Skip to content
UK accident support 24/7
0330 043 3409
CityGripAccident Claims

Legal - version 2.0

Privacy policy

How CityGrip Accident Claims collects, uses, shares and protects personal data - in line with UK GDPR, the Data Protection Act 2018 and ICO guidance.

  • UK GDPR aligned
  • DPA 2018 aligned
  • No data sold
  • ICO complaint route
24/7

UK response

Recovery dispatch and live claim handlers, 365 days a year.

UK cities

45+

Direct coverage

Response

<60m

First contact SLA

Cost

£0

Upfront to driver

Pre-launch notice. This document requires sign-off by the Data Protection Officer prior to launch. Version 2.0, effective 15 May 2026. CityGrip Accident Claims is a UK accident claim management that operates outside the FCA claims-management regulated perimeter; some retention periods below are voluntarily modelled on the FCA Handbook timetable as a quality standard.

This policy explains how Citygrip LTD, trading as CityGrip Accident Claims, collects, uses, shares and protects personal data in connection with our UK accident management services and this website. It is written to satisfy the transparency requirements of UK GDPR Articles 13 and 14 and the Data Protection Act 2018, and is read together with our cookie policy and our vulnerable customer policy.

Who we are

Citygrip LTD, trading as CityGrip Accident Claims, is the data controller for personal data collected through this website and our claims-handling operations. The registered office is 124 City Road, London, EC1V 2NX. Companies House number: TBC.

Our data protection contact is dpo@citygripclaims.co.uk. The data protection contact handles all data-rights requests, queries about this policy, and notifications about possible breaches. Our ICO registration number will be published here once registration is confirmed: TBC. CityGrip Accident Claims is a UK accident claim management that operates outside the FCA claims-management regulated perimeter; any references in this policy to FCA Handbook rules describe standards we voluntarily model on rather than rules that directly bind us.

We are the controller for personal data we collect to provide our own services. Where we refer your matter to a panel solicitor or other regulated partner with your consent, that firm becomes a separate controller for the data it holds about you for its own purposes - its own privacy notice will apply and we will tell you who they are at the point of referral.

Categories of personal data we process

We process the following categories of personal data. Not all categories apply to every customer - for example, special-category data is only collected where it bears on the claim or the support you need.

  • Identity data: name, date of birth, gender, driving-licence details where relevant, signature.
  • Contact data: postal address, email address, telephone numbers, preferred communication channel and times.
  • Claim data: the circumstances of the accident, date, time, location, parties involved, witness details, photographs, police reference numbers, your account of events and any documents you give us.
  • Vehicle data: registration, make, model, year, mileage, service history, MOT history, current value, photographs and engineer reports.
  • Financial data: insurance policy details, premium and excess information, bank account details for any payment we receive on your behalf, invoices and credit-hire agreements.
  • Special-category data: health information relating to injury sustained in the accident, fit-notes, medical reports and rehab assessments; and vulnerability indicators you tell us about so we can support you. We process this only with an Article 9 condition (typically explicit consent under Article 9(2)(a) or the establishment, exercise or defence of legal claims under Article 9(2)(f)).
  • Technical and form-audit data: IP address, device and browser identifiers, form version, timestamps and a saved PDF of submitted forms - used for security and audit.
  • Communications data: emails, letters, file notes from calls, SMS messages and (where notice is given before the call) call recordings.

Lawful bases

We rely on the following lawful bases under UK GDPR Article 6, with the Article 9 conditions noted where special-category data is involved.

  • Contract - Article 6(1)(b). Handling your accident claim and providing the services you have asked for (recovery, storage, repair coordination, replacement vehicle, insurer communication). Pre-contract enquiries fall under the same basis.
  • Legal obligation - Article 6(1)(c). Record-keeping obligations under tax law and anti-money-laundering law where they apply.
  • Legitimate interests - Article 6(1)(f). Coordinating with partners (insurers, recovery agents, engineers, panel solicitors) on your behalf; fraud prevention; staff training and quality assurance; IT and physical security; defending legal claims. Our legitimate-interests assessment balances these against the rights and freedoms of data subjects and is available on request.
  • Consent - Article 6(1)(a) and Article 9(2)(a). Sharing with regulated injury-claim partners; marketing communications where we send them; processing of health and vulnerability data. Consent is recorded separately and can be withdrawn at any time.
  • Legal claims - Article 9(2)(f). Processing of special-category data necessary for establishing, exercising or defending legal claims arising from the accident.

Where the data comes from

Most of the personal data we hold about you comes directly from you - by phone, by email, in writing, or through the accident-evidence form. We also receive data from other sources in the ordinary course of handling a claim:

  • The at-fault driver's insurer and your own insurer.
  • The recovery operator and storage yard handling your vehicle.
  • The engineer carrying out the inspection or valuation.
  • Repairers and credit-hire providers handling the physical work.
  • Medical reporting agencies and clinicians (where you have agreed to a medical report for an injury claim).
  • The Ministry of Justice / Official Injury Claim portal where an OIC claim has been started.
  • The Motor Insurers' Bureau where the other driver is uninsured or untraced.
  • Witnesses, police forces and CCTV operators where evidence is requested.
  • Publicly available sources such as Companies House for business customers.

Who we share data with

We share personal data only with named categories of recipient, and only as far as needed to deliver the service or meet a legal obligation. We do not sell personal data and we do not share it for unrelated marketing.

  • Insurers. Your own insurer and the at-fault driver's insurer (and their loss adjusters and panel solicitors).
  • Panel solicitors. SRA-regulated solicitor firms we refer injury matters to with your specific consent. Their privacy notices apply to data they hold as controllers.
  • Recovery, storage, repair and engineering partners. Operators carrying out the physical work on your vehicle under contract.
  • Credit-hire providers. Where a replacement vehicle is provided on credit-hire terms.
  • Motor Insurers' Bureau. Where the other driver is uninsured or untraced and an MIB claim is necessary.
  • Regulators and authorities. The ICO, the SRA, the Legal Ombudsman, the ASA, HM Revenue & Customs and law-enforcement bodies acting on lawful written requests. Where an authorised partner we introduced you to (an SRA-regulated solicitor or an FCA-authorised firm) is involved, their regulator may also receive data in the ordinary course of that partner’s own supervision.
  • Professional advisers. Our lawyers, accountants, auditors and insurers where they need access in order to advise us.
  • Service providers (processors). IT hosting, cloud storage, secure document handling, SMS and email delivery, call-recording providers and analytics - bound by written Article 28 contracts.
01PRIVACY

International transfers

We aim to keep personal data within the UK and the EEA. Where a processor stores or accesses data outside the UK/EEA, we rely on a UK adequacy decision under UK GDPR Article 45 if one applies, or otherwise on the UK International Data Transfer Agreement / the UK addendum to the EU standard contractual clauses under Article 46. You can ask us for a list of countries involved and the safeguards in place.

Retention periods

We do not keep personal data longer than we need to. The following retention periods apply:

  • Claim records: 7 years from the date the file is closed. This is voluntarily modelled on the FCA Handbook records-retention period applicable to authorised claims-management firms (including DISP complaint records) and aligned with the limitation period for breach of contract under the Limitation Act 1980.
  • Financial and tax records: 6 years from the end of the tax year, as required by HMRC and the Companies Act.
  • Complaint records: at least 6 years from the date of the final response, in line with DISP 1.9.
  • Vulnerability flags and health data: only for as long as the file is open and any subsequent retention period required for regulatory or legal reasons; then deleted or strongly de-identified.
  • Call recordings: typically 12 months, longer where the recording is referenced in a complaint or legal claim.
  • Marketing data: until you withdraw consent or 24 months of inactivity, whichever is sooner.

Retention periods are reviewed annually and can be configured in our admin panel by the data protection contact.

Your rights

Subject to the conditions in UK GDPR, you have the following rights in relation to personal data we hold about you:

  • Access - a copy of the personal data we hold and supporting information (Article 15). Normally within one month of request, free of charge.
  • Rectification - correction of inaccurate or incomplete data (Article 16).
  • Erasure - deletion where the data is no longer needed, consent is withdrawn, or there is no overriding legal basis to keep it (Article 17). Erasure rights are limited where we are subject to a legal retention obligation.
  • Restriction - limiting how we use the data while a dispute is resolved (Article 18).
  • Portability - a machine-readable copy of data you provided to us where processing is based on consent or contract and is automated (Article 20).
  • Objection - to processing based on legitimate interests, on grounds relating to your particular situation, and to direct marketing at any time (Article 21).
  • Withdraw consent - at any time where processing is based on consent (Article 7). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, write to dpo@citygripclaims.co.uk or to the registered office. We may need to confirm your identity before we act on a request. We will respond within one month of receipt, extendable by a further two months for complex or numerous requests with notice.

02PRIVACY

Automated decision-making

We do not make decisions about you with legal or similarly significant effects that are based solely on automated processing. Human staff review and decide each material step in a claim - for example, whether to accept a file, what services to offer, whether to refer to a panel solicitor and the basis for any final response to a complaint. Where we use automated tools (for example, to triage incoming forms or to flag potential fraud indicators), they support a human decision rather than replace it.

PRIVACY

03

Section 3 of the walkthrough.

Marketing consent and PECR

If we send you electronic marketing, it is only where you have given a specific, freely given, informed and unambiguous opt-in (UK GDPR Article 4(11) and PECR regulation 22). Marketing consent is captured separately, is not pre-ticked, is not bundled into the contract, and can be withdrawn at any time using the unsubscribe link in every marketing message or by writing to our data protection contact.

Cookies

We use cookies and similar technologies. The detail - categories, lawful basis, retention, third parties and how to manage your preferences - is in our cookie policy. Strictly necessary cookies are set without consent under PECR regulation 6(4); analytics and marketing cookies are only set with your consent.

04PRIVACY

Call recording and CCTV

Where we record calls, we tell you at the start of the call. The lawful basis is your continued use of the call after notice (consent under Article 6(1)(a)) together with our legitimate interest in training, quality assurance, dispute resolution and fraud prevention (Article 6(1)(f)). Recordings are stored securely, accessed only by colleagues who need them, and retained for the period in the schedule above.

The registered office is covered by limited CCTV for physical security. Footage is retained for 30 days and accessed only on incident, lawful request or as part of an investigation.

05PRIVACY

Security

We use a combination of organisational and technical measures appropriate to the risk: HTTPS for all web traffic, encryption at rest for stored documents, signed URLs and time-limited tokens for document access, role-based access controls, multi-factor authentication for admin staff, audit logs of access to customer records, regular vulnerability reviews of the platform, and staff training on data protection. Breaches that are likely to result in a risk to data subjects are reported to the ICO within 72 hours under UK GDPR Article 33; where the risk to affected individuals is high, we will also tell those individuals directly under Article 34.

Access to claim files is granted on a least-privilege basis: handlers see only the records they are working on, partners see only the records relating to their part of the job, and senior staff with system-administration access are subject to additional logging and review. Removable media is not used in routine handling. Devices issued to staff are managed centrally, encrypted and remotely wipe-able. Physical visitor access to the registered office is logged.

We carry out a data protection impact assessment (DPIA) under UK GDPR Article 35 for any new processing that is likely to result in a high risk to data subjects - for example, before introducing a new analytics platform that handles claim data, or before changing how vulnerability flags are stored. DPIAs are reviewed by the data protection contact and signed off before the processing starts.

06PRIVACYKey takeaway

Children

Our services are aimed at adult drivers and adult passengers. We do not knowingly collect personal data from anyone under 13. Where a claim involves a child passenger (for example, a minor injured in the accident the customer is contacting us about), data about the child is processed in connection with the legal claim under Article 9(2)(f) UK GDPR, with the consent of a person with parental responsibility recorded on the file.

Special-category data - extra safeguards

Health information and vulnerability indicators are special-category data under UK GDPR Article 9. We apply extra safeguards beyond the standard controls: access is restricted to the colleagues who need it for the specific task; the records are flagged so they are excluded from routine bulk exports; explicit consent is obtained at the point of collection unless an alternative Article 9 condition applies (such as the establishment, exercise or defence of legal claims); and the records are deleted or strongly de-identified once they are no longer needed for the purpose for which they were collected.

Our vulnerable customer policy explains in more detail how vulnerability data is identified, recorded and used. See vulnerable customer policy.

Complaints to the ICO

You can complain to us at any time using the channels in our complaints policy. You also have an independent right to complain to the Information Commissioner's Office, the UK regulator for information rights, at ico.org.uk. You do not need to complain to us before going to the ICO, although we would welcome the chance to put things right.

07PRIVACY

How we use partner-provided data and fraud prevention

We receive information from insurers, recovery agents, engineers, repairers, medical reporters and other partners as a normal part of running a claim. Where that information is personal data about you, we record it on your file and use it for the same purposes as data we collect from you directly. Where a partner gives us information that contradicts what we have been told - for example, a salvage value that differs from an earlier estimate - we will raise it with you in writing rather than acting on it without explanation.

In common with the rest of the UK motor-claims industry, we participate in cross-industry fraud prevention. We may share limited personal data with fraud prevention agencies and insurer-shared databases (for example the Claims and Underwriting Exchange, CUE, and the Insurance Fraud Bureau) where we have a reasonable basis to suspect that a claim is fraudulent. The lawful basis is our legitimate interest in preventing fraud, and the substantial public interest condition under Schedule 1 of the Data Protection Act 2018 for any special-category data involved. Honest claimants are not affected.

08PRIVACY

Use of data for service improvement and training

We use claim data - anonymised or aggregated wherever practicable - to review and improve our service. Examples include reviewing how long it takes a recovery agent to attend, how many claims are settled within target times, and which steps in the form most often trigger a customer query. Where colleagues are trained using real-world examples, the examples are de-identified so the customer cannot be recognised from them.

Call recordings and call notes are used for staff coaching and quality assurance. Only the colleagues involved in the coaching see the recording; wider sharing is not part of routine training. Where a customer asks for a call recording to be deleted, we will do so unless it is needed to defend a complaint, comply with a regulatory record-keeping rule, or for the establishment, exercise or defence of a legal claim.

PRIVACY

09

Section 9 of the walkthrough.

Joint controllers, processors and sub-processors

Our IT and operational service providers act as processors on our behalf under written contracts that meet the requirements of UK GDPR Article 28. The contracts oblige the processor to process the data only on our documented instructions, to use appropriate security measures, to assist us with data-subject requests, and to delete or return the data at the end of the contract. Sub-processors are only engaged with our authorisation.

In some scenarios we act as a joint controller with another organisation - for example, where a fleet operator instructs us to handle claims for its drivers, and the operator continues to make some of the decisions about the personal data. In those cases a joint-controller arrangement under UK GDPR Article 26 sets out who is responsible for what, with the essence of the arrangement available to the data subjects affected.

10PRIVACY

Changes to this policy

We will update this policy when our processing changes - for example, if we add a new processor, change retention periods, or take on a new type of regulated activity. The version number and the "last reviewed" date below tell you the state of this policy. Material changes will be notified to affected customers by email or letter.

Version 2.0. Last reviewed: 15 May 2026.

This document requires sign-off by the Data Protection Officer prior to launch. Last reviewed: 15 May 2026.