Privacy policy
Effective 1 January 2026 · Museum Pass Egypt Co., 42 Sheraton Road, Hurghada 84511, Egypt
1. Data controller
Museum Pass Egypt Co. (ETA Tax ID 718-946-203, GAFI Registry 541907) operates the website museum-pass.sbs and the Sheraton Road walk-in desk. For privacy inquiries email [email protected] or call +20 65 344 8921 during office hours Sunday through Thursday 08:00–19:00 Egypt time.
2. Scope
This policy covers personal data collected through our contact form, email, phone, walk-in consultations, and payment records related to route planning services. It does not govern third-party excursion operators, airlines, or hotels you book separately—even when we recommend them in dossiers.
3. Categories of data we collect
Identity and contact: name, email, phone, resort name, travel dates, party composition, ages of children, activity preferences.
Travel documents: passport copies only when domestic flights or certain operator manifests require them; certification numbers for dive planning when relevant.
Payment: bank transfer references, card receipt metadata—we do not store full card numbers on our servers.
Technical: basic server logs (IP address, browser type, timestamp) retained thirty days for security.
4. Purposes and legal bases
We process data to prepare route dossiers, issue ETA-compliant invoices, coordinate pickups with operators, respond to corrections, and comply with Egyptian tax record-keeping. Contract performance covers paid planning tiers; legitimate interest covers fraud prevention and service improvement; consent covers optional marketing emails you may opt into separately.
5. How the contact form works
Submissions use POST method and are handled by our coordinators—not sold to lead brokers. JavaScript displays a processing message before redirecting to thank-you.html; no payment occurs through the form itself. Form data lands in encrypted mailbox storage accessible only to assigned coordinators.
6. Retention periods
- Quote requests without payment: deleted twelve months after last contact.
- Paid planning dossiers: retained seven years for tax audit per Egyptian regulations.
- Passport copies: deleted thirty days after travel completion unless a flight dispute extends need.
- Server logs: thirty days.
7. Sharing with third parties
We share minimum necessary data with coach, boat, and airline operators only after you approve a written frame. Transfers include names, pickup points, and manifest requirements. We do not share data for unrelated marketing. Payment processors receive only transaction amounts and receipt details.
8. International transfers
Our primary systems reside in Egypt. Email may route through international providers; we choose vendors with standard contractual clauses where applicable. EU and UK guests may request transfer summaries by email.
9. Security measures
Office workstations use disk encryption; passport attachments live in password-protected folders with access limited to Nadia Saeed and Yasmine El-Khouly for flight dossiers. Walk-in paper forms are shredded after digitization within five business days.
10. Your rights
You may request access, correction, deletion (where not conflicting with tax retention), restriction, or portability by emailing [email protected] with proof of identity. We respond within thirty days. You may lodge complaints with the Egyptian Personal Data Protection Centre when operational.
11. Cookies and tracking
This site does not use advertising cookies, analytics pixels, or social trackers. No Facebook Pixel, Google Analytics, or similar scripts load on any page. Functional storage is limited to what your browser caches normally.
12. Children
Parents submit data about minors for pickup logistics. We do not market to children. Age information is used only to schedule appropriate activities.
13. Changes
Material updates appear on this page with a revised effective date. Continued use after changes constitutes acceptance for new processing where consent is not required.
14. Contact for privacy requests
Museum Pass Egypt Co., 42 Sheraton Road, Hurghada 84511, Egypt
Tax ID (ETA): 718-946-203 | GAFI Registry: 541907
Email: [email protected]
Tel: +20 65 344 8921
15. Marketing communications
We send itinerary updates and correction notices related to your booking. Promotional newsletters require separate opt-in checked at payment—not pre-ticked by default. Unsubscribe links appear in every marketing email; transactional route emails continue until travel completes because they carry safety timing updates.
16. Automated decision-making
We do not use automated profiling or credit scoring. Coordinator assignment follows human specialty rules described on the contact page. No algorithmic pricing surges based on browser type or nationality.
17. Data breach notification
If a breach affecting your passport copy or payment metadata occurs, we notify affected guests within seventy-two hours with remediation steps and Egyptian authority contacts when legally required. To date no such breach has occurred at our Sheraton Road office systems.
18. Walk-in paper forms
Paper briefs completed by guests are digitized within five business days; originals are shredded unless you request return pickup. Paper carries the same retention rules as digital dossiers once scanned.
19. Third-party links
Our guides link only to internal pages and mailto/tel URIs—no external analytics or social widgets. Operator websites we mention textually are not embedded; we avoid referrer leakage to unverified domains.
20. Glossary
Personal data means any information relating to an identified or identifiable guest. Processing includes collection, storage, deletion, and sharing with excursion operators after approval. Controller is Museum Pass Egypt Co. for all processing described here.
21. Law enforcement requests
Egyptian authorities may request data under valid legal process. We review warrants with local counsel before disclosure beyond statutory minimums. Guests receive notice when law permits informing them about requests concerning their dossiers.
22. Processor relationships
Email hosting and encrypted storage vendors act as processors under contract clauses requiring deletion upon our instruction. No processor may use guest data for independent marketing. Lists are reviewed annually.
23. Anonymous analytics absence
Because we operate without web analytics, we cannot provide browsing history—we simply never collected it. Server logs remain the only technical metadata as described in section three.
24. Consent withdrawal
Marketing opt-out is immediate; transactional travel messages continue until itinerary completion for safety. Withdrawal of planning consent mid-itinerary may limit our ability to coordinate operator changes on your behalf.
25. Supervisory authority contact
Data subjects may contact the Egyptian Personal Data Protection Centre as supervisory authority when operational. Museum Pass Egypt Co. cooperates with lawful investigations while advocating minimal disclosure consistent with guest privacy.
26. Record of processing activities
We maintain internal registers listing processing purposes, categories, recipients, retention, and security measures described in this policy—available to auditors and regulators upon lawful request, not published publicly to reduce social engineering risk.
27. Version history
The January 2026 rewrite expanded passport retention, walk-in shredding, and marketing opt-in clarity. The prior July 2023 policy is archived offline for seven-year tax alignment. Active guests are notified of material changes by email when addresses remain valid.
28. Data minimization examples
Boat manifests receive names and hotel only—not full passport scans unless the coast guard requests them for specific routes. Payment receipts exclude card numbers beyond last four digits when processors supply them. Feedback forms anonymize quotes in public guide updates unless testimonial permission is granted separately.
29. Guest access requests
Email [email protected] with identity verification via a reply from the same address or the last four digits of the passport number matching the dossier. The export is delivered within thirty days as a PDF summary of stored fields—not raw operator emails containing third-party data without their consent.
30. Children's data
Parents provide child names and ages for life jacket sizing and coach seat planning. We do not market to minors. School group manifests may list student names with institution consent forms held by organizing teachers—we store copies only when group-coordinator contracts require chaperone liability documentation.
31. Data retention disputes
If you believe we retain data beyond stated periods, email [email protected] with subject line Retention Review. We audit within fourteen days and confirm deletion timestamps or legal hold reasons tied to tax audit windows.
32. Contact data accuracy
Guests are responsible for typos in email addresses on forms—undeliverable quotes bounce to spam queues reviewed weekly. Phone numbers with missing country codes delay callback; include +XX format when possible.
33. Complaint escalation
Privacy complaints unresolved at coordinator level escalate to Yasmine El-Khouly within five business days, with a written response summarizing findings and remediation steps taken or planned.
34. Third-party operator privacy
Once dossiers transfer minimum manifest data to boats or coaches, those operators become independent controllers for their safety logs. We contractually require deletion after trip completion but cannot audit every partner daily—guests may request our operator contact list to pursue direct deletion requests.
35. Policy language
This policy is published in English—the working language of our international guest correspondence. An Arabic summary is available on request for local legal review; it does not replace the English version as the primary contract text.