Security and Privacy Notice

The privacy and security of your personal information is extremely important to us. Please read this privacy notice carefully, as it explains how and why we use your personal data, to make sure you stay informed so you can be confident when you share your information with us.

We will keep this privacy notice updated to show you all the things we do with your personal data. This notice applies if you are a member or use any of our services, attend our events, visit our website, email, call or write to us. In certain circumstances we may also provide an extra privacy notice, which will always refer to this notice.

We’ll never sell your personal data and will only share it with organisations we work with when it’s necessary and the privacy and security of your data is assured.


Who are we?

In this notice, whenever you see the words ‘we’, ‘us’, ‘our’ or ‘Boundless’, they refer to Boundless by CSMA, a trading name of Motoring & Leisure Services, a subsidiary of the Civil Service Motoring Association Limited (registered company number 02813598). We are authorised and regulated by the Financial Conduct Authority.

If you have any questions in relation to this privacy notice or how we use your personal data they should be sent to membership@boundless.co.uk, addressed to the Data Protection Officer, Boundless, Britannia House, 21 Station Street, Brighton, BN1 4DE or, if you wish to speak to us direct, call 03301 230 278 (lines open 8am-8pm Monday to Friday, 9am-5pm Saturday and Sunday).


What personal data do we collect?

Your personal data (which is any information relating to an identified or identifiable individual) will be collected and used by us. We’ll only collect the personal data that we need and when we do so, from 25 May 2018 we are subject to the General Data Protection Regulation (GDPR), which applies across the European Union (including the United Kingdom). We are responsible for your data as a ‘controller’ of any personal data we collect for the purposes of those laws.

We collect personal data in connection with specific activities such as registration or membership requests, placing an order, booking holidays, donations and conducting research.

You can give us your personal data by joining as a member, completing forms on our website, purchasing tickets to an event, registering to use our website, subscribing to take part in research, entering a competition, promotion or survey or by corresponding with us by phone, email or post.

The personal data you give us may include name, title, address, date of birth, email address, telephone number, photographs, testimonials, usernames, financial information and passwords.

Where personal data is required to provide services to you, it may delay or prevent us from providing those services to you if you do not provide the relevant personal data when we ask for it.


Personal data provided by you

This includes information you give when interacting with us, for example when you join, register, place an order or communicate with us, and can include:

  • Personal details (name, date of birth, email, address, telephone) when you join as a member or volunteer.
  • Financial information (payment information such as credit or debit card, and direct debit details).
  • Your opinions and attitudes about Boundless, our approved partners, holiday properties and membership experiences and activities.

If you buy membership as a gift, or recommend someone to join, your details will be recorded and your association with that relationship will be recorded. Data that is provided through our recommend a friend scheme will be used to send a recommendation email on your behalf. This data will not be used for any other marketing purposes and will be deleted after a period of three months subject to them joining.


Personal data we automatically collect

We may automatically collect the following information:

  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and if you access our website via your mobile device we will collect your unique phone identifier.
  • Information about your visit, including, but not limited to the full Uniform Resource Locators (URL) and query string, clickstream to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as but not limited to, scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number.
  • Information about your purchases including but not limited to revenue figures, the types of products purchased, membership applications, purchases, holiday bookings, recommendations and renewals.
  • The terms that you use to search our website.

Please note that certain services on our website are not available to you until you’ve joined and have registered to use our website.


Personal data collected by your involvement with us

Your activities and involvement with us will result in personal data being created. This could include details of how you’ve helped us by volunteering, when you have attended an event, if you have shown interest in joining the club or if you have purchased a product through one of our approved partners.

In certain cases, some of our approved partners may share details of your purchase. This data is then processed by us as we have a legitimate interest to ensure that benefits are only made available to our members. A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.


Information we generate

We conduct research and analysis on the information we hold, which can in turn generate personal data. For example, analysing your interests and which of our approved partners you transact with may help us build a profile, which will help us decide which of our communications are likely to interest you.


How we use your personal data

We’ll only use your personal data on relevant lawful grounds as permitted by the Data Protection Act 1998, GDPR (from 25 May 2018) and the Privacy of Electronic Communication Regulations 2003, and any successor legislation to these.

Under these data protection laws, we can only use your personal data if we have a proper reason for doing so, such as:

  • to comply with our legal and regulatory obligations;
  • for the performance of our contract with you or to take steps at your request before entering into a contract;
  • for our legitimate interests or those of a third party; or
  • where you have given consent.

Personal data provided to us will be used for the purpose or purposes outlined in any fair processing notice in a transparent manner at the time of collection or registration where appropriate, in accordance with any preferences you express. If we are asked by the police, law enforcement agency or any other regulatory or government authority investigating suspected illegal activities, we may need to disclose and exchange information with that authority to comply with our legal and regulatory obligations.

Below are the main uses of your data which depend on the nature of our relationship with you and how you interact with our various services, websites and activities.

Marketing communications

Your privacy is important to us, so we’ll always keep your details secure. We’d like to use your details to keep in touch about membership including the products and services available to you.

If you choose to hear from us we may send you information based on what is most relevant to you or the things you have told us that you like in your account preferences. We may also show you relevant content. This might be about membership, events, approved partner offers, and our holiday properties.

We will never share your information with companies outside of Civil Service Motoring Association Limited for inclusion in their marketing. We may, however, share cookie data with third parties to help with our own advertising targeting. If you agree to receive marketing information from us, you can change your mind at a later date.

If you do choose that you do not want to receive marketing communications, you won’t hear about some of the great things we’re doing, but you will still receive essential service messages and notifications about your membership.

Personal data you provide may be profiled to help us with targeted advertising. This includes, but is not limited to, Google AdWords, Google third-party partner websites and third-party social networking sites such as Facebook. For example:

  • We may host member email addresses on Google AdWords for the purpose of matching these addresses with Google accounts to create an audience list. This audience list may then be used for advertising and marketing re-targeting purposes on Google Search, YouTube and Gmail. All data hosted on Google AdWords will be kept confidential and secret, and won’t be used by Google to build or enhance profiles of Boundless members, in compliance with Google’s Customer Match policy.
  • We may host members’ email addresses on Facebook to enable Facebook to cross-check it with its data in order to create a list of matching users on Facebook. This list may then be used to ensure we don’t serve you online membership advertisements once you are already a member. The matched data is only used by Facebook to create this user list and this information is not distributed by Facebook in order to protect the privacy of the users. Once the Facebook user list is created all original data is deleted. The list of matching users will be used for advertising and marketing purposes on Facebook.

We may sometimes use third parties to capture some of our data on our behalf, but only when we are confident that the third party will treat your data securely, in accordance with our terms and in line with the requirements set out in the GDPR.

We’ll always act upon your choice of how you want to receive communications (for example, by email, post, phone or SMS). However there are some communications that we need to send. These are essential to fulfil our obligations to you as a member or partner. Examples are:

  • Transaction messaging, such as Direct Debit schedules, purchase confirmations, holiday booking confirmations.
  • Membership-related mailings such as welcome packs, renewal reminders, Boundless Magazines and notice of our Annual General Meeting.

Servicing your membership

We use personal data you provide to service your membership. This includes sending renewal information to annual members by mail and email, sending Boundless magazines and information about our Annual General Meeting. We also use your data to verify your membership when you contact member services or register on our website to manage your membership online.

We check your membership card to confirm eligibility at events to give you access to VIP add-ons and may contact you for feedback on your experiences at Boundless events that you may have attended.

Competition, gifts, rewards and incentives

We may sometimes use third parties to process our competitions, gifts, rewards and incentives on our behalf. Data cannot be used for any other purpose in this instance.

Retail sales, holidays and event management

We process customer data to fulfil retail activities, event tickets, and holiday bookings at our holiday properties. Your data will be used to communicate with you throughout the process, including confirmation of your order, payment and to confirm dispatch, to clarify where we may need more detail to fulfil your order or booking, or to resolve issues that may arise with your order or booking. We may use this data to keep you informed about sales or promotions that will be of interest to you based on previous purchases.


Research

We carry out research with our members, [staff and volunteers] to get feedback on their experience with us. We use this feedback to improve the experiences that we offer and to make sure our offers, content and partnerships are relevant and interesting to you.

If you choose to take part in our research, we’ll tell you when you start what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part.

We may give some of your personal data (for example, contact information) to a research agency who will carry out research on our behalf.


Updating your data and marketing preferences

We want you to remain in control of your personal data. If at any time, you want to update or amend your personal data or marketing preferences please contact us in the following ways:

Call Boundless:

0800 669944

Phone lines open 8am – 8pm Monday to Friday and 9am – 5pm Saturday and Sunday. Calls may be monitored and recorded for training purposes.


Update online:

Log in to your account and amend your preferences, or if you haven’t yet registered for an online account visit boundless.co.uk/register to create one.


Write to:

Data Protection Officer, Boundless, 21 Station Street, Brighton, BN1 4DE

Verification, updating and amendment of personal data will take place within 30 days of receipt of your request.


Cookies

Cookies are small text files stored on your computer when you visit certain websites. We use first party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. We also use third party cookies (cookies that are set by an organisation other than the owner of the website) for the purposes of website measurement and targeted advertising. You can control the use of cookies inside your browser settings. Further information can be found online at boundless.co.uk/cookiepolicy


Links to other websites

Our website contains links to approved partner websites and may from time to time link to partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these sites will operate under their own privacy notices. We do not accept any responsibility or liability for these policies. We advise users to read the privacy notices of other websites before registering any personal data. This privacy notice applies solely to the personal data collected by Boundless.


Keeping your personal data

We will only use and store your information for as long as it is required for the purposes it was collected for. We will, therefore, keep your personal data for as long as it is necessary:

  • to respond to any questions, complaints or claims made by you or on your behalf;
  • to show that we have treated you fairly; or
  • to keep records required by law.

We will not retain your personal data for longer than necessary for the purposes set out in this privacy notice. Different retention periods apply for different types of personal data.

When it is no longer necessary to retain your personal data, we will delete or anonymise it.


How we secure your data

Information system and data security is imperative to us to ensure that we are keeping our members safe.

We carefully assess, manage and protect new and existing systems to ensure that they are up to date and secure against ever changing threats. We will also limit access to your personal data to those who have a genuine business need to access it. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality.

All our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibility and requirements set out in our information security policies.

When you trust us with your personal data we will always keep your information secure to maintain your confidentiality. We use strong encryption when your information is stored or in transit to minimise the risk of unauthorised access or disclosure.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.


Disclosing your information to third parties

When we allow third parties acting on behalf of Boundless to access your information, we will always have complete control of what they see, how long they see it and what they are allowed to do with it by imposing strict contractual obligations on them. We do not sell or share your personal information for other organisations to use.

Personal data collected and processed by us may be shared with the following groups where necessary:

  • Boundless employees and volunteers.
  • Third party fulfilment partners.
  • Third party cloud hosting and IT infrastructure providers who host the website and provide IT support in respect of the website.

Also, under strict controlled conditions:

  • Contractors
  • Service providers providing services to us
  • Advisors
  • Agents
  • Auditors

We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use or cookie policy and other agreements; or to protect the rights, property, or safety of Boundless, our members, volunteers and employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

For a list of companies we share data with please visit boundless.co.uk/thirdparties


Where your personal data is held

Your personal data may be held at our offices and at those of third party agencies, service providers, representatives and agents as described above (see above: ‘Disclosing your information to third parties’).

Some of these third parties may be based outside of the European Economic Area (EEA). For more information, including how we safeguard your personal data when this occurs, see below: ‘Transferring your personal data out of the EEA’.


Transferring your personal information out of the EEA

We may transfer your personal information to countries which are located outside the EEA. Whenever we do this, we ensure a similar degree of protection is afforded to your personal information by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

If you would like further information, please contact us at membership@boundless.co.uk or telephone: 03301 230 278.


Your rights

You have the following rights, which you can exercise free of charge:

Access

The right to be provided with a copy of your personal information (the right of access)

Rectification

The right to require us to correct any mistakes in your personal information

To be forgotten

The right to require us to delete your personal information—in certain situations

Restriction of processing

The right to require us to restrict processing of your personal information—in certain circumstances, for example, if you contest the accuracy of the data

Data portability

The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations

To object

The right to object:
—at any time to your personal information being processed for direct marketing (including profiling);
—in certain other situations to our continued processing of your personal information, for example, processing carried out for the purpose of our legitimate interests.

Not to be subject to automated individual decision-making

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you


For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • send a written request by either email or letter to our Data Protection Officer (please see ‘Who are we?’);
  • let us have enough information to identify you;
  • let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
  • let us know what right you want to exercise and the information to which your request relates.

How to complain

We hope that our Data Protection Officer can resolve any query or concern you raise about our use of your information.

The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.


Changes to this privacy notice

We’ll amend this privacy notice from time to time to ensure it remains up to date and reflects why we collect and use your personal data. Please visit our website to keep up to date with any changes. The current version will always be posted on our website - boundless.co.uk

This privacy notice was last updated on 21st May 2018.


Do you need extra help?

If you would like this notice in another format (for example, large print or braille), please contact us at membership@boundless.co.uk or telephone: 03301 230 278.