Data protection statement

We take privacy seriously. This notice tells you who we are, what information we collect about you, and what we do with it. We only use information about you in accordance with applicable data protection laws. Click on "find out more" in each section for further details.

Who are we?

We are a member of Philip Morris International. Our information (name, address, etc.) will have been provided to you separately at the time of (or to confirm) the collection of information about you, for example, in a notice on an app or website, or in an email containing a link to this statement.

  • PMI: Philip Morris International, a leading international tobacco group. It consists of a number of companies or "affiliates."

  • PMI Group Companies: Each member of the Philip Morris International group of companies is a “PMI Group Company.” “We” (or “us” or “our”) refers to the affiliated PMI company that first collected information about you.

How do we collect information about you?

We may collect information about you in various ways.

  • You may provide information to us directly (e.g., by filling out a form, calling us, signing up to receive PMI press releases or email communications, or submitting content to a PMI digital touchpoint).

  • We may collect information automatically (for example, when you use a PMI app or website).

  • We may obtain information from third parties (e.g., contact information from creative and marketing agencies or publicly available information on social media platforms such as Facebook and Twitter).

In this notice, we refer to all the ways you interact with us as “PMI touchpoints.” PMI touchpoints include both physical (e.g., events) and digital (e.g., apps and websites).

We may collect information that you provide directly. This will typically occur when you:

  • register to become a member of our databases (this can be done in person, via app, or online),

  • submit content to a digital PMI touchpoint,

  • download or use a digital touchpoint (e.g., an app or website),

  • contact us via a point of contact or via email, social media, or telephone,

  • register to receive PMI press releases, email notifications, or corporate communications,

  • participate in PMI surveys or (if permitted by law) PMI competitions or promotions in connection with events, or

  • participate in an event organized by an affiliated PMI company.

We may collect information about you automatically. This will typically happen when you:

  • participate in an event organized by an affiliated PMI company (e.g., through sensors at the event that connect with mobile technology),

  • communicate with us (e.g., via a touchpoint or social media platforms),

  • use PMI touchpoints (e.g., through tracking mechanisms (such as cookies and web beacons/pixels) that you receive when you use the PMI touchpoint or receive an email from us),

  • use third-party websites (e.g., using technology similar to that described in the above paragraph, which you receive when you visit a PMI touchpoint or receive an email from us); or

  • publish posts on social media platforms that we follow (for example, so that we can understand public opinion or respond to requests regarding PMI (for example, PMI campaigns)).

As mentioned above, we may collect information about you automatically through the use of cookies and similar tracking technologies (such as web beacons/pixels) that you receive when you visit PMI digital touchpoints or receive an email from us. The specific cookies and other mechanisms used depend on the PMI touchpoint in question. To learn about the mechanisms used at a touchpoint, including how to accept or reject cookies, please see the information provided on or through that touchpoint. These mechanisms may include Google Analytics cookies (see www.google.com/policies/privacy/partners/).

Where permitted by law, we may obtain information about you from third parties. This may include information shared between affiliated PMI companies, publicly available profile information (such as your preferences and interests) on third-party social media sites (such as Facebook and Twitter), and marketing lists acquired from third-party marketing agencies.

We may also collect information in other contexts, which will be made clear to you at the time.

What information do we collect about you?

We may collect various types of information about you:

  • information necessary to arrange your participation and accommodation at an event

  • information required for your participation in activities at an event

  • information necessary to provide you with press releases or email alerts

  • information you provide to us in forms or surveys

  • information you provide to us when you submit content to a digital touchpoint

  • information about your visits to our events or PMI touchpoints

  • information you provide to us in communications you have with us in connection with an event or campaign

  • information about your preferences and interests

  • information necessary to verify your identity and age

  • information about your experiences at our events, receipt of our communications, or our

Information we collect directly from you will be apparent from the context in which you provide it. For example:

  • if you choose to participate in an event that may include booking accommodation and transportation, you must provide your name, contact details, passport or identity document so that we can make the necessary bookings,

  • if you submit content to a digital PMI touchpoint, you may provide your name, username, contact details, image, location, interests, and preferences;

  • you may provide information about your preferences, interests, and experiences so that we can offer you services and updates that will interest you and to improve our events and services;

  • if you choose to participate in an event activity,

  • we may collect information that allows us to verify your age.

Information that we collect automatically generally relates to:

  • at an event (including areas in the immediate vicinity), which areas you visit and for how long,

  • information about your visit or call (such as time, date, and duration),

  • recordings (if permitted) of your visit to an event,

  • your use of digital PMI touchpoints (such as the pages you visit, the page you came from, and the page you went to when you left, search terms entered or links clicked on within the touchpoint, when you first opened the touchpoint, how long you use it, and how you interact with messages or message banners we send you); we may use cookies and similar tracking technologies (such as pixels/web beacons) to do this,

  • your use of third-party websites, where the information collected will be similar to that described in the above point (we may use cookies and similar tracking technologies (such as pixels/web beacons) to do this);

  • your mobile or desktop device and software (such as your IP address or unique device identifier (e.g., Mobile Advertising Identifier (MAID) or Android ID (SSAID)), location information (either derived from your IP address or if you choose to share your precise location with us for specific purposes, such as a store locator), device brand and model, screen display settings, web browser type, operating system (some of which may be used in "digital fingerprinting" (see below for the purposes for which we use information about you)), and details of any cookies (or similar technologies) that we may have stored on your device).

Information we collect from third parties will generally consist of publicly available profile information (such as your preferences, interests, and experiences), for example from public posts on social media. We may also collect your name and email address from third parties to invite you to participate in an event and participate in event activities.

For what purposes do we use information about you, and on what legal basis?

In this section, we describe the purposes for which we use personal data. However, this is a global notice, and where the laws of a country restrict or prohibit certain activities described in this notice, we will not use information about you for those purposes in that country.

Subject to the above, we use information about you for the following purposes:

  • To comply with legal obligations, such as (if applicable) verifying your age and identity

  • To administer our user-generated content contract with you (where you submit content to a PMI digital touchpoint)

  • To provide you with press releases, email alerts, and newsletters

  • To enable you to use PMI touchpoints and to personalize your experiences with PMI touchpoints

  • To understand whether you are still engaged with our communications and whether you wish to continue receiving them

  • For general business administration, and to support all of the above, including managing your accounts so you can use PMI touchpoints that are relevant to you, managing your agreements with us or with anyone who supports our services, customizing your experiences with PMI touchpoints, preventing fraud (e.g., in connection with our events and surveys, to ensure they are not taken more than once by the same person), providing security at events, and administration and troubleshooting

  • For business analysis, statistical, or scientific purposes, including improving PMI touchpoints and services, and the information we (or our affiliates) provide to those interested in our businesses

  • For other purposes that we notify you of, or that will be clear from the context, at the time when information about you is first collected

The legal basis for our use of information about you is one of the following (as explained in more detail in the "find out more" section):

  • compliance with a legal obligation to which we are subject,

  • the performance of a contract to which you are a party,

  • a legitimate business interest that is not outweighed by interests that you have in protecting the information,

  • where none of the above applies, or where required by law, your consent (which we will ask for before processing the information).

The purposes for which we use information about you, with corresponding collection methods and legal basis for use, are:

Comply with legal obligations

  • confirm your age and identity

This information is generally provided directly to us by you.

We use it because it is necessary for us to comply with legal obligations, in certain areas of our business, to deal only with adults, or, in countries where there is no such legal obligation, because we have a legitimate business interest in dealing only with adults that is not overridden by your interests, rights, and freedoms to protect information about you.

Manage our user-generated content agreement with you (if applicable)

  • if you submit content to a digital PMI touchpoint, we will use information about you and the content you submit to comply with and in accordance with our user-generated content terms

This information is generally provided directly to us by you.

We use it on the basis that it is necessary for us to perform our contract with you, and on the basis that we have a legitimate business interest in managing our relationship, in using content that you submit to a digital PMI touchpoint, and in operating PMI touchpoints, in ways that are not overridden by your interests, rights, and freedoms to protect information about you.

Deliver PMI touchpoints, press releases, email alerts, and newsletters

  • allow you to use PMI touchpoints (e.g., allow you to remain logged in to sections of a touchpoint reserved for authorized users, manage your language preference, manage your accounts)

  • delivery of PMI press releases, email alerts, and newsletters

  • customize your experience of PMI touchpoints (e.g., to personalize your visit, such as with greetings or suggestions that may interest you)

  • prevention of fraud (for example, in connection with our campaigns, competitions, and surveys to ensure that they are not taken more than once by the same person)

  • management of your accounts and troubleshooting

  • staff training and quality control

  • ensure safety at events

This will typically be a combination of information that you provide to us (e.g., your name and contact information and social media information) and information that we collect automatically (e.g., using technology (such as cookies and web beacons/pixels) to monitor your use of PMI touchpoints and emails from us, or closed-circuit recordings at events), and using similar technology to monitor your use of third-party touchpoints.

We use it on the basis that we have a legitimate business interest in operating PMI touchpoints, in customizing your experiences, and in understanding whether you wish to continue receiving our communications, in ways that are not overridden by your interests, rights, and freedoms to protect information about you.

Business administration

  • general organizational management, business registration, administration, and troubleshooting

  • administration and hosting of events, including administration and facilitation of accommodation and transportation to attend events or participate in an event activity, and organization of security at the event

  • correspondence in relation to our relationship with you, including handling your inquiries and requests

  • development, implementation, operation, and maintenance of IT systems

  • maintaining the security of systems and devices

  • the operation of contact databases

We generally receive the information directly from you.

We use it because we have a legitimate business interest in running our business (including organizing events), managing our relationship with you, and maintaining the security and integrity of our IT systems and events, which is not overridden by your interests, rights, and freedoms to restrict the use of information about you.

Security and system monitoring

  • approval and access control and logs, where applicable

This information is collected automatically through various methods, such as automated systems and device monitoring.

We use it because we have a legitimate business interest in ensuring the confidentiality, integrity, and security of our digital infrastructure, which is not overridden by your interests, rights, and freedoms to protect information about you.

Business analysis and improvements

  • enable us or our business partners to inform you about potential opportunities to be involved in the communication of PMI campaigns

  • for business analysis and improvement (including for PMI products, stores selling PMI products, events, digital PMI touchpoints, and the information we (or our affiliates) provide to those interested in our businesses)

This will typically be a combination of information you give us (such as demographic information, e.g., your age, gender, and the city where you live), information we collect automatically (which will include information about your electronic PMI device and your use of it, but where we seek your consent to use certain information, we do not use this information for these purposes unless you have given your consent), and (where permitted by law) information we obtain from third parties. If we have more than one type of information from these categories, we combine them to improve our analysis.

We use it on the grounds that we either:

  • have your consent to do so, or

  • have a legitimate business interest in analyzing and improving our business performance, PMI touchpoints, and events, and in inviting others to become involved in communicating PMI campaigns, that is not overridden by your interests, rights, and freedoms to protect information about you.

If we do not base our use of information about you on one of the above legal bases, or if the law requires it, we will ask for your consent before processing the information (these cases will be clear from the context).

In some cases, we may use information about you in ways not described above. Where this is the case, we will provide a supplemental privacy notice explaining such use. You should read any supplemental notices along with this notice.

Who do we share your information with, and for what purposes?

We may share information about you with:

  • affiliated PMI companies,

  • third parties who provide services to affiliated PMI companies or to you, including travel agencies who use the information to arrange or facilitate travel and accommodation at events;

  • carefully selected business partners of affiliated PMI companies (in areas related to our events) so that they can contact you with offers they believe may be of interest to you, in accordance with your preferences; and

  • other third parties, where required or permitted by law.

We only share information about you with others in accordance with applicable laws. So where the law requires your consent, we will ask for it first.

Sharing information with other affiliated PMI companies

  • Information about you will be shared with Philip Morris Products S.A. (based in Neuchâtel, Switzerland), which is the central location for the processing of personal data for affiliated PMI companies. Philip Morris Products S.A. processes information about you for all the purposes described in this statement.

  • Information about you may be shared with the affiliated PMI company responsible for the country in which you reside (if it was not the affiliated PMI company that initially collected the information) for all of the purposes described in this statement.

  • Information about you may be shared with any other affiliated PMI company that you contact (for example, if you are traveling and want to know about an affiliated PMI company's event, promotion, or general activities in another country) in order to improve our service to you.

Information about affiliated PMI companies and the countries in which they are established is available.

Where might information about you be sent?

As with any multinational organization, affiliated PMI companies transfer information globally. Therefore, information about you may be transferred globally (for example, if you are in the European Economic Area (“EEA”), your information may be transferred outside the EEA. If you are in Australia, your information may be transferred outside Australia).

When information is used as described in this statement, information about you may be transferred either within or outside the country or territory where it was collected, including to a country or territory that may not have equivalent data protection standards.

For example, affiliated PMI companies within the EEA may transfer personal data to affiliated PMI companies outside the EEA. In all such cases, the transfer will be:

  • on the basis of a decision by the European Commission on adequacy,

  • subject to appropriate safeguards, such as EU model contracts, or

  • necessary to perform obligations under a contract between you and us (or the implementation of pre-contractual measures taken at your request) or for the conclusion or performance of a contract concluded in your interest between us and a third party, such as in connection with travel arrangements.

In all cases, appropriate security measures to protect personal data will be applied in the countries or areas concerned in accordance with applicable data protection laws.

Our service providers are located in many countries around the world, including, in particular, the EEA, Switzerland, the United States, Canada, India, the Philippines, Indonesia, and Australia.

How do we protect information about you?

We implement appropriate technical and organizational measures to protect personal data we store from unauthorized disclosure, use, alteration, or destruction. Where appropriate, we use encryption and other technologies to help secure the information you provide. We also require our service providers to comply with strict data protection and security requirements.

How long will information about you be stored?

We store information about you for the period necessary to fulfill the purposes for which the information was collected. After that, we delete it. The period will vary depending on the purposes for which the information was collected. Please note that in certain circumstances, you have the right to request that we delete the information. We are also sometimes legally obliged to store the information, for example, for tax and accounting purposes.

We typically retain information based on the criteria described in the table below:

Type | Explanation/typical storage criteria

  • communicating PMI campaigns and events to you (if you use digital touchpoints and can be contacted)

Most of the information in your profile is retained for the duration of our relationship with you, for example, while you continue to use digital touchpoints or respond to our communications. Some elements of your profile, such as records of how we interact with you, will naturally become obsolete after a period of time, so we automatically delete them after defined periods (typically 15 months as appropriate for the purpose for which we collected them).

  • communicating PMI campaigns and events to you (if you are no longer in contact with us)

  • PMI campaign and event communication for you (if you cannot be contacted)

This scenario is the same as above, but if we have no contact with you for an extended period of time (typically 1 year), we will stop sending you messages and delete your history of responses to them. This will happen, for example, if you never click on an invitation to an event or log in to a digital touchpoint during that time. The reason is that, under these circumstances, we assume that you prefer not to receive the messages.

If you have registered to receive communications but the information you provide us to contact you does not work, we will typically store your information for a period of only 6 months to allow you to return and correct it.

  • database records

If you have opted in to receive email communications (and similar) or use a PMI digital touchpoint, most of the information in your profile will be retained for as long as you continue to receive the communications, use the digital touchpoint, or respond to our communications. Some elements of your profile, such as your usage history for PMI’s digital touchpoint, will naturally become obsolete after a period of time, so we automatically delete them after defined periods of time, as appropriate for the purpose for which we collected them.

  • system audit logs

System audit logs are typically stored for a period of 18 months.

  • business analysis

Most business analytics data is retained for the duration of our relationship with you as described in the first row of this table above. However, some elements of it naturally become obsolete after a period of time, so we automatically delete them after defined periods of time as appropriate for the purpose for which we collected them.

What rights and options do you have?

You may have some or all of the following rights with respect to information about you that we hold:

  • request us to grant you access to it,

  • request us to correct, update, or delete it,

  • request that we restrict our use of it in certain circumstances,

  • object to our use of it, under certain circumstances,

  • withdraw your consent to our use of it,

  • data portability under certain circumstances,

  • opt out of our use of it for direct marketing, and

  • file a complaint with the supervisory authority in your country (if there is one).

We offer you easy ways to exercise these rights, such as "unsubscribe" links or a contact address in messages you receive.

Some mobile applications that we offer may also send you push notifications, for example about events. You can disable these notifications via the settings on your phone or in the application.

The rights you have depend on the laws in your country. If you are located in the European Economic Area, you have the rights set out in the table below. If you are located elsewhere, please contact us (see the section "Who should you contact if you have questions?" at the end of this notice) for more information.

Rights regarding the information we hold about you | Additional information (note: certain legal limitations apply to all of these rights)

  • to request that we grant you access to it

This is a confirmation of:

  • whether we process information about you,

  • our name and contact details,

  • the purpose of the processing,

  • the categories of information concerned

  • the categories of persons with whom we share the information and, if a person is outside the EEA and does not benefit from an adequacy decision by the European Commission, the appropriate safeguards to protect the information;

  • (if we have them) the source of the information, if we did not collect it from you,

  • (to the extent that we do something that you are made aware of) the existence of automated decision-making, including profiling, which has legal effects on you or significantly affects you in a similar way, and information about the logic involved, as well as the significance and intended consequences of such processing for you, and

  • the criteria for determining the period for which we retain the information.

At your request, we will provide you with a copy of the information we hold about you (provided that this does not affect the rights and freedoms of others).

  • to request that we correct or update it

This applies if the information we hold is inaccurate or incomplete.

  • to request us to delete it

This applies if:

  • the information we store is no longer necessary for the purposes for which we use it,

  • we use the information based on your consent, and you withdraw your consent (in this case, we will remember not to contact you again unless you tell us that you want us to delete all information about you, in which case we will respect your wishes),

  • we use the information on the basis of legitimate interest, and we find that, following your objection, we do not have an overriding interest in continuing to use it,

  • the information was obtained or used unlawfully, or

  • to comply with a legal obligation.

  • to request that we restrict our processing of it

This right applies temporarily while we investigate your case if you:

  • dispute the accuracy of the information we use, or

  • have objected to our use of the information on the basis of legitimate interest (if you exercise your right in these cases, we will inform you before we use the information again).

This right also applies if:

  • our use is unlawful and you oppose the erasure of the data, or

  • we no longer need the information, but you need it to file a lawsuit.

  • to object to our processing of it

You have two rights here:

  • if we use information about you for direct marketing, you can "opt out" (without having to give a reason), and we will comply with your request, and

  • if we use your information on the basis of legitimate interest for purposes other than direct marketing, you may object to our use of it for those purposes, provide an explanation of your particular situation, and we will consider your objection.

  • to withdraw your consent to our use of it

This applies if the legal basis on which we use your information is consent. These cases will be clear from the context (for example, if you gave your consent using the preference center in one of our apps, you can withdraw your consent by turning the corresponding switch on/off).

  • for data portability

If:

(i) you have provided information to us, and
(ii) we use that information by automated means and on the basis of either your consent or the performance of our contractual obligations to you, then you have the right to receive that information back from us in a commonly used format, and the right to require us to transfer the information to another party, if it is technically possible for us to do so.

  • to lodge a complaint with the supervisory authority in your country

Each country in the European Economic Area must provide one or more public authorities for this purpose.

You can find their contact details here:

http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

For other countries, please visit the website of your country's authority.

Country-specific additional points

Depending on which country you are in, you may have additional rights.

If you are in Australia, find out more...

  • If you are in Australia, the following additional information applies to you:

(A) if you do not provide your personal data to us, we may not be able to (as applicable) provide you with the information you request; and

(B) our data protection policy (available at https://www.pmiprivacy.com/en-au/privacy-policy) explains: (i) how you can access and correct the personal data we hold about you, (ii) how you can lodge a complaint about our handling of your personal data, and (iii) how we handle any complaints.

If you are in France, you can find out more...

  • If you are in France, you have the right to give us instructions regarding the information we hold about you in the event of your death (in particular, whether we should retain or delete it, and whether others should have the right to see it). You may:

(A) issue general instructions to a digital service provider registered with the French data protection authority (known as the “CNIL”) (these instructions apply to all use of information about you), or

(B) give us specific instructions that apply only to our use of information about you.

Your instructions may require us to transfer information about you to a third party (but if the information contains details of others, our obligation to respect their data protection rights may mean that we cannot follow your instructions to the letter). You may appoint a third party to be responsible for ensuring that your instructions are followed. If you do not appoint a third party in this way, your successors (unless you specify otherwise in your instructions) will be entitled to exercise your rights over information about you after your death:

(i) to administer your estate (in which case your successors will be able to access information about you to identify and obtain information that may be useful in administering your estate, including any digital assets or information that may be considered a family memory that can be transferred to your successors); and

(ii) to ensure that parties using information about you take account of your death (such as closing your account and restricting the use or updating of information about you).

You may modify or revoke your instructions at any time. For further information on the processing of information about you in the event of your death, please refer to Article 40-1 of Law 78-17 dated January 6, 1978. When you die, you will, by default, stop using your account, and we will delete information about you in accordance with our retention policies (see the section "How long will information about you be stored?" for more details).

If you are in the Philippines, find out more...

If you are located in the Philippines, you may have rights in addition to those set forth in this statement in accordance with the Philippine Data Protection Act and its implementing rules and regulations, including the National Data Protection Commission's Data Protection Policy Advisory Opinion No. 2018-031.

If you are in Denmark, find out more...

If you are in Taiwan, the following additional information applies to you:

If you do not provide your personal information to us, we may not be able to (as applicable) provide you with the information, products, or services you request.

If you are in Switzerland, you can find out more...

If you are in Switzerland, information about you may be transferred outside Switzerland, including to a country or territory that may not have equivalent data protection standards. In such cases, the transfer will be subject to appropriate safeguards such as the standard contractual clauses in accordance with the new Data Protection Act and guidance from the Federal Data Protection and Information Commissioner.

Who should you contact if you have questions?

If you have any questions or wish to exercise any of your rights, you can find contact details for the relevant affiliated PMI company and, where applicable, the data protection officer, here. Contact details will also be provided in any communication that an affiliated PMI company sends to you.

If your country has a data protection authority, you have the right to contact it with any questions or concerns. If the relevant affiliated PMI company cannot resolve your questions or concerns, you also have the right to seek legal remedy in a national court.

Changes to this notice

We may update this statement (and any supplemental data protection statement) from time to time. Where required by law, we will notify you of the changes; further, where required by law, we will also obtain your consent to the changes.

First version: April 19, 2024