Privacy notice

Privacy at QPass — what we collect, what we do not, and why.

This is the privacy notice of QPass Museum Cards & Reviews L.L.C. (Egyptian Commercial Registry 462981, ETA Tax ID 195-738-426), the company that operates the website at qpassmuseum.lat and posts the printed half-year visit-letter to QPass Plus and Editor's Pass subscribers. It explains what data the publication collects, how it is stored, who it is shared with, and what rights subscribers have under the Egyptian Personal Data Protection Law 151 of 2020 and the European Union General Data Protection Regulation.

If you only read one paragraph: we are a small Heliopolis publication that runs on subscription revenue. We do not sell, rent, swap or share personal data with any third party. We do not run advertising and we do not deploy advertising trackers, behavioural pixels, social-media tracking widgets, A/B testing scripts, heatmap recorders or session replay tools. The only third parties that ever see your data are the payment processor that handles subscription billing, the printer that produces the visit-letter, the postal carrier that posts it, and the hosting provider that serves the website. Each is named below.

1. The data controller

The data controller is QPass Museum Cards & Reviews L.L.C., a domestic Egyptian limited-liability company registered at the Cairo Commercial Registry under number 462981 and with the Egyptian Tax Authority under registration 195-738-426. The registered office is at 23 Cleopatra Street, Heliopolis, Cairo 11341, Egypt. The four directors are also the four editors named on the about page. For data-protection inquiries, including subject-access requests, deletion requests and complaints, the point of contact is the editorial desk at [email protected] or by post at the office address. We do not appoint a separate Data Protection Officer because the company is below the size threshold that requires one under the Egyptian PDPL.

2. What data we collect

QPass collects the minimum data needed to deliver the pass you have chosen. The categories are listed below in plain language; each is matched with the legal basis under which we hold it.

  • Account data: name, email address, optional phone number, country, and (for QPass Plus and Editor's Pass) postal address for the printed visit-letter. Legal basis: performance of the subscription contract.
  • Subscription data: the pass you are on, the start date, the renewal date, the pause history if applicable, and the upgrade-downgrade history. Legal basis: performance of the contract and Egyptian accounting law (seven-year retention).
  • Payment data: the last four digits of the card, the card brand, the country of the issuing bank, and a token returned by the payment processor. We do not see or store full card numbers, CVV codes or expiry dates — those are held by the payment processor under PCI DSS Level 1 obligations. Legal basis: performance of the contract.
  • Correspondence: the content of any email, postal letter or form submission you send to the desk, plus our reply. Legal basis: legitimate interest in answering subscriber correspondence and Egyptian commercial-record retention.
  • Server logs: standard web-server logs that record the IP address, the page requested, the time, the HTTP user-agent and the referrer (where applicable). Retained for 30 days for security and capacity-planning, then deleted. Legal basis: legitimate interest in operating a secure website.

That is the complete list. We do not collect demographic data, browsing behaviour outside our domain, social-media identities, location beyond what the server-log IP already gives us, device fingerprints, biometric data, sensitive categories of data (health, religion, political affiliation), or anything else not on the list above.

3. How we collect it

Account data is collected from you directly, when you sign up for a pass or write to the desk. Subscription and payment data is collected at the moment of subscription through the secure payment form embedded on the subscription page (the form is rendered by the payment processor; we never see the card data). Correspondence is collected when you write to us, by email or by post. Server logs are written automatically by the hosting provider when your browser requests a page from this domain. We do not buy data lists, scrape email addresses, or harvest contact details from any other source.

4. Why we collect it

Each of the categories above maps to a specific operational purpose. We collect your name and email to identify you when you write to the desk and to dispatch the Sunday-morning new-card email. We collect the postal address for QPass Plus and Editor's Pass subscribers because we cannot post a printed visit-letter without one. We collect payment data because the law requires us to bill you for a subscription you have agreed to and to keep accounting records of the transaction. We retain correspondence because it would be unhelpful to lose the context of a conversation with a subscriber who writes again three months later. We do not use any of this data for profiling, for cross-product targeting, for advertising, for resale to third parties, or for purposes beyond the operational ones described above.

5. Who sees the data

Inside the company, only the four editors named on the about page have administrative access to subscriber data. There is no separate marketing, growth or business-development function. Nadia Tantawy, the fact-checker, has read-only access to correspondence (to triage corrections) but does not see payment data. The other three editors have full administrative access. Outside the company, four named third parties see your data, each for a narrow operational purpose:

  • Payment processor: a Cairo-licensed payment-services provider that handles card billing under PCI DSS Level 1. They see your card data (we do not). They store a token that they return to us. They do not have access to your subscription content, your correspondence or your postal address.
  • Printer: a long-standing Cairo printer who produces the half-year visit-letter. They receive the postal-address dispatch labels each cycle and a working subscriber-count list as a checksum. They do not have access to payment data, email content or correspondence.
  • Postal carrier: Egyptian Postal Authority handles domestic dispatch; an international postal-broker handles the international run. Both see your postal address on the label, but no other data.
  • Hosting provider: operates the servers from which this website is served. They see the standard server logs described in section 2. They do not have access to the subscriber database, correspondence or payment data.

We have written data-processing agreements with each of the four providers above, in the form required by their respective home-jurisdiction privacy laws. We do not share data with any other third party — no marketing partner, no analytics provider, no advertising network, no social-media platform, no government agency outside the boundaries of a lawful Egyptian or court-issued international request.

6. International transfers

Because the international postal-broker, the payment processor, and (depending on routing) the hosting provider are located outside Egypt, your data may cross borders. The transfers happen under standard contractual clauses approved by the European Commission and by the Egyptian PDPL implementing regulations, which is the legal mechanism most international companies now use after the Schrems II ruling and the equivalent Egyptian reforms. We do not transfer data to any country that the EU or the Egyptian Personal Data Protection Centre has flagged as not providing adequate protection.

7. How long we keep it

Account data is retained for the duration of your subscription plus the period required by Egyptian commercial and tax law — currently seven years — after the subscription ends. Subscription and payment data is retained for the same seven-year period because the Egyptian Tax Authority can audit our books and ask for proof of revenue. Correspondence is retained for three years after the last message in the thread, then archived in cold storage for a further two years, then permanently deleted. Server logs are retained for thirty days and then deleted. If you ask us to delete your data sooner, we will do so up to the point where Egyptian law allows. We cannot delete subscription and payment data while the seven-year retention obligation is in force, because doing so would put the company in breach of accounting law. We will delete everything else promptly on request.

8. Cookies and similar technologies

This site uses one strictly necessary first-party cookie that maintains your session if you are logged in to a subscriber account. The cookie is set on the qpassmuseum.lat domain only, expires when you close the browser tab if you have not ticked "remember me", and contains a random session identifier — no personal data. We do not use any third-party cookies, advertising cookies, analytics cookies, social-media cookies or behavioural cookies. We do not use local storage, indexedDB or any other persistent client-side storage beyond the session cookie. Because we do not use non-essential cookies, this site does not display a cookie consent banner.

9. Your rights as a data subject

Under the Egyptian PDPL and the GDPR you have a set of rights with respect to the data we hold about you. The rights are listed below.

  • Access: you can ask for a copy of every piece of data we hold about you. We provide it within thirty days.
  • Rectification: you can ask us to correct inaccurate data. Account fields can also be corrected by you directly from inside your subscriber account.
  • Erasure: you can ask us to delete your data, subject to the seven-year accounting retention discussed in section 7.
  • Restriction: you can ask us to limit processing of your data while a dispute is being resolved.
  • Portability: you can ask for your data in a portable, machine-readable format. We provide JSON exports on request.
  • Objection: you can object to processing based on legitimate interest.
  • Withdrawal of consent: consent-based processing can be withdrawn at any time by clicking the unsubscribe link in any email or by writing to the desk.
  • Complaint to the supervisory authority: you can complain to the Egyptian Personal Data Protection Centre or, if you are an EU resident, to the supervisory authority in your member state of residence.

10. Security measures

The website is served over HTTPS only, with TLS 1.3 and modern cipher suites. The subscriber database is encrypted at rest and accessible only over an authenticated VPN to the four editors. Database backups are encrypted and stored in a second Egyptian data centre. The payment processor handles card data under PCI DSS Level 1 obligations. Internal accounts use unique strong passwords with hardware security keys for two-factor authentication. We run a half-yearly security review with a third-party Cairo-based information-security consultant.

11. Children

QPass is written for adults. We do not knowingly collect data from children under the age of 16. If a parent or guardian believes that we have collected data from a child, please write to the desk and we will delete the data within 48 hours.

12. Changes to this notice

If we make a material change to this privacy notice, we will email every active subscriber at least thirty days before the change takes effect, summarise the change in plain language, and update the "last updated" date below. Minor changes (a clarification of language or a correction to a typo) will be made without notice. The current version is always the operative one.

13. Contact

For any matter related to this privacy notice — questions, subject-access requests, complaints, corrections — write to the editorial desk at [email protected] or by post at the office address. The supervisory authority in Egypt is the Personal Data Protection Centre, established under PDPL Law 151 of 2020. EU residents may also complain to their home-country supervisory authority.

Last updated: 1 June 2026. Issued by QPass Museum Cards & Reviews L.L.C., Heliopolis, Cairo, Egypt, on the basis of Egyptian PDPL Law 151 of 2020 and the GDPR (Regulation EU 2016/679) for European Union readers.