Version 0.9-draft-2026-05-17
Effective: TO BE SET ON PUBLICATION · Last updated: 17 May 2026
Privacy Policy
1. Who We Are
ABC — Alumni Benefit Community ("ABC", "we", "us", "our") is a private online platform operated by [LEGAL ENTITY NAME — Egyptian LLC], an independent Egyptian limited liability company registered in the Arab Republic of Egypt under Commercial Registration No. [CR NUMBER], with its registered office at [REGISTERED ADDRESS, Cairo, Egypt].
ABC is an independent and autonomous Egyptian LLC technology company. ABC is not affiliated with, endorsed by, sponsored by, partnered with, operated by, owned by, or controlled by the American University in Cairo (AUC). ABC does not represent AUC in any way, shape, or form. ABC does not solicit funds on behalf of AUC. Any reference to AUC on the Platform is made under nominative fair use solely to identify the alumni community ABC serves. The AUC name, logos, and trademarks remain the property of AUC.
For privacy enquiries, contact:
- Data Protection Officer: [DPO NAME], [dpo@abc-community.org]
- General privacy contact: [privacy@abc-community.org]
- EU Representative (under GDPR Article 27): [EU REP NAME AND ADDRESS — TBA]
- UK Representative (under UK GDPR Article 27): [UK REP NAME AND ADDRESS — TBA]
- Postal: [REGISTERED ADDRESS, Cairo, Egypt]
You have the right to lodge a complaint with the Egyptian Personal Data Protection Centre (PDPC) at https://pdpc.gov.eg, with your local European supervisory authority (a directory is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en), or with the UK Information Commissioner's Office at https://ico.org.uk.
2. Scope
This Privacy Policy applies to your use of the ABC platform at [abc-community.org] and any subdomains, mobile applications, or related services (the "Platform"). It explains what personal data we collect, why, how we use it, who we share it with, how long we keep it, and your rights.
ABC is open only to verified alumni of the American University in Cairo aged 18 and over. We do not knowingly process data of children under 18.
3. What Data We Collect
3.1 Data you provide directly
| Category | Examples |
|---|---|
| Identification | Full name, AUC graduation year, AUC school, AUC major |
| Contact | Email address, phone number, WhatsApp number (optional), residence location, work location |
| Professional | Work experience, skills, languages, education history beyond AUC |
| Profile media | Profile photo, social media URLs (LinkedIn, Twitter/X, Instagram, Facebook, personal website) |
| Verification documents | Government-issued ID (PDF or image) or AUC alumni proof document |
| Content you create | Posts, questions, answers, comments, endorsements, marketplace listings, event RSVPs, job postings (including proxy postings), connection requests |
| Direct communications | Messages to other members, messages to ABC support |
3.2 Data we collect automatically
| Category | Examples |
|---|---|
| Technical | IP address, device type, browser type and version, operating system, language preference, timezone |
| Usage | Pages visited, features used, search queries within the Platform, login timestamps |
| Cookies and similar technologies | See our Cookie Policy |
3.3 Data we receive from third parties
If you sign in via a third-party identity provider, we receive the information that provider shares with us (typically name and email). We do not receive your password.
4. Why We Use Your Data and on What Legal Basis
We process your personal data only for the purposes set out below and only where we have a valid lawful basis under the Egyptian Personal Data Protection Law (Law 151/2020), the EU General Data Protection Regulation, and the UK GDPR.
| Purpose | Data used | Lawful basis (EU/UK GDPR) | Lawful basis (PDPL) |
|---|---|---|---|
| Create and operate your account; authenticate you | Identification, contact, technical | Contract (Art. 6(1)(b)) | Contractual necessity |
| Display your profile in the member directory | Identification, contact, professional, profile media | Contract (Art. 6(1)(b)) | Contractual necessity |
| Verify your AUC alumni status | Verification documents | Consent (Art. 6(1)(a)) + explicit consent for any sensitive data (Art. 9(2)(a)) | Explicit written consent |
| Power Marketplace, Jobs Board, Q&A, Events, Sub-communities | Content you create, profile data | Contract (Art. 6(1)(b)) | Contractual necessity |
| Connect you with other members; endorsements | Identification, profile, content | Contract (Art. 6(1)(b)) | Contractual necessity |
| Click-to-WhatsApp links | Phone or WhatsApp number | Consent (Art. 6(1)(a)) | Explicit consent |
| Send service emails (transactional) | Email address | Contract (Art. 6(1)(b)) | Contractual necessity |
| Send marketing emails and newsletters | Email address | Consent (Art. 6(1)(a)) + PECR Reg. 22 | Explicit consent + marketing licence |
| Security, fraud detection, abuse prevention | Technical, usage, content | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| Moderation and enforcement of the Acceptable Use Policy | All categories as relevant | Legitimate interest (Art. 6(1)(f)) and legal obligation | Legitimate interest and legal obligation |
| Aggregated analytics (non-identifying) | Technical, usage | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| Comply with legal obligations and respond to lawful requests | As required | Legal obligation (Art. 6(1)(c)) | Legal obligation |
You may withdraw your consent at any time where consent is the basis. Withdrawal does not affect the lawfulness of processing before withdrawal.
5. Verification Documents — Special Handling
We treat verification documents (government ID or AUC alumni proof) with extra care:
- Storage: encrypted at rest in a separate restricted storage bucket.
- Access: limited to our Data Protection Officer and named verification reviewers under strict need-to-know.
- Audit: every access is logged with timestamp, accessing user, and justification.
- Retention: documents are deleted within 30 days of successful verification. Failed or appealed verifications may be retained for up to 90 days. After deletion only a non-reversible verification flag and a hash of the document remain.
- No reuse: verification documents are never used for any other purpose and never shared with third parties except where required by law.
Government-ID-bearing documents constitute sensitive personal data under PDPL Article 1 and special-category data under GDPR Article 9 where they reveal information about national origin. We process them only on the basis of your explicit written consent at the point of upload.
6. Click-to-WhatsApp Links
ABC profiles include optional click-to-WhatsApp links. When you click one of these links:
- Your browser connects to WhatsApp / Meta Platforms, Inc. servers.
- Meta receives metadata about the click, including your IP address, the destination phone number, your device and browser information, and the referring page.
- The content of any subsequent WhatsApp conversation is end-to-end encrypted and is not visible to ABC.
- ABC has no control over Meta's processing of click metadata. Meta is an independent data controller.
If you do not wish to share this data with Meta, do not click WhatsApp links and contact members by email or phone instead. Meta's privacy practices are described at https://www.whatsapp.com/legal/privacy-policy and https://www.facebook.com/privacy/policy.
7. Who We Share Your Data With
7.1 Other members
Your profile is visible to other verified ABC members. You can adjust visibility of certain fields in your account settings.
7.2 Service providers (subprocessors)
We share data with the following service providers under written data processing agreements:
| Provider | Role | Location |
|---|---|---|
| Supabase (Supabase Pte. Ltd.) | Database, authentication, file storage | EU (Ireland, eu-west-1) |
| Vercel (Vercel Inc.) | Hosting, edge network | EU and global edge |
| Amazon Web Services (AWS SES) | Transactional and marketing email delivery | EU (Ireland, eu-west-1) |
| Termly | Cookie consent management | US (data processed via EU-SCC DPA) |
| [EU Representative provider — TBA] | GDPR Article 27 representation | EU |
| [UK Representative provider — TBA] | UK GDPR Article 27 representation | UK |
If we add or change subprocessors materially, we will notify members at least 30 days before the change takes effect.
7.3 Legal disclosure
We may disclose your data to courts, regulators, law enforcement, or other authorities where required by law, including under the Egyptian Cybercrime Law No. 175/2018, court orders, or legally valid requests.
7.4 Business transfers
If ABC undergoes a reorganisation, sale, or transfer of assets, your data may be transferred. We will notify you and your rights under this Privacy Policy will continue to apply.
7.5 We do not sell your personal data
ABC does not sell or share your personal data for cross-context behavioural advertising or any other commercial purpose. We do not receive payment for transferring your data to advertisers or data brokers.
8. International Data Transfers
ABC is based in Egypt. Some of our service providers are located outside Egypt and outside the European Economic Area and the United Kingdom. Where your data is transferred internationally, we rely on the following safeguards:
- EU Standard Contractual Clauses (Commission Decision 2021/914) with each subprocessor.
- UK International Data Transfer Addendum to the EU SCCs where UK data subjects are affected.
- Transfer Impact Assessments for each subprocessor, supplemented by encryption at rest, TLS 1.3 in transit, and access controls.
- PDPC cross-border transfer permit (application pending; transfers operate under the PDPL grace period until 1 November 2026 and on the basis of explicit member consent recorded at signup).
You may request a copy of the safeguards in place by contacting [privacy@abc-community.org].
9. How Long We Keep Your Data
| Category | Retention period |
|---|---|
| Active account data | For the life of your account |
| Account data after closure | 12 months after account closure, then anonymised or deleted |
| Verification documents | 30 days after successful verification (90 days for failed verifications); then deleted |
| Marketing consent records | 3 years from your last marketing communication, then deleted |
| Audit and moderation logs | 5 years (to satisfy Egyptian Cybercrime Law 175/2018 and PDPL evidence requirements) |
| Connection graph | For the life of your account; anonymised in aggregated form after deletion |
| Posts, comments, and content visible to others | Retained while published; you may delete at any time. Deleted content is removed from the live Platform within 30 days |
| Data subject to legal hold | As long as the legal hold applies |
10. Your Rights
You have the following rights regarding your personal data.
10.1 Under Egyptian PDPL Article 2
- Be informed of, access, review, and obtain personal data we hold about you.
- Withdraw consent previously given.
- Correct, amend, update, add to, or delete your personal data.
- Limit processing to a specific scope.
- Be informed of any breach affecting your data.
- Object to processing or its outcomes where these conflict with your fundamental rights.
The PDPL permits a fee of up to EGP 20,000 for the exercise of certain rights. ABC waives this fee. All rights requests under this Privacy Policy are free.
10.2 Under EU GDPR and UK GDPR
- Access (Art. 15) — receive a copy of your data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure / right to be forgotten (Art. 17).
- Restriction of processing (Art. 18).
- Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
- Object to processing (Art. 21), including profiling and direct marketing.
- Withdraw consent (Art. 7(3)) at any time where consent is the basis.
- Not be subject to solely automated decision-making that produces legal or similarly significant effects (Art. 22). ABC does not make such decisions.
- Lodge a complaint with your supervisory authority.
10.3 Under California law
California residents may exercise the rights to know, delete, correct, and limit use of sensitive personal information, and the right to opt out of sale or sharing. ABC does not sell or share personal data, but we honour Global Privacy Control signals as opt-out requests. To exercise these rights, visit [/privacy/your-choices] or email [privacy@abc-community.org].
10.4 How to exercise your rights
- Self-service: most rights (access, correction, deletion, consent withdrawal) can be exercised at [/account/privacy].
- By email: [privacy@abc-community.org].
- By post: [REGISTERED ADDRESS, Cairo, Egypt].
We respond to verified requests within 30 days. For complex requests we may extend this period by up to two months and will tell you why. We may ask you to verify your identity before responding.
11. Cookies and Tracking
We use cookies and similar technologies on the Platform. Strictly necessary cookies (authentication, security, consent record) are set without consent. All other cookies require your consent through the cookie banner.
For details see our Cookie Policy. You can withdraw cookie consent at any time via the "Cookie preferences" link in our footer.
We honour Global Privacy Control (GPC) signals for visitors in jurisdictions that recognise them, including California.
12. Security
We implement technical and organisational measures appropriate to the risk, including:
- TLS 1.3 encryption in transit.
- AES-256 encryption at rest.
- Row-level security in our database.
- Principle of least privilege for access to sensitive data.
- Logging and monitoring of administrative access.
- Periodic review of subprocessor security posture.
- Breach response procedures.
No security measure is perfect. If we become aware of a personal data breach affecting you, we will notify the PDPC within 72 hours and, where the breach poses a high risk to your rights, notify you within 3 working days of notifying the PDPC, in accordance with Egyptian PDPL Executive Regulations Article 5 and GDPR Article 34.
13. Children
The Platform is for AUC alumni aged 18 and over. We do not knowingly collect personal data of children under 18. If you believe a child has provided data to us, please contact [privacy@abc-community.org] and we will delete it.
14. Future Hospice Cairo Health Data
ABC's operator intends to launch a separate end-of-life care service ("Hospice Cairo") on shared underlying infrastructure in the future. At the time of publication of this Privacy Policy, no health data is processed through the ABC Platform.
When Hospice Cairo launches:
- It will operate under a separate Privacy Policy.
- Health data will be processed in an isolated Supabase project with separate access controls.
- ABC members who are not Hospice Cairo users will not have their data combined with Hospice Cairo data.
- ABC will obtain explicit written consent and a separate PDPC sensitive-data licence before any health data is processed.
This reservation does not authorise health-data processing today. It exists so that future expansion does not require members to re-accept this Privacy Policy.
15. Changes to This Policy
We may change this Privacy Policy. We classify changes as:
- Material changes (new purposes, new data categories, new subprocessors, extended retention, weakened safeguards): we will notify you by email and an in-app banner at least 30 days before the change takes effect, and we will ask for your renewed agreement at next login. Continued use without renewed agreement may result in account suspension.
- Non-material changes (corrections, clarifications, restructuring): we will publish the new version with the updated effective date and notify you in the in-app activity feed.
We maintain a version history at [/privacy-policy/versions].
16. Contact and Complaints
| Reason | Contact |
|---|---|
| General privacy questions | [privacy@abc-community.org] |
| Data Protection Officer | [dpo@abc-community.org] |
| Exercise of rights | [/account/privacy] or [privacy@abc-community.org] |
| EU/EEA residents | [EU REP NAME — TBA] |
| UK residents | [UK REP NAME — TBA] |
| Complaint to Egyptian regulator | Egyptian Personal Data Protection Centre — https://pdpc.gov.eg |
| Complaint to EU regulator | Your local supervisory authority — https://edpb.europa.eu |
| Complaint to UK regulator | Information Commissioner's Office — https://ico.org.uk |
| Complaint to California regulator | California Privacy Protection Agency — https://cppa.ca.gov |
This document is a Phase 1 draft pending review by Egyptian counsel and registration with the Egyptian Personal Data Protection Centre. It will be updated when the PDPC licensing portal opens and ABC's registration completes.