Boundless Privacy Centre

Back to


Boundless Business to Business Privacy Notice

The privacy and security of your personal information is extremely important to us. Please read this privacy notice carefully, as it explains how and why we use your personal data, to make sure you stay informed, so you can be confident when you share your information with us.

The purpose of this privacy notice is to inform you on how your personal data is used by us here at Boundless when you engage with us on behalf of your employer or business, or when we engage with you about working together on a business to business basis.

1) Who we are

In this policy whenever you see the words ‘we’, ‘us’, ‘our’, or ‘Boundless’, it refers to Boundless by CSMA, a trading name of Motoring & Leisure Services, a subsidiary of the Civil Service Motoring Association Limited (registered company number 02813598) and we are authorised and regulated by the Financial Conduct Authority.

If you have any questions in relation to this privacy policy or how we use your personal data, you can contact us in any of the following ways:

  • Email:
  • Post: Member Services, Boundless, Britannia House, 21 Station Street, Brighton BN1 4DE
  • Telephone: 03301 230278 (8am – 8pm Monday to Friday, 9am – 5pm Saturday and Sunday).

We also have a friendly Data Protection Officer who will be happy to answer any questions or concerns you might have. You can contact him directly at

2) Our commitment to you

The security of personal information is extremely important to us and we are committed to protecting and respecting your privacy. In this notice we aim to be honest and clear about how we handle the information we collect from you or create about you. We will detail how we collect, use and safeguard your personal information and any conditions under which we may need to share personal information.

We will also cover how information may be used for marketing and communication activities, your choices in this regard, your privacy rights and how the law protects you.

We’ll never sell your personal data and will only share it with organisations we work with when necessary and the privacy and security of your data is assured.

We will keep this privacy policy updated to show you all the things we do with your personal data.

3) What personal data do we collect and how?

Personal data is any information that can be used to identify an individual personally, that is collected, stored and used by us. We’ll only collect the personal data that we need, and when we do we are subject to the General Data Protection Regulation (GDPR) which applies across the European Union (including the United Kingdom). We are responsible for your data as a ‘controller’ of any personal data we collect for the purposes of those laws.

3a) The types of personal data we collect

This includes information you give when interacting with us, for example when you complete an online form to request information from us or to make an enquiry and may include:

  • Name, address, date of birth, email address, telephone number
  • Details of your business, your role or position, job title, company size
  • If using our website, we may collect technical information such as including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time-zone setting, browser plug-in types and versions, operating system and platform and, if you access our website via your mobile device, we will collect your unique phone identifier

There may be other times that we collect and process your information – we will inform you through additional privacy notices regarding these activities at the time.

3b) How we collect your personal data and why we have it

We collect your information usually directly from you, either through an online form, face to face or through online media platforms via a webform, such as on Linkedin or Facebook. We may also collect your information from publicly available sources such as your company website.

We will use your information to provide you with some information about who we are and what we do and where consent is given by yourself we will send you further information about us. If we have collected your information from a publicly available source, we may make an introductory call to introduce who we are and ensure you are happy to be contacted further.

4) How we use your personal data

Our primary goal in collecting personal information from you is to provide you with information about Boundless and how we can support you as an employer and what we can offer your employees. We’ll only use your personal data on relevant lawful grounds as permitted by the Data Protection Act 2018, GDPR and the Privacy of Electronic Communication Regulations 2003, and any successor legislation to these.

Under these data-protection laws, we can only use your personal data if we have a proper reason for doing so, such as:

  • to comply with our legal and regulatory obligations
  • for the performance of our contract with you or to take steps at your request before entering into a contract
  • for our legitimate interests or those of a third party, or
  • where you have given consent

If we are asked by the police, law-enforcement agency or any other regulatory or government authority investigating suspected illegal activities, we may need to disclose and exchange information with that authority to comply with our legal and regulatory obligations.

Below are the key times and purposes we will process your data and under what lawful basis:


Personal data processed

Purpose of processing

Lawful basis for processing


Name, email address

To send you an introductory email when you have provided us with your information.

Legitimate interest – responding to your request for information


Name, telephone number

When collected from a public place, to offer further information about working together.

Legitimate interest – business interest in providing a service to your business


Name, email address

Sending emails to provide information about us.

Consent – you can change your consent at any time


Email address

To add your email to the subscription list for the sending of a weekly email

Consent – you can change your consent at any time


Technical and usage data

To use data analytics to improve our website, marketing and experience.

Legitimate interest

5) Updating your data and marketing preferences

We want you to remain in control of your personal data. If at any time, you want to update or amend your personal data or marketing preferences please contact us in the following ways:

Call Boundless:

tel:0800 669944

Phone lines open 8am – 6pm Monday to Friday and 9am – 5 pm Saturday. Calls may be monitored and recorded for training purposes.

Write to:

Member Services, Britannia House, 21 Station Street, Brighton, BN1 4DE

Verification, updating and amendment of personal data will take place within 30 days of receipt of your request.

To unsubscribe from marketing emails, simply click on the unsubscribe link that can be found at the bottom of all our marketing email communications.

6) Cookies and our website

Cookies are small text files stored on your computer when you visit certain websites. We use first-party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. We also use third-party cookies (cookies that are set by an organisation other than the owner of the website) for the purposes of website measurement and targeted advertising.

In order to comply with the rules around cookies and other related tracking, our websites have a cookie management tool through One Trust, which places the control of data collection in your hands. Further information can be found in our cookie policy.

7) Keeping your personal data

We will only use your information for as long as it is required for the purpose it was collected for. If we collect your personal information, the length of time we retain it is determined by a number of factors, including the purpose for which we use that information and our obligations under other laws. We will, therefore, keep your personal data for as long as it is necessary once the primary purpose has expired:

  • to respond to any questions, complaints or claims made by you or on your behalf
  • to show that we have treated you fairly or to keep records required by law

In general terms, this means we will retain your data only for the period we remain in contact with each other and you consent for us to do so.

When it is no longer necessary to retain your personal data, we will delete any personal information we may have on an individual person, but main retain business information for a period of time to ensure we do not attempt to contact your business again for a period of time.

8) How we secure your data

Information and data security is imperative to us to ensure that we are keeping our members safe. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable information. We have taken technical and organisational measures to secure your data, including:

  • This website has a secure https:// address (URL). This means that an SSL certificate is in place so that if you submit any data via the website, then your information is encrypted whilst it is being transmitted to the applicable database or email server
  • We limit access to your personal data to those who have a genuine business need to access it. Only employees who need the information to perform a specific job are provided with access to your data. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality. Contracts will be in place to protect any personal data
  • All our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibility and requirements set out in our information security policies
  • We conduct privacy impact assessments in accordance with data-privacy guidelines
  • We implement appropriate measures and controls, including monitoring and physical measures, to the processing and storage of data
  • We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so
  • We require, through the use of contract and security reviews, our third-party vendors and providers to protect any personal information with which they are entrusted in accordance with our own policies and procedures
  • We invite third-party auditors to measure our compliance with a variety of regulations, including data privacy and for accounting purposes
  • When we use Legitimate Interest as a legal basis for processing personal data, we conduct a Legitimate Interest Assessment in line with recommendations from the ICO. This balance test looks at the protection of your rights and data with our use of such data. These assessments are reviewed by our Data Protection Officer to ensure the rights of members is maintained.

9) Disclosing your information to third parties

When we allow third parties acting on behalf of Boundless to access your information, we will always have complete control of what they see, how long they see it and what they are allowed to do with it by imposing strict contractual obligations on them such as data-sharing agreements. We do not sell or share your personal information for other organisations to use.

Personal data collected and processed by us may be shared with the following groups where necessary:

  • Boundless employees
  • Third-party cloud hosting and IT infrastructure providers who host the website and provide IT support in respect of the website
  • Also, under strict contractually controlled conditions:

  • Contractors
  • Service providers providing services to us
  • Advisors
  • Agents
  • Auditors

We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use or cookie policy and other agreements; or to protect the rights, property, or safety of Boundless, our members, volunteers and employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

10) Where your personal data is held

Information system and data security is imperative to us to ensure that we are keeping our members safe.

Your personal data is primarily held in a system called Hubspot, who act as a data processor for us, with necessary data processing agreements and terms in pace to ensure your information remains secure and only used for the purposes we have set out.

We do not transfer or share any membership data outside of the European Economic Area (EEA).

11) Your rights

You have the following rights, which you can exercise free of charge:


The right to be provided with a copy of your personal information (the right of access)


The right to require us to correct any mistakes in your personal information

To be forgotten

The right to require us to delete your personal information – in certain situations

Restriction of processing

The right to require us to restrict processing of your personal information – in certain circumstances, for example, if you contest the accuracy of the data

Data portability

The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations

Data portability

The right to object:

  • at any time to your personal information being processed for direct marketing (including profiling);
  • in certain other situations to our continued processing of your personal information, for example, processing carried out for the purpose of our legitimate interests.

Data portability

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

Currently the only automated decision making is around Boundless members who qualify for motor legal expenses as part of their membership and those who do not. This is detailed in section 4b(x).

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • Send a written request by either email or letter to our Data Protection Officer (please see ‘Who We Are’)
  • let us have enough information to identify you
  • let us have proof of your identity and let us know what right you want to exercise and the information to which your request relates

12) How to complain

If you have any queries, concerns or wish to make a complaint you should contact our Membership Services Team on or by calling 03301 230278. Alternatively, you can contact our Data Protection Officer with any query or concern about the use of your information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: 0303 123 1113.

Changes to this privacy notice

We will amend this privacy notice from time to time to ensure it remains up to date and reflects why we collect your personal data. Please visit our website to keep up to date with any changes. The current version will always be posted on our website

Do you need extra help?

If you would like this notice in another format (for example, large print or braille), please contact at or telephone: 03301 230374.