may keep your data even after your account is no longer active if we are not able to delete the data due to legal, regulatory or technical reasons.
9. Your rights
You have the right to:
• Opt-out of receiving marketing emails by adjusting your email preferences within the App or clicking the unsubscribe link in any promotional email.
• Access and update your personal data in the App at any time.
• Request that personal data is corrected on the App.
• Request that personal data is deleted and destroyed in cases where you believe that we no longer need to process your information for the purposes for which it was provided; we have requested your permission to process your personal data and you wish to withdraw your consent; or we are not using your information in a lawful manner. Please note that if you request us to delete your information, we may have to suspend your use of the App.
• Restrict the processing of your personal data in cases where you believe that any of the information we hold about you is inaccurate; we no longer need to process your information for the purposes for which it was provided or we are not using your information in a lawful manner. Please note that if you request us to restrict processing your information, we may have to suspend your use of the App.
• Object to the processing of your personal data (unless we can demonstrate compelling and legitimate grounds for the processing, which may override your own interests or where we need to process your information to investigate and protect us or others from legal claims). Depending on the circumstances, we may need to restrict or cease processing your personal data altogether, or, where requested, delete your information. Please note that if you object to us processing your information, we may have to suspend your use of the App.
• Object at any time to the processing of your personal data for direct marketing purposes.
• Withdraw your consent. Where we rely on your permission to process your personal data, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific processing activities.
• Lodge a complaint with the regulator. If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter. We hope that we can address any concerns you may have, but you can always contact the relevant data protection authority. For more information please visit: www.gra.gi.
10. Making a complaint
You should direct all complaints relating to how we have processed your personal data to the Data Protection Officer at GDPR@gibfuelplus.com. CepsaGib staff will inform the Data Protection Officer immediately if they receive a complaint relating to how the firm has processed personal data so the relevant complaints procedure can be followed.
11. Children’s privacy
Our App is not intended for use by children under the age of 18, and we do not knowingly collect personal information from children. If we discover that we have inadvertently collected such data, we will take steps to delete it.
12. Changes to this policy
We may update this Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any significant changes by posting the revised policy in the App or sending an email.
13. Contact us
If you have any questions about this Policy, please contact us at:
