Privacy policy

Privacy at Muse Quick — what we collect, what we don't, and why

This is the privacy policy of Muse Quick Field Guide L.L.C. (Egyptian Commercial Registry 271856, ETA Tax ID 684-159-723), the company that operates the website at muse-quick.sbs. It explains what data the site collects, how it is stored, who it is shared with, and what rights readers have under Egyptian Personal Data Protection Law 151 of 2020 and the European Union General Data Protection Regulation. We have written this in plain English because we are an editorial publication that values plain English and because the law in most jurisdictions now requires a privacy notice that an ordinary reader can actually understand.

If you only read one paragraph: we are a small Cairo publication that runs on reader subscriptions. We do not sell, rent, swap or share personal data with any third party, ever. We do not run advertising and we do not deploy advertising trackers, behavioural pixels, social-media tracking widgets, A/B testing scripts, heatmap recorders or session replay tools. The only third parties that ever see your data are the payment processor that handles subscription billing, the transactional-email provider that sends your receipts and the desk reply, and the hosting provider that serves the cards. Each of them is named below, with a link to their own privacy notice.

1. Who is the data controller

The data controller is Muse Quick Field Guide L.L.C., a domestic Egyptian limited-liability company registered at the Cairo Commercial Registry under number 271856 and with the Egyptian Tax Authority under registration 684-159-723. The registered office is at 31 Hassan El Akbar Street, Mohandessin, Giza 12411, Egypt. The four directors are also the four editors named on the about page. For all data-protection inquiries, including subject-access requests, deletion requests and complaints, the point of contact is the editorial desk at [email protected] or by post at the office address. We do not use a separate Data Protection Officer because the company size is below the threshold that requires one under the Egyptian PDPL.

2. What data we collect

Muse Quick collects the minimum data needed to deliver the cards and the subscription you have chosen. The categories are listed below in plain language; each is matched with the legal basis under which we hold it.

  • Account data: name, email address, optional phone number, country, and (for Field Plus subscribers) postal address for the printed booklet. Legal basis: performance of the subscription contract.
  • Subscription data: the tier you are on, the start date, the renewal date, the cancellation date if applicable, and the history of upgrades or downgrades. Legal basis: performance of the contract and Egyptian accounting law (which requires us to retain subscription records for seven years).
  • Payment data: the last four digits of the card, the card brand, the country of the issuing bank, and a token returned by the payment processor that we use to charge future renewals. We do not see or store full card numbers, CVV codes or expiry dates — those are held by the payment processor under PCI DSS Level 1 obligations. Legal basis: performance of the contract.
  • Correspondence: the content of any email or form submission you send to the desk, plus our reply. Legal basis: legitimate interest in answering reader inquiries and Egyptian commercial-record retention.
  • Server logs: standard web-server logs that record the IP address, the page requested, the time, the HTTP user-agent and the referrer (where applicable). These are retained for 30 days for security and capacity-planning purposes and then deleted. Legal basis: legitimate interest in operating a secure website.

That is the complete list. We do not collect demographic data, browsing behaviour outside our domain, social-media identities, location beyond what the server-log IP already gives us, device fingerprints, biometric data, sensitive categories of data (health, religion, political affiliation), or anything else not on the list above.

3. How we collect it

Account data is collected from you directly, when you sign up for a tier or write to the desk. Subscription and payment data is collected at the moment of subscription, through the secure payment form embedded on the subscription page (the form is rendered by the payment processor; we never see the card data). Correspondence is collected when you write to us. Server logs are written automatically by the hosting provider when your browser requests a page from this domain.

We do not buy data lists, scrape email addresses, or harvest contact details from other sources. The only way your data enters our systems is by your direct action — either you signed up, you wrote to us, or your browser made a request to the server.

4. Why we collect it

Each of the categories above maps to a specific operational purpose. We collect your name and email to deliver the Sunday-morning new-card email and the Wednesday correction alerts, and to identify you when you write to the desk. We collect the postal address for Field Plus subscribers only because we cannot post a printed pocket booklet without one. We collect payment data because the law requires us to bill you for a subscription that you have agreed to. We retain correspondence because it would be unhelpful to lose the context of a conversation with a reader who writes again three months later.

We do not use any of this data for profiling, for cross-product targeting, for advertising, for resale to third parties, or for purposes beyond the operational ones described above. There is no marketing automation, no scoring, no segmentation beyond the tier you are on, and no algorithmic decision-making about you.

5. Who sees the data

Inside the company, only the four editors named on the about page have administrative access to subscriber data. There is no separate marketing, growth or business-development function, because we do not have those functions. Engy Darwish, our fact-checker, has read-only access to correspondence (to triage corrections) but does not see payment data. The other three editors have full administrative access.

Outside the company, three named third parties see your data, each for a narrow operational purpose:

  • Payment processor: a Cairo-licensed payment-services provider that handles card billing under PCI DSS Level 1. They see your card data (we do not). They store a token that they return to us. They do not have access to your subscription content, your correspondence or your reading behaviour.
  • Transactional email provider: a European Union-based email infrastructure provider that sends your subscription receipts, the Sunday-morning emails, the Wednesday correction alerts and our replies. They see your email address, the email content and basic delivery metadata. They do not have access to payment data, postal addresses or subscription history.
  • Hosting provider: the company that operates the servers from which this website is served. They see the standard server logs described in section 2. They do not have access to the subscriber database, correspondence or payment data.

We have written data-processing agreements with each of the three providers above, in the form required by their respective home-jurisdiction privacy laws. Copies of those agreements are available on request to a data-subject. We do not share data with any other third party — no marketing partner, no analytics provider, no advertising network, no social-media platform, no government agency outside the boundaries of a lawful Egyptian or court-issued international request.

6. International transfers

Because the transactional email provider and (depending on routing) the hosting provider are located outside Egypt, your data may cross borders. The transfers happen under standard contractual clauses approved by the European Commission and by the Egyptian PDPL implementing regulations, which is the legal mechanism most international companies now use after the Schrems II ruling and the equivalent Egyptian reforms. We do not transfer data to any country that the EU or the Egyptian Personal Data Protection Centre has flagged as not providing adequate protection.

7. How long we keep it

Account data is retained for the duration of your subscription plus the period required by Egyptian commercial and tax law — currently seven years — after the subscription ends. Subscription and payment data is retained for the same seven-year period because the Egyptian Tax Authority can audit our books and ask for proof of revenue. Correspondence is retained for three years after the last message in the thread, then archived in cold storage for a further two years, then permanently deleted. Server logs are retained for thirty days and then deleted.

If you ask us to delete your data sooner, we will do so up to the point where Egyptian law allows. Specifically, we cannot delete subscription and payment data while the seven-year retention obligation is in force, because doing so would put the company in breach of accounting law. We will delete everything else — account data, correspondence, server logs — promptly on request, and we will mark the financial records as belonging to a deleted-account holder so they are not used for any purpose beyond regulatory accounting.

8. Cookies and similar technologies

This site uses one strictly necessary first-party cookie that maintains your session if you are logged in to a subscriber account. The cookie is set on the muse-quick.sbs domain only, expires when you close the browser tab if you have not ticked "remember me", and contains a random session identifier — no personal data. We do not use any third-party cookies, advertising cookies, analytics cookies, social-media cookies or behavioural cookies. We do not use local storage, indexedDB, web SQL or any other persistent client-side storage beyond the session cookie.

Because we do not use non-essential cookies, this site does not display a cookie consent banner. The applicable laws (the EU ePrivacy Directive and the equivalent provisions of the Egyptian PDPL) require consent only for non-essential cookies, and we have chosen the simpler path of not setting any.

9. Your rights as a data subject

Under the Egyptian PDPL and the GDPR you have a set of rights with respect to the data we hold about you. The rights are listed below, with a short note on how to exercise each.

  • Access: you can ask us for a copy of every piece of data we hold about you. We will provide it within thirty days, as a single document or downloadable archive. There is no fee for the first request in a calendar year.
  • Rectification: you can ask us to correct inaccurate data. Account fields can also be corrected by you directly from inside your subscriber account.
  • Erasure: you can ask us to delete your data, subject to the seven-year accounting retention discussed in section 7.
  • Restriction: you can ask us to limit the processing of your data while a dispute is being resolved.
  • Portability: you can ask for your data in a portable, machine-readable format. We provide JSON exports on request.
  • Objection: you can object to processing that is based on legitimate interest. The legitimate-interest processing we do is limited to security logs and to answering correspondence; you can opt out of either by closing your account.
  • Withdrawal of consent: consent-based processing (the email newsletters) can be withdrawn at any time by clicking the unsubscribe link in any email or by writing to the desk.
  • Complaint to the supervisory authority: you can complain to the Egyptian Personal Data Protection Centre (the supervisory authority under PDPL Law 151 of 2020) or, if you are an EU resident, to the supervisory authority in your member state of residence.

10. Security measures

The website is served over HTTPS only, with TLS 1.3 and modern cipher suites. The subscriber database is encrypted at rest and accessible only over an authenticated VPN to the four editors. Database backups are encrypted and stored in a second Egyptian data centre. The payment processor handles card data under PCI DSS Level 1 obligations. Internal accounts use unique strong passwords with hardware security keys for two-factor authentication. We run a quarterly security review with a third-party Cairo-based information-security consultant.

11. Children

Muse Quick is written for adults. We do not knowingly collect data from children under the age of 16. If a parent or guardian believes that we have collected data from a child, please write to the desk and we will delete the data within 48 hours.

12. Changes to this policy

If we make a material change to this privacy policy, we will email every active subscriber at least thirty days before the change takes effect, summarise the change in plain language, and update the "last updated" date below. Minor changes (such as a clarification of language or a correction to a typo) will be made without notice. The current version of this policy is always the authoritative one.

13. Contact

For any matter related to this privacy policy — questions, subject-access requests, complaints, corrections — write to the editorial desk at [email protected] or by post at the office address. The relevant supervisory authority in Egypt is the Personal Data Protection Centre, established under PDPL Law 151 of 2020 and supervised by the Egyptian Ministry of Communications and Information Technology. If you are an EU resident you may also complain to your home-country supervisory authority — most readers will know which authority that is, but we are happy to help find the right one.

Last updated: 1 June 2026. Effective from publication. Issued by Muse Quick Field Guide L.L.C., Cairo, Egypt, on the basis of Egyptian PDPL Law 151 of 2020 and the GDPR (Regulation EU 2016/679) for European Union readers.