What we collect, what we do not, and why — in plain English.

1. Who is the data controller

The data controller is Muse Egypt Heritage Letters L.L.C., a domestic Egyptian limited-liability company registered at the Cairo Commercial Registry under number 318472 and with the Egyptian Tax Authority under registration 472-865-193. The registered office is at 47 Road 90 North, Fifth Settlement, New Cairo 11835, Egypt. The five directors are also the five editors named on the about page. For all data-protection matters, including subject-access requests, deletion requests and complaints, the point of contact is the editorial desk at [email protected] or by post at the office address. We do not appoint a separate Data Protection Officer because the company size is well below the threshold that requires one under the Egyptian PDPL.

2. What data we collect

Muse Egypt collects the minimum data needed to deliver the printed quarterly and the subscription you have chosen. The categories are listed below in plain language; each is matched with the legal basis under which we hold it.

• Subscriber data: name, postal address (required, because we post a printed publication), email address, and country. Legal basis: performance of the subscription contract.
• Subscription data: the tier you are on, the start date, the renewal date, the cancellation date if applicable, and the history of upgrades or downgrades. Legal basis: performance of the contract and Egyptian accounting law (which requires us to retain subscription records for seven years).
• Payment data: the last four digits of the card, the card brand, the country of the issuing bank, and a token returned by the payment processor that we use to charge future renewals. We do not see or store full card numbers, CVV codes or expiry dates — those are held by the payment processor under PCI DSS Level 1 obligations. Legal basis: performance of the contract.
• Correspondence: the content of any email or form submission you send to the desk, plus our reply, plus any letters you submit to the reader-correction column. Legal basis: legitimate interest in answering reader correspondence and Egyptian commercial-record retention.
• Server logs: standard web-server logs that record the IP address, the page requested, the time, the HTTP user-agent and the referrer (where applicable). Retained for 30 days for security and capacity planning, then deleted. Legal basis: legitimate interest in operating a secure website.

That is the complete list. We do not collect demographic data, browsing behaviour outside our domain, social-media identities, location beyond what the server-log IP and the postal address already give us, device fingerprints, biometric data, sensitive categories of data (health, religion, political affiliation), or anything else not on the list above. The postal address is the largest single piece of data we hold; it exists because we post a printed publication and would otherwise be unable to deliver the product.

3. How we collect it

Subscriber data is collected from you directly when you sign up for a tier or write to the desk. Subscription and payment data is collected at the moment of subscription, through the secure payment form embedded on the subscription page (the form is rendered by the payment processor; we never see the card data). Correspondence is collected when you write to us. Server logs are written automatically by the hosting provider when your browser requests a page from this domain.

We do not buy data lists, scrape email addresses or harvest contact details from any other source. The only way your data enters our systems is by your direct action — you signed up, you wrote in, or your browser made a request to the server.

4. Why we collect it

Each of the categories above maps to a specific operational purpose. We collect your name and postal address to deliver the printed quarterly. We collect your email to send the issue-dispatch Sunday notification, the correction-column alerts, and the renewal-notice email two weeks before each annual charge. We collect payment data because Egyptian commercial law requires us to bill you for a subscription you have agreed to and to retain the billing record. We retain correspondence because it would be unhelpful to lose the context of a conversation with a subscriber who writes again three months later.

We do not use any of this data for profiling, for cross-product targeting, for advertising, for resale to third parties, or for purposes beyond those described above. There is no marketing automation, no scoring, no segmentation beyond the tier you are on, and no algorithmic decision-making about subscribers.

5. Who sees the data

Inside the company, the five editors named on the about page have administrative access to the subscriber list. Reem Selim, the fact-checker, has full access (she runs the correspondence workflow). The four section editors have read access for the purpose of identifying subscribers writing in about specific letters. There is no separate marketing, growth or business-development function because we do not have those functions.

Outside the company, four named third parties see your data, each for a narrow operational purpose:

• Payment processor: a Cairo-licensed payment-services provider that handles card billing under PCI DSS Level 1. They see your card data (we do not); they store a token they return to us. No access to subscription content, correspondence or reading behaviour.
• Transactional email provider: a European Union-based email infrastructure provider that sends subscription receipts, dispatch notifications and replies. They see your email address, the email content and basic delivery metadata. No access to payment data, postal addresses or subscription history.
• Postal partner: the Egyptian Post and (for international subscriptions) the destination-country postal partner. They see your name and postal address printed on the dispatch envelope. They do not have access to any other data.
• Hosting provider: the company operating the servers from which this website is served. They see the standard server logs described in section 2.

We have written data-processing agreements with each of the four providers above, in the form required by their respective home-jurisdiction privacy laws. Copies are available on request to a data subject. We do not share data with any other third party — no marketing partner, no analytics provider, no advertising network, no social-media platform, no government agency outside the boundaries of a lawful Egyptian or court-issued international request.

6. International transfers

Because the transactional-email provider and the hosting provider are located outside Egypt, your data may cross borders. Transfers happen under standard contractual clauses approved by the European Commission and by the Egyptian PDPL implementing regulations — the legal mechanism most international companies now use after the Schrems II ruling and the equivalent Egyptian reforms. We do not transfer data to any country that the EU or the Egyptian Personal Data Protection Centre has flagged as not providing adequate protection.

7. How long we keep it

Subscriber data is retained for the duration of your subscription plus the period required by Egyptian commercial and tax law — currently seven years — after the subscription ends. Subscription and payment data is retained for the same seven-year period because the Egyptian Tax Authority can audit our books. Correspondence is retained for three years after the last message in the thread, then archived in cold storage for a further two years, then permanently deleted. Server logs are retained for thirty days and then deleted.

If you ask us to delete your data sooner, we will do so up to the point where Egyptian law allows. Specifically, we cannot delete subscription and payment data while the seven-year retention obligation is in force, because doing so would put the company in breach of accounting law. We will delete everything else — subscriber address, correspondence, server logs — promptly on request, and we will mark the financial records as belonging to a deleted-account holder so they are not used for any purpose beyond regulatory accounting.

8. Cookies and similar technologies

This site uses one strictly necessary first-party cookie that maintains your session if you are logged in to a subscriber account. The cookie is set on the muse-egypt.sbs domain only, expires when you close the browser tab if you have not ticked "remember me", and contains a random session identifier — no personal data. We do not use any third-party cookies, advertising cookies, analytics cookies, social-media cookies or behavioural cookies. We do not use local storage, indexedDB or any other persistent client-side storage beyond the session cookie.

Because we do not use non-essential cookies, this site does not display a cookie-consent banner. The applicable laws (the EU ePrivacy Directive and the equivalent provisions of the Egyptian PDPL) require consent only for non-essential cookies, and we have chosen the simpler path of not setting any.

9. Your rights as a data subject

Under the Egyptian PDPL and the GDPR you have a set of rights with respect to the data we hold about you. The rights are listed below with a short note on how to exercise each.

• Access: you can ask us for a copy of every piece of data we hold about you. We will provide it within thirty days, as a single document or downloadable archive. No fee for the first request in a calendar year.
• Rectification: you can ask us to correct inaccurate data. Subscriber address fields can also be corrected by you directly from inside your subscriber account.
• Erasure: you can ask us to delete your data, subject to the seven-year accounting retention discussed in section 7.
• Restriction: you can ask us to limit processing while a dispute is being resolved.
• Portability: we provide JSON exports of your subscriber record on request.
• Objection: you can object to processing based on legitimate interest. Our legitimate-interest processing is limited to security logs and answering correspondence; you can opt out of either by closing your account.
• Withdrawal of consent: consent-based processing can be withdrawn at any time by writing to the desk.
• Complaint to the supervisory authority: you may complain to the Egyptian Personal Data Protection Centre or, if you are an EU resident, to the supervisory authority in your member state of residence.

10. Security measures

The website is served over HTTPS only with TLS 1.3 and modern cipher suites. The subscriber database is encrypted at rest and accessible only over an authenticated VPN to the five editors. Database backups are encrypted and stored in a second Egyptian data centre. The payment processor handles card data under PCI DSS Level 1. Internal accounts use unique strong passwords with hardware security keys for two-factor authentication. A quarterly security review is run with a third-party Cairo-based information-security consultant.

11. Children

Muse Egypt is written for adults. We do not knowingly collect data from children under sixteen. If a parent or guardian believes that we have collected data from a child, please write to the desk and we will delete the data within 48 hours.

12. Changes to this notice

If we make a material change to this privacy notice, we will email every active subscriber at least thirty days before the change takes effect, summarise the change in plain language, and update the "last updated" date below. Minor changes will be made without notice. The current version of this notice is always the prevailing one.

13. Contact

For any matter related to this privacy notice — questions, subject-access requests, complaints, corrections — write to the editorial desk at [email protected] or by post at the office address. The relevant supervisory authority in Egypt is the Personal Data Protection Centre, established under PDPL Law 151 of 2020 and supervised by the Egyptian Ministry of Communications and Information Technology. If you are an EU resident you may also complain to your home-country supervisory authority.

Last updated: 1 June 2026. Effective from publication. Issued by Muse Egypt Heritage Letters L.L.C., New Cairo, Egypt, on the basis of Egyptian PDPL Law 151 of 2020 and the GDPR (Regulation EU 2016/679) for European Union readers.