What the Sohag desk records, what it deletes, and the rights you retain.
Last reviewed 5 June 2026. The Tariff & Threshold Index — published by Sohag Visitor Equity Press S.A.E. — collects personal information through three channels: the contact form, the subscription system, and accessibility-feedback submissions. This notice describes what we collect, how long we keep it, who else sees it and the rights you retain. The data officer named at the foot answers questions.
1. The data controller.
Sohag Visitor Equity Press S.A.E., an Egyptian joint-stock company registered at the Sohag Commercial Registry under number 38/2017, with Egyptian Tax Authority VAT identifier 739-216-845, at 16 Sharia Gamal Abdel Nasser, El-Karnak district, Sohag 82511. The legal representative is Heba el-Kafrawi, founder and majority shareholder.
2. The data officer.
Khaled el-Saggar, finance and student-card editor, holds the data officer role at the Index since 2021 when the role was formalised under the Egyptian Personal Data Protection Law preparations. Reach him on [email protected] with subject line "data request" or by office telephone during opening hours. He handles access, correction, deletion and portability requests personally.
3. What we collect.
From the contact form: name, email, optional affiliation, optional subscription tier, museum of interest where applicable, topic of message, message body. Lawful basis: consent and pre-contractual interest.
From subscriptions: name, email, optional institutional affiliation, postal address for institutional and printed-digest subscribers, country, and a record of annual payments. Lawful basis: contract.
From fee-correction and accessibility-feedback submissions: the submitter's name, contact details, the museum and date of the relevant visit, the specific reading challenged, the source citation supporting the corrected reading, and the desk's eventual disposition. Submissions are retained as part of the corrections-log permanent record.
From accessibility-audit subject readers (wheelchair-using and disabled visitors who send observations from their own visits): the contributor's name and country, the date of the visit, the museum visited, and the observation. Contributions are credited in the bulletin by first name and country only with the contributor's consent.
From the website: standard request logs at the hosting provider. Lawful basis: legitimate interest in server security. No cookies, no analytics scripts, no tracking pixels.
4. What we do not collect.
We do not collect payment instruments. We do not collect health data (other than the accessibility-need category from contributors who choose to disclose it, held only with the contributor's consent). We do not collect religious affiliation or political views. We do not collect location data beyond the country the reader tells us. We do not buy mailing lists. We do not enrich your record with third-party data.
5. Who else sees this information.
Contact-form messages, subscription records and feedback submissions are visible to the five editors and the administrator. The mail server is hosted in Frankfurt by a German provider under a written processor agreement. Subscription payment records are visible to the cooperative's bank (Banque Misr, Sohag branch) and PayPal where applicable. The El-Minia Cultural Foundation sees aggregate annual subscriber numbers in our grant reports, not individual identities.
6. International transfers.
Because the mail server is in Germany, email passes through the EU. The processor agreement reflects standard EU contractual clauses. Subscription records and corrections log are held in Sohag on encrypted local storage with an off-site mirror in Cairo. There is no transfer outside Egypt for storage purposes.
7. How long we keep your information.
Contact-form messages that do not lead to a subscription or feedback submission — twelve months, then deleted from the editorial mailbox.
Subscription records — duration of subscription plus seven years (Egyptian commercial-law retention). After seven years personal name and postal address are erased.
Fee-correction and accessibility-feedback submissions — retained indefinitely as part of the corrections log (the cooperative's permanent editorial record). Submitter identity is published openly in the log entry unless the submitter has requested anonymity at the time of submission.
Email correspondence with subscribers — duration of subscription year plus two years, then archived offline; offline archives erased after seven years.
Server logs — fourteen days by the hosting provider. Aggregate access counts kept indefinitely with no identifying information.
8. Your rights.
Under Egyptian Personal Data Protection Law (Law 151/2020) and the EU GDPR where it applies, you have rights of access, portability, rectification, erasure, restriction, objection and withdrawal of consent. The data officer handles requests within thirty days, free of charge.
9. Security measures.
Encrypted disks at the Sohag office, encrypted off-site mirror in Cairo, TLS for all mail-server connections, encrypted backups, access-controlled to the chair and the data officer. The office is locked outside opening hours.
10. Accessibility-audit subject data.
The annual accessibility audit involves visiting each museum with an audit-partner consultant who is a wheelchair-using or otherwise disabled visitor. The audit partner's identity is recorded in the audit log internally but is not published in the audit findings without the audit partner's explicit consent for the specific publication. The audit partner's contact details are held only for the duration of the cooperative's working relationship with them.
11. EDRA partnership data sharing.
The Egyptian Disability Rights Association partnership involves the cooperative sharing the draft annual audit with the EDRA before publication. The shared draft includes the museum findings but not the audit partner's identity. The EDRA's feedback is returned to the cooperative and is incorporated where appropriate; the EDRA does not retain a copy of the published audit beyond the standard reference filing.
12. Subscriber telemetry.
We do not embed read-receipt pixels in the monthly bulletin. We do not track which museums a subscriber's bulletin pages open. The only behavioural measure is the aggregate open-rate from the mail-server provider, a single percentage per month with no identifying information.
13. Data breaches.
If a breach occurs likely to result in a risk to your rights, we notify you within seventy-two hours and notify the Egyptian Personal Data Protection Centre in the same window. One minor incident has been logged since 2018, involving a misaddressed bulletin; summarised in the corresponding year's transparency note.
14. Cookies.
This website sets no cookies. No analytics cookie, no consent cookie, no preference cookie. Browser session storage and local storage are not used.
15. Children's data.
The Index is not addressed to children and is not knowingly subscribed by any reader under sixteen. The student half-price subscription is available to readers identified as university students through their student identifier.
16. Profiling and automated decisions.
We do not run profiling. Every reply is composed by a human; every subscription action and every certificate dispatch is taken by a human. The tariff tables are curated by people.
17. Reader-mail and bulletin attributions.
The monthly bulletin's reader-mail section attributes letters by first name and country of residence only. Surnames, postal addresses and email addresses are never published.
18. Changes to this notice.
This notice is reviewed every June. Material changes are notified to active subscribers by email at least thirty days before they take effect.
19. Annual external audit.
Since 2021 the Index has commissioned an annual external audit of its data-protection practice by an independent Egyptian data-protection consultant. The audit reviews the cooperative's data-collection points, retention practice, security measures, and the data-officer's response record. The audit report is published in summary form in the December transparency note and is available in full to subscribers and to the Egyptian Personal Data Protection Centre on request. The four annual audits (2021 through 2024) have all returned positive findings; one 2023 audit recommendation, on encryption-key rotation, was implemented within ninety days.
20. Whistleblower protection.
The cooperative's editorial work occasionally surfaces information that has not been publicly disclosed by a museum or by a government body. Where such information reaches us through a whistleblower channel — typically a museum staff member, a Supreme Council employee, or a visiting reader who has observed something the institution may prefer not to publicise — we treat the information source with strict confidentiality. The data officer holds the whistleblower-channel records separately from the regular editorial archive, with access restricted to the data officer and the chair. We have received seven such submissions since 2019; none has been the basis of a published Index report without the source's explicit consent. The full whistleblower-protection protocol is appended to the methodology document.
21. Contact for any data question.
Khaled el-Saggar, data officer, Sohag Visitor Equity Press S.A.E.
Email: [email protected] · subject "data request"
Telephone: +20 93 6175 408 · Sunday, Tuesday, Thursday 10:00–14:00 Cairo time
Postal: 16 Sharia Gamal Abdel Nasser, El-Karnak district, Sohag 82511, Egypt.