Security and Privacy Notice

The privacy and security of your personal information is extremely important to us. Please read this privacy notice carefully, as it explains how and why we use your personal data, to make sure you stay informed, so you can be confident when you share your information with us.

We will keep this privacy notice updated to show you all the things we do with your personal data. This notice applies if you are a member or use any of our services, attend our events, visit our website, email, call or write to us. In certain circumstances we may also provide an extra privacy notice, which will always refer to this notice.

We’ll never sell your personal data and will only share it with organisations we work with when it’s necessary and the privacy and security of your data is assured.

Sections within this policy:

  1. Who are we?
  2. Collection of personal data
  3. How we use your personal data
  4. Updating your marketing preferences
  5. Storage and retention of data
  6. Sharing data with third parties
  7. Our Websites
  8. Your rights
  9. How to complain
  10. Additional help
  11. Updates to this policy

1 Who are we?

In this notice whenever you see the words ‘we’, ‘us’, ‘our’, ‘Boundless’, it refers to Boundless by CSMA a trading name of Motoring & Leisure Services a subsidiary of the Civil Service Motoring Association Limited. Our registered office is at Britannia House, 21 Station Street, Brighton, BN1 4DE and registered company number 02813598. We are authorised and regulated by the Financial Conduct Authority.

If you have any questions in relation to this privacy notice or how we use your personal data, we can be contacted by:

  • Email -
  • Post - Member Services, Boundless, Britannia House, 21 Station Street, Brighton, BN1 4DE
  • Telephone - call 03301 230 278 (lines open 8am-8pm Monday to Friday, 9am-5pm Saturday and Sunday).

We also have a Data Protection Officer, Andy, who is happy to answer any questions or concerns you might have. You can contact him in writing at the address above or by email

2 Collection of personal data

2a What personal data do we collect

Your personal data (which is any information relating to an identified or identifiable individual) will be collected and used by us. We’ll only collect the personal data that we need, and when we do so we are subject to the General Data Protection Regulation (GDPR) which applies across the European Union (including the United Kingdom). We are responsible for your data as a ‘controller’ of any personal data we collect for the purposes of those laws.

We collect personal data in connection with specific activities such as registration or membership requests, placing an order, booking holidays, donations and conducting research.

You can give us your personal data by joining as a member, completing forms on our website, purchasing tickets to an event, registering to use our website, subscribing to take part in research, entering a competition, promotion or survey or by corresponding with us by phone, email or post.

The personal data you give us may include name, title, address, date of birth, email address, telephone number, photographs, testimonials, usernames, financial information and passwords.

Where personal data is required to provide services to you, it may delay or prevent us from providing those services to you if you do not provide the relevant personal data when we ask for it.

2b Personal data provided by you

This includes information you give when interacting with us, for example when you join, register, renew, place an order or communicate with us, enter a competition or join the lottery, attend an event or visit a Boundless retreat and can include:

  • Personal details (name, date of birth, email, address, telephone) when you join as a member or volunteer.
  • Financial information (payment information such as credit or debit card, and direct debit details).
  • Your opinions and attitudes about Boundless, our approved partners, holiday properties and membership experiences and activities.

If you buy membership as a gift, or recommend someone to join, your details will be recorded and your association with that relationship will be recorded. Data that is provided through our recommend a friend scheme will be used to send a recommendation email on your behalf. This data will not be used for any other marketing purposes and will be deleted after a period of three months subject to them joining.

Boundless Champions

If you register an interest to become a Boundless Champion, your details will be recorded and we will use these details to contact you about the Boundless Champions scheme. This data will be held for a period of three months subject to you becoming a Boundless Champion, and you are able to opt out of us contacting you at any time.

If you become a Boundless Champion, you will either already be an existing member or we will provide you with Boundless membership and your data will be used as explained in this notice. Conditions apply to the Boundless Champion scheme - these can be found at

Boundless Volunteers

If you become a Boundless Volunteer, we may request additional information from you. Volunteers who serve on a committee will be required to provide additional information about themselves. This will be explained at the time you become a committee member as we will use your personal information for additional reasons than set out in this notice. Conditions apply to being a Boundless Volunteer which are available upon request.

2c Personal data we automatically collect

We may automatically collect the following information:

  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and if you access our website via your mobile device we will collect your unique phone identifier.
  • Information about your visit, including, but not limited to the full Uniform Resource Locators (URL) and query string, clickstream to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as but not limited to, scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number.
  • Information about your purchases including but not limited to revenue figures, the types of products purchased, membership applications, purchases, holiday bookings, recommendations and renewals.
  • The terms that you use to search our website.

Please note that certain services on our website are not available to you until you’ve joined and have registered to use our website.

2d Personal data collected by your involvement with us

Your activities and involvement with us will result in personal data being created. This could include details of how you’ve helped us by volunteering, when you have attended an event, if you have shown interest in joining the club or if you have purchased a product through one of our approved partners.

In certain cases, some of our approved partners or those who provide access to benefits on our behalf may share details of your purchase with us. This data is then processed by us as we have a legitimate interest to ensure that benefits are only made available to our members. A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

2e Information we generate

We conduct research and analysis on the information we hold, which can in turn generate personal data. For example, by analysing your interests and which of our approved partners you transact with may be able to help us build a profile which will help us decide which of our communications are likely to interest you.

3 How we use your data

We’ll only use your personal data on relevant lawful grounds as permitted by the Data Protection Act 2018, GDPR and the Privacy of Electronic Communication Regulations 2003, and any successor legislation to these.

Under these data protection laws, we can only use your personal data if we have a proper reason for doing so, such as:

  • to comply with our legal and regulatory obligations;
  • for the performance of our contract with you or to take steps at your request before entering into a contract;
  • for our legitimate interests or those of a third party; or
  • where you have given consent.

Personal data provided to us will be used for the purpose or purposes outlined in any fair processing notice in a transparent manner at the time of collection or registration where appropriate, in accordance with any preferences you express. If we are asked by the police, law enforcement agency or any other regulatory or government authority investigating suspected illegal activities, we may need to disclose and exchange information with that authority to comply with our legal and regulatory obligations.

Below are the main uses of your data which depend on the nature of our relationship with you and how you interact with our various services, websites and activities.

3a Marketing communications

Your privacy is important to us, so we’ll always keep your details secure. We’d like to use your details to keep in touch about membership including the products and services available to you.

If you choose to hear from us we may send you information based on what is most relevant to you or the things you have told us that you like in your account preferences. We may also show you relevant content. This might be about membership, events, approved partner offers, and our holiday properties.

We will never share your information with companies outside of Civil Service Motoring Association Limited (“CSMA”) for inclusion in their marketing. We may, however, share cookie data with third parties to help with our own adverting targeting. If you agree to receive marketing information from us, you can change your mind at any time. You can manage how we communicate to you via your online account or by contacting us by email or telephone.

If you do choose that you do not want to receive marketing communications, you won’t hear about some of the great things we’re doing, but you will still receive essential service messages and notifications about your membership.

Personal data you provide may be profiled to help us with targeted advertising. This includes, but is not limited to, Google AdWords, Google third-party partner websites and third-party social networking sites such as Facebook. For example:

  • We may host member email addresses on Google AdWords for the purpose of matching these addresses with Google accounts to create an audience list. This audience list may then be used for advertising and marketing re-targeting purposes on Google Search, YouTube and Gmail. All data hosted on Google AdWords will be keep confidential and secret, and won’t be used by Google to build or enhance profiles of Boundless members, in compliance with Google’s Customer Match policy.
  • We may host members’ email addresses on Facebook to enable Facebook to cross-check it with its data in order to create a list of matching users on Facebook. This list may then be used to ensure we don’t serve you online membership advertisements once you are already a member. The matched data is only used by Facebook to create this user list and this information is not distributed by Facebook in order to protect the privacy of the users. Once the Facebook user list is created all original data is deleted. The list of matching users will be used for advertising and marketing purposes on Facebook.

We may sometimes use third parties to capture some of our data on our behalf, but only when we are confident that the third party will treat your data securely, in accordance with our terms and in line with the requirements set out in the GDPR.

We’ll always act upon your choice of how you want to receive communications (for example, by email, post, phone or SMS). However there are some communications that we need to send. These are essential to fulfil our obligations to you as a member or partner. Examples are:

  • Transaction messaging, such as Direct Debit schedules, purchase confirmations, holiday booking confirmations.
  • Membership-related mailings such as welcome packs, renewal reminders, Boundless Magazines and notice of the CSMA Annual General Meeting.

3b Servicing your membership

We use personal data you provide to service your membership. This includes sending renewal information to annual members by mail and email, sending Boundless magazines and information about the CSMA Annual General Meeting. We also use your data to verify your membership when you contact member services or register on our website to manage your membership online.

We check your membership card to confirm eligibility at events to give you access to VIP add-ons and may contact you for feedback on your experiences at Boundless events that you may have attended.

3c Competitions, gifts, rewards and incentives

We may sometimes use third parties to process our competitions, lottery, gifts, rewards and incentives on our behalf. Data cannot be used for any other purpose in this instance

3d Retail sales, holidays and event management

We process customer data to fulfil retail activities, event tickets, and holiday bookings at our holiday properties. Your data will be used to communicate with you throughout the process, including confirmation of your order, payment and to confirm dispatch, to clarify where we may need more detail to fulfil your order or booking, or to resolve issues that may arise with your order or booking. We may use this data to keep you informed about sales or promotions that will be of interest to you based on previous purchases depending on your marketing permissions.

3e Research

We carry out research with our members, staff and volunteers to get feedback on their experience with us. This can be through a variety of means, including feedback forms, surveys, focus groups, reviews or other methods. We use this research to improve the experiences that we offer and to make sure our offers, content and partnerships are relevant and interesting to you.

If you choose to take part in our research, we’ll tell you when you start what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part.

We may give some of your personal data (for example, contact information) to a research agency who will carry out research on our behalf.

4 Updating your marketing preferences

We want you to remain in control of your personal data. If at any time, you want to update or amend your personal data or marketing preferences please contact us in the following ways:

Call Boundless:
0800 669944

Phone lines open 8am – 8pm Monday to Friday and 9am – 5 pm Saturday and Sunday. Calls may be monitored and recorded for training purposes.

Update online:
Log in to your account and amend your preferences, or if you haven’t yet registered for an online account visit to create one.

Write to:
Member Services, Britannia House, 21 Station Street, Brighton, BN1 4DE

Verification, updating and amendment of personal data will take place within 30 days of receipt of your request.

5 Storage and retention of data

5a Keeping your personal data

We will only use and store your information for as long as it is required for the purposes it was collected for. We will, therefore, keep your personal data for as long as it is necessary:

  • to respond to any questions, complaints or claims made by you or on your behalf;
  • to show that we have treated you fairly; or
  • to keep records required by law.

We will not retain your personal data for longer than necessary for the purposes set out in this privacy notice. Different retention periods apply for different types of personal data.

When it is no longer necessary to retain your personal data, we will delete or anonymise it.

Once your membership ends, your records will continue to be stored for a period of time to allow you to re-activate your account within a certain timeframe. If you chose to renew your membership with Boundless by CSMA you will need to re-confirm your agreement to the Terms and Conditions and marketing preferences.

5b How we secure your information

Information system and data security is imperative to us to ensure that we are keeping our members safe.

We carefully assess, manage and protect new and existing systems to ensure that they are up to date and secure against ever changing threats. We will also limit access to your personal data to those who have a genuine business need to access it. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality.

All our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibility and requirements set out in our information security policies.

When you trust us with your personal data we will always keep your information secure to maintain your confidentiality. We use a strong encryption when your information is stored or in transit to minimise the risk of unauthorised access or disclosure.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

5c Where your personal data is held

Information system and data security is imperative to us to ensure that we are keeping our members safe.

Your personal data may be held at our offices, third party agencies, services providers, representatives and agents as described above (see above: ‘Disclosing your information to third parties’)

Some of these third parties may be based outside of the European Economic Area (EEA). For more information, including how we safeguard your personal data when this occurs, see below: ‘Transferring your personal data out of the EEA’.

6 Sharing data with third parties

6a Disclosing your information to third parties

When we allow third parties acting on behalf of Boundless to access your information, we will always have complete control of what they see, how long they see it and what they are allowed to do with it by imposing strict contractual obligations on them. We do not sell or share your personal information for other organisations to use.

Personal data collected and process by us may be shared with the following groups where necessary:

  • Boundless employees and volunteers.
  • Third party fulfilment partners or those third parties who provide access to benefits.
  • Third party partner who will capture your view on your membership so that we can continue to improve our service to you.
  • Third party cloud hosting and IT infrastructure providers who host the website and provide IT support in respect of the website.

Also, under strict controlled conditions:

  • Contractors
  • Service provides providing services to us
  • Advisors
  • Agents
  • Auditors

We may also disclose your personal information to third parties if we are under the duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use or cookie policy and other agreements; or to protect the rights, property, or safety of Boundless, our members, volunteers and employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

For a list of companies we share data with please visit

6b Transferring your personal information out of the EEA

We may transfer your personal information to countries which are located outside the EEA. Whenever we do this, we ensure a similar degree of protection is afforded to your personal information by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.

If you would like further information, please contact us at or telephone: 03301 230 278

7 Our websites

Our various websites allow anyone to view them, and some data is collected (see section 2c). For full access to the website, members are required to log into the site. This requires registration data to be collected and stored, that consists of an email address, password and membership number.

7a Cookies

Cookies are small text files stored on your computer when you visit certain websites. We use first party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. We also use third party cookies (cookies that are set by an organisation other than the owner of the website) for the purposes of website measurement and targeted advertising. You can control the use of cookies inside your browser settings. Further information can be found online at

7b Links to other sites

Our website contains links to approved partner websites and may from time to time link to partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these sites will operate under their own privacy notices. We do not accept any responsibility of liability for these policies. We advise users to read the privacy notices of other websites before registering any personal data: this privacy notice applies solely to the personal data collected by Boundless.

8 Your rights

You have the following rights, which you can exercise free of charge:

Access The right to be provided with a copy of your personal information (the right of access)
Rectification The right to require us to correct any mistakes in your personal information
To be forgotten The right to require us to delete your personal information—in certain situations
Restriction of processing The right to require us to restrict processing of your personal information—in certain circumstances, for example, if you contest the accuracy of the data
Data portability The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
To object The right to object:
—at any time to your personal information being processed for direct marketing (including profiling);
—in certain other situations to our continued processing of your personal information, for example, processing carried out for the purpose of our legitimate interests.
Not to be subject to automated individual decision-making The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • Send a written request by either email or letter to our Data Protection Officer (please see ‘who are we’)
  • let us have enough information to identify you;
  • let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
  • let us know what right you want to exercise and the information to which your request relates.

9 How to complain

If you have any queries, concerns or wish to make a complaint you should contact our Membership Services Team on or by calling 03301 230 278. Alternatively, you can contact our Data Protection Officer with any query or concern about the use of your information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: 0303 123 1113

10 Additional Help

If you would like this notice in another format (for example, large print or braille), please contact at or telephone: 03301 230 278.

11 Changes to this policy

We will amend this privacy notice from time to time to ensure it remains up to date and reflects why we collect and you’re your personal data. Please visit our website to keep up to date with any changes. The current version will always be posted on our website.

This privacy notice (v0.4Jun19) was last updated on 12th June 2019 with a summary of the changes being:

  • 6a Disclosing your information to third parties update to include third party use relating to membership reviews.