How Much Could You Claim?
Does your claim qualify? Get free, no obligation advice!
This B2C Privacy Policy explains how we collect, use, store, and protect Personal Data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The Data Controller: Claims.co.uk Limited.
Registered Office Address: 2 Park Street, 1st Floor, London, United Kingdom, W1K 2HX.
Company Number: 06843986.
ICO Registration Reference: Z3503238.
We may collect the following Personal Data:
| Category | Examples |
|---|---|
| Identity Data | Full name, date of birth, gender, identity verification documents (e.g. passport, driving license) |
| Contact Data | Home address, email address, phone number, preferred contact method |
| Claim Information | Details of your accident or injury, date and location of incident, nature of the claim, how the incident occurred, insurance or claim reference numbers |
| Health or Vulnerability Data (Special Category Data) | Health conditions, medical history, injury descriptions, and information provided to identify or support vulnerable circumstances |
| Criminal Offence Data | Information relating to suspected or confirmed fraud, impersonation, or unlawful behaviour (e.g. when reported by a partner or law enforcement agency) |
| Representative Data | Details of anyone authorised to act on your behalf, including their name, contact info, and evidence of authority (e.g. written permission or power of attorney) |
| Technical and Usage Data | IP address, browser type, device type, operating system, usage behaviour, cookies and analytics data collected via tools such as Google Analytics or WildJar |
| Communication Records | Recordings of telephone calls, emails, contact form submissions, live chat, and customer service interactions |
| Referral Data | Information received from law firms or other regulated partners who refer or update us about your claim status |
| Complaint and Regulatory Data | Information shared during complaint investigations or regulatory reviews, including data disclosed to the FCA, FOS, or ICO |
To process your Personal Data, we must have an appropriate Lawful Basis. In other words, a legal basis or legal grounds to process your Personal Data is a requirement imposed by the UK GDPR. As such, we process your Personal Data based on and permitted by the following Lawful Bases:
We are only permitted to process Special Category Data (e.g., health, ethnicity, beliefs, sexual orientation) if we have a Lawful Basis (Article 6 UK GDPR) and a condition under Article 9 UK GDPR. As such, we may rely on:
We may process data relating to criminal offences (e.g. fraud investigation information, allegations of impersonation, or law enforcement requests). This is known as criminal offence data under Article 10 UK GDPR.
We will only process such data where:
We rely on the following conditions for processing criminal offence data:
We maintain an appropriate policy document that outlines our procedures for safeguarding this data and our data retention and review practices.
We will lawfully process your Personal Data for a variety of Purposes, some of which may include:
| Purpose | Lawfulness | Personal Data |
|---|---|---|
| Referral to a third-party law firm or regulated claims management company | Consent (Article 6(1)(A) UK GDPR)
Explicit Consent (Article 9(2)(A) UK GDPR) |
Name, contact information, claim details, health data (where voluntarily provided) |
| Complaint handling and response, including referrals to the Financial Ombudsman Service | Legal Obligation (Article 6(1)(C) UK GDPR)
Legal Claims (Article 9(2)(F) UK GDPR) |
Name, contact info, complaint correspondence, call recordings, communications, special category data (if relevant) |
| Responding to data protection rights requests | Legal Obligation (Article 6(1)(C) UK GDPR)
|
Name, contact details, ID verification, and request details |
| Verifying third-party authority (e.g. acting on behalf of another person) | Legal Obligation (Article 6(1)(C) UK GDPR)
Legitimate Interests (Article 6(1)(F) (necessary to validate authorisation and prevent misuse) |
Name, contact info, representative’s ID/authority documents |
| Responding to service enquiries | Legitimate Interests (Article 6(1)(F) (necessary to provide efficient support, services and response continuity) | Name, contact details, communication content |
| Supporting vulnerable individuals and offering tailored services | Consent (Article 6(1)(A) UK GDPR)
Substantial Public Interest (Article 9(2)(g), DPA 2018 Schedule 1, Paragraph 18) |
Health data, vulnerability characteristics, and support needs |
| Regulatory compliance and internal audits (FCA, ICO, etc.) | Legal Obligation (Article 6(1)(C) UK GDPR)
Substantial Public Interest (Article 9(2)(G) UK GDPR, DPA 2018 Schedule 1, Paragraph 6) |
All relevant personal data, including call recordings, communications, and complaint data |
| Internal quality assurance and compliance monitoring | Legitimate Interests (Article 6(1)(F) (necessary to ensure service quality and compliance)
Substantial Public Interest (Article 9(2)(G) UK GDPR, DPA 2018 Schedule 1, Paragraph 6)
|
Call recordings, notes, and audit observations, special category health data |
| Hosting, backup, and disaster recovery | Legitimate Interests (Article 6(1)(F) (necessary for data security, cyber-resilience, to meet regulatory expectations, secure data handling, including in relation to special category data)
Public Interest (Article 9(2)(G) UK GDPR, DPA 2018 Schedule 1, Paragraph 6)
|
All personal data processed in the course of service provision |
| Call tracking, workflow automation, analytics and system diagnostics | Legitimate Interests (Article 6(1)(F) (necessary to provide services, facilitate the customer journey, monitor performance and technical troubleshooting) | IP address, phone number, source of contact, technical info, website interaction data |
| Website functionality and cookie-based tracking | Consent (Article 6(1)(A) UK GDPR)
Regulation 6(1) PECR Regulation 6(2) PECR |
Cookies, session data, browser/device information |
| Emergency disclosures (e.g. to police, ambulance) | Vital interests (Article 6(1)(D) UK GDPR)
Vital Interests (Article 9(2)(C) UK GDPR) |
Name, contact details, health or location info if disclosed in emergency |
| Fraud prevention and cooperation with law enforcement | Legitimate Interests (Article 6(1)(F) UK GDPR) (necessary to prevent fraud and unlawful acts, impersonation, ensure service integrity, and support lawful investigations)
Legal Obligation (Article 6(1)(C) UK GDPR) DPA 2018 Schedule 1, Paragraphs 10 (unlawful acts) and 14 (fraud) |
Name, contact info, IP address, call logs, communications |
We may obtain Personal Data about you from a variety of sources, depending on the purposes for Processing. Sources of Personal may include:
| Source | Third Party | Data Collected from Third Party |
|---|---|---|
| You (the data subject) | No | N/A |
| Representatives that seek to and/or act on your behalf | Yes | Identity information, contact information, claim details, health or vulnerability information, proof of authority to act (e.g. power of attorney, written consent), complaint information, data protection right request information |
| Regulators (The Financial Conduct Authority, The Information Commissioner’s Office, The Financial Ombudsman Service (Claims Management Ombudsman) | Yes | Identity information, contact information, complaint information, processing information, redress, and resolutions |
| Law firms and regulated claims management companies | Yes | Statistical information, complaints information (forwarded complaints) |
| Law enforcement, government agencies | Yes | Identity information, fraud investigation information, IP address, contact information, case references, and disclosure request information |
Where appropriate, your Personal Data may be disclosed to third parties, including Controllers, Processors and Sub-processors. As detailed within this Policy, disclosure of your Personal Data is contingent on purpose and Lawfulness of that Processing (Article 6 UK GDPR), including any further conditions that may need to be relied upon regarding Special Category Data (Article 9 UK GDPR) and/or Criminal Offence Data (Article 10 UK GDPR and Schedule 1, the UK Data Protection Act 2018).
As such, your Personal Data may be disclosed to the following third parties for the following purposes:
| Third Party | Data Disclosed | Purpose | Lawful Basis |
|---|---|---|---|
| Law firms | Full name, contact information | To assess your claim and contact you about legal services | Consent (Article 6(1)(A) UK GDPR) |
| FCA-regulated claims management companies | Full name, contact information | To contact you to discuss a potential personal injury claim | Consent (Article 6(1)(A) UK GDPR) |
| Information Commissioner’s Office (ICO) | Communications, investigation correspondence | Data breach notifications | Legal Obligation (Article 6(1)(C) UK GDPR) |
| Police/Law enforcement | Name, contact information, call recordings, referral data, IP address, and communications | To prevent or detect crime (e.g. fraud, impersonation, criminal misuse of your service) | Legitimate Interests (Article 6(1)(F) (necessary to maintain the integrity of services, to prevent fraud, to cooperate with law enforcement, to protect consumers)
DPA 2018 Schedule 1 Paragraphs 10 and 14 |
| Any personal data relevant to an investigation, including identifiers, case notes, communications and call recordings | To comply with a lawful request, e.g., a court order, data access request, or production order. | Legal Obligation (Article 6(1)(C) UK GDPR)
DPA 201 8 Schedule 1 Paragraphs 10 and 14 |
|
| Call recordings, referral logs, and complaints data | To comply with legal and regulatory obligations during joint investigations (e.g. FCA + police) | Legal Obligation (Article 6(1)(C) UK GDPR)
DPA 2018 Schedule 1 Paragraphs 6 and 10 |
|
| Emergency services | Full name, contact information, and health information | Lifesaving/emergencies | Vital interests (Article 6(1)(D) UK GDPR) & (Article 9(2)(D) UK GDPR) |
| Cloud providers (e.g. AWS) | All personal data we process | To ensure we can securely store and recover personal data in the event of a technical failure, cyberattack, or other operational issue. | N/A – Processor |
| The Financial Ombudsman Service (Claims Management Ombudsman) | Complaint details, full name, contact information, call recordings, communications, and third parties to whom your personal data was referred, health information, e.g., relating to the claim or vulnerability information, criminal offence data | To investigate, resolve and defend against complaints escalated to the Claims Management Ombudsman | Legal Obligation (Article 6(1)(C) UK GDPR)
Legal Claims (Article 9(2)(F) UK GDPR) DPA Schedule 1 Paragraph 12 |
| Call Recording Service Provider | May include identity information, contact information, complaints information, data rights request information, claim information, vulnerability information | To comply with rules imposed by the Financial Conduct Authority | N/A – Processor |
| Quality assurance and compliance monitoring | N/A – Processor | ||
| Complaint resolution | N/A – Processor | ||
| Telephone Number Validation Provider | Telephone number | N/A – Processor | |
| Call Tracking, Analytics and Contact Management Provider | Telephone number, Caller ID, Source of the call (which marketing campaign you originated from, e.g., our website) | To receive, allocate and respond to telephone calls, including identifying the marketing campaign source and real-time call analytics and reporting to manage and improve our service | N/A – Processor |
| Workflow Management Provider | This may include name, contact information and anything you disclose to us concerning services or other purposes | To automate workflows between applications to facilitate the provision of services | N/A – Processor |
| Website Host Provider | IP address | To deliver website content to your device, route traffic and maintain server security | N/A – Processor |
| Name, contact information | Facilitates online data capture forms to provide requested services | Consent (Article 6(1)(A) UK GDPR) | |
| Browser type, device information, and operating system | Website access and support system diagnostics | N/A – Processor | |
| Cookies and session data may be stored on or retrieved from your device to enable core website functionality, manage user sessions, remember preferences, and support analytics. | Consent (Article 6(1)(A) UK GDPR)
Regulation 6(1) PECR Regulation 6(2) PECR |
We may transfer Personal Data outside the UK/EEA to third countries when using Processors that may also use Sub-processors. In these circumstances, any transfers should be made where there is an adequacy decision. Where no adequacy decision applies, we and our Processors have Binding Corporate Rules (BCRs) and/or Standard Data Protection Clauses such as an International Data Transfer Addendum (an addendum to the EU’s Standard Contractual Clauses) or an International Data Transfer Agreement. Alternatively, these transfers may be made to a receiver that has signed up to an approved code of conduct or has a certification under an approved certification scheme. Alternatively, a transfer may be covered by an exception specified within the UK GDPR.
How We Protect Your Data:
We take reasonable steps to ensure the security of your Personal Data, including:
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of Article 22 of the UK GDPR. All employment-related decisions, including recruitment, performance evaluation, and disciplinary matters, involve meaningful human involvement.
One of the third-party services we use on our Site is Google Analytics, a web analysis service provided by Google, to better understand your use of the Site and Services. Google Analytics collects information such as how often users visit the Websites, what pages they visit and what other sites they used prior to visiting. Google uses the data collected to track and examine the use of our Site, to prepare reports on its activities and share them with other Google services. Google may use the data collected on our Site to contextualise and personalise the ads of its own advertising network.
More information and opt out: Click here for Google’s privacy policy and here for more information about the kinds of cookies placed by Google. Click here for information about how Google uses data from its partners’ sites or apps, as well as different ways to opt out of Google cookies.
Google offers an opt-out mechanism for the web available here.
Data Retention Periods:
We will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected or as required by law. After this period, data will be securely deleted. To determine the appropriate retention period for Personal Data, We considers the amount, nature and sensitivity of the Personal Data, the potential risk, of harm from unauthorised use or disclosure of Personal Data, and the purposes for which we Process Personal Data and whether we can achieve those purposes through other means, including applicable legal requirements.
The following Data Retention Periods apply. Should you wish to find out more about retention periods, if you cannot locate information that you would expect, please use the contact information provided in this Policy.
| Records | Examples of Records | Retention Period | Reasoning & Justification |
|---|---|---|---|
| Call recordings and electronic communications relating to claims management services | Inbound and outbound emails, SMS, complaint correspondence, and inbound and outbound telephone calls, including VOIP. | 12 months from the latest of (1) the conclusion of the handling of the complaint by us or the Financial Ombudsman Service (2) the date of our last contact with you. | FCA CMCOB 2.3.1R
FCA CMCOB 2.3.6R |
| Complaints records | Complaint files, investigation notes, acknowledgement letters, written responses, final responses, summary resolution communications, Financial Ombudsman Service correspondence, redress, and resolutions. | 6 years following the conclusion/resolution of the complaint. | Limitation Act 1980
DISP 2.8.2R DISP 2.8.9R |
| Referrals to law firms | Consent, data captured and shared, privacy policy at time of referral, recipient of personal data | Up to 12 months post-referral. | Article 12(1)(E) UK GDPR |
| Vulnerabilities, e.g., characteristics of vulnerability (vulnerable customers) | Special category health data, support needs, adjustments, signposted organisations, call recordings, electronic communications | 6 years from last contact | Limitation Act 1980
Article 9(2)(G) UK GDPR DPA 2018 Schedule 1, Paragraph 18 |
| Data Rights Requests and related records | Requests, correspondence, ID verification, | 6 years from the date the request is closed | SYSC 9
Limitation Act 1980 ICO Guidance on Accountability |
| Quality assurance and compliance monitoring | Call recordings, communication records, monitoring outcomes, notes and observations | 2 years | SYSC 3.2.6R
PRIN 2A.8 Article 5(2) UK GDPR |
| Lead source (if we receive your data from third parties with your consent) | Source/originating firm | 3 years | FCA CMCOB 2.2.4R |
| Consent records | Webforms, timestamps, data captured, privacy policy provided at time of data capture, recipients of personal data, date consent withdrawn | 6 years from the date consent was given or withdrawn | Article 5(2) UK GDPR
Article 6(1)(A) UK GDPR |
Under the UK GDPR, individuals have several rights regarding their Personal Data. However, not all rights are absolute. Some may be restricted based on legal obligations, legitimate interests, or the rights of others. Keeping this in mind, you have the following rights regarding your Personal Data:
| Right | Summary | Absolute? |
|---|---|---|
| To be informed | You have the right to clear information about how your data is used. | Yes |
| Of access | You can request access to the Personal Data we hold about you. | Not always – may be limited if it affects others’ rights or legal matters. |
| To rectification | You can ask us to correct or complete inaccurate data. | Yes |
| To erasure | You can request the deletion of data in certain circumstances. | Limited – doesn’t apply if we have legal or regulatory obligations. |
| To restrict processing | You can ask us to pause processing under certain conditions. | Limited – only applies in specific scenarios. |
| To data portability | You can request your data in a portable format (if applicable). | Limited – only for data processed by consent or contract. |
| To object | You can object to processing based on legitimate interests. | Limited – we may override your objection with compelling grounds. |
| Not to be subject to automated decisions | You can object to decisions made solely by automated processing. | Yes – unless based on contract, law, or explicit consent. |
To exercise your rights, please get in touch using the contact details provided. We will respond within one calendar month, unless the request is complex or multiple, in which case we may extend by a further two months (you will be informed).
We do not use your personal data to carry out any automated decision-making that produces legal or similarly significant effects on you.
We also do not engage in profiling (i.e. automated processing of personal data to evaluate certain personal aspects, such as behaviour, preferences, or interests), unless this is clearly explained and consented to at the point of collection.
Should our approach change in the future, we will update this privacy notice accordingly and inform you if required by law.
If you have any concerns about how we handle your Personal Data, we encourage you to contact us first so we can resolve the issue. It is also likely that the Information Commissioner’s Office will require that you first attempt to resolve the matter with us before it can assist.
Generally speaking, you can complain to us about our handling of your Personal Data if we:
–
However, you also have the right to lodge a complaint directly with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters:
Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Changes to the Privacy Policy:
We may update this Privacy Policy from time to time. Any changes will be reflected within this Privacy Policy, including the nature of the changes and the date on which they were made.
When you submit your details, you'll be in safe hands. Our partners are National Accident Helpline (a brand of National Accident Law, a firm of personal injury solicitors regulated by the Solicitors Regulation Authority). They are the UK's leading personal injury service. Their friendly legal services advisers will call you to talk about your claim and give you free, no-obligation advice. National Accident Law may pay us a marketing fee for our services.
By submitting your personal data, you agree for your details to be sent to National Accident Law so they can contact you to discuss your claim.
If you win your case, your solicitor's success fee will be taken from the compensation you are awarded - up to a maximum of 25%. Your solicitor will discuss any fees before starting your case.
Our experts
