Privacy policy

Effective 27 June 2026 · Alexandria Museum Pass Desk LLC · Tax ID 801-547-293

1. Controller identity

Alexandria Museum Pass Desk LLC, registered with GAFI under registry number 516738, operates museumpass-1.cyou and processes personal data from its office at 18 Saad Zaghloul Street, Alexandria, Alexandria Governorate 21500, Egypt. Data protection enquiries: [email protected] or +20 3 4872 6190.

2. Scope

This policy covers data collected through our website contact form, email threads, phone calls, and walk-in visits at Saad Zaghloul Street. It does not govern third-party museum ticket counters, payment gateways operated by banks, or cruise line shore desks you interact with independently.

3. Categories of data collected

We may process: full name, email address, telephone number, travel dates, party composition, hotel district or ship name, mobility requirements, museum preferences, pass tier selection, payment reference numbers for invoicing, and correspondence content you voluntarily provide. We do not collect government ID numbers unless required for corporate invoicing you initiate.

4. Purposes of processing

Data is used to draft museum pass itineraries, call venues for availability verification, issue invoices with ETA Tax ID, respond to support questions, and maintain accounting records under Egyptian commercial law. We do not use your data for behavioural advertising or sell lists to hotel brokers.

5. Legal bases

Processing rests on contract performance when you request a paid pass plan, consent when you tick the contact form checkbox linking to this policy, and legitimate interest for fraud prevention and service improvement analytics limited to aggregate counts without personal identifiers.

6. Retention periods

Active itinerary projects: retained until thirty days after your stated departure date unless you request earlier deletion. Invoices and payment records: seven years per Egyptian tax regulations. Marketing enquiries without purchase: deleted after eighteen months of silence. Contact form spam filtered by manual review is deleted immediately.

7. Sharing with third parties

We share necessary details with museum venue desks only when you authorise hold requests—typically name, party size, and date window. Hosting providers storing website files may process server logs with IP addresses for security. We do not transfer data outside Egypt except when you use email providers whose servers route internationally; minimise sensitive content in email if that concerns you.

8. Cookies and tracking

museumpass-1.cyou does not deploy Google Analytics, Meta Pixel, or third-party advertising cookies. The site may store strictly functional preferences in session storage when form scripts run locally. No cookie banner is shown because non-essential cookies are absent.

9. Security measures

Office workstations use password locks and encrypted disks. Email mailboxes require two-factor authentication for staff accounts. Paper route sheets are shredded after digitisation unless you request physical pickup. No system is perfectly secure; report suspected breaches promptly so we can rotate credentials and notify affected clients.

10. Your rights

You may request access, correction, deletion, restriction, or portability of personal data we hold by emailing [email protected] with subject line Privacy Request. We respond within thirty days. You may withdraw consent for future marketing messages without affecting completed contracts. You may lodge complaints with Egypt's Personal Data Protection Centre when applicable regulations enter force for your case category.

11. Children

Services are directed at adults planning travel. If a parent submits data about minors for itinerary pacing, we process only what is necessary for museum capacity notes and do not market to children.

12. Automated decision-making

We do not use automated profiling to deny services. Coordinators manually review every pass request. Form submission triggers a client-side redirect simulation without scoring algorithms.

13. Policy updates

We post revisions on this page with a new effective date. Material changes affecting active clients are emailed when we have a current address on file. Continued use after notice constitutes acceptance for non-material edits.

14. Contact for privacy matters

Alexandria Museum Pass Desk LLC
18 Saad Zaghloul Street
Alexandria, Alexandria Governorate 21500
Egypt
Tax ID (ETA): 801-547-293
GAFI Registry: 516738
[email protected]

Return to contact or home.

15. International data transfers

Email providers and hosting infrastructure may route messages through servers outside Egypt. If you correspond from corporate addresses in the EU or UK, your employer's policies may impose additional safeguards. We minimise sensitive attachments and encourage password-protected PDF itineraries only when clients request them.

16. Marketing communications

We send itinerary drafts and invoice messages related to your request. We do not subscribe you to newsletter lists without separate opt-in. Seasonal museum closure alerts go only to clients with active projects inside affected date ranges.

17. Data breach notification

If we detect unauthorised access to itinerary archives or contact databases, we will notify affected clients by email within seventy-two hours with steps taken and recommended precautions. Egyptian regulatory notification will follow when legal obligations apply to our business category.

18. Processor agreements

Hosting vendors process server logs under contract terms requiring reasonable security. We do not sell data to brokers. Museum venues act as independent controllers when you purchase tickets directly from them—we cannot control their receipt practices.

19. Archival research use

Anonymised timing statistics (for example average Qaitbay queue wait in April) may appear in internal training slides without names or email addresses. Opt out by stating "no analytics use" in your first contact form message.

20. Governing language

This policy is published in English for international visitors. Egyptian commercial law governs disputes. Courts in Alexandria Governorate have jurisdiction unless mandatory consumer protections in your home country require otherwise for B2C contracts you initiate from abroad.

21. Detailed processing register

Contact form submissions create a row in our itinerary CRM with timestamp, pass tier, and travel date range. Coordinators append phone call logs when museums are contacted—logs contain date, venue name, and outcome, not full conversation transcripts unless you request recording compliance notes.

Invoice PDFs store billing name, address if provided, EGP amounts, Tax ID 801-547-293, and payment reference. Accounting exports purge card details after settlement; we do not store full PAN numbers on local disks.

Walk-in visitors may sign a paper intake sheet photographed into the CRM then shredded within seven days after digitisation unless you request a physical copy.

22. Your rights in practice

Access requests receive a PDF summary of fields we hold within thirty days. Deletion requests after itinerary delivery remove marketing copies but may retain invoice rows for statutory tax retention. Restriction requests pause non-essential follow-up emails while an active dispute is reviewed by a supervisor at Saad Zaghloul Street.

23. Contact form field purposes

Name and email identify your thread and deliver PDF itineraries. Phone enables same-day pivot calls for Coordinator tier clients during closures. Pass tier select routes your request to the correct coordinator skill set. Message body stores travel dates and museum priorities in CRM notes retained until thirty days after departure unless deletion requested. Consent checkbox timestamp is logged as proof of policy acceptance.

24. Third-party museum counters

When you purchase tickets at Bibliotheca or Graeco-Roman counters, those venues may collect name or nationality for statistics. We do not control their forms. Ask venue staff directly if you want their receipt discarded or anonymised per their policies.

25. Supervisory authority contact

Egypt Personal Data Protection Centre oversight applies as regulations mature. Until full registration requirements bind our category, direct privacy disputes to [email protected] with supervisor escalation within five business days.

26. Document retention schedule

CRM threads: travel date plus thirty days. Invoices: seven years. Marketing inquiries without purchase: eighteen months. Spam submissions: immediate delete. Phone pivot logs: ninety days anonymised.

27. Law enforcement requests

We respond to valid Egyptian court orders for itinerary records when legally compelled. Clients receive notice when law permits. Voluntary disclosure to police without order is limited to imminent harm situations documented internally.

28. Data minimisation practice

We do not collect passport numbers in contact forms. Hotel names are optional. Reduce shared personal data in email threads when possible—we only need party size and dates for sequencing.

Privacy requests sent to [email protected] with subject Privacy Request route to the same supervisor who signs final pass sheets.

29. Consent withdrawal

You may withdraw marketing consent anytime without affecting paid itinerary delivery already in progress. Withdrawal applies forward-only; we cannot unsend PDFs already delivered. Email [email protected] with subject Consent Withdrawal and we flag your CRM row within two business days. Supervisor confirmation is emailed back for your records. Paper walk-in intake sheets follow the same retention rules as digital CRM rows described in section 26. Questions about children’s data should reference section 11 above.