Privacy Notice
Effective: 16 July 2026. Version: 1.0.
This notice explains how
WislPort Compliance Limited (registered in Gibraltar, company number 124227)
— trading as EnableGRC — (“we”, “us”, “our”) collects,
uses, and protects personal data when you visit our website, contact us,
or engage our services. We are the data controller for
the personal data described below.
We take data protection seriously — we advise our own clients on ISO 27001 and GDPR compliance, and we hold ourselves to the same standard. This notice is written to be understood, not to be clever.
1. Who we are
| Legal entity | WislPort Compliance Limited (registered in Gibraltar, company number 124227) |
| Trading as | EnableGRC |
| Registered office | G02, Eurocity, Gibraltar, GX11 1AA |
| EU presence | Tallinn, Estonia (via e-Residency) |
| Primary supervisory authority | Gibraltar Regulatory Authority (GRA) |
| Contact for data protection | privacy@enablegrc.ai |
For the purposes of the UK GDPR and EU GDPR, we act as data controller for the personal data described in this notice. Where we provide services to clients, the contractual terms of engagement may designate us as a processor for specific datasets — in those cases, the client’s own privacy notice governs.
2. What personal data we process
We process the following categories:
2.1 Information you give us directly
| Data | Context | Lawful basis |
|---|---|---|
| Name, email, company, role | Booking an intro call, emailing us | Legitimate interests (responding to a business enquiry); ultimately necessary for contract if we engage |
| Phone number | Optional on booking form | Consent (provided at booking) |
| Message content | What you write in your message or enquiry | Legitimate interests |
| Meeting notes and outcomes | Recorded during and after calls for continuity | Legitimate interests |
2.2 Information collected automatically when you visit the site
| Data | Purpose | Lawful basis |
|---|---|---|
| Aggregated, anonymised page views | Understand which content is useful (via Plausible Analytics — cookieless, no IP retained) | Legitimate interests |
| Server logs (IP address, user agent, timestamp) | Site security, incident investigation; retained 30 days | Legitimate interests |
We do not use advertising cookies, tracking pixels, or cross-site identifiers. See our Cookie Policy for details.
2.3 Information we receive from third parties
- LinkedIn / referrals: if you reach us through an introduction or a LinkedIn connection, the introducer’s data and the context of the referral may be retained alongside your enquiry.
3. How we use your data
We use personal data for the following purposes:
- Responding to enquiries — if you book a call or email, we use your data to reply, prepare for the meeting, and follow up.
- Providing services — once you become a client, to deliver the engagement, invoice, and maintain working records.
- Firm administration — billing, accounting, tax compliance, and internal audit evidence.
- Regulatory compliance — satisfying our own obligations (AML, anti-bribery, tax, ISO management system records).
- Security — monitoring and protecting the website, email, and client-facing systems against attack.
We do not use personal data for marketing profiling, automated decision-making, or sale to third parties.
4. Who we share your data with
Personal data is accessed only by the people who need it: our team, and a small number of trusted service providers (processors) who operate under GDPR-compliant Data Processing Agreements.
| Processor | Purpose | Location / data residency |
|---|---|---|
| Microsoft 365 (Exchange Online, SharePoint, OneDrive) | Email, document storage, calendar | EU datacentres (Ireland / Netherlands) |
| HubSpot | CRM, meeting scheduling, deal tracking | EU data residency option enabled |
| Plausible Analytics | Cookieless, anonymous site analytics | EU (Germany) |
| Cloudflare | DNS, content delivery, bot protection | Global edge; no personal data stored beyond edge logs |
QuickBooks |
Invoicing and bookkeeping | United Kingdom |
| Stripe / bank providers | Payment processing for invoices | UK / EU |
We share personal data with these processors only to the extent necessary for the stated purpose. We do not sell personal data.
We may disclose personal data if legally required (court order, regulator request, criminal investigation). We will challenge overbroad requests and notify the data subject where not legally prohibited.
5. International transfers
Where data leaves the EU/UK (for example, to a US-based third-party subprocessor), we rely on the following safeguards:
- Adequacy decisions (UK–EU; EU–UK)
- Standard Contractual Clauses (SCCs) with equivalent safeguards for US or third-country transfers
- Supplementary measures where SCCs alone are insufficient
6. How long we keep data
| Data | Retention | Reason |
|---|---|---|
| Enquiries that do not convert | 12 months | So we can recognise you if you come back |
| Client engagement records | 6 years after engagement ends | Professional services retention standard; tax / audit |
| Financial and tax records | 7 years | Statutory |
| Internal audit + management review records | Minimum 5 years | ISO 27001 / 9001 evidence standards |
| Website analytics (Plausible) | Aggregated indefinitely; no per-user data retained | Legitimate interest |
| Server logs | 30 days | Security investigation window |
After the retention period, data is deleted or irreversibly anonymised.
7. Your rights
Under UK and EU GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase data where we no longer have a basis to hold it
- Restrict processing (temporarily freeze use pending a decision)
- Portability of data you provided us
- Object to processing based on legitimate interests
- Withdraw consent where consent was the basis (e.g. phone number on booking)
- Not be subject to automated decisions (not applicable — we don’t make automated decisions)
To exercise any right, email
privacy@enablegrc.ai. We will respond
within 30 days. We may ask you to verify your identity
so we don’t disclose data to the wrong person.
If you are not satisfied with our response, you have the right to complain to:
- Gibraltar Regulatory Authority (GRA) —
https://www.gra.gi/(primary) - UK Information Commissioner’s Office (ICO) —
https://ico.org.uk/(if you are in the UK) - Your local EU supervisory authority — if you are in the EU
8. Security
We maintain an Information Security Management System (ISMS) that is currently in certification for ISO 27001. Controls include access control, encryption in transit and at rest, incident response, staff security training, and regular audit. The full Statement of Applicability is available to clients under NDA.
9. Changes to this notice
We may update this notice to reflect changes in law, practice, or our services. The current version is shown at the top. Material changes will be notified via the site (banner) and, where we have a direct relationship with you, by email.
10. Contact
| General | hello@enablegrc.ai |
| Data protection queries | privacy@enablegrc.ai |
| Postal | G02, Eurocity, Gibraltar, GX11 1AA |