1) Who are we
In this policy whenever you see the words ‘we’, ‘us’, ‘our’, or ‘Boundless’, it refers to Boundless by CSMA, a trading name of Motoring & Leisure Services, a subsidiary of the Civil Service Motoring Association Limited (registered company number 02813598) and we are authorised and regulated by the Financial Conduct Authority.
- Email: firstname.lastname@example.org
- Post: Member Services, Boundless, Britannia House, 21 Station Street, Brighton BN1 4DE
- Telephone: 03301 230278 (8am – 6pm Monday to Friday, 9am – 5pm Saturday, closed Sunday)
We have a Data Protection Officer who will be happy to answer any questions or concerns you might have. You can contact Andrew Hunter directly at email@example.com.
2) Our commitment to you
The security of personal information is extremely important to us and we are committed to protecting and respecting your privacy. In this notice we aim to be honest and clear about how we handle the information we collect from you or create about you. We will detail how we collect, use and safeguard your personal information and any conditions under which we may need to share personal information.
We will also cover how information may be used for marketing and communication activities, your choices in this regard, your privacy rights and how the law protects you.
We’ll never sell your personal data and will only share it with organisations we work with when necessary and the privacy and security of your data is assured.
3) What personal data do we collect?
Personal data is any information that can be used to identify an individual personally, that is collected, stored and used by us. We’ll only collect the personal data that we need, and when we do we are subject to the General Data Protection Regulation (GDPR) which applies across the European Union (including the United Kingdom). We are responsible for your data as a ‘controller’ of any personal data we collect for the purposes of those laws.
3a) Personal data provided by you
This includes information you give when interacting with us, for example when you make an application to become a member, contact us regarding your membership, renew your membership or make an enquiry. Usually information collected will include:
- Name, address, date of birth, email address, telephone number
- Password details when creating a website log-in
- Financial information, such as direct-debit details or card payment information
- If you are a Boundless member, then we will also collect your membership number
- Your comments, views and opinions regarding your experience
- Name and contact details when making an enquiry
There may be other times that we collect and process your information – we will inform you through additional privacy notices regarding these activities at the time.
If you buy membership as a gift, or recommend someone to join, both your details will be recorded and your association with that relationship will be recorded. Data that is provided through our recommend-a-friend scheme will be used to send a recommendation email on your behalf. This data will not be used for any other marketing purposes and will be deleted after a period of three months subject to them joining.
3b) Personal data we automatically collect
We may automatically collect the following information from your use of our website:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time-zone setting, browser plug-in types and versions, operating system and platform and, if you access our website via your mobile device, we will collect your unique phone identifier
- Usage data, meaning information about how you use our website, products and services, including, but not limited to, the full Uniform Resource Locators (URL) and query string, clickstream to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as but not limited to, scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number
- The terms that you use to search our website
- When you engage with emails we send, technical information regarding your interaction with the email, such as opening or clicking anything within that email, the type of device used and email platform in use. This information is used to help understand how people engage with our emails. This data is viewed for statistical purposes only
3c) Personal data collected by your involvement with us
Your activities and involvement with us will result in personal data being created. This could include details of when you have attended an event, if you have registered an interest on our site or if you have purchased a product through one of our approved partners. In these cases, they will provide you with this information through their own privacy notices.
In certain cases, some of our approved partners may share details of your purchase with us. This data is then processed by us as we have a legitimate interest to ensure that benefits are only made available to our members. We will also use this data for other purposes set out in Section 4 but only when there are lawful reasons for doing so. In these cases, the provider will inform you if they are sharing your data with us and we will have contractual agreements and data sharing agreements in place.
We also collect and use aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal information but does not reveal your identity in any way. For example, we may aggregate your usage and device data to calculate the percentage of our website users accessing a specific feature of our website. Aggregated data is used for our own business purposes only.
3d) Information we generate
We conduct research and analysis on the information we hold, which can in turn generate personal data. For example, analysing your interests and which of our approved partners you transact with or show an interest in may be able to help us build a profile, which will help us decide which of our communications are likely to interest you. We also ask you to inform us about specific interests which we will use to inform you of offers and benefits that may be of interest to you.
3e) Children and personal information
This website is not intended for use by children and we do not knowingly collect data relating to children. If we become aware that we are holding any information about children under the age of 13, we will take any actions necessary to comply with data protection legislation, including, if appropriate, deleting the information. If you become aware that your child (under 16) has provided their personal information to us without your consent, please let us know as soon as possible so that we can take appropriate action.
3f) Personal Data provided by a third party
We do not actively collect data about people from third parties other than in specific cases.
- If you have been recommended to join Boundless by another member, we will send you an email inviting you to join and, if you do not, we will delete your details after three months.
- If you have purchased a product through one of our partners and claimed a members’ discount but are not a member we will use your personal information to try and validate your membership (detailed further in the next section).
- If you set up a Direct Debit. We use a third party to process Direct Debit payments and they will send us confirmation of a Direct Debit being created, amended or cancelled. Please refer to section 10 for further details.
4) How we use your personal data
Our primary goal in collecting personal information from you is to provide you with a smooth, efficient experience as a member, using our website and to service your account. We’ll only use your personal data on relevant lawful grounds as permitted by the Data Protection Act 2018, GDPR and the Privacy of Electronic Communication Regulations 2003, and any successor legislation to these.
Under these data-protection laws, we can only use your personal data if we have a proper reason for doing so, such as:
- to comply with our legal and regulatory obligations
- for the performance of our contract with you or to take steps at your request before entering into a contract
- for our legitimate interests or those of a third party, or
- where you have given consent
If we are asked by the police, law-enforcement agency or any other regulatory or government authority investigating suspected illegal activities, we may need to disclose and exchange information with that authority to comply with our legal and regulatory obligations.
Below are the key reasons we will process your data:
a) Application of membership and creation of an account
|Ref||Personal data processed||Purpose of processing||Lawful basis for processing|
|i||Title, name, address, date of birth, contact details, promo code, eligibility||Creation of an account||Carrying out our contractual obligations|
|ii||Email address, password||Creation of an online account to access boundless.co.uk||Carrying out our contractual obligations|
|iii||Title, name, email address||Sending confirmation email to you with account information||Carrying out our contractual obligations|
|iv||Name, email address (when provided by another member as part of our recommend-a-friend scheme)||To send you an email to invite you to join||Legitimate interest|
b) Servicing your account
|Ref||Personal data processed||Purpose of processing||Lawful basis for processing|
|i||Name, email address, account number||Sending emails regarding your account||Carrying out our contractual obligations|
|ii||Name, address, membership number, join data||Creation of data to send Boundless magazine||Carrying out our contractual obligations – you can opt out of receiving the magazine at any time|
|iii||Name, address, membership number, account information||Sending of account information, renewal documents and any important information regarding your membership||Carrying out our contractual obligations|
|iv||Name, membership number, address details, date of birth||Carrying out identity checks if you call or contact us||Carrying out our contractual obligations|
|v||Name, membership number, telephone number, membership dates||Contacting you regarding your account status||Carrying out our contractual obligations|
|vi||Name, membership number, payment details||Renewal of your membership||Carrying out our contractual obligations|
|vii||Name, membership number and named individual’s name and email address||When you recommend a friend through our MGM scheme, we will use the information you provide to email your friend||Legitimate interest|
|viii||Name, email address and membership number||If a person recommends you, we will use your details to send you a reward||Legitimate interest|
|ix||Email address, name, membership number||To ask for feedback on the services or experiences of your membership||Carrying out our contractual obligations|
|x||End date of previous paid membership and the length of time between the new start date.||An automated process that indicates if a member is eligible for motor legal expenses or is not||Carrying out our contractual obligations|
|xi||Join date, contact details||To provide service calls regarding your account such as a welcome call||Carrying out our contractual obligations|
c) Marketing Communications
|Ref||Personal data processed||Purpose of processing||Lawful basis for processing|
|i||Name, email address, account number||Sending emails regarding products and benefits||Consent – you can change your consent at any time|
|ii||Name, address, account number||Sending mail regarding products and benefits||Consent – you can change your consent at any time|
|iii||Name, address, membership number, product usage information||Sending emails regarding products and benefits||Legitimate interest and consent|
|iv||Member status, usage data, technical data (eg IP address) when on our website||To deliver relevant website content and advertisements and measure the effectiveness of advertising||Consent – this is through our cookie consent|
|v||Email address||To utilise digital platforms such as Google ads for marketing purposes||Consent – you can opt out at any time|
|vi||Technical and usage data||To use data analytics to improve our website, marketing and member experience.||Legitimate interest|
d) Using Benefits and Products from Boundless and Third Parties
|Ref||Personal data processed||Purpose of processing||Lawful basis for processing|
|i||Name, contact details, account number, basic product information||Validating membership details to ensure only Boundless members are accessing benefits||Legitimate interest|
|ii||Contact details||If we are unable to validate membership, we will use the information to contact||Legitimate interest|
|iii||Name, contact details, account number, basic product information||To inform members of other related products that they are interested in||Consent – this can be withdrawn at any time.|
|iv||Account number, basic product information||For reporting and analytical purposes||Contract|
|v||Membership number, payment method, product information||If you pay your annual membership fee through Britannia Rescue, they notify us of this fact||Contract|
|vi||Membership number, name, payment method and type of cover||If you pay your annual membership fee through Britannia Rescue, and your payment fails, they notify us of this fact||Contract|
There may be other times when you may choose to provide us with more information or when you engage with us for other reasons. We will provide additional information through a privacy notice in relation to that task when appropriate, such as if you purchase tickets to an event.
5) Updating your data and marketing preferences
We want you to remain in control of your personal data. If at any time, you want to update or amend your personal data or marketing preferences please contact us in the following ways:
Phone lines open 8am – 6pm Monday to Friday, 10am – 4pm Saturday. Calls may be monitored and recorded for training purposes.
Member Services, Britannia House, 21 Station Street, Brighton, BN1 4DE
Verification, updating and amendment of personal data will take place within 30 days of receipt of your request.
To unsubscribe from marketing emails, simply either log onto your account via the website and amend your preferences, or you can click on the unsubscribe link that can be found at the bottom of all our marketing email communications.
6) Cookies and our website
Our various websites allow anyone to view them, and some data is collected (see section 2c). For full access to the website, members are required to log on to the site. This requires registration data to be collected and stored, consisting of email address, password and membership number.
Our website contains links to approved partner websites and may from time to time link to partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these sites will operate under their own privacy notices. We do not accept any responsibility or liability for these policies. We advise users to read the privacy notices of other websites before registering any personal data: this privacy notice applies solely to the personal data collected by Boundless.
7) Keeping your personal data
We will only use your information for as long as it is required for the purpose it was collected for. If we collect your personal information, the length of time we retain it is determined by a number of factors, including the purpose for which we use that information and our obligations under other laws. We will, therefore, keep your personal data for as long as it is necessary once the primary purpose has expired:
- to respond to any questions, complaints or claims made by you or on your behalf
- to show that we have treated you fairly or to keep records required by law
In general terms, this means we will retain your data for seven years from the end date of your last membership in accordance with the Limitation Act 1980. We are also required to hold certain information regarding payments under the VAT Act 1994 and HMRC Notice 700/21 as well as under the consumer regulations. This act states either you or we may bring a claim for breach of contract within six years of the event giving rise to a breach. In order that we may defend or bring a breach of contract claim (and to comply with disclosure requirements) we keep your account record for seven years after the end of your last paid membership. This period takes into account the four-month period during which a claim form, issued on the last day of the limitation period, remains valid for service and for any extension for service which may be granted by the court.
When it is no longer necessary to retain your personal data, we will delete or anonymise it.
If we have received your personal information through our recommend-a-friend scheme, we will retain this data for three months, after which time your information will be deleted.
8) How we secure your data
Information system and data security is imperative to us to ensure that we are keeping our members safe. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable information. We have taken technical and organisational measures to secure your data, including:
- This website has a secure https:// address (URL). This means that an SSL certificate is in place so that if you submit any data via the website, then your information is encrypted whilst it is being transmitted to the applicable database or email server
- We limit access to your personal data to those who have a genuine business need to access it. Only employees who need the information to perform a specific job are provided with access to your data. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality. Contracts will be in place to protect any personal data
- All our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibility and requirements set out in our information security policies
- We conduct privacy impact assessments in accordance with data-privacy guidelines
- We implement appropriate measures and controls, including monitoring and physical measures, to the processing and storage of data
- We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so
- We require, through the use of contract and security reviews, our third-party vendors and providers to protect any personal information with which they are entrusted in accordance with our own policies and procedures
- We invite third-party auditors to measure our compliance with a variety of regulations, including data privacy and for accounting purposes
9) Disclosing your information to third parties
When we allow third parties acting on behalf of Boundless to access your information, we will always have complete control of what they see, how long they see it and what they are allowed to do with it by imposing strict contractual obligations on them such as data-sharing agreements. We do not sell or share your personal information for other organisations to use.
Personal data collected and processed by us may be shared with the following groups where necessary:
- Boundless employees
- Third-party cloud hosting and IT infrastructure providers who host the website and provide IT support in respect of the website
Also, under strict contractually controlled conditions:
- Service providers providing services to us
10) Payment Information
When we request or collect a payment for membership subscription, we may use third parties to process payments on our behalf.
Cheques – we process cheques ourselves by marking a payment on your account and this is then processed by our bank.
Card Payments – we use Worldpay for handling all card payment data. We do not store any card payment data ourselves, in line with PCI DSS requirements.
Direct Debit Payments – we use a third party, Go Cardless, to collect and process any Direct Debit payments on our behalf. Under the GDPR they are a separate data controller in their own right and you should refer to their privacy notice at www.gocardless.com/privacy. Section 3f of this notice highlights that Go Cardless share information regarding Direct Debit Instructions and payments, to allow us to service your account. Data is limited to Direct Debit information and your membership number.
11) Where your personal data is held
Information system and data security is imperative to us to ensure that we are keeping our members safe.
Your personal data is primarily held in our databases, which are Microsoft systems located in the EU. Your data may be held at our offices, third-party agencies, services providers, representatives and agents as described earlier.
We do not transfer or share any membership data outside of the European Economic Area (EEA).
12) Your rights
You have the following rights, which you can exercise free of charge:
|Access||The right to be provided with a copy of your personal information (the right of access)|
|Rectification||The right to require us to correct any mistakes in your personal information|
|To be forgotten||The right to require us to delete your personal information – in certain situations|
|Restriction of processing||The right to require us to restrict processing of your personal information – in certain circumstances, for example, if you contest the accuracy of the data|
|Data portability||The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations|
The right to object:
|Not to be subject to automated individual decision-making||The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. Currently the only automated decision making is around Boundless members who qualify for motor legal expenses as part of their membership and those who do not. This is detailed in section 4b(x).|
|Right to withdraw consent||If you have given us your consent to use your personal information, you can withdraw your consent at any time. This might impact our ability to provide goods and services to you|
For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please:
- Send a written request by either email or letter to our Data Protection Officer (please see ‘Who We Are’)
- email, call or write to our Data Protection Officer (please see ‘Who We Are’)
- let us have enough information to identify you
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
- let us know what right you want to exercise and the information to which your request relates
13) How to complain
If you have any queries, concerns or wish to make a complaint you should contact our Membership Services Team on firstname.lastname@example.org or by calling 03301 230278. Alternatively, you can contact our Data Protection Officer with any query or concern about the use of your information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at ico.org.uk/concerns/ or telephone: 0303 123 1113.
Changes to this privacy notice
We will amend this privacy notice from time to time to ensure it remains up to date and reflects why we collect your personal data. Please visit our website to keep up to date with any changes. The current version will always be posted on our website – www.boundless.co.uk/privacy
This privacy notice (v1.4 Dec 19) was last updated on 16th December 2019 with a summary of the changes being:
- Amendment to section 3f regarding Direct Debits
- Introduction of section 10 regarding payment handling, to clarify how payments are handled.