Privacy
Policy
1. Who we are
The data controller for any information you submit through this site is:
B21
Bally & Bhota Jagpal
Postal address: Available on request via the email below
Email: [email protected]
Website: www.b21online.com
If you have any questions about how we use your data, or you want to exercise any of your rights (see Section 7), email us at the address above.
2. What we collect
When you use the photo submission form at b21online.com/fans/submit, we collect:
- The photo file you upload
- Your name, only if you choose to provide one (it's optional)
- A caption, only if you choose to provide one (also optional)
- Your IP address, recorded for spam prevention and rate limiting
- The date and time of submission
- A record that you accepted these terms when you submitted
We do not ask for or collect your email address, phone number, location, or any payment information through the submission form.
We strip EXIF metadata (which can contain GPS coordinates and device info) from every photo file before we store it.
3. How we use your information
The photo and any associated name and caption may be:
- Reviewed by the band before being approved or rejected
- Displayed on the screen at live B21 performances
- Displayed on b21online.com or related band websites
- Shared on B21's official social media accounts
Your IP address is used only for technical reasons:
- Preventing spam and bot submissions
- Limiting how many photos can be submitted per person per hour
- Investigating any abuse or technical issues
We will never: sell your data, use it for advertising, share it with anyone outside the band's immediate circle, or use it to contact you (we don't have your email anyway).
4. Legal basis for processing
Under UK GDPR Article 6, we process your data on these bases:
- Your consent (Article 6(1)(a)) for the photo, name, and caption. You give consent by ticking the agreement box on the submission form. You can withdraw consent at any time, see Section 7.
- Legitimate interest (Article 6(1)(f)) for the IP address and technical metadata, specifically our legitimate interest in protecting the service from automated abuse and spam.
5. How long we keep it
- Approved photos: kept while relevant to the band's anniversary campaign and online presence. You can request removal at any time.
- Rejected photos: kept for 7 days in case of accidental rejection, then automatically deleted forever.
- IP addresses in the rate-limit log: automatically cleared after 1 hour.
- IP addresses in submission metadata: kept for the same duration as the photo (deleted when the photo is deleted).
6. Who we share it with
We use a small number of third-party services to operate this site. Each of them has its own privacy policy:
- A third-party anti-bot service (a CAPTCHA-replacement on the submission form): may briefly collect your IP address and browser characteristics to verify you're human. They process this data on our behalf as a data processor.
- Our web hosting provider, where the data is stored at rest. They act as our processor.
- Our content delivery network and edge-security provider, which sits in front of the site, terminates TLS, caches static files and blocks obvious automated attacks. They act as our processor.
We do not share your data with any other parties.
7. Your rights under UK GDPR
You have the following rights over the data we hold about you:
- Right of access: ask us what information we hold about you
- Right to rectification: ask us to correct anything inaccurate
- Right to erasure ("right to be forgotten"): ask us to delete your photo and any data linked to it
- Right to restrict processing: ask us to stop using your data while a query is being resolved
- Right to data portability: ask us to provide your data in a portable format
- Right to object: object to our processing of your data
- Right to withdraw consent: withdraw your consent at any time, with no consequence
To exercise any of these rights, email us at [email protected]. We'll respond within 30 days. There is also a quick form at b21online.com/fans/delete-request.html if you specifically want a photo removed.
To delete a photo, please describe it (approximate date submitted, name you used if any, what's in the photo) so we can identify it.
Right to complain to the ICO
If you think we've handled your data incorrectly and you're not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office:
8. Cookies
The submission form does not set any tracking or analytics cookies.
The anti-bot challenge on the form may set short-lived session cookies for fraud prevention. These are considered essential for the security function and don't require separate consent under PECR.
9. Security
We've taken reasonable steps to protect your data:
- Photos are stripped of EXIF metadata (location, device info) on upload
- Files are stored with random non-guessable filenames
- Admin access is password-protected with brute-force rate limiting
- The website uses HTTPS encryption end-to-end
- Sensitive configuration files are blocked from public access
- Pending and rejected photos are not publicly accessible
10. Photos of other people
If a photo you submit contains other identifiable people, you confirm that you have their permission to share it, or that it was taken in a public place at a public event where photography was permitted. See our Submission Terms for full details.
11. Children
This service is not aimed at children under 13. If a photo includes anyone under 18, you confirm you have parental or guardian permission to share it.
12. Changes to this policy
We may update this policy occasionally. The "Last updated" date at the top of the page shows when we last changed it. We won't notify you of changes by email since we don't have your email address; please check this page if you want to stay informed.
13. Contact us
For any questions about this privacy policy or how we handle your data:
Email: [email protected]