Security and Privacy Notice

The privacy and security of your personal information is extremely important to us. Please read this privacy notice carefully, as it explains how and why we use your personal data, to make sure you stay informed, so you can be confident when you share your information with us.

The purpose of this privacy notice is to inform you on how your personal data is used by us here at Boundless when you engage with us or express an interest in membership, are a member or have been a member.

1) Who are we

In this policy whenever you see the words ‘we’, ‘us’, ‘our’, or ‘Boundless’, it refers to Boundless by CSMA, a trading name of Motoring & Leisure Services, a subsidiary of the Civil Service Motoring Association Limited (registered company number 02813598) and we are authorised and regulated by the Financial Conduct Authority.

If you have any questions in relation to this privacy policy or how we use your personal data, you can contact us in any of the following ways:

  • Email: membership@boundless.co.uk
  • Post: Member Services, Boundless, Britannia House, 21 Station Street, Brighton BN1 4DE
  • Telephone: 03301 230278 (Lines open: 8 - 6 Monday - Friday, 9 - 5 Saturday, closed Sunday)

We have a Data Protection Officer who will be happy to answer any questions or concerns you might have. You can contact Andrew Hunter directly at dpo@boundless.co.uk.

2) Our commitment to you

The security of personal information is extremely important to us and we are committed to protecting and respecting your privacy. In this notice we aim to be honest and clear about how we handle the information we collect from you or create about you. We will detail how we collect, use and safeguard your personal information and any conditions under which we may need to share personal information.

We will also cover how information may be used for marketing and communication activities, your choices in this regard, your privacy rights and how the law protects you.

We’ll never sell your personal data and will only share it with organisations we work with when necessary and the privacy and security of your data is assured.

We will keep this privacy policy updated to show you all the things we do with your personal data.

3) What personal data do we collect?

Personal data is any information that can be used to identify an individual personally, that is collected, stored and used by us. We’ll only collect the personal data that we need, and when we do we are subject to the General Data Protection Regulation (GDPR) which applies across the European Union (including the United Kingdom). We are responsible for your data as a ‘controller’ of any personal data we collect for the purposes of those laws.


3a) Personal data provided by you

This includes information you give when interacting with us, for example when you make an application to become a member, contact us regarding your membership, renew your membership or make an enquiry. Usually information collected will include:

  • Name, address, date of birth, email address, telephone number
  • Password details when creating a website log-in
  • Financial information, such as direct-debit details or card payment information
  • If you are a Boundless member, then we will also collect your membership number
  • Your comments, views and opinions regarding your experience
  • Name and contact details when making an enquiry

There may be other times that we collect and process your information – we will inform you through additional privacy notices regarding these activities at the time.

If you buy membership as a gift, or recommend someone to join, both your details will be recorded and your association with that relationship will be recorded. Data that is provided through our recommend-a-friend scheme will be used to send a recommendation email on your behalf. This data will not be used for any other marketing purposes and will be deleted after a period of three months subject to them joining.

3b) Personal data we automatically collect

We may automatically collect the following information from your use of our website:

  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time-zone setting, browser plug-in types and versions, operating system and platform and, if you access our website via your mobile device, we will collect your unique phone identifier.
  • Usage data, meaning information about how you use our website, products and services, including, but not limited to, the full Uniform Resource Locators (URL) and query string, clickstream to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as but not limited to, scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number.
  • The terms that you use to search our website.
  • When you engage with emails we send, technical information regarding your interaction with the email, such as opening or clicking anything within that email, the type of device used and email platform in use. This information is used to help understand how people engage with our emails. This data is viewed for statistical purposes only.
  • We conduct research and analysis on the information we hold which can in turn create further personal data. For example, by analysing your interests and involvement with our work we may be able to build a profile which helps us decide which of our communications are likely to interest you.

Please note that certain services on our website are not available to you until you have registered to use our website. Further information regarding our website and cookies can be found in Section 6 and within our cookie policy.

3c) Personal data collected by your involvement with us

Your activities and involvement with us will result in personal data being created. This could include details of when you have attended an event, if you have registered an interest on our site or if you have purchased a product through one of our approved partners. In these cases, they will provide you with this information through their own privacy notices.

In certain cases, some of our approved partners may share details of your purchase with us. This data is then processed by us as we have a legitimate interest to ensure that benefits are only made available to our members. We will also use this data for other purposes set out in Section 4 but only when there are lawful reasons for doing so. In these cases, the provider will inform you if they are sharing your data with us and we will have contractual agreements and data sharing agreements in place.

We also collect and use aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal information but does not reveal your identity in any way. For example, we may aggregate your usage and device data to calculate the percentage of our website users accessing a specific feature of our website. Aggregated data is used for our own business purposes only.

3d) Information we generate

We conduct research and analysis on the information we hold, which can in turn generate personal data. For example, by analysing your interests and which of our approved partners you transact with or show an interest in, we may be able to build a profile which will help us decide which of our communications are likely to interest you. We also ask you to inform us about specific interests which we will use to inform you of offers and benefits that may be of interest to you.

3e) Children and personal information

This website is not intended for use by children and we do not knowingly collect data relating to children. If we become aware that we are holding any information about children under the age of 13, we will take any actions necessary to comply with data protection legislation, including, if appropriate, deleting the information. If you become aware that your child (under 16) has provided their personal information to us without your consent, please let us know as soon as possible so that we can take appropriate action.

3f) Personal Data provided by a third party

We do not actively collect data about people from third parties other than in specific cases.

  • If you have been recommended to join Boundless by another member, we will send you an email inviting you to join and, if you do not, we will delete your details after three months.
  • If you have purchased a product or service as a Boundless member we may receive some information about the purchase. We explain how this data may be used in the next section, 4d.
  • If you have purchased a product through one of our partners and claimed a members’ discount but are not a member we will use your personal information to try and validate your membership (detailed further in the next section).
  • If you set up a Direct Debit, we use a direct debit payment processor called Go Cardless and they will send us confirmation of a direct debit being created, amended or cancelled. Please refer to section 10 for more details.

4) How we use your personal data

Our primary goal in collecting personal information from you is to provide you with a smooth, efficient experience as a member, using our website and to service your account. We’ll only use your personal data on relevant lawful grounds as permitted by the Data Protection Act 2018, GDPR and the Privacy of Electronic Communication Regulations 2003, and any successor legislation to these.

Under these data-protection laws, we can only use your personal data if we have a proper reason for doing so, such as:

  • to comply with our legal and regulatory obligations
  • for the performance of our contract with you or to take steps at your request before entering into a contract
  • for our legitimate interests or those of a third party, or
  • where you have given consent

If we are asked by the police, law-enforcement agency or any other regulatory or government authority investigating suspected illegal activities, we may need to disclose and exchange information with that authority to comply with our legal and regulatory obligations.

Below are the key reasons we will process your data:

a) Application of membership and creation of an account

Ref | Personal data processed | Purpose of processing | Lawful basis for processing
i | Title, name, address, date of birth, contact details, promo code, eligibility | Creation of an account | Carrying out our contractual obligations
ii | Email address, password | Creation of an online account to access boundless.co.uk | Carrying out our contractual obligations
iii | Title, name, email address | Sending confirmation email to you with account information | Carrying out our contractual obligations
iv | Name, email address (when provided by another member as part of our recommend-a-friend scheme) | To send you an email to invite you to join | Legitimate interest
v | Email provided at the start of the join journey online | To send you up to three emails to see if you experienced a problem or require help and to tell you more about us. | Legitimate interest – you can unsubscribe from the further communications from us though.
vi | Workplace or Industry Sector, email address | To validate your eligibility when applicable. | Legitimate Interest to membership eligibility.

b) Servicing your account

Ref | Personal data processed | Purpose of processing | Lawful basis for processing
i | Name, email address, account number | Sending emails regarding your account | Carrying out our contractual obligations
ii | Name, address, membership number, join data | Creation of data to send Boundless magazine | Carrying out our contractual obligations – you can opt out of receiving the magazine at any time
iii | Name, address, membership number, account information | Sending of account information, renewal documents and any important information regarding your membership | Carrying out our contractual obligations
iv | Name, membership number, address details, date of birth | Carrying out identity checks if you call or contact us | Carrying out our contractual obligations
v | Name, membership number, telephone number, membership dates | Contacting you regarding your account status | Carrying out our contractual obligations
vi | Name, membership number, payment details | Renewal of your membership | Carrying out our contractual obligations
vii | Name, membership number and named individual's name and email address | When you recommend a friend through our MGM scheme, we will use the information you provide to email your friend | Legitimate interest
viii | Name, email address and membership number | If a person recommends you, we will use your details to send you a reward | Legitimate interest
ix | Email address, name, membership number | To ask for feedback on the services or experiences of your membership | Carrying out our contractual obligations
x | End date of previous paid membership and the length of time between the new start date. | An automated process that indicates if a member is eligible for motor legal expenses or is not | Carrying out our contractual obligations
xi | Join date, contact details | To provide service calls regarding your account such as a welcome call | Carrying out our contractual obligations
xii | Name, email address | Sending of a voucher code to you | Carrying out our contractual obligations
xiii | Name, email address, membership number, membership scheme | To provide you with updates about any changes to the benefits or products your membership provides | Legitimate interest to you, to keep you informed what your subscription gives you

c) Marketing Communications

Ref | Personal data processed | Purpose of processing | Lawful basis for processing
i | Name, email address, account number | Sending emails regarding products and benefits | Consent – you can change your consent at any time
ii | Name, address, account number | Sending mail regarding products and benefits | Legitimate interest – to keep you informed of member benefits
iii | Name, address, membership number, product usage information | Sending emails regarding products and benefits | Consent – you can change your consent at any time
iv | Member status, usage data, technical data (eg IP address) when on our website | To deliver relevant website content and advertisements and measure the effectiveness of advertising | Consent – this is through our cookie consent
v | Email address | To utilise digital platforms such as Google ads for marketing purposes | Consent – you can opt out at any time
vi | Technical and usage data | To use data analytics to improve our website, marketing and member experience. | Legitimate interest

d) Using Benefits and Products from Boundless and Third Parties

Ref | Personal data processed | Purpose of processing | Lawful basis for processing
i | Name, contact details, account number, basic product information | Validating membership details to ensure only Boundless members are accessing benefits | Legitimate interest
ii | Contact details | If we are unable to validate membership, we may use the information to contact the person | Legitimate interest
iii | Name, contact details, account number, basic product information | To inform members of other related products that they are interested in | Consent – this can be withdrawn at any time.
iv | Account number, basic product information | For reporting and analytical purposes | Contract
v | Membership number, payment method, product information | If you pay your annual membership fee through Britannia Rescue, they notify us of this fact | Contract
vi | Membership number, name, payment method and type of cover | If you pay your annual membership fee through Britannia Rescue, and your payment fails, they notify us of this fact | Contract
vii | Membership number, name, email address | In order to provide a smooth transition between us and some of our partner websites. | Legitimate Interest – to remove the need to create accounts with some partners.

If you use the Boundless Shopping Discounts, we use a third party for the processing and fulfilment of your order. We have contracted SVM Global Limited (SVM) for the provision of this service to you and they act as a Data Processor for us. When you place an order on the site for a gift card, reloadable store card, ecard then you will be subject to the terms and conditions with SVM. For details of the processing they undertake please refer to their privacy notice which can be found at https://www.csmaclubgiftcards.co.uk/privacy_statement.

e) For research purposes or to ask for feedback

We carry out research with our members, website visitors, leisure guests, staff and volunteers for a variety of purposes, such as to get feedback on their experience with us, on the club magazine articles or content, or on what products they would like to see. We use this feedback to help ensure members continue to have a voice in their membership, to improve the experiences we offer and ensure we know what you find relevant and interesting.

If you choose to take part in research, we’ll tell you when you start what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part. Most of our research is conducted at an aggregate rather than individual level, for example the annual Member Survey. This means that survey results are not linked to an individual and results are viewed as a whole. We also have a Member Panel, made up of current members – those who wish to take part in this group will need to provide some information in order for us to identify who wants to be part of the Panel.

Ref | Personal data processed | Purpose of processing | Lawful basis for processing
i | Email address, membership number | Enrolling you to our Member Panel if you decide you wish to be part of it. | Consent – you can opt out of being part of the panel at any time.
ii | Email address, membership number | To invite you to take part in polls, surveys and feedback. | Consent – you can opt out of being part of the panel at any time.
iii | Name, limited address details (town or city) | To use any testimonials you provide to us | Consent – this can be withdrawn at any time.
iv | Name, membership number, contact details | To respond to any enquiry you may have from our questions or surveys | Legitimate Interest – to respond to you directly

There may be other times when you may choose to provide us with more information or when you engage with us for other reasons. We will provide additional information through a privacy notice in relation to that task when appropriate, such as if you purchase tickets to an event or book a Boundless break.

5) Updating your data and marketing preferences

We want you to remain in control of your personal data. If at any time, you want to update or amend your personal data or marketing preferences please contact us in the following ways:

Call Boundless:

0800 669944

Phone lines open: 8 - 6 Monday - Friday, 9 - 5 Saturday, closed Sunday. Calls may be monitored and recorded for training purposes.

Update online:

Log in to your account and amend your preferences, or if you haven’t yet registered for an online account visit boundless.co.uk/signup to create one.

Write to:

Member Services, Britannia House, 21 Station Street, Brighton, BN1 4DE

Verification, updating and amendment of personal data will take place within 30 days of receipt of your request.

To unsubscribe from marketing emails, simply either log onto your account via the website and amend your preferences, or you can click on the unsubscribe link that can be found at the bottom of all our marketing email communications.

6) Cookies and our website

Our various websites allow anyone to view them, and some data is collected (see section 2c). For full access to the website, members are required to log on to the site. This requires registration data to be collected and stored, consisting of email address, password and membership number.

Cookies are small text files stored on your computer when you visit certain websites. We use first-party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. We also use third-party cookies (cookies that are set by an organisation other than the owner of the website) for the purposes of website measurement and targeted advertising.

In order to comply with the rules around cookies and other related tracking, our websites have a cookie management tool through One Trust, which places the control of data collection in your hands. Further information can be found in our cookie policy.

7) Keeping your personal data

We will only use your information for as long as it is required for the purpose it was collected for. If we collect your personal information, the length of time we retain it is determined by a number of factors, including the purpose for which we use that information and our obligations under other laws. We will, therefore, keep your personal data for as long as it is necessary once the primary purpose has expired:

  • to respond to any questions, complaints or claims made by you or on your behalf
  • to show that we have treated you fairly or to keep records required by law

In general terms, this means we will retain your data for seven years from the end date of your last membership in accordance with the Limitation Act 1980. The Limitation Act states that either you or we may bring a claim for breach of contract within six years of the event giving rise to a breach. In order that we may defend or bring a breach of contract claim (and to comply with disclosure requirements) we keep your account record for seven years after the end of your last paid membership. This period takes into account the four-month period during which a claim form, issued on the last day of the limitation period, remains valid for service and for any extension for service which may be granted by the court. We are also required to hold certain information regarding payments under the VAT Act 1994 and HMRC Notice 700/21 as well as under the consumer regulations.

When it is no longer necessary to retain your personal data, we will delete or anonymise it.

If we have received your personal information through our recommend-a-friend scheme, we will retain this data for three months, after which time your information will be deleted.

8) How we secure your data

Information system and data security is imperative to us to ensure that we are keeping our members safe. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable information. We have taken technical and organisational measures to secure your data, including:

  • This website has a secure https:// address (URL). This means that an SSL certificate is in place so that if you submit any data via the website, then your information is encrypted whilst it is being transmitted to the applicable database or email server
  • We limit access to your personal data to those who have a genuine business need to access it. Only employees who need the information to perform a specific job are provided with access to your data. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality. Contracts will be in place to protect any personal data
  • All our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibility and requirements set out in our information security policies
  • We conduct privacy impact assessments in accordance with data-privacy guidelines
  • We implement appropriate measures and controls, including monitoring and physical measures, to the processing and storage of data
  • We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so
  • We require, through the use of contract and security reviews, our third-party vendors and providers to protect any personal information with which they are entrusted in accordance with our own policies and procedures
  • We invite third-party auditors to measure our compliance with a variety of regulations, including data privacy and for accounting purposes
  • When we use Legitimate Interest as a legal basis for processing personal data, we conduct a Legitimate Interest Assessment in line with recommendations from the ICO. This balance test looks at the protection of your rights and data with our use of such data. These assessments are reviewed by our Data Protection Officer to ensure the rights of members are maintained.

9) Disclosing your information to third parties

When we allow third parties acting on behalf of Boundless to access your information, we will always have complete control of what they see, how long they see it and what they are allowed to do with it by imposing strict contractual obligations on them such as data-sharing agreements. We do not sell or share your personal information for other organisations to use.

We use a number of third parties, who provide their services to us for various reasons, such as SVM Global Ltd for the Boundless Shopping Card, or Mosaic as our Print and Mailing House. In these circumstances, we will remain the controller of any personal data and suitable contracts, data processing agreements and terms will be agreed between both parties.

Personal data collected and processed by us may be shared with the following groups where necessary:

  • Boundless employees
  • Third-party cloud hosting and IT infrastructure providers who host the website and provide IT support in respect of the website

Also, under strict contractually controlled conditions:

  • Contractors
  • Service providers providing services to us
  • Advisors
  • Agents
  • Auditors

We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use or cookie policy and other agreements; or to protect the rights, property, or safety of Boundless, our members, volunteers and employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

10) Payment Information

When we request or collect a payment for membership subscription, we may use third parties to process payments on our behalf.

Cheques – we process cheques ourselves by marking a payment on your account and this is then processed by the banks.

Card Payments – We have an active PCI-DSS (Payment Card Industry Data Security Standard) compliance programme. As part of this, we ensure that our IT systems do not directly collect or store your payment card information, such as the full 16-digit number on the front of your card or the security code on the back.

We use Worldpay for any card payments. Online transactions are made through a ‘payment gateway’ provided by Worldpay and no payment card data is retained by us or our systems.

Direct Debit Payments – we use Go Cardless to collect and process all Direct Debit payments on our behalf. If you set up a new direct debit your details are collected in Go Cardless and you should see their privacy notice as they are also a Data Controller. All direct debit payers are covered under the Direct Debit Guarantee. Please refer to their privacy notice at www.gocardless.com/privacy.

11) Where your personal data is held

Information system and data security is imperative to us to ensure that we are keeping our members safe.

Your personal data is primarily held in our databases, which are Microsoft systems located in the EU. Your data may be held at our offices, third-party agencies, services providers, representatives and agents as described earlier.

We do not transfer or share any membership data outside of the European Economic Area (EEA).

12) Your rights

You have the following rights, which you can exercise free of charge:

Access: The right to be provided with a copy of your personal information (the right of access)

Rectification: The right to require us to correct any mistakes in your personal information

To be forgotten: The right to require us to delete your personal information – in certain situations

Restriction of processing: The right to require us to restrict processing of your personal information – in certain circumstances, for example, if you contest the accuracy of the data

Data portability: The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations

To object: The right to object:
  • at any time to your personal information being processed for direct marketing (including profiling);
  • in certain other situations to our continued processing of your personal information, for example, processing carried out for the purpose of our legitimate interests.

Not to be subject to automated individual decision-making: The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. Currently the only automated decision making is around Boundless members who qualify for motor legal expenses as part of their membership and those who do not. This is detailed in section 4b(x).

Right to withdraw consent: If you have given us your consent to use your personal information, you can withdraw your consent at any time. This might impact our ability to provide goods and services to you

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • Send a written request by either email or letter to our Data Protection Officer (please see ‘Who We Are’)
  • email, call or write to our Data Protection Officer (please see ‘Who We Are’)
  • let us have enough information to identify you
  • let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
  • let us know what right you want to exercise and the information to which your request relates

13) How to complain

If you have any queries, concerns or wish to make a complaint you should contact our Membership Services Team on membership@boundless.co.uk or by calling 03301 230278. Alternatively, you can contact our Data Protection Officer with any query or concern about the use of your information.

The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at ico.org.uk/concerns/ or telephone: 0303 123 1113.

Changes to this privacy notice

We will amend this privacy notice from time to time to ensure it remains up to date and reflects why we collect your personal data. Please visit our website to keep up to date with any changes. The current version will always be posted on our website – www.boundless.co.uk/privacy

This privacy notice (v1.5) was last updated in August 2020 with a summary of the changes being:

  • Amendment to section 4, a-vi regarding membership eligibility
  • Amendment to section 4, d-vii regarding passing of data from our website to a partner site.
  • Amendment to section 6 regarding our cookie policy.
  • Addition to section 8 regarding how we conduct Legitimate Interest Assessments.
  • Amendment to section 10 regarding our PCI DSS payment programme.
  • Addition of section 4e regarding research and our member panel.

Do you need extra help?

If you would like this notice in another format (for example, large print or braille), please contact us at info@boundless.co.uk or telephone: 03301 230374.