Data Protection & Information Collection
Last updated: 18 July 2026
This document sets out how WebOpen collects, handles, and protects information about individuals and businesses that interact with our services. It supplements our Privacy Policy and is governed by the Gibraltar General Data Protection Regulation (Gibraltar GDPR) and the Data Protection Act 2004.
1. Scope of Information Collection
We collect information in the following contexts:
- Public website interactions — form submissions, email enquiries, and service requests (e.g. AI Visibility Audit).
- Backoffice platform use — account registration, project management, invoicing, and team collaboration features for authorised users.
- Client onboarding — business details, authorised representatives, and contractual information.
- Third-party integrations — data imported or synced from connected services (e.g. Google Search Console, domain registrars) with your authorisation.
2. Sources of Information
- Directly from you — when you fill out forms, send emails, or use our backoffice tools.
- Publicly available sources — domain registration data, public business listings, and open web data for AI visibility audits.
- Third-party services — where you authorise us to access external platforms on your behalf.
3. Purposes of Information Collection
We collect and process information for the following purposes:
- To deliver the services you request (website builds, audits, backoffice platforms).
- To manage projects, generate quotes and invoices, and communicate about ongoing work.
- To provide customer support and respond to enquiries.
- To maintain and improve the security, performance, and functionality of our systems.
- To comply with legal, regulatory, and tax obligations in Gibraltar.
4. Consent and Withdrawal
Where our processing is based on your consent (for example, when you request an AI Visibility Audit and tick the consent checkbox), you may withdraw that consent at any time by contacting us at trl@webopen.io. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
5. Accuracy of Information
We rely on you to provide accurate and up-to-date information. If any information you have provided changes, please notify us promptly so we can keep our records accurate.
6. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals. Our AI-powered tools (e.g. visibility audits) produce analytical reports based on public and provided data, but any decisions based on those reports are made by human reviewers.
7. Children's Data
Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.
8. Data Subject Access Requests (DSARs)
You have the right to request confirmation of whether we process your personal data, and if so, to access that data and receive information about how it is being processed. To submit a DSAR, email us at trl@webopen.io with the subject line "Data Subject Access Request".
- We will verify your identity before disclosing personal data.
- We will respond within one calendar month, or up to three months for complex requests, with an explanation of any delay.
- We provide the information free of charge unless the request is manifestly unfounded or excessive.
9. Breach Notification
In the unlikely event of a personal data breach, we will assess the risk to your rights and freedoms. Where the breach is likely to result in a high risk, we will notify affected individuals without undue delay. We will also notify the Gibraltar Regulatory Authority (GRA) within 72 hours of becoming aware of the breach, where required by law.
10. Data Processor Arrangements
Where we engage processors (e.g. cloud hosting providers, email services), we enter into written contracts that require the processor to:
- Process personal data only on documented instructions from us.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate security measures.
- Not engage sub-processors without our prior authorisation.
- Assist us in ensuring compliance with data subject rights and breach notification obligations.
- Return or delete all personal data at the end of the service provision.
11. Contact
For any questions about this Data Protection & Information Collection notice, or to exercise your rights, contact:
Tom Robert Lopes
204 Imperial Ocean Plaza
Gibraltar GX11 1AA
Email: trl@webopen.io
This page is maintained by WebOpen to explain our information collection and data protection practices. It does not constitute legal advice.