Because we work with schools, students and young people, we hold some personal data, and a good deal of it concerns children. We take that responsibility seriously and keep things simple and minimal: we hold only what running a visit or a pass requires, treat children's information with particular care, and keep nothing longer than necessary. This notice is written plainly so any teacher, parent or student can understand it without needing a lawyer, because a privacy notice that cannot be read protects no one. Last reviewed June 2026.
The data controller is the Upper Egypt Learning Trust S.A.E., 8 Sharia al-Markaz, Qena 83511, Qena Governorate, Egypt, VAT (ETA) 657-203-148. Data questions go to [email protected], where the team handles them.
For a school visit, we deal with the school and the teacher, not directly with the children: we hold the teacher's contact details, the school's details, and the visit's date and numbers. We do not ask for or hold a list of individual pupils' names — the school manages its own pupils. For a student pass held by an individual student, we hold the student's name, contact details and, where the student is a minor, a parent or guardian's contact and consent. When you contact us, we hold your message and reply details.
This is the part we treat most carefully. Where a student pass is for someone under eighteen, we require a parent or guardian to set it up and give consent, and we hold the minimum about the young person needed to issue the pass and run the holiday programmes safely. We never collect more about a child than is necessary, never use a child's data for anything but the learning service they are enrolled in, and never share it for marketing or with any third party for their own purposes. A parent or guardian can ask to see, correct or delete their child's data at any time, and we act on it promptly.
For school visits, the basis is our agreement with the school to deliver the visit. For student passes, it is the agreement to provide the pass, with parental consent where the student is a minor. For enquiries, it is your consent and our legitimate interest in replying. We never process anyone's data, child or adult, for advertising — we run none.
School-visit records are kept for the school year and a reasonable period after for our accounts, then deleted. Student-pass records are kept while the pass is active and for a short period after it lapses, then deleted; a minor's data is deleted promptly once it is no longer needed for the pass. Enquiry messages are deleted within a year. We keep only what Egyptian law requires for accounts, and no more.
Inside the trust, only the staff who need data to run a visit or a pass can see it. Outside, the only parties who touch it are our payment processor (for fees and subscriptions) and the partner museums (only what a visit genuinely requires — typically the booking and numbers, not children's names). We never sell, rent or share personal data for anyone else's marketing.
When a school visits a partner museum, the museum is told what it needs to receive the group — the school, the date, the numbers, the teacher contact. It is not given a list of children's names, because it does not need one. The museum confirms the booking; it does not build a record of individual pupils.
The site runs no advertising network, no identifying analytics, no social trackers, and sets no non-essential cookies, so there is no cookie banner. It is a set of static pages; the only data it transmits is what you type into a form and choose to send.
We sometimes photograph visits and holiday programmes to show the trust's work. Where children may appear, we seek consent through the school or the parent first, never identify a child by name without specific permission, and will remove any image on request. A parent or school can tell us in advance that a child should not be photographed, and we honour it.
You — or a parent on a child's behalf — can ask what we hold, ask us to correct it, ask us to delete it (except what we must keep for accounts), and withdraw consent. Write to us and we will respond within thirty days, free of charge. Because we hold little, most requests are quick to satisfy.
We protect what we hold with access controls and encryption in transit, and by holding little of value to an attacker — no card numbers stored by us, and only the minimum about any child. The pass is designed so a single record cannot be cloned into many valid entries.
School-visit fees and student-pass subscriptions are taken through a regulated payment channel. Card details are entered into the processor's secure system, not ours; we never see or store a full card number, keeping only the record of payment our accounts require. This is the key point about your money with us: the sensitive payment data does not live on the trust's systems at all.
As a small trust working with children, we have deliberately kept what we hold to the minimum the programmes need. We build no profile of any student, track no individual child's visits beyond confirming a valid entry, and keep no dormant database for some future purpose. With children's data especially, the safest data is the data we never collected — so our restraint is itself a protection. We would want a body working with our own children to behave exactly this way, and we hold ourselves to that standard.
Email from us is about a booking, a pass, requested resources, or a reply to a message — never marketing. We do not run a promotional mailing list and we do not pass any address, least of all a child's, to anyone for theirs. A teacher or parent can ask us to stop all non-essential email at any time, and we will, while still sending what a live booking or pass genuinely requires.
Schools have their own data-protection and safeguarding duties toward their pupils, and our approach is designed to fit alongside them rather than cut across them. On a school visit, the school remains responsible for its pupils and their data; we deal with the school and the teacher, hold no list of individual pupils, and ask the school only for what a visit genuinely needs. If a school's own policy requires anything specific of us — a data agreement, particular handling of a consent form — we are glad to accommodate it. We see ourselves as a partner to the school's safeguarding, never a gap in it.
To be concrete: school-visit records are kept for the school year and a reasonable period after for accounts, then deleted. Student-pass records are kept while the pass is active and a short while after, then deleted, with a minor's data removed as soon as it is no longer needed. Enquiry messages go after a year. We keep only what Egyptian accounting law requires, and a child's data never longer than the service they were enrolled in requires. If you ask us to delete what we are not obliged to keep, we do it promptly.
If we change how we handle data we will update this page and its date. If you are unhappy with how data — especially a child's — has been handled, raise it with us first so we can put it right; you also keep the right to complain to the data-protection authority in your country. Reach us through the contact page, and a real person at the trust will respond.