Who we are

We are Boomerang Digital Limited, 2 Saxon Business Park, Owen Avenue, Hessle, England, HU13 9PD.

Company Registration Number: 02993612

Our responsibilities

If you are a visitor to our website, or interact with us on social media, we act as the ‘data controller’ of personal data.

This means we determine how and why your data is processed.

We are registered as a data controller at the UK Information Commissioner’s Office under number Z5087366.

We are responsible for the processing of personal data that we have received in accordance with the UK General Data Protection Regulation (UKGDPR), the Data Protection Act 2018, the Data Use and Access Act 2025 and the Personal Electronic Communications Regulation (PECR).

What is MASS?

MASS is a digital Self-Exclusion solution which allows people to enrol in the Motorway Service Areas (MSA) AGC Self-Exclusion Scheme either in-venue or via our MASS self-enrolment application.

There are 4 types of Self-Exclusion that may be offered to you during your enrolment, these are:

• Standard Self-Exclusion

This is the default radius-based exclusion type offered by all MSA venues.

This would exclude you in line with the selections you make when completing your self-exclusion.

For example, you can select to be excluded from MSA venues within a radius of between 50 and 200 kilometres.

• National MSA Self-Exclusion

This would exclude you across all MSA venues that participate in MASS.

• Company (Brand) Exclusion

This would exclude you across all venues operated by a single MSA Operating Company

• Single Site Exclusion

This would exclude you ONLY from your selected ‘main’ venue if enrolling via our MASS application, or the venue in which you are completing your self-exclusion

Participating Operators

The following Motorway Service Area operators currently participate in MASS:

• Roadchef
• Welcome Break
• Moto Hospitality
• Extra (Playnation-Genda)
• EG On The Move
• Certus Energy

Participation in MASS means that venues operated by these organisations may be included within the scope of your self-exclusion, depending on the exclusion type you select.

The list of Participating Operators may be updated from time to time. A current list is maintained on the MASS website and/or MASS App.

Our Customers

We provide MASS to Operators of Adult Gaming Centres within MSA’s in the United Kingdom and the Republic of Ireland. These are referred to as our Customers.

We refer to our Customers premises as Venues.

Our role in your privacy as a Self-Excluder

If you are providing Personal Data to us, either directly to us or via our Customers to enable us to enrol you on MASS, this Privacy Notice applies to you.

Please Note

• If you are visiting our website, please refer to our standard Privacy Policy.

Our responsibilities

• Our responsibilities as a Data Controller (and Joint Controller)
• Whilst you are completing your Self-Exclusion at a Venue or via our MASS application, we act as a ‘Joint Controller’ of your data together with our Customers. This means that we are jointly determining with our Customers the means and purposes of processing your Personal Data to enable us to provide the Self-Exclusion Service to you.
• When you have completed the enrolment of your Self-Exclusion on MASS, we act as a ‘Data Controller’ of your data. This means we determine why and how your Personal Data is processed to enable us to provide the ongoing Self-Exclusion Service to you.
• If your Self-Exclusion requires us to share your exclusion data with Customers, we act as a ‘Joint Controller’ of your data with those Customers. This means we jointly determine with our Customers the purposes and means of processing your personal data.

Your responsibilities

Please read this Privacy Notice

If you follow any external links to webpages that are not part of MASS, our Motorway AGC Self-Exclusion Scheme, please read the respective Privacy Notice(s) for the site you are visiting.

This may include other National Self-Exclusion Schemes, Gambling Support Sites or Information Sites that we share with you upon request following enrolling for your Self-Exclusion.

Having self-excluded, it is your responsibility not to breach the terms and conditions of your self-exclusion. These terms and conditions can be found here Terms & Conditions.

When we collect data

We will collect data from you:

• If you Self-Exclude with MASS via our Customers, they will digitally complete a Self-Exclusion in Venue with your assistance, using a Tablet or a PC
• If you Self-Exclude via our MASS application, you will digitally complete a Self-Exclusion enrolment using a web-browser or smartphone application.

Types of data we may collect when you are registering for Self-Exclusion using MASS

• Self-Exclusion Data
• Email Address
• Title
• Gender
• Name
• Address
• Mobile Number (optional)
• Photo
• Date of Birth
• Signature
• Vehicle Registration Number(s)
• Photographic ID
  • Photographic ID is captured for the purpose of verifying your identity only and deleted once verified.

Types of data we DO NOT collect

• Any data relating to racial or ethnic origin.

Determination of Self Exclusion data as Special Category Data

To allow us to provide Self-Exclusion to you, we require you to provide us a photo of yourself. We have determined that due to the specialist nature of technical processing of the photo but specifically the categorisation of Self-Exclusion data as health data that this data is to be treated as Special Category Data. We will ensure we have the appropriate technical and organisational measures and processes in place to securely manage this data.

Purposes for which we process your data

We collect your data solely for the purpose of providing and managing your Self-Exclusion request. This includes the sending of emails and texts that may contain information relating to gambling support services and organisations.

How and why we use your data

Data protection law requires that we only use your data for specific purposes and where we have a lawful basis to do so. Here are the purposes why we process your data:

• Providing MASS to our Customers (as a Joint Controller)
• Processing of your Self-Exclusion record at your request, to enable Boomerang Digital to deliver, support and improve MASS.
• Sharing of your Self-Exclusion record with our other Customers who participate in MASS enabling them to manage and monitor any visits that would be in breach of your Self-Exclusion
• To ensure our Customers can meet their legal obligations under the Gambling Regulations Licence Conditions and Code of Practice (LCCP) to manage and maintain an effective Self Exclusion Scheme. As part of our continuous improvement plan to ensure the effectiveness of the scheme in identifying Self-Excluders who may attempt to access a restricted venue, we process live data of Self-Exclusion records to monitor and enhance the accuracy of our systems. This includes the use of facial detection and recognition technology, which is now operational in certain venues, to further improve and support the Self-Exclusion scheme. Where facial recognition technology is in use, clear signage is displayed in the relevant venues to inform visitors. Those Customers using facial recognition technology provide details of how and where it is being used in their respective Privacy Notices. Please refer to these for further information.
• Ensuring Self-exclusion policies and procedures and Self-Excluders instructions are adhered to.
• Protecting vulnerable adults from potential harm caused through Gambling.
• Subject to the terms you have selected within your self-exclusion record, as a joint controller, we will share your personal data with our Customers as detailed in the ‘Our Customers’ section of this policy.
• Our lawful basis for processing your personal data in this context is our legitimate interests and in relation to special category data, the substantial public interest. To support this lawful basis, we have conducted a Legitimate Interest Assessment and specifically a balancing test, to ensure that the rights of the self-excluder are not being overridden.

Here is what each “lawful basis” means:

• Legitimate Interests (Article 6.1.f UK GDPR)
• The processing of your personal data is necessary for the purposes of our legitimate interests and that of our Customers in providing a Self-Exclusion Scheme to protect vulnerable people from potential harm caused through gambling. We know that you would reasonably expect us to be processing your personal data and that we are doing so to prevent you from harm. We have therefore concluded, in the context of all the distinct types of Self-Exclusion listed at the beginning of this Privacy Notice, that when balancing your interests with our legitimate interests that the processing of your personal data is proportionate and not intrusive.

• Substantial Public Interest (Article 9.2.g UK GDPR)
• The processing of special category data is necessary for the purposes of ensuring the integrity of the data being processed within MASS to ensure Customers can accurately recognise those individuals that have self-excluded and protect vulnerable people from potential harm caused through gambling. Specifically, we believe the conditions in paragraphs 18 and 19 of Schedule 1 of the DPA 2018, namely safeguarding children and individuals at risk and safeguarding the economic wellbeing of certain individuals are applicable to those who have self-excluded. We believe that the substantial public interest can be applied to all the different types of Self-Exclusion listed at the beginning of this Privacy Notice.

Your privacy choices and rights

Your rights

• You can exercise your rights by sending us an email at dataprotection@boomerangdigital.co.uk.
• You have the right to access information we hold about you
• This includes the right to ask us for supplementary information about:
• the categories of data we’re processing.
• the purposes of data processing.
• the categories of third parties to whom the data may be disclosed.
• how long the data will be stored (or the criteria used to determine that period).
• your other rights regarding our use of your data.
• You have the right to be ‘forgotten’ by us following the expiry of your Self-Exclusion
• You can do this by asking us to erase any data we hold about you if it is no longer necessary for us to hold the data for purposes of your Self-Exclusion UNLESS we have a legal obligation to retain your data.
• You have the right to the rectification of your data if it is inaccurate and we will notify you when your data has been corrected.
• You have the right to restrict processing of your data under certain circumstances.
• You have the right to data portability which means you can receive your personal data in a structured, commonly used and machine-readable format.
• You have the right to object to the processing of your data.
• You have the right not to be subject to a decision based on automated processing, including profiling.
• You have the right to lodge a complaint regarding our use of your data
• Please tell us first, so we have a chance to address your concerns. If we fail in this, you can address any complaint to the UK Information Commissioner’s Office, either by calling their helpline or as directed on their website at ico.org.uk.

We will provide you with the information you request within one month of your request and receiving confirmation of your identity, unless doing so would adversely affect the rights and freedoms of others (e.g. another person’s confidentiality or intellectual property rights) or conflict with our obligations to maintain the integrity of a National Self-Exclusion Scheme which is governed by the Gambling Commission.

We will tell you if we can’t meet your request for any reason.

How secure is the data we collect?

We have physical, technical and organisational procedures in place to appropriately safeguard and secure the data we collect.

• All data is stored in a secure ISO 27001 facility by AWS (Ireland).
• All data traffic is encrypted with SHA-256 RSA Encryption.
• We have Always-On Network Flow Monitoring.
• We have DDos protection services provided by AWS, including Automated Mitigation and all APIs are protected using a Throttling middleware.
• We have IP Attack Prevention in the form of Rack Attack Preventative Implemented.

However, please remember:

• You provide personal data at your own risk: unfortunately, no data transmission across the internet is guaranteed to be 100% secure.

If you believe your personal data may have been exposed to a data breach, please contact us immediately on dataprotection@boomerangdigital.co.uk.

Where do we store the data?

The data we collect is processed in our Data Centre hosted in Ireland, in our offices in Northampton (UK), Hessle (UK) and also in data processing facilities operated by the third parties identified below.

By submitting your data, you agree to this transfer, storing or processing by us. If we transfer or store your information outside the EEA in this way, we will take steps to ensure that your rights continue to be protected as outlined in this Privacy Notice.

How long do we store your data?

The duration of your Self-Exclusion Agreement is the period set when submitting your exclusion (Exclusion Period), plus a maximum 6 months (Thinking Period) followed by an additional 24 hours (Cooling Off Period).

We will stop actively using any personal/identifiable data following the end of your Self-Exclusion Agreement plus a further 6 months, during which period it is archived, after which your personal data will be anonymised.

Other Third parties who process your data

Businesses often use third parties to help them host their application, communicate with customers, power their emails etc. We contract with third parties who we believe are the best in their field at what they do.

When we do this, sometimes it is necessary for us to share your data with them to get these services to work well.

Your data is shared only when strictly necessary and according to the safeguards and good practices detailed in this Privacy Notice.

If third party providers (processors) are established outside of the EU/EEA, we shall ensure that we contract only with third-party providers that are in countries that ensure adequate levels of protection based on the European Commission’s adequacy decision. Where data is transferred to the USA, we ensure that the organisation has certified with the US / EU Data Privacy Framework and the US-UK Data Bridge.

Here are the details of our main third-party service providers, and what data they collect, or we share with them, where they store the data and why they need it:

• Amazon Web Services, Ireland
• We host our MASS AGC Self-Exclusion Scheme on AWS Data Centres in Ireland.
• Google, USA
• We use a service called Google Vision to detect a face in a Self-Exclusion Image as part of our quality control and validation processes.
• No image data is stored by Google.
• Cookies
• We only use cookies in the management of self-exclusion data to identify the login credentials of staff members accessing the system. No other cookies are used.