Q: Do I have to accept cookies to use this site?

No. Strictly necessary cookies - for session security and form submission - are set without asking, because PECR regulation 6(4) permits this. Analytics and marketing cookies are not set unless you give consent through the cookie banner. You can decline non-essential cookies and continue to use the site.

Q: How do I change my cookie preference?

Use the cookie banner shown on first visit, or open the cookie settings link in the footer at any time. You can also clear or block cookies in your browser settings. Withdrawing consent does not affect the lawfulness of processing carried out before consent was withdrawn.

Q: Do you set marketing cookies?

Not at launch. Marketing cookies are only set with your explicit consent and an updated banner. We will update this policy and the banner before any marketing or remarketing cookie is set.

Q: What is the lawful basis for the cookies you set?

Strictly necessary cookies are set in reliance on PECR regulation 6(4) and Article 6(1)(f) UK GDPR (legitimate interests in providing the service you asked for). Analytics and marketing cookies are set in reliance on Article 6(1)(a) UK GDPR (consent) and PECR regulation 6(1) (informed consent before storing or accessing information on the user's device).

Pre-launch notice. Final cookie audit to be confirmed before launch by the data protection officer. The cookie table below is a working draft and will be replaced with the audited list before the cookie banner is set live.

This policy explains the cookies and similar technologies we use on citygripclaims.co.uk, why we use them, the lawful basis we rely on under UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR), and how you can manage your preferences. It complements our privacy policy, which covers personal data processing more generally.

01COOKIE

What cookies are

A cookie is a small text file that a website asks your browser to store on the device you are using. Cookies let a site recognise the same browser across pages and visits - for example, to keep you signed in to a form, to remember the cookie preferences you have already given, or to measure how often a page is read. PECR also covers technologies that work in similar ways, such as local storage, pixel tags, software development kits and device fingerprinting. Throughout this policy we use the word "cookies" as a shorthand for all of these.

Cookies can be first-party (set by the domain you are visiting - for example, citygripclaims.co.uk) or third-party (set by another domain, such as an analytics provider). They can be session cookies (which expire when you close the browser) or persistent cookies (which stay until they expire or you delete them).

Categories we use

We group the cookies we use, or may use, into three categories. The category determines whether consent is required and how long the cookie lasts.

1. Strictly necessary cookies

What they do: support core site functions you have asked for - session security, anti-forgery (CSRF) tokens, load balancing, remembering your cookie-consent choice itself, and keeping you signed in while you fill in the accident-evidence form.
Consent required: No. Set in reliance on PECR regulation 6(4) ("strictly necessary for the provision of an information society service explicitly requested by the user").
Retention: session cookies expire when you close the browser; the consent-record cookie persists for up to 12 months so we do not re-prompt you every visit.
Party: first-party (citygripclaims.co.uk).

2. Analytics cookies

What they do: let us measure how the site is used in aggregate - which pages are read, where users get stuck on the form, how long pages take to load. We use this to improve the service.
Consent required: Yes. Set only after you opt in through the cookie banner. UK GDPR Article 6(1)(a) consent plus PECR regulation 6(1) informed consent.
Retention: typically up to 13 months for the underlying visitor identifier, with shorter session IDs.
Party: first-party if we use a self-hosted analytics service; third-party if we use a hosted provider. We will list the specific provider in the table below once the choice is finalised.

3. Marketing cookies

What they do: measure the effectiveness of marketing campaigns, support remarketing audiences, and attribute claims-form completions to the campaign that brought you to the site.
Consent required: Yes - and explicit. UK GDPR Article 6(1)(a) plus PECR regulation 6(1). At launch, marketing cookies are not set without explicit consent and an updated banner notification.
Retention: typically up to 12 months.
Party: normally third-party (advertising platform domains).

At launch, only strictly necessary cookies are set without consent. The cookie banner is the gateway to analytics; marketing cookies require explicit consent and a banner update before anything is set.

Specific cookies we use

The table below is a working draft of the cookies we expect to set at launch. The final audit - including precise names, domains, retention and purpose - will be signed off by the data protection officer before the banner goes live.

Cookie	Category	Purpose	Retention	Party
cg_session	Strictly necessary	Session identifier for the accident-evidence form	Session	First-party
cg_csrf	Strictly necessary	Cross-site request forgery protection on form submission	Session	First-party
cg_consent	Strictly necessary	Records your cookie-consent choice so we do not re-prompt	12 months	First-party
cg_analytics_id	Analytics (consent)	Aggregate page-usage measurement	Up to 13 months	To confirm

Final cookie audit to be confirmed before launch by the data protection officer.

Lawful basis

Storing or accessing information on a user's device is governed by PECR regulation 6. Any related processing of personal data is also governed by UK GDPR. We rely on the following bases:

Strictly necessary cookies: PECR regulation 6(4) (no consent required) for the storage operation itself, and UK GDPR Article 6(1)(f) (legitimate interests in providing site security and the requested service) for any related processing of personal data.
Analytics cookies: PECR regulation 6(1) informed consent for the storage operation, and UK GDPR Article 6(1)(a) consent for any related processing of personal data. You can withdraw consent at any time.
Marketing cookies: PECR regulation 6(1) informed consent (with the higher explicit-consent standard) for the storage operation, and UK GDPR Article 6(1)(a) for any related processing.

02COOKIE

Managing your preferences

On your first visit you will see a cookie banner that explains the categories and lets you accept all, reject non-essential, or set category-by-category preferences. You can change your preference at any time from the cookie settings link in the footer.

You can also manage cookies in your browser settings. Most browsers let you view the cookies stored, delete them and block them from being set in future. Blocking cookies in the browser is more strict than declining them in our banner - it may stop the strictly-necessary cookies from working, in which case some site functions (for example, the accident form) will not work as expected.

Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

Section 3 of the walkthrough.

Third-party services

If we add analytics (for example, Google Analytics 4, Plausible or Fathom) or other third-party services, we will list them here with retention periods, international transfer details and links to the provider's own privacy notice. This page requires data protection officer sign-off before launch and before any third-party service is wired in.

Third parties acting as our processors are bound by written contracts that meet the requirements of UK GDPR Article 28. Where a provider acts as a controller in its own right (for example, an advertising platform), we tell you so and link to its policy.

04COOKIE

International transfers

Some analytics or marketing providers store data outside the UK and the EEA. Where that is the case, we rely on an adequacy decision under UK GDPR Article 45 if one is in place for the destination country, or on the UK International Data Transfer Agreement / the UK addendum to the EU standard contractual clauses under Article 46. The specific transfers in use will be listed in this section once the third-party choices are finalised by the data protection officer.

Per-cookie register (working draft)

The register below sets out the precise name of each cookie or local-storage item we expect to set at launch, the purpose, the retention period, whether the item is first or third party, the strictly-necessary classification and the lawful basis we rely on. The list will be re-verified by the data protection officer against the deployed banner before launch, in line with the ICO's expectation that organisations conduct and document a comprehensive cookie audit (see the ICO's guidance on the use of cookies and similar technologies at ico.org.uk).

Name	Purpose	Retention	Party	Strictly necessary	Lawful basis
cg_session	Session identifier for the accident-evidence form	Session	First-party	Yes	PECR reg 6(4); UK GDPR Art 6(1)(f)
cg_csrf	Cross-site request forgery token for form posts	Session	First-party	Yes	PECR reg 6(4); UK GDPR Art 6(1)(f)
cg_consent	Stores your cookie-banner choice so we do not re-prompt	12 months	First-party	Yes	PECR reg 6(4); UK GDPR Art 6(1)(c) (record-keeping)
cg_preferences	Stores UI preferences (e.g. text-size, region) you set	12 months	First-party	No (preference)	UK GDPR Art 6(1)(a) consent; PECR reg 6(1)
_vercel_speed_insights	Vercel Speed Insights performance sampling token	Session	First-party (hosted by Vercel)	No	UK GDPR Art 6(1)(a) consent; PECR reg 6(1)
_ga	Google Analytics 4 client identifier (if GA4 is enabled post-audit)	Up to 13 months	Third-party (Google)	No	UK GDPR Art 6(1)(a) consent; PECR reg 6(1)
_ga_<container-id>	GA4 session-state cookie tied to the measurement-ID container	Up to 13 months	Third-party (Google)	No	UK GDPR Art 6(1)(a) consent; PECR reg 6(1)
_gid	Legacy GA short-life visitor identifier (only if Universal Analytics tags survive on a sub-route)	24 hours	Third-party (Google)	No	UK GDPR Art 6(1)(a) consent; PECR reg 6(1)

Names shown with placeholder syntax (for example, the GA4 container-ID suffix) will be replaced with the live identifier in the published register. Where the final analytics or marketing choice does not include a vendor listed above, the row will be removed before launch rather than left in as a hypothetical.

PECR regulation 6 - the storage-and-access rule

The legal rule that controls cookies in the UK sits in regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426). Regulation 6(1) prohibits the storage of information, or the gaining of access to information already stored, on a user's terminal equipment unless the user has been given clear and comprehensive information about the purposes of the storage or access, and has given consent to it. The consent standard is the UK GDPR standard - a freely given, specific, informed and unambiguous indication of the user's wishes by a statement or clear affirmative action. Read the full text of regulation 6 at legislation.gov.uk.

There are two narrow exceptions in regulation 6(4). Storage or access is permitted without consent where it is "for the sole purpose of carrying out the transmission of a communication over an electronic communications network" (the communication-only carve-out) or where it is "strictly necessary for the provision of an information society service requested by the subscriber or user" (the strictly-necessary carve-out). The ICO reads the strictly-necessary exception narrowly - convenience or commercial benefit to the operator does not qualify. We apply that reading: the cookies we set without consent are limited to session security, anti-forgery tokens, and the record of your consent choice itself, all of which are needed to deliver the page or form you have asked for.

Regulation 5A, added in 2018, requires us to keep records of the consent we obtain and to be able to demonstrate that consent was given. We satisfy that by storing the timestamp, version and category-level state of the banner choice inside the cg_consent cookie itself, and by retaining the deployed banner copy in version control so any historical state can be reconstructed.

ICO position - January 2024 advertising-cookies enforcement and the 1 May 2024 guidance update

On 21 November 2023 the ICO wrote to the operators of the UK's most-visited websites warning that non-compliant cookie banners - banners that made it harder to reject cookies than to accept them - would face enforcement action. The follow-up update on 31 January 2024 reported on that work and reaffirmed the regulator's view that "Accept all" and "Reject all" must be available at the same level, with the same visual weight, on the first banner layer. See ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/01/our-approach-on-cookies/.

The ICO updated its formal guidance on cookies and similar technologies on 1 May 2024 to bring the published text in line with the enforcement position. The updated guidance is explicit that pre-ticked boxes, nudge patterns, colour-contrast tricks, confirm-shaming text and any other "dark pattern" that pushes a user towards accepting non-essential cookies will not constitute valid consent. What we do as a result: the live banner offers "Accept all" and "Reject all" as the only two first-layer choices, rendered as buttons of identical size, colour and prominence; a third "Manage preferences" link drops to a category-level dialogue; no category is pre-ticked; rejecting is one click, not a buried multi-step journey.

We also keep the banner copy short, plain and free of inducements to accept. There is no "Accept to view this article" wall and no consent-conditional content gating - the substance of the site, including the claim-intake form, is available whether you accept or reject non-essential cookies.

Browser-by-browser controls

If you want to inspect, delete or block cookies at the browser level - separate from the site banner - every major browser exposes a settings page. The addresses and routes below are the current paths as documented by each browser's official help centre.

Google Chrome (desktop): open chrome://settings/cookies to choose between allowing all cookies, blocking third-party cookies, or blocking all cookies. See support.google.com/chrome/answer/95647.
Mozilla Firefox: open about:preferences#privacy and use the "Cookies and Site Data" panel and the "Enhanced Tracking Protection" setting to block trackers and clear stored data. See support.mozilla.org.
Apple Safari (macOS): Safari menu, then Settings, then the Privacy tab, then "Manage Website Data" to view and remove stored cookies and cache entries. See support.apple.com.
Microsoft Edge: open edge://settings/content/cookies to control cookie storage; the "Tracking prevention" panel at edge://settings/privacy adds tracker-blocking on top.
Brave: open brave://settings/cookies. Brave's Shields feature blocks third-party cookies and known trackers by default; the Shields icon in the address bar exposes per-site controls.
Chrome on Android: tap the three-dot menu, then Settings, then "Site settings", then "Cookies". The same screen lets you block third-party cookies system-wide for the browser.
Safari on iOS / iPadOS: open the Settings app, scroll to Safari, then turn on "Block All Cookies" or "Prevent Cross-Site Tracking"; use "Clear History and Website Data" to wipe stored cookies. See support.apple.com/en-gb/HT201265.

Browser-level blocking is more aggressive than the banner-level reject. If you block all cookies in the browser, the strictly-necessary cookies we use to protect the claim-intake form (session and CSRF tokens) will not be set, and the form will not submit. We recommend declining non-essential cookies in our banner rather than blocking cookies altogether.

05COOKIE

What changes if you decline non-essential cookies

Declining non-essential cookies through the banner has a deliberately limited effect on the substance of the service. Strictly-necessary cookies continue to be set under the PECR regulation 6(4) carve-out, so the accident-evidence form, document-upload step, callback request form and contact form all continue to work end to end. The case-status pages, eligibility checker and policy library are unaffected.

What you lose if you decline: aggregate analytics (we can no longer see which pages you read or where you dropped out of a form), performance sampling (we lose the page-load data that helps us spot a slow route), and any cross-campaign attribution if marketing cookies are enabled in future. We do not use cookies for autofill of personal data on the claim-intake form; the form relies on your browser's own autofill, which is unaffected by either the banner or our cookies. Declining does not show different content, lengthen the form, or trigger additional verification steps - there is no penalty path for users who say no.

Withdrawing consent and DSARs for cookie-set data

Under UK GDPR Article 7(3) you have the right to withdraw your consent at any time, and we have to make withdrawing consent as easy as giving it. Use the "Cookie settings" link in the footer to open the banner again and switch any category off; the change takes effect immediately and any third-party tags whose consent has been withdrawn will stop firing on the next page load. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal, in line with Article 7(3) second sentence. Read Article 7 at legislation.gov.uk.

If analytics or marketing cookies have set a pseudonymous identifier that is linked to you (for example, where you have logged in or submitted a form during the same session), you can exercise the right of access under UK GDPR Article 15 and ask for a copy of the data tied to that identifier. Email our data protection contact at dpo@citygripclaims.co.uk quoting the identifier value (visible in your browser's developer tools under Application, then Cookies) and we will respond within one calendar month, as required by Article 12(3). If you are not satisfied with our response you can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint, by phone on 0303 123 1113, or by post to Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Children and cookies

UK GDPR Article 8, as applied in the United Kingdom by section 9 of the Data Protection Act 2018, sets 13 as the minimum age at which a child can consent on their own behalf to the processing of personal data in the context of information society services offered directly to children. The ICO's Age-Appropriate Design Code ("Children's Code") goes further and applies a set of fifteen standards to any online service likely to be accessed by a child, including a default setting of "minimum data" and a presumption against profiling. See ico.org.uk.

CityGrip Accident Claims is a service for adults pursuing personal-injury and vehicle-damage claims after a road-traffic accident; it is not directed at children under 13 and the claim-intake forms ask for confirmation that the user is at least 18 (or that an adult is submitting on a minor's behalf). We do not knowingly set analytics or marketing cookies on a device used by a child under 13. If you believe a child has interacted with the site, contact our data protection contact and we will delete any associated cookie-set identifiers on request.

Third-party cookie opt-outs

Even where you have not given consent through our banner, third-party advertising and analytics ecosystems offer browser-level and device-level opt-outs that you can use independently of any one site. We list the most useful here so you have a single place to find them rather than searching from each provider's homepage.

Google Analytics opt-out browser add-on: tools.google.com/dlpage/gaoptout - a small extension that blocks the GA JavaScript from running in supported browsers, so the _ga and _ga_* cookies are never written by any site.
Your Online Choices (UK): youronlinechoices.com/uk - the European Digital Advertising Alliance's UK opt-out tool, which writes an opt-out signal for participating advertising networks.
IAB UK Transparency and Consent Framework: iabuk.com/policy/tcf - explains how the TCF consent string is constructed and read by ad-tech vendors; useful if you want to understand or audit a TCF banner on any site.
Network Advertising Initiative: optout.networkadvertising.org - a complementary opt-out covering many North American ad-tech vendors who may also serve UK traffic.

These tools sit on top of, not instead of, the banner: declining marketing cookies on our site will already prevent those tags from running on our pages. The opt-outs above protect you across the wider web.

DPIA, ROPA and our internal records

UK GDPR Article 30 requires every controller to maintain a written record of processing activities (ROPA). CityGrip Accident Claims maintains a ROPA that covers the processing carried out through cookie-set identifiers: the categories of data, the purposes, the retention periods, the recipients (in particular any third-party analytics or marketing processors) and the safeguards that apply to any international transfer. Read Article 30 at legislation.gov.uk.

Where a proposed cookie or tag is likely to result in a high risk to the rights and freedoms of users - for example, large-scale profiling or systematic monitoring - we carry out a Data Protection Impact Assessment under UK GDPR Article 35 before deployment, in line with the ICO's published criteria for when a DPIA is required. The DPIA outcome and the ROPA entry feed into the banner copy and the per-cookie register on this page, so what you see published here is the user-facing summary of an audited internal record. A high-level summary of the ROPA entry for cookie processing is available on request from our data protection contact below.

06COOKIEKey takeaway

Changes to this policy

We will update this policy when cookies are added, removed or change in purpose. The version number and the "last reviewed" date below tell you the state of this policy. Material changes - for example, the introduction of a new third-party analytics provider - will be highlighted on the cookie banner.

Version 1.0. Last reviewed: 15 May 2026.

Contact

If you have a question about this policy, or you want to exercise your data protection rights in relation to cookies and similar technologies, contact our data protection contact at dpo@citygripclaims.co.uk or write to us at 124 City Road, London, EC1V 2NX.

You can also complain to the Information Commissioner's Office, the UK's data protection regulator, at ico.org.uk.

This document requires sign-off by the Data Protection Officer prior to launch. Last reviewed: 15 May 2026.

Cookie policy