Boundless Our Communities Privacy Notice

The privacy and security of your personal information is extremely important to us. Please read this privacy notice carefully, as it explains how and why we use your personal data, to make sure you stay informed, so you can be confident when you share your information with us.

The purpose of this privacy is to inform you on how your personal data is used by us here at Boundless by CSMA when you either:

  1. express an interest in an event through our website
  2. express an interest in a member communities’ group
  3. sign up to receive a newsletter from a Special Interest Group
  4. enter a competition or;
  5. join the Boundless Foundation Lottery

This privacy notice is related to these specific purposes only and is in supplement to our main privacy policy which can be found at

Who are we?

In this policy whenever you see the words ‘we’, ‘us’, ‘our’, or ‘Boundless’, it refers to Boundless by CSMA, a trading name of Motoring & Leisure Services, a subsidiary of the Civil Service Motoring Association Limited (registered company number 02813598) and we are authorised and regulated by the Financial Conduct Authority.

If you have any questions in relation to this privacy policy or how we use your personal data, you can contact us in any of the following ways:

  • Email:
  • Post: Member Services, Boundless, Britannia House, 21 Station Street, Brighton BN1 4DE
  • Telephone: 03301 230278 (Lines open: 8 - 6 Monday - Friday, 9 - 5 Saturday, closed Sunday)

We have a Data Protection Officer who will be happy to answer any questions or concerns you might have. You can contact Andrew Hunter directly at

Some events and activities that our community and interest groups promote are provided by third parties – you should check before providing information regarding booking an activity or event.

What Personal Data do we Collect?

Personal data is any information that can be used to identify an individual personally, that is collected, stored and used by us. We’ll only collect the personal data that we need, and when we do we are subject to the General Data Protection Regulation (GDPR) which applies across the European Union (including the United Kingdom). We are responsible for your data as a ‘controller’ of any personal data in the various activities listed, although the Boundless Lottery is provided by a third party who act as Data Controller (see below for further details).

The key reasons we will collect data include:

1 – When you express an interest in an event, we but send your email address and name to the volunteer who is the organiser of the event. Some events do have links to third party sites or provide instructions to book direct through third parties – we do not pass your personal information to others. Any further interaction with volunteers you may take is beyond our scope as data controller.

2 – When you register an interest in a volunteer group, a record is made on your membership account. The email address held on your account will be used to keep you up to date from time to time about the group’s events, activities and news. You can leave the group at any time.

3 – When you sign up to a group newsletter, depending on your preference the contact details held on your membership account will be used to send newsletters regarding the group you have signed up to.

4 – If you enter a competition, there are specific terms and conditions that are applicable. We only collect the fact you have entered the competition and no further information. In some circumstances where further personal data is collected, we will explain through a privacy notice of this.

5 – The Boundless Foundation Lottery is operated as a subscription-based Society Lottery under the gambling Act 2005 and is licensed by Gambling Commission under the license held by Charities Trust. The lottery is administered by Stirling Management Centre Limited; a certified External Lottery Manager by the Gambling Commission and they have their own terms and conditions and act as the data controller. We verify that those taking part are valid members and eligible to claim a prize.

How will we use your Personal Data?

When you provide your details to us, we will process your personal data only for the set out in the terms and conditions. This includes:

Ref Personal data processed Purpose of processing Lawful basis for processing
1 Name and email address When expressing an interest in an event, we send your details to the event organiser. Legitimate Interest – providing your interest to the orgainser
2a Membership number, name, email To send you relevant information about the group you have joined. Consent – you can leave the group at any time or unsubscribe from emails
2b Membership number, name, email To send you relevant offers and benefits that are linked to an interest group you have joined. Consent – you can withdraw your consent at any time
3 Membership number, name, email or postal address To send you a newsletter or handbook you have signed up to. Consent – you can leave the group at any time or unsubscribe from receiving newsletters at any time.
4a Membership Number, competition name To enter your competition entry Contract – competition terms and conditions
4b Name, email address To send confirmation of competition entry Legitimate Interest – to inform you of your entry
4c Membership number Automated process that selects a winner Contract – competition terms and conditions
4d Email address, name, membership number To contact prize draw winners Carrying out our contractual obligations as with our terms
5a Membership number, name To validate winner details as eligible members for lottery prizes Contract – as stated in the terms and conditions of the Boundless Foundation Lottery
5b Membership number, name, address To validate eligible members only are playing the lottery Contract – as stated in the terms and conditions of the Boundless Foundation Lottery
5c Membership number, name, contact details To contact you if you are no longer eligible to play the lottery Legitimate Interest – only eligible members can take part in the lottery
5c Membership number, name, contact details To inform you if you have won Contract – as stated in the terms and conditions of the Boundless Foundation Lottery
5d Membership number, name, contact details To inform you if you have won Contract – as stated in the terms and conditions of the Boundless Foundation Lottery

Updating your data and marketing preferences

We want you to remain in control of your personal data. If at any time, you want to update or amend your personal data or to opt out of being a member of the panel, you can:

Call Boundless:

0800 669944

Phone lines open 8am – 6pm Monday to Friday and 9am – 5 pm Saturday. Calls may be monitored and recorded for training purposes.

Update online:

Log into your account and amend your preferences

Write to:

Member Services, Britannia House, 21 Station Street, Brighton, BN1 4DE

Verification, updating and amendment of personal data will take place within 30 days of receipt of your request.

To unsubscribe from marketing emails, simply either log onto your account via the website and amend your preferences, or you can click on the unsubscribe link that can be found at the bottom of all our marketing email communications.

Cookies and our website

Our various websites allow anyone to view them, and some data is collected (see section 2c). For full access to the website, members are required to log on to the site. This requires registration data to be collected and stored, consisting of email address, password and membership number.

Cookies are small text files stored on your computer when you visit certain websites. We use first-party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. We also use third-party cookies (cookies that are set by an organisation other than the owner of the website) for the purposes of website measurement and targeted advertising.

In order to comply with the rules around cookies and other related tracking, our websites have a cookie management tool through One Trust, which places the control of data collection in your hands. Further information can be found in our cookie policy.

Keeping your personal data

We will only use your information for as long as it is required for the purpose it was collected for. If we collect your personal information, the length of time we retain it is determined by a number of factors, including the purpose for which we use that information and our obligations under other laws. We will, therefore, keep your personal data for as long as it is necessary once the primary purpose has expired:

  • to respond to any questions, complaints or claims made by you or on your behalf
  • to show that we have treated you fairly or to keep records required by law

We are also required to hold certain information regarding payments under the VAT Act 1994 and HMRC Notice 700/21 as well as under the consumer regulations. This act states either you or we may bring a claim for breach of contract within six years of the event giving rise to a breach. In order that we may defend or bring a breach of contract claim (and to comply with disclosure requirements) we keep your account record for seven years after the end of your last paid membership. This period takes into account the four-month period during which a claim form, issued on the last day of the limitation period, remains valid for service and for any extension for service which may be granted by the court.

When it is no longer necessary to retain your personal data, we will delete or anonymise it.

How we secure your data

Information and data security is imperative to us to ensure that we are keeping our members safe. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable information. We have taken technical and organisational measures to secure your data, including:

  • This website has a secure https:// address (URL). This means that a SSL certificate is in place so that if you submit any data via the website, then your information is encrypted whilst it is being transmitted to the applicable database or email server
  • We limit access to your personal data to those who have a genuine business need to access it. Only employees who need the information to perform a specific job are provided with access to your data. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality. Contracts will be in place to protect any personal data
  • All our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibility and requirements set out in our information security policies
  • We conduct privacy impact assessments in accordance with data-privacy guidelines
  • We implement appropriate measures and controls, including monitoring and physical measures, to the processing and storage of data
  • We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so
  • We require, through the use of contract and security reviews, our third-party vendors and providers to protect any personal information with which they are entrusted in accordance with our own policies and procedures
  • We invite third-party auditors to measure our compliance with a variety of regulations, including data privacy and for accounting purposes
  • When we use Legitimate Interest as a legal basis for processing personal data, we conduct a Legitimate Interest Assessment in line with recommendations from the ICO. This balance test looks at the protection of your rights and data with our use of such data. These assessments are reviewed by our Data Protection Officer to ensure the rights of members is maintained.

Who we share your Personal Data with and where is it held

When we allow third parties acting on behalf of Boundless to access your information, we will always have complete control of what they see, how long they see it and what they are allowed to do with it by imposing strict contractual obligations on them such as data-sharing agreements. We do not sell or share your personal information for other organisations to use.

Personal data collected and processed by us may be shared with the following groups where necessary:

  • Boundless employees
  • Boundless volunteers
  • Third party fulfilment partners
  • Third party cloud hosting and IT infrastructure providers who host the website and provide the booking platform.

We may also disclose your personal information to third parties if we are under the duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property, or safety of Boundless, our members, volunteers and employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

Your personal data is primarily held in our databases, which are Microsoft systems located in the EU. Your data may be held at our offices, third-party agencies, services providers, representatives and agents as described earlier.

We do not transfer or share any membership data outside of the European Economic Area (EEA).

Your Privacy Rights

In addition to the right to be informed about how we use your personal data (as set out in this privacy notice), you have various other rights in respect of the personal data we hold about you.

Access The right to be provided with a copy of your personal information (the right of access)
Rectification The right to require us to correct any mistakes in your personal information
To be forgotten The right to require us to delete your personal information – in certain situations
Restriction of processing The right to require us to restrict processing of your personal information – in certain circumstances, for example, if you contest the accuracy of the data
Data portability The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations
To object The right to object:
  • – at any time to your personal information being processed for direct marketing (including profiling);
  • – in certain other situations to our continued processing of your personal information, for example, processing carried out for the purpose of our legitimate interests.
Not to be subject to automated individual decision-making The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

Currently the only automated decision making is around Boundless members who qualify for motor legal expenses as part of their membership and those who do not. This is detailed in section 4b(x).
Right to withdraw consent If you have given us your consent to use your personal information, you can withdraw your consent at any time. This might impact our ability to provide goods and services to you

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • Send a written request by either email or letter to our Data Protection Officer (please see ‘Who We Are’)
  • email, call or write to our Data Protection Officer (please see ‘Who We Are’)
  • let us have enough information to identify you
  • let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
  • let us know what right you want to exercise and the information to which your request relates

Your Right to Complain

If you have any queries, concerns or wish to make a complaint you should contact our Membership Services Team on or by calling 03301 230278. Alternatively, you can contact our Data Protection Officer with any query or concern about the use of your information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: 0303 123 1113.

Questions about this Privacy Notice

If you have any questions in relation to this privacy notice or how we use your personal data, we can be contacted by:

  • Email –
  • Post – Member Events, Boundless, 21 Station Street, Brighton, BN1 4DE
  • Telephone – call 03301 230374 (lines open daily 8-6 Mon – Fri & 9-5 Sat)
  • We also have a Data Protection Officer who is happy to answer any questions or concerns you might have. You can contact him in writing at the address above or by email

This Notice

This notice was last updated in August 2020