Demo
Privacy Policy

1. Who we are

The data controller for any information you submit through this site is:

B21
Bally & Bhota Jagpal
Postal address: Available on request via the email below
Email: [email protected]
Website: www.b21online.com

If you have any questions about how we use your data, or you want to exercise any of your rights (see Section 8), email us at the address above.

2. What we collect

When you use the demo submission form at b21online.com/demos/submit, we collect:

• The audio file you upload (MP3, WAV, M4A, AAC, FLAC, or OGG, up to 15 MB)
• Your real name (required)
• Your email address (required, so the band can reply)
• The artist or producer name you want to be known by (required)
• The track title (required)
• Optional notes you write in the form (up to 500 characters)
• Your IP address, recorded for spam prevention and rate limiting
• Your browser user agent string, recorded with the submission for diagnostic and abuse-investigation purposes
• The date and time of submission
• A record that you accepted these terms when you submitted, along with the version of the policy you accepted
• The SHA-256 hash of the uploaded file, used to look up an existing virus scan result (see Section 6)

We do not ask for or collect your phone number, postal address, payment information, location, or any social media handles through this form.

Our server re-encodes every uploaded file to a normalised 192 kbps MP3 before storing it. This strips all embedded tags (ID3, iXML, any custom metadata) and discards any non-audio streams the original file may have contained. The file you upload as .flac or .wav is not what we store on disk.

3. How we use your information

The audio file and the names, email, track title, and notes you submit may be:

• Listened to by the band and their immediate creative circle as part of internal A&R review
• Discussed within that same internal circle (lyrics, production, fit with the project)
• Used to reply to you by email if the band wants to take it further

What we never do: we do not publish demos on this website, on social media, on streaming services, or at live shows. Demos are not part of any public gallery. They exist only for internal review and to give us a way to contact you back.

Your IP address and user agent are used only for technical reasons:

• Preventing spam and bot submissions (via a third-party anti-bot challenge service)
• Enforcing the limit of one submission per IP address and one per email address per 24 hours
• Investigating any abuse or technical issues with a specific submission

We will never: sell your data, use it for advertising, share it with anyone outside the band's immediate circle (except the processors listed in Section 6), or contact you for any reason other than discussing your demo.

4. Legal basis for processing

Under UK GDPR Article 6, we process your data on these bases:

• Your consent (Article 6(1)(a)) for the audio file, your name, email, artist name, track title, and notes. You give consent by ticking the agreement box on the submission form. You can withdraw consent at any time, see Section 8.
• Legitimate interest (Article 6(1)(f)) for the IP address, user agent string, file hash, and the malware scan, specifically our legitimate interest in protecting the service from automated abuse, spam, and from storing malicious files on our servers.

5. How long we keep it

• Pending submissions (not yet reviewed): kept until the band has had a chance to listen. You can request deletion at any time, no questions asked.
• Shortlisted submissions (the band is interested in following up): kept while the conversation with you is ongoing or while the track remains relevant to a project.
• Rejected submissions: kept for a short period in case the band wants to reconsider, and then deleted. You can request earlier deletion at any time.
• IP and email rate-limit log: automatically pruned after 24 hours from the timestamp of submission.
• If you email us asking for deletion, we remove the file and its associated metadata (your name, email, artist name, track title, notes, IP, user agent) from our systems. We cannot recall files that have already been uploaded to the external malware-scanning service, see Section 6.

6. Who we share it with

We rely on a small number of third-party services to operate this site and to keep our server safe. Each is engaged under written data-processing terms and acts only on our instructions, except for the malware-scanning service noted below, which is the one place where the file you upload may leave our control. We describe the categories rather than the specific providers, as a matter of operational security; this does not affect your rights under UK GDPR, and we can name the specific processor on request if you need it for a subject-access request.

• A third-party malware-scanning service (the one to flag): before storing your file we scan it for malware via this external service. In practice this means:
  • We compute a cryptographic hash of your file and ask the service whether it has already scanned a file with the same hash. If yes, we use the existing scan result and your file is not uploaded.
  • If the service has never seen the file before, we upload the raw bytes to it so it can be scanned.
  • Files uploaded to that service are retained by them under their own terms, and may be accessible to participating security researchers and antivirus vendors. If you do not want your unreleased track shareable through an external scanning service, please do not submit it via this form, email it directly to [email protected] instead.
• A third-party anti-bot challenge service: used on the submission form to prevent automated abuse. May briefly collect your IP address and browser characteristics to verify you're human; processes the data on our behalf as our processor.
• Our web hosting provider: where the audio file and its metadata are stored at rest. Acts as our processor.
• Our content delivery network and edge-security provider: sits in front of the site, sees request details for every page-load, blocks obvious automated attacks. Acts as our processor.
• A cookie-less analytics service: used to measure page traffic across the public site. Does not set cookies or store IP addresses for visitor identification; we see aggregate numbers only.

We do not share your data with any other parties. If you need the specific names of the processors above for a UK GDPR subject-access request, email us and we will provide them in writing.

7. The track is yours to share

By submitting, you confirm that:

• The track is your own work, or you have explicit permission from every collaborator (co-writers, producers, vocalists, sample owners) to send it to us for review.
• The track does not contain uncleared samples, or any material that would put us in breach of someone else's copyright if we listened to or discussed it.
• You retain all rights to the track. Sending it to us does not grant us any licence to release, perform, or distribute the work. If we ever want to do anything beyond internal review, we will contact you and agree terms in writing first.

8. Your rights under UK GDPR

You have the following rights over the data we hold about you:

• Right of access: ask us what information we hold about you
• Right to rectification: ask us to correct anything inaccurate
• Right to erasure ("right to be forgotten"): ask us to delete your demo and any data linked to it
• Right to restrict processing: ask us to stop using your data while a query is being resolved
• Right to data portability: ask us to provide your data in a portable format
• Right to object: object to our processing of your data
• Right to withdraw consent: withdraw your consent at any time, with no consequence

To exercise any of these rights, email us at [email protected] from the same address you used when you submitted the demo, and tell us the track title and approximate date you sent it. We'll respond within 30 days.

Right to complain to the ICO

If you think we've handled your data incorrectly and you're not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office:

ico.org.uk/make-a-complaint

9. Cookies

The demo submission form does not set any tracking or analytics cookies.

The anti-bot challenge on the form may set short-lived session cookies for fraud prevention. These are considered essential for the security function and don't require separate consent under PECR.

10. Security

We've taken reasonable steps to protect your data:

• Every uploaded file is virus-scanned before it is stored; malicious files are rejected and not kept
• Every uploaded file is re-encoded to MP3, which strips embedded tags and discards any non-audio streams the original may have contained
• Files are stored on disk with random, non-guessable filenames
• The pending, shortlisted, and rejected directories are blocked from public web access at the server level
• The admin area is password-protected and behind the same single sign-on portal as the rest of the band's admin tools
• The website uses HTTPS encryption end-to-end
• Sensitive configuration files (API keys, secrets) are blocked from public access and stored outside the website's public directory where possible

11. Children

This service is not aimed at people under 16. If you are under 16, please do not submit through this form, ask a parent or guardian to send the track to [email protected] on your behalf instead.

12. Changes to this policy

We may update this policy occasionally. The "Last updated" date at the top of the page shows when we last changed it. If we make a material change that affects how we handle previously-submitted demos, we will email everyone whose demo we still hold to let them know.

13. Contact us

For any questions about this privacy policy or how we handle your data:

Email: [email protected]