Legal Document

Privacy Policy

Effective date: 2 June 2026. This policy governs how Nile Heritage Consultants Ltd. collects, processes, stores, and protects personal data.

1. Data Controller

The data controller responsible for personal data collected through this website and through direct service engagements is:

Nile Heritage Consultants Ltd.
14 Sherif Street, Abdin District, Cairo, 11511, Egypt
Tax ID: 621-084-379 | Registry No.: 482916 (GAFI)
Email: [email protected]
Phone: +20 2 2393 7841

2. Legal Basis and Applicable Law

This policy is drafted in compliance with the Arab Republic of Egypt's Personal Data Protection Law No. 151 of 2020 (PDPL) and its Executive Regulations issued by Ministerial Decree No. 432 of 2021. For clients resident in the European Economic Area, we apply the General Data Protection Regulation (GDPR) as an additional standard. Where Egyptian law and GDPR requirements differ, the more protective standard applies.

We process personal data on one or more of the following legal bases: (a) performance of a contract or pre-contractual measures at your request; (b) compliance with a legal obligation applicable to Nile Heritage Consultants Ltd.; (c) legitimate interests pursued by the company, where not overridden by your interests or fundamental rights; (d) your freely given, specific, informed, and unambiguous consent, which you may withdraw at any time.

3. Data We Collect

We collect and process the following categories of personal data:

  • Enquiry data: Name, email address, telephone number, country of residence, interests described in your enquiry message, and the service package you indicate interest in. Collected when you submit the contact form on this website.
  • Service delivery data: Travel dates, group composition (number and ages of participants), special requirements (dietary, mobility, medical conditions relevant to site access), passport nationality (for permit applications), accommodation preferences, and photographic documentation consent preferences. Collected during the service engagement process.
  • Communication data: Records of email correspondence, video call arrangements, and meeting notes accumulated during the planning and delivery of your programme.
  • Payment data: Bank transfer confirmation references used to verify payment receipt. We do not store card numbers or banking credentials. Payment processing is handled by your own financial institution; we receive only confirmation of receipt.
  • Website usage data: This website does not install analytics trackers, advertising pixels, or third-party scripts. No behavioural or advertising data is collected through this site. Server access logs retained by the hosting provider for up to 30 days for security and diagnostic purposes are subject to the hosting provider's own privacy policy.

4. How We Use Your Data

We use personal data exclusively for the following purposes:

  • Responding to your enquiry and conducting the initial consultation.
  • Designing, quoting for, and delivering the consultancy programme you have requested.
  • Applying for site access permits and regulatory permissions on your behalf, where your personal details are required by the issuing authority.
  • Maintaining records of past engagements for clients who return for subsequent visits, so that new programmes build on previous experience rather than repeating it.
  • Sending our quarterly newsletter, if you have provided explicit consent to receive it. You may unsubscribe at any time using the link in each edition or by emailing us directly.
  • Complying with obligations under Egyptian commercial and tax law, including retaining financial records for the period required by law.

We do not use personal data for automated decision-making or profiling. We do not sell, rent, or share personal data with third parties for their own marketing purposes under any circumstances.

5. Data Sharing

Personal data may be shared with the following categories of third parties only to the extent necessary to deliver the service you have requested:

  • Egyptian government authorities: The Ministry of Tourism and Antiquities and the Supreme Council of Antiquities, when permit applications require submission of visitor details. These disclosures are made under Egyptian law governing heritage site access and are limited to the minimum information required by the permit application form.
  • Site guides and regional consultants: Licensed guides and consultants in our network who are assigned to accompany you will receive your name, contact number, and programme details. They are contractually bound to our data protection standards and may not use this information for any purpose other than the assigned engagement.
  • Vessel operators: For cruise bookings, the operating company receives guest names, passport nationalities, and dietary requirements as required by Egyptian maritime regulations.
  • Accommodation providers: Where we coordinate accommodation booking on your behalf, name and nationality data are shared with the relevant hotel or property as required for the reservation.

No personal data is transferred to entities outside Egypt or the EEA without appropriate safeguards in place.

6. Data Retention

Enquiry data for which no service engagement results is retained for 12 months from the date of submission, after which it is deleted. Service engagement data — correspondence, itineraries, permit records, and programme notes — is retained for a period of 5 years from the date of the last engagement, in compliance with Egyptian commercial record-keeping requirements. Financial records including invoices and payment confirmations are retained for 7 years as required by Egyptian tax law. If you are a returning client and have not engaged with us for more than 5 years, your personal record is archived to a restricted-access storage location and not actively processed until you re-engage.

7. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of data we hold, subject to our legal retention obligations.
  • Right to restriction: Request that we restrict processing of your data while a dispute about its accuracy or lawful basis is resolved.
  • Right to data portability: Request a copy of data you have provided to us in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, send a written request to [email protected] with the subject line "Data Subject Request". We will acknowledge your request within 5 business days and respond substantively within 30 days. If your request is complex, we will inform you and extend this period by a further 60 days where permitted by applicable law.

8. Security Measures

We implement technical and organisational measures appropriate to the risk level of the data we process. These include: encrypted email transmission (TLS) for all outbound and inbound correspondence; password-protected, access-controlled file storage for client records; staff training on data protection obligations under Egyptian PDPL; and physical security at our office premises in Abdin District. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant authority within the timeframe required by applicable law.

9. Cookies and Tracking

This website does not use cookies for analytics, advertising, or tracking purposes. The only technically necessary cookies that may be set are those required for basic website function (session management for form submission). No third-party cookies are loaded by this website. No pixel codes, analytics scripts, or advertising networks are integrated into any page on this domain.

10. Children's Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from individuals under 16 without verified parental or guardian consent. If you believe a child has submitted data to us without consent, please contact us immediately and we will delete the data promptly.

11. Third-Party Links

This website may contain links to external resources such as the websites of heritage sites, government authorities, and academic institutions. We are not responsible for the privacy practices of these third-party sites, and this policy does not apply to them. We encourage you to review the privacy policies of any external sites you visit.

12. Supervisory Authority

If you believe your data protection rights have not been observed, you have the right to lodge a complaint with the Egyptian Personal Data Protection Centre (PDPC) established under Law No. 151 of 2020. EEA residents may also contact their local data protection supervisory authority. We would, however, request that you contact us directly in the first instance so that we may attempt to resolve your concern without a formal complaint being necessary.

13. Updates to This Policy

We review this policy annually or whenever there is a significant change to our data processing activities or to applicable law. Material changes will be communicated to existing clients by email at least 14 days before taking effect. The effective date at the top of this document will be updated whenever the policy is revised. Continued use of our services after a revision takes effect constitutes acceptance of the updated policy. If you do not accept a material revision, you have the right to terminate your engagement with us without penalty for the portion of the service not yet delivered.