Privacy Policy
1. Introduction
1.1. This Privacy Policy (the „Policy”) explains how Expert Petroleum Solutions S.R.L. and other XP Group companies (collectively referred to as „XP”, „We”, „Us”) collect, use, store, and protect your personal data when you visit our website www.xp-group.com (the „Website”) and interact with Us. Expert Petroleum Solutions S.R.L. acts as the primary data controller for personal data collected through the Website. Depending on your interaction with the Website and our services, the data controller may also be the relevant XP Group entity with which you interact directly or that provides services to you in your country, acting as an independent controller. You may consult the full list of XP Group companies in the Contact Us section of our Website.
1.2. Your privacy matters to Us. At XP, We understand that entrusting Us with your personal information is an important decision. Whether you are just discovering Us, evaluating a potential project or collaboration with Us, or exploring employment possibilities, We are dedicated to safeguarding your data with the same level of care and diligence that defines our work. Transparency, accountability, and respect for your rights are at the core of how We handle personal data.
1.3. We are committed to ensuring that your privacy is protected in accordance with Regulation (EU) 2016/679 (the „General Data Protection Regulation” or „GDPR”) and applicable Romanian data protection legislation.
1.4. Please review this Policy carefully together with our Cookie Policy and Terms and Conditions.
2. About Us
2.1. The primary data controller responsible for your personal data is Expert Petroleum Solutions S.R.L., a limited liability company incorporated under Romanian law, with its registered office located at Victoria Business Park, 73-81 București-Ploiești Road, C3 Building, 1st floor, 1st District, Bucharest, Romania, registered with the Trade Registry under no. J2010009880406, sole registration code (CUI) 26367230.
2.2. For any questions regarding this Privacy Policy or the processing of your personal data, you may contact our Data Protection Officer at the following email address: dpo@xp-group.com.
3. Personal data we collect from you
3.1. „Personal data” refers to any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3.2. Certain types of personal data are classified as „special categories of personal data” under the GDPR due to their sensitive nature. These include information that reveals or relates to racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic or biometric data used for identification purposes, health information, or details about an individual’s sex life or sexual orientation. XP does not intentionally collect or process special categories of personal data. Should you inadvertently provide Us with such sensitive information, We will promptly delete it and will not use it for any purpose.
3.3. We do not knowingly process personal information of anyone under the age of 16 years old. Our Website is mainly designed for business-to-business (B2B) purposes and is not directed at minors. If We become aware that We have inadvertently collected personal data from a child under 16 without appropriate parental consent, We will take steps to delete such information as quickly as possible.
3.4. We do not receive personal data from third parties such as LinkedIn, Meta, or other external platforms.
3.5. Data collected through the contact forms on Our Website
We collect personal data directly from you when you submit information through the contact forms available on the Contact Us page from Our Website. Our Website features four distinct contact forms, each designed to capture information relevant to the nature of your inquiry, namely:
(a) General Inquiries Form
When you submit a general inquiry, We collect from you the following information:
- First name
- Last name
- Company/Institution
- Job title
- Phone number
- Business email address
- Comments
(b) Production Enhancement Form
When you contact Us regarding potential projects or collaborations related to production enhancement services, We collect from you the following information:
- First name
- Last name
- Company/Institution
- Job title
- Phone number
- Business email address
- Comments
(c) Decarbonization Solutions Form
When you contact Us regarding potential projects or collaborations related to decarbonization solutions, We collect the following information:
- First name
- Last name
- Company/Institution
- Job title
- Phone number
- Business email address
- How We can help you (service interests)
- Comments
(d) Human Resources Form
When you contact our HR Department for job applications or other HR-related matters, We collect from you the following information:
- First name
- Last name
- Phone number
- Email address
- Comments
- CV attachment
3.6. Data collected automatically
Our Website uses cookies to ensure proper functionality and to analyze Website usage. The cookies we use fall into the following categories:
Strictly Necessary (Essential) Cookies: These cookies are essential for the technical operation and functionality of Our Website.
Statistics Cookies: With your consent (where required), We use Google Analytics 4 (GA4) to collect certain technical and usage data automatically when you visit our Website. Such data may include user data (e.g.,device type, operating system, browser type, screen resolution, language settings, approximate geolocation namely country, region, city, based on anonymized IP, session and behavior-related data (e.g., number of sessions, session duration, pages visited, scrolling activities), traffic and source data and conversion data.
GA4 uses the following cookies:
- _ga – Anonymous user identifier
- _ga_XXXX – Session data
We do not collect directly identifiable information such as names, email addresses, or social security numbers through GA4.
For more detailed information about the cookies We use, please refer to our Cookie Policy.
4. Purposes and Legal grounds for processing your personal data
4.1. We process your personal data for the following purposes and on the following legal bases:
| Purpose | Legal Basis (Article 6 of the GDPR) |
|---|---|
| Responding to general inquiries and requests - We process personal data submitted through our contact forms to respond to your questions, comments, and requests. | Legitimate interest in responding to communications and facilitating potential business development, and where applicable, taking steps at your request prior to entering into a contract (Art. 6(1)(b) and Art. 6(1)(f) of the GDPR) |
| Discussing potential projects, partnerships or commercial opportunities | Legitimate interest in responding to communications and facilitating potential business development, and where applicable, taking steps at your request prior to entering into a contract (Art. 6(1)(b) and Art. 6(1)(f) of the GDPR) |
| Processing job applications and recruitment - If you apply for an internship or job, We will process the personal data necessary to assess your application and determine your suitability for the concerned position. | Legitimate interest in conducting an effective recruitment process and evaluating candidate suitability (Art. 6(1)(f) of the GDPR) |
| Concluding an employment contract, in case your job application is successful. | Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) of the GDPR) |
| Retaining recruitment data for future vacancies – We may retain the job applicant’s data beyond the conclusion of a specific recruitment process to consider the applicant for future vacancies that may match their profile. | Your explicit consent for retaining your data for future vacancies (Art. 6(1)(a) of the GDPR), which you may withdraw at any time. |
| Website analytics and performance improvement | Legitimate interest in improving, managing, and optimizing the performance of the Website (Art. 6(1)(f) of the GDPR) and preventing unlawful activities |
| Ensuring Website security and functionality | Legitimate interest in ensuring the security and proper functioning of the Website and preventing unauthorized access (Art. 6(1)(f) of the GDPR) |
| Investigating and taking action against illegal or harmful behavior | Legitimate interest in investigating abuse, illegal conduct, or violations of terms of service (Art. 6(1)(f) of the GDPR) |
| Establishing, exercising or defending legal claims | Legitimate interest in protecting our legal rights and defending legal claims in judicial, administrative, or regulatory proceedings (Art. 6(1)(f) of the GDPR) |
| Complying with legal obligations | Processing personal data where necessary to comply with legal obligations to which XP is subject under EU or Romanian law (Art. 6(1)(c) of the GDPR) |
5. Recipients of your personal data and data transfers
5.1. Personal data collected through our Website contact forms may be shared with the following internal departments within XP, depending on the nature of your inquiry:
- Human Resources Department: for job applications and HR related inquiries
- Production Enhancement Department: for production enhancement project inquiries
- Decarbonization Services Department: for decarbonization solutions project inquiries
- Assistance Department: for general inquiries.
5.2. Each department will assess whether to contact you and respond to your request based on the information provided in your submission.
We may also share your personal data with the following categories of external recipients:
- IT and hosting service providers who assist in operating our Website;
- Other service providers such as professional advisors (e.g., legal and accounting professionals, auditors, etc.) where required;
- Third parties in connection with the sale or re-organization of all or any part of our business, if necessary;
- Public authorities and regulatory bodies: if required under applicable laws, XP may disclose personal data to public authorities or institutions;
- Law enforcement agencies and courts: where We are required by law to disclose your personal data in response to lawful requests or court orders.
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
6. International data transfers
6.1. Your personal data is primarily processed within the European Union. However, certain third-party service providers We use, such as Google Ireland Limited, Google LLC or subsidiaries of Google LLC (for Google Analytics), may process personal data in the United States or other countries outside the European Economic Area. Where such transfers occur, We ensure that appropriate safeguards are in place to protect your personal data.
6.2. For any transfers of personal data outside the European Economic Area, XP relies on the following safeguards to ensure an adequate level of protection:
- Adequacy decisions of the European Commission.
- Standard Contractual Clauses approved by the European Commission.
- Other legally recognized mechanisms ensuring an adequate level of data protection.
For a full list of non-EU/EEA countries that the European Commission has recognized as providing adequate data protection, please visit: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
You have the right to obtain a copy of the safeguards We have put in place by contacting our Data Protection Officer.
7. Data retention period
7.1. We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with the following retention periods: (i) general inquiries and business development contacts: up to 1 (one) year from last contact; (ii) job applications: up to 1 (one) year from submission date for consideration of future vacancies, unless you withdraw consent earlier; (iii) analytics data: up to 14 months. We may retain data for longer periods where required by applicable law (for example, to comply with legal obligations or to establish, exercise, or defend legal claims).
7.2. After the applicable retention periods expire, your personal data will be securely deleted or irreversibly anonymized, unless a longer retention period is required or permitted by law (for example, to comply with legal obligations or to establish, exercise, or defend legal claims).
8. Updating your personal data
8.1. Maintaining the accuracy and completeness of your personal data is a priority for Us. To help Us achieve this, We ask that you keep Us informed of any changes to your information, including your contact details and other relevant data. You can inform Us of any changes to your personal data by contacting our Data Protection Officer at : dpo@xp-group.com.
9. Protecting your personal data
9.1. Your personal data will be secured by Us through the implementation of security measures appropriate to the categories of personal data We process. To this end, We implement appropriate physical, technical, and administrative security measures to protect your personal data against theft, accidental loss, unauthorized modification, unauthorized or accidental access, processing, deletion, use, disclosure, copying, or accidental or unlawful destruction.
9.2. While We implement modern and commercially reasonable security measures, We cannot guarantee the absolute security of personal data stored in our systems, nor can We ensure that information transmitted via the internet or other computer networks is fully protected against unauthorized access, interception, or alteration during transmission. Any transmission of personal data is undertaken at your own risk, and We shall not be liable for any resulting misuse of such data.
Our security measures include:
- Secure Socket Layer (SSL) encryption
- Firewall protection
- Access restrictions and authentication controls
- Regular data backups
- Internal data protection policies and procedures
10. Your rights regarding your personal data
10.1. As a data subject, you have the following rights in relation to your personal data under the GDPR:
- the right to access the personal data held by Us about you;
- the right to have your personal data rectified, for example if it is incomplete or inaccurate;
- under specific circumstances and subject to applicable law, the right to restrict or object to the processing of your personal data, or to request that your personal data is erased;
- under specific circumstances and subject to applicable law, the right to receive a copy of the personal data which you have provided to Us, in a structured, commonly used and machine-readable format (known as „data portability”);
- where you have provided personal data based on your consent, or voluntarily, the right to withdraw your consent at any time, without prejudice to the lawfulness of the processing done before your withdrawal;
- the right to opt out, free of charge, at each and any time of receiving marketing communications from Us
- the right to be informed, without undue delay, of a personal data breach that is likely to result in a high risk to your rights and freedoms.
10.2. To exercise any of these rights, please contact our Data Protection Officer at dpo@xp-group.com. We will respond to your request within one (1) month of receipt.
10.3. XP does not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
10.4. If you believe that our processing of your personal data infringes the GDPR or applicable Romanian data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Romania, the supervisory authority is:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania Website: www.dataprotection.ro Email: anspdcp@dataprotection.ro.
11. Cookies and tracking technologies
11.1. Our Website uses cookies and similar tracking technologies. Detailed information about the cookies we use, their purposes, retention periods, and how to manage your cookie preferences is set out in our Cookie Policy.
12. Third-party website and embedded content
12.1. Our Website may include links to third-party websites, such as a widget connected to XP’s official LinkedIn page. When you visit these third-party websites via links on our Website, the handling of your personal data will be subject to the privacy policies of those external parties. We do not assume responsibility for the privacy practices or content maintained by these third-party websites.
12.2. We encourage you to review the privacy policies of any third-party websites you visit.
13. Contact Us
13.1. If you have any questions, concerns, or requests regarding this Policy or the processing of your personal data, please contact Us via email at dpo@xp-group.com or by sending us a letter to our postal address: Expert Petroleum S.R.L., Victoria Business Park, 73-81 București-Ploiești Road, C3 Building, 1st floor, 1st District, Bucharest, Romania.
14. Changes to this Policy
14.1. We may update this Policy from time to time to reflect changes in our practices or applicable law. If We make material changes to this Policy, We will take appropriate steps to notify you, which may include posting a notice on our Website.
14.2. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.
This Privacy Policy was last updated on April 20th 2026.
