What the Aswan desk records, what it deletes, and the rights you retain.
Last reviewed 4 June 2026. The Ostraca & Papyrus Field Journal — published by Elephantine Epigraphy Press S.A.E. — collects personal information through three channels: the contact form, the subscription system, and the commissioned-reading service. This notice describes what we collect, how long we keep it, who else sees it and the rights you retain.
1. The data controller.
Elephantine Epigraphy Press S.A.E., an Egyptian joint-stock company registered at the Aswan Commercial Registry under number 27/2016, with Egyptian Tax Authority VAT identifier 624-380-571, at 8 Sharia al-Sail, Souk district, Aswan 81511. The legal representative is Mostafa el-Kanawati, founder and majority shareholder.
2. The data officer.
Bilal Sherif, research and digital edition editor, holds the data officer role at the journal since 2022 when the role was formalised under the Egyptian Personal Data Protection Law preparations. Reach him on [email protected] with subject "data request" or by office telephone. He handles access, correction, deletion and portability requests personally.
3. What we collect.
From the contact form: name, email, optional affiliation, optional subscription tier, corpus of interest where applicable, topic of message, message body. Lawful basis: consent and pre-contractual interest.
From subscriptions: name, email, institutional affiliation, postal address for Researcher and Institutional subscribers (printed issues), country, annual payment records. Lawful basis: contract.
From commissioned-reading requests: requester's name and contact details, institutional affiliation, the specific item description, the provenance documentation supplied, photographic plates of the item supplied digitally, the eventual transcription and apparatus. Lawful basis: contract.
From correction and disagreement submissions: submitter's name and email, edition identifier, original and corrected readings, the paleographic argument and source citations. Retained as part of the corrections log permanent record.
From the website: standard request logs at the hosting provider. Lawful basis: legitimate interest in server security. No cookies, no analytics scripts, no tracking pixels.
4. What we do not collect.
We do not collect payment instruments. We do not collect health data, religious affiliation (other than Father Tawadros's institutional context as the Coptic editor, which is publicly known), political views, or any other special-category data. We do not buy mailing lists. We do not enrich your record with third-party data.
5. Who else sees this information.
Contact-form messages, subscription records and commissioned-reading files are visible to the five editors and the administrator. The mail server is hosted in Frankfurt by a German provider under a written processor agreement; the provider's name is available on request. Subscription payment records are visible to the cooperative's bank (Commercial International Bank, Aswan branch) and PayPal where applicable.
6. International transfers.
Because the mail server is in Germany, email passes through the EU. The processor agreement reflects standard EU contractual clauses. Subscription and corrections records are held in Aswan on encrypted local storage with an off-site mirror in Cairo. No transfer outside Egypt for storage purposes.
7. How long we keep your information.
Contact-form messages not leading to a subscription or commission — twelve months, then deleted.
Subscription records — duration of subscription plus seven years (Egyptian commercial-law retention). After seven years personal name and postal address are erased; the anonymised payment-flow record is retained for statistical purposes.
Commissioned-reading files — retained indefinitely as part of the journal's editorial archive (the file is the basis of a permanent paleographic edition). The requester's identity is removed from any published version unless they have consented to identification; the full record (including identity) is retained in encrypted local storage available only to the editorial board.
Correction and disagreement submissions — retained indefinitely in the corrections log. The submitter's identity is published openly in the log entry unless the submitter has requested anonymity at the time of submission.
Email correspondence with subscribers — duration of subscription year plus two years, then archived offline. Offline archives erased after seven years.
Server logs — fourteen days by the hosting provider. Aggregate access counts kept indefinitely with no identifying information.
8. Your rights.
Under Egyptian Personal Data Protection Law (Law 151/2020) and the EU GDPR where it applies, you have at any time the rights of access, portability, rectification, erasure, restriction, objection and withdrawal of consent. The data officer handles requests within thirty days, in writing, free of charge.
9. Security measures.
Encrypted disks at the Aswan office; encrypted off-site mirror in Cairo; TLS for all client connections; encrypted backups; access-controlled to the chair and the data officer. The office is locked outside opening hours and shares the building's security arrangements with the ground-floor glassware shop.
10. Photographs of items submitted for commissioned reading.
Where a commissioning institution supplies photographic plates of items for the journal's reading, the photographs are retained as part of the editorial archive. The institution's identity is published in the eventual edition unless the institution has requested anonymity; in that case the edition is published with a generic "Egyptian university collection" designation and the institutional identity is held only in the editorial archive.
11. Institutional excavation partnership data.
The four working excavation projects supply us with material from their excavations under the institutional consent process described in the methodology. The projects' internal inventory numbers, the excavation context information and the institutional director's correspondence on each item are held in the journal's editorial archive. This material is shared with the institutional teams as required by the consent process; it is not shared with any party outside the journal-institution relationship.
12. Subscriber telemetry.
We do not embed read-receipt pixels in the quarterly issue. We do not track which editions a subscriber opens. The only behavioural measure is the aggregate open-rate of the email distribution, calculated by the mail-server provider as a single percentage per quarter.
13. Data breaches.
If a breach occurs likely to result in a risk to your rights, we notify you by email within seventy-two hours and notify the Egyptian Personal Data Protection Centre in the same window. One minor incident has been logged since 2017, involving a misaddressed printed issue. Summarised in the December transparency note.
14. Cookies.
This website sets no cookies. There is no analytics cookie, no consent cookie, no preference cookie. The browser's session storage and local storage are not used.
15. Children's data.
The journal is not addressed to children and is not knowingly subscribed by any reader under sixteen.
16. Profiling and automated decisions.
We do not run profiling. Every reply is composed by a human; every paleographic reading is produced by a human editor. As stated in the methodology, the journal does not use generative AI for transcription or for translation.
17. Whistleblower protection.
The journal occasionally receives information from sources outside the formal institutional partnership channels — typically from researchers who have observed something the institutional teams may prefer not to publish. We treat such information sources with strict confidentiality. The data officer holds the whistleblower-channel records separately, with access restricted to the data officer and the chair. We have received four such submissions since 2019; none has been the basis of a published edition without the source's consent.
18. Annual external audit.
Since 2022 the cooperative commissions an annual external audit of its data-protection practice by an independent Egyptian consultant. The audit reviews collection points, retention practice, security measures and the data officer's response record. Reports are summarised in the December transparency note and available in full to the Egyptian Personal Data Protection Centre on request.
19. Changes to this notice.
This notice is reviewed every June. Material changes are notified to active subscribers by email at least thirty days before they take effect.
20. Institutional excavation partnership confidentiality.
The four working partnerships involve material that is not yet in the public scholarly record. The journal's confidentiality obligations to the institutional projects are documented in the master partnership agreements (renewed every five years and discussed in summary at the December transparency note). The obligations cover material the institutional teams have not yet released for our publication, the working drafts of the institutional academic publications where shared with us for fact-check, and the institutional teams' internal working hypotheses that may not survive into the eventual canonical publication. None of this material is held in our editorial archive in identifiable form beyond the working duration of the relevant per-item edition cycle; the institutional teams hold the canonical records.
21. Contact for any data question.
Bilal Sherif, data officer, Elephantine Epigraphy Press S.A.E.
Email: [email protected] · subject "data request"
Telephone: +20 97 2438 906 · Tuesday, Wednesday, Saturday 10:00–14:00 Cairo time
Postal: 8 Sharia al-Sail, Souk district, Aswan 81511, Egypt.