Privacy
NoWinNoFee.com is a claims management company that helps people claim compensation for an accident or injury that wasn't their fault
With no win no fee agreements (also known as a Conditional Fee Arrangements, or CFAs), there are no upfront legal fees, which means anyone who has been involved in an accident that wasn’t their fault can gain access to justice without any financial risk. Your solicitor only gets a fee if your claim is successful. If your claim isn't successful, you won’t pay your solicitor any legal fees.
If your case is successful, typically you will pay 25% (including VAT) of your compensation to your solicitor, although they will discuss any fees before starting your case. To ensure your claim is risk free, your solicitor may take out an insurance policy on your behalf. If you terminate the agreement, you may have to pay fees for the time already spent on your claim, or due to: lack of cooperation, misleading your solicitor, missing medical or expert examinations, or not attending court hearings.
There are some instances where you are not required to use the services of a claims management company, and are able to claim yourself, for free, directly via the relevant ombudsman/compensation scheme. These include:
- Criminal injuries: The Criminal Injury Compensation Authority (England, Wales, and Scotland) or the Criminal Injury Compensation Scheme (Northern Ireland)
- Minor road accidents: The Official Injury Claim Portal
- Accidents involving uninsured drivers: The Motor Insurers' Bureau
Privacy Policy
Colour Ventures Limited B2C Privacy Policy
This B2C Privacy Policy explains how we collect, use, store, and protect Personal Data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller Information:
The Data Controller: Colour Ventures Limited.
Registered Office Address: Flannigan Edmonds Bannon, Linenhall Exchange, 1st Floor, 26 Linenhall Street, Belfast, Northern Ireland, BT2 8BG
Company Number: NI070913.
ICO Registration Reference: Z3503241.
Contact Information
Email: contact@nowinnofee.com
What Personal Data We Collect:
We may collect the following Personal Data:
|
Category |
Examples |
|
Identity Data |
Full name, date of birth, gender, identity verification documents (e.g. passport, driving license) |
|
Contact Data |
Home address, email address, phone number, preferred contact method |
|
Claim Information |
Details of your accident or injury, date and location of incident, nature of the claim, how the incident occurred, insurance or claim reference numbers |
|
Health or Vulnerability Data (Special Category Data) |
Health conditions, medical history, injury descriptions, and information provided to identify or support vulnerable circumstances |
|
Criminal Offence Data |
Information relating to suspected or confirmed fraud, impersonation, or unlawful behaviour (e.g. when reported by a partner or law enforcement agency) |
|
Representative Data |
Details of anyone authorised to act on your behalf, including their name, contact info, and evidence of authority (e.g. written permission or power of attorney) |
|
Technical and Usage Data |
IP address, browser type, device type, operating system, usage behaviour, cookies and analytics data collected via tools such as Google Analytics or WildJar |
|
Communication Records |
Recordings of telephone calls, emails, contact form submissions, live chat, and customer service interactions |
|
Referral Data |
Information received from law firms or other regulated partners who refer or update us about your claim status |
|
Complaint and Regulatory Data |
Information shared during complaint investigations or regulatory reviews, including data disclosed to the FCA, FOS, or ICO |
Lawfulness of Processing
To process your Personal Data, we must have an appropriate Lawful Basis. In other words, a legal basis or legal grounds to process your Personal Data is a requirement imposed by the UK GDPR. As such, we process your Personal Data based on and permitted by the following Lawful Bases:
- Consent (Article 6(1)(A) UK GDPR) – where you have given us clear and informed consent (e.g. to refer your details to a partner law firm).
- Legal Obligation (Article 6(1)(C) UK GDPR) – where we are required to process your personal data to comply with legal and regulatory requirements (e.g. FCA, ICO, Financial Ombudsman Service, call recording rules).
- Vital Interests (Article 6(1)(D) UK GDPR) – where processing is necessary to protect someone’s life, such as in an emergency.
- Legitimate Interests (Article 6(1)(F) UK GDPR) – where we or a third party have a legitimate business interest in processing your data, provided your rights and freedoms are not overridden.
Conditions for Processing (Special Category Data)
We are only permitted to process Special Category Data (e.g., health, ethnicity, beliefs, sexual orientation) if we have a Lawful Basis (Article 6 UK GDPR) and a condition under Article 9 UK GDPR. As such, we may rely on:
- Explicit Consent (Article 9(2)(a)) – where you clearly agree to provide and allow us to process sensitive information (e.g. vulnerability support or referral content).
- Vital Interests (Article 9(2)(C) UK GDPR) – where it is necessary to protect your life or someone else’s life and you are physically or legally unable to provide consent (e.g. in an emergency where we must contact emergency services based on disclosures made during a call).
- Legal Claims (Article 9(2)(F) UK GDPR) – where processing is necessary for the establishment, exercise, or defence of legal claims (e.g. complaints handling, disputes, litigation support or law firm referrals).
- Substantial Public Interest (Article 9(2)(G) UK GDPR), where supported by a condition in Schedule 1 of the Data Protection Act 2018:
- Schedule 1, Paragraph 6 – where we are required to process special category data to comply with regulatory requirements, including those imposed by the Financial Conduct Authority (FCA) or the Financial Ombudsman Service (FOS).
- Schedule 1, Paragraph 18 – where we identify and support vulnerable individuals as part of our duty to safeguard the economic well-being of persons at economic risk.
Conditions for Processing (Criminal Offence Data)
We may process data relating to criminal offences (e.g. fraud investigation information, allegations of impersonation, or law enforcement requests). This is known as criminal offence data under Article 10 UK GDPR.
- We will only process such data where:
- The processing is authorised by UK law
- One of the conditions in Schedule 1 of the Data Protection Act 2018 is met
- An appropriate policy document is in place, as required by law
We rely on the following conditions for processing criminal offence data:
- Schedule 1, Paragraph 10 – Processing is necessary for the prevention or detection of unlawful acts
- Schedule 1, Paragraph 14 – Processing is necessary for preventing fraud
- Schedule 1, Paragraph 12 – Legal claims or judicial acts (e.g. where part of dispute or litigation processes)
We maintain an appropriate policy document that outlines our procedures for safeguarding this data and our data retention and review practices.
Purposes for Processing
We will lawfully process your Personal Data for a variety of Purposes, some of which may include:
|
Purpose |
Lawfulness |
Personal Data |
|
Referral to a third-party law firm or regulated claims management company |
Consent (Article 6(1)(A) UK GDPR) Explicit Consent (Article 9(2)(A) UK GDPR) |
Name, contact information, claim details, health data (where voluntarily provided) |
|
Complaint handling and response, including referrals to the Financial Ombudsman Service |
Legal Obligation (Article 6(1)(C) UK GDPR) Legal Claims (Article 9(2)(F) UK GDPR) |
Name, contact info, complaint correspondence, call recordings, communications, special category data (if relevant) |
|
Responding to data protection rights requests |
Legal Obligation (Article 6(1)(C) UK GDPR)
|
Name, contact details, ID verification, and request details |
|
Verifying third-party authority (e.g. acting on behalf of another person) |
Legal Obligation (Article 6(1)(C) UK GDPR) Legitimate Interests (Article 6(1)(F) (necessary to validate authorisation and prevent misuse) |
Name, contact info, representative’s ID/authority documents |
|
Responding to service enquiries |
Legitimate Interests (Article 6(1)(F) (necessary to provide efficient support, services and response continuity) |
Name, contact details, communication content |
|
Supporting vulnerable individuals and offering tailored services |
Consent (Article 6(1)(A) UK GDPR) Substantial Public Interest (Article 9(2)(g), DPA 2018 Schedule 1, Paragraph 18) |
Health data, vulnerability characteristics, and support needs |
|
Regulatory compliance and internal audits (FCA, ICO, etc.) |
Legal Obligation (Article 6(1)(C) UK GDPR) Substantial Public Interest (Article 9(2)(G) UK GDPR, DPA 2018 Schedule 1, Paragraph 6) |
All relevant personal data, including call recordings, communications, and complaint data |
|
Internal quality assurance and compliance monitoring |
Legitimate Interests (Article 6(1)(F) (necessary to ensure service quality and compliance) Substantial Public Interest (Article 9(2)(G) UK GDPR, DPA 2018 Schedule 1, Paragraph 6)
|
Call recordings, notes, and audit observations, special category health data |
|
Hosting, backup, and disaster recovery |
Legitimate Interests (Article 6(1)(F) (necessary for data security, cyber-resilience, to meet regulatory expectations, secure data handling, including in relation to special category data) Public Interest (Article 9(2)(G) UK GDPR, DPA 2018 Schedule 1, Paragraph 6)
|
All personal data processed in the course of service provision |
|
Call tracking, workflow automation, analytics and system diagnostics |
Legitimate Interests (Article 6(1)(F) (necessary to provide services, facilitate the customer journey, monitor performance and technical troubleshooting) |
IP address, phone number, source of contact, technical info, website interaction data |
|
Website functionality and cookie-based tracking |
Consent (Article 6(1)(A) UK GDPR) Regulation 6(1) PECR Regulation 6(2) PECR |
Cookies, session data, browser/device information |
|
Emergency disclosures (e.g. to police, ambulance) |
Vital interests (Article 6(1)(D) UK GDPR) Vital Interests (Article 9(2)(C) UK GDPR) |
Name, contact details, health or location info if disclosed in emergency |
|
Fraud prevention and cooperation with law enforcement |
Legitimate Interests (Article 6(1)(F) UK GDPR) (necessary to prevent fraud and unlawful acts, impersonation, ensure service integrity, and support lawful investigations) Legal Obligation (Article 6(1)(C) UK GDPR) DPA 2018 Schedule 1, Paragraphs 10 (unlawful acts) and 14 (fraud) |
Name, contact info, IP address, call logs, communications |
Sources of Personal Data
We may obtain Personal Data about you from a variety of sources, depending on the purposes for Processing. Sources of Personal may include:
|
Source |
Third Party |
Data Collected from Third Party |
|
You (the data subject) |
No |
N/A |
|
Representatives that seek to and/or act on your behalf |
Yes |
Identity information, contact information, claim details, health or vulnerability information, proof of authority to act (e.g. power of attorney, written consent), complaint information, data protection right request information |
|
Regulators (The Financial Conduct Authority, The Information Commissioner’s Office, The Financial Ombudsman Service (Claims Management Ombudsman) |
Yes |
Identity information, contact information, complaint information, processing information, redress, and resolutions |
|
Law firms and regulated claims management companies |
Yes |
Statistical information, complaints information (forwarded complaints) |
|
Law enforcement, government agencies |
Yes |
Identity information, fraud investigation information, IP address, contact information, case references, and disclosure request information |
Disclosure of Personal Data
Where appropriate, your Personal Data may be disclosed to third parties, including Controllers, Processors and Sub-processors. As detailed within this Policy, disclosure of your Personal Data is contingent on purpose and Lawfulness of that Processing (Article 6 UK GDPR), including any further conditions that may need to be relied upon regarding Special Category Data (Article 9 UK GDPR) and/or Criminal Offence Data (Article 10 UK GDPR and Schedule 1, the UK Data Protection Act 2018).
As such, your Personal Data may be disclosed to the following third parties for the following purposes:
|
Third Party |
Data Disclosed |
Purpose |
Lawful Basis |
|
Law firms |
Full name, contact information |
To assess your claim and contact you about legal services |
Consent (Article 6(1)(A) UK GDPR) |
|
FCA-regulated claims management companies |
Full name, contact information |
To contact you to discuss a potential personal injury claim |
Consent (Article 6(1)(A) UK GDPR) |
|
Information Commissioner’s Office (ICO) |
Communications, investigation correspondence |
Data breach notifications |
Legal Obligation (Article 6(1)(C) UK GDPR) |
|
Police/Law enforcement |
Name, contact information, call recordings, referral data, IP address, and communications |
To prevent or detect crime (e.g. fraud, impersonation, criminal misuse of your service) |
Legitimate Interests (Article 6(1)(F) (necessary to maintain the integrity of services, to prevent fraud, to cooperate with law enforcement, to protect consumers) DPA 2018 Schedule 1 Paragraphs 10 and 14 |
|
Any personal data relevant to an investigation, including identifiers, case notes, communications and call recordings |
To comply with a lawful request, e.g., a court order, data access request, or production order. |
Legal Obligation (Article 6(1)(C) UK GDPR) DPA 2018 Schedule 1 Paragraphs 10 and 14 |
|
|
Call recordings, referral logs, and complaints data |
To comply with legal and regulatory obligations during joint investigations (e.g. FCA + police) |
Legal Obligation (Article 6(1)(C) UK GDPR) DPA 2018 Schedule 1 Paragraphs 6 and 10 |
|
|
Emergency services |
Full name, contact information, and health information |
Lifesaving/emergencies |
Vital interests (Article 6(1)(D) UK GDPR) & (Article 9(2)(D) UK GDPR) |
|
Cloud providers (e.g. AWS) |
All personal data we process |
To ensure we can securely store and recover personal data in the event of a technical failure, cyberattack, or other operational issue. |
N/A – Processor |
|
The Financial Ombudsman Service (Claims Management Ombudsman) |
Complaint details, full name, contact information, call recordings, communications, and third parties to whom your personal data was referred, health information, e.g., relating to the claim or vulnerability information, criminal offence data |
To investigate, resolve and defend against complaints escalated to the Claims Management Ombudsman |
Legal Obligation (Article 6(1)(C) UK GDPR) Legal Claims (Article 9(2)(F) UK GDPR) DPA Schedule 1 Paragraph 12 |
|
Call Recording Service Provider |
May include identity information, contact information, complaints information, data rights request information, claim information, vulnerability information |
To comply with rules imposed by the Financial Conduct Authority |
N/A – Processor |
|
Quality assurance and compliance monitoring |
N/A – Processor |
||
|
Complaint resolution |
N/A – Processor |
||
|
Telephone Number Validation Provider |
Telephone number |
|
N/A – Processor |
|
Call Tracking, Analytics and Contact Management Provider |
Telephone number, Caller ID, Source of the call (which marketing campaign you originated from, e.g., our website) |
To receive, allocate and respond to telephone calls, including identifying the marketing campaign source and real-time call analytics and reporting to manage and improve our service |
N/A – Processor |
|
Workflow Management Provider |
This may include name, contact information and anything you disclose to us concerning services or other purposes |
To automate workflows between applications to facilitate the provision of services |
N/A – Processor |
|
Website Host Provider |
IP address |
To deliver website content to your device, route traffic and maintain server security |
N/A – Processor |
|
Name, contact information |
Facilitates online data capture forms to provide requested services |
Consent (Article 6(1)(A) UK GDPR) |
|
|
Browser type, device information, and operating system |
Website access and support system diagnostics |
N/A – Processor |
|
|
|
Cookies and session data may be stored on or retrieved from your device to enable core website functionality, manage user sessions, remember preferences, and support analytics. |
Consent (Article 6(1)(A) UK GDPR) Regulation 6(1) PECR Regulation 6(2) PECR |
International Transfers of Personal Data
We may transfer Personal Data outside the UK/EEA to third countries when using Processors that may also use Sub-processors. In these circumstances, any transfers should be made where there is an adequacy decision. Where no adequacy decision applies, we and our Processors have Binding Corporate Rules (BCRs) and/or Standard Data Protection Clauses such as an International Data Transfer Addendum (an addendum to the EU’s Standard Contractual Clauses) or an International Data Transfer Agreement. Alternatively, these transfers may be made to a receiver that has signed up to an approved code of conduct or has a certification under an approved certification scheme. Alternatively, a transfer may be covered by an exception specified within the UK GDPR.
How We Protect Your Data:
We take reasonable steps to ensure the security of your Personal Data, including:
- Implementing physical, technical, and administrative safeguards
- Ensuring access to Personal Data is limited to authorised personnel
- Regular training for employees on data protection principles
Automated Decision-Making and Profiling
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of Article 22 of the UK GDPR. All employment-related decisions, including recruitment, performance evaluation, and disciplinary matters, involve meaningful human involvement.
Google Analytics
One of the third-party services we use on our Site is Google Analytics, a web analysis service provided by Google, to better understand your use of the Site and Services. Google Analytics collects information such as how often users visit the Websites, what pages they visit and what other sites they used prior to visiting. Google uses the data collected to track and examine the use of our Site, to prepare reports on its activities and share them with other Google services. Google may use the data collected on our Site to contextualise and personalise the ads of its own advertising network.
More information and opt out: Click here for Google’s privacy policy and here for more information about the kinds of cookies placed by Google. Click here for information about how Google uses data from its partners’ sites or apps, as well as different ways to opt out of Google cookies.
Google offers an opt-out mechanism for the web available here.
Data Retention Periods:
We will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected or as required by law. After this period, data will be securely deleted. To determine the appropriate retention period for Personal Data, We considers the amount, nature and sensitivity of the Personal Data, the potential risk, of harm from unauthorised use or disclosure of Personal Data, and the purposes for which we Process Personal Data and whether we can achieve those purposes through other means, including applicable legal requirements.
The following Data Retention Periods apply. Should you wish to find out more about retention periods, if you cannot locate information that you would expect, please use the contact information provided in this Policy.
|
Records |
Examples of Records |
Retention Period |
Reasoning & Justification |
|
Call recordings and electronic communications relating to claims management services |
Inbound and outbound emails, SMS, complaint correspondence, and inbound and outbound telephone calls, including VOIP. |
12 months from the latest of (1) the conclusion of the handling of the complaint by us or the Financial Ombudsman Service (2) the date of our last contact with you. |
FCA CMCOB 2.3.1R FCA CMCOB 2.3.6R |
|
Complaints records |
Complaint files, investigation notes, acknowledgement letters, written responses, final responses, summary resolution communications, Financial Ombudsman Service correspondence, redress, and resolutions. |
6 years following the conclusion/resolution of the complaint. |
Limitation Act 1980 DISP 2.8.2R DISP 2.8.9R |
|
Referrals to law firms |
Consent, data captured and shared, privacy policy at time of referral, recipient of personal data |
Up to 12 months post-referral. |
Article 12(1)(E) UK GDPR |
|
Vulnerabilities, e.g., characteristics of vulnerability (vulnerable customers) |
Special category health data, support needs, adjustments, signposted organisations, call recordings, electronic communications |
6 years from last contact |
Limitation Act 1980 Article 9(2)(G) UK GDPR DPA 2018 Schedule 1, Paragraph 18 |
|
Data Rights Requests and related records |
Requests, correspondence, ID verification, |
6 years from the date the request is closed |
SYSC 9 Limitation Act 1980 ICO Guidance on Accountability |
|
Quality assurance and compliance monitoring |
Call recordings, communication records, monitoring outcomes, notes and observations |
2 years |
SYSC 3.2.6R PRIN 2A.8 Article 5(2) UK GDPR |
|
Lead source (if we receive your data from third parties with your consent) |
Source/originating firm |
3 years |
FCA CMCOB 2.2.4R |
|
Consent records |
Webforms, timestamps, data captured, privacy policy provided at time of data capture, recipients of personal data, date consent withdrawn |
6 years from the date consent was given or withdrawn |
Article 5(2) UK GDPR Article 6(1)(A) UK GDPR |
Your Rights Under UK GDPR
Under the UK GDPR, individuals have several rights regarding their Personal Data. However, not all rights are absolute. Some may be restricted based on legal obligations, legitimate interests, or the rights of others. Keeping this in mind, you have the following rights regarding your Personal Data:
|
Right |
Summary |
Absolute? |
|
To be informed |
You have the right to clear information about how your data is used. |
Yes |
|
Of access |
You can request access to the Personal Data we hold about you. |
Not always – may be limited if it affects others’ rights or legal matters. |
|
To rectification |
You can ask us to correct or complete inaccurate data. |
Yes |
|
To erasure |
You can request the deletion of data in certain circumstances. |
Limited – doesn’t apply if we have legal or regulatory obligations. |
|
To restrict processing |
You can ask us to pause processing under certain conditions. |
Limited – only applies in specific scenarios. |
|
To data portability |
You can request your data in a portable format (if applicable). |
Limited – only for data processed by consent or contract. |
|
To object |
You can object to processing based on legitimate interests. |
Limited – we may override your objection with compelling grounds. |
|
Not to be subject to automated decisions |
You can object to decisions made solely by automated processing. |
Yes – unless based on contract, law, or explicit consent. |
To exercise your rights, please get in touch using the contact details provided. We will respond within one calendar month, unless the request is complex or multiple, in which case we may extend by a further two months (you will be informed).
Automated Decision-Making and Profiling
We do not use your personal data to carry out any automated decision-making that produces legal or similarly significant effects on you.
We also do not engage in profiling (i.e. automated processing of personal data to evaluate certain personal aspects, such as behaviour, preferences, or interests), unless this is clearly explained and consented to at the point of collection.
Should our approach change in the future, we will update this privacy notice accordingly and inform you if required by law.
Complaints
If you have any concerns about how we handle your Personal Data, we encourage you to contact us first so we can resolve the issue. It is also likely that the Information Commissioner’s Office will require that you first attempt to resolve the matter with us before it can assist.
Generally speaking, you can complain to us about our handling of your Personal Data if we:
- Have not responded to your request for your personal information
- Have not kept your information secure
- Hold inaccurate information about you (unless you provided it)
- Have unlawfully disclosed information about you
- Keep information about you for longer than is necessary
- Have collected information for one reason and use it for something else
- Have not upheld any of your data protection rights
However, you also have the right to lodge a complaint directly with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters:
Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Changes to the Privacy Policy:
We may update this Privacy Policy from time to time. Any changes will be reflected within this Privacy Policy, including the nature of the changes and the date on which they were made.
