Privacy Policy
1. Who we are
The data controller for any information you submit through this site is:
B21
Bally & Bhota Jagpal
Postal address: Available on request via the email below
Email: [email protected]
Website: www.b21online.com
If you have any questions about how we use your data, or you want to exercise any of your rights (see Section 11), email us at the address above.
2. What this policy covers
b21online.com has several distinct things you can do, and each one collects a different shape of data. This umbrella policy is the complete picture across the whole site. Two of the features have their own focused policies that go into more detail and are the authoritative source for that flow.
| Where you are | What's collected | Authoritative policy |
|---|---|---|
| Browsing the site | Aggregate page-view counts via a cookie-less analytics service; standard server-side request logs | This page, Sections 6 to 7 |
| Sending a fan photo | Photo, optional name and caption, IP address | /fans/privacy.html |
| Sending a demo | Audio file, real name, email, artist name, track title, optional notes, IP, user agent; file scanned for malware by a third-party service before storage | /demos/privacy.html |
| Buying from the shop | Name, email, phone, shipping address (encrypted at rest); card payment handled entirely by a PCI-DSS compliant third-party processor | This page, Section 5 |
3. Sending us a fan photo
The photo submission form at /fans/submit collects the photo you upload, optionally your name, optionally a caption, and your IP address for spam prevention. Approved photos are shown on the homepage, the fan gallery, on screen at live B21 shows, and on our social media. Rejected photos are deleted within seven days.
Full detail, including legal basis, retention, and your rights for this specific flow: /fans/privacy.html.
4. Sending us a demo
The demo submission form at /demos/submit collects the audio file, your real name, email address, artist or producer name, track title, optional notes, your IP address, and your browser user agent. We use the email to reply if the band wants to follow up. Demos are never published, broadcast, shared on social, or shown at live shows; they are reviewed internally only.
Important: before storing the file, we scan it for malware via a third-party scanning service. If the service has not previously seen a file with the same content (matched by a cryptographic hash of the file), the file bytes are uploaded to the service for scanning and may be retained by it under its own terms. If you do not want your unreleased track uploaded to an external scanning service, please do not use the form; email the file directly to [email protected] instead.
Full detail: /demos/privacy.html.
5. Buying from the shop
The B21 shop at store.b21online.com takes orders for B21 merchandise. When you check out, we collect:
- Your name
- Your email address (for order confirmation and shipping updates)
- Your phone number (for delivery contact if the carrier needs it)
- Your shipping address
- The items you ordered, the price you paid, and the order timestamp
We do not see, store, or process your payment card details. Card payment is handled entirely by a PCI-DSS compliant third-party payment processor; you are redirected to that processor's secure checkout page to enter your card details. We receive only a confirmation that the payment succeeded and the last four digits of the card for our records.
How your order data is protected
- Your name, email, phone, and shipping address are encrypted at rest using industry-standard authenticated encryption. The encryption key is held outside the website's public directory and is not accessible to a normal web request.
- Orders are stored in a separate database, accessible only to the band's authenticated admin tools.
- Sensitive paths under the shop (the orders directory, the configuration file, the stock file) are filtered out at the edge before reaching our server, as an additional defence-in-depth layer.
How long we keep order data
- Order records are kept for as long as UK consumer-protection and tax law require us to (currently six years from the end of the relevant accounting period). After that they are deleted.
- If you ask for deletion sooner, we can remove your personal data from the order (name, email, phone, address) while keeping the anonymised order line items for tax records.
6. Site-wide things
Analytics
Every public page on b21online.com loads a small script from a privacy-respecting, cookie-less third-party analytics service. It records page-view counts and high-level information about each visit (referring URL, country, browser type), but does not set cookies, does not store your IP address beyond the brief moment needed to bucket the visit, and does not build a profile of individual visitors. We see aggregate numbers, not personal profiles.
Anti-bot challenge on forms
The fan photo form and the demo form use a third-party CAPTCHA-replacement service that verifies you're human without showing you images of traffic lights. The service may briefly collect your IP address and browser characteristics for that check. It does not appear on pages without forms.
Edge security and CDN
The site sits behind a third-party content delivery network and edge-security layer that terminates TLS, caches static files near you, and blocks obvious automated attacks before they reach our server. That provider therefore sees the IP address and request details of every visitor to b21online.com. They act as our processor and do not use this data for their own purposes other than aggregate security analytics for their own platform.
Hosting
Everything that isn't cached at the edge is served by our web hosting provider, who stores the content of the site at rest and processes the same request details. They act as our processor.
7. Cookies and local browser storage
We use cookies and small amounts of local browser storage only where they are essential to the feature. We do not use cookies for advertising, tracking, or building cross-site profiles.
- Site session cookie: set when you have an active shopping cart on the shop. Deleted when the browser closes the session.
- Anti-bot service session cookies: very short-lived, set when you complete a human-verification challenge to prevent re-verification on every request. These are considered essential under PECR for the fraud-prevention function and do not require separate consent.
- Local storage: b21_a11y: set by the site's accessibility toggle (the universal-access button at the bottom-left of every page) to remember your high-contrast / larger-text preference. Stored only on your device.
- Session storage: b21_video_dismissed and b21_video_time: set by the floating "Dil Tarhke" video popup on the homepage to remember whether you dismissed it in this tab, and where you were in the clip. Cleared when the tab closes.
8. Legal basis for processing
Under UK GDPR Article 6, we process your data on these bases:
- Your consent (Art 6(1)(a)) for things you actively send us: photos, demos, optional names and captions. You give consent by ticking the agreement box on the relevant form. You can withdraw consent at any time.
- Performance of a contract (Art 6(1)(b)) for shop orders: we need your name, address, email and phone to fulfil the order you have asked us to ship.
- Legitimate interest (Art 6(1)(f)) for IP addresses, user agent strings, rate-limit logs, the malware scan on demo uploads, and the security infrastructure (CDN, edge filter, anti-bot challenge). Our interest is in keeping the site online and free from abuse.
- Legal obligation (Art 6(1)(c)) for the retention of order records for the period required by UK tax and consumer-protection law.
9. How long we keep your data
- Fan photos: approved photos, indefinitely while relevant to the anniversary campaign and the band's online presence; rejected photos, seven days then auto-deleted. Full detail: /fans/privacy.html.
- Demos: pending and shortlisted submissions are kept while the band is considering them; rejected, a short retention then deletion. Full detail: /demos/privacy.html.
- Shop orders: up to six years from the end of the relevant accounting period, per UK tax law. Earlier removal of personal data on request (see Section 5).
- Server access logs at our CDN and hosting provider: retained per those providers' standard policies (typically days to weeks for full request logs, longer for aggregate metrics).
- Analytics: aggregate visit data, retained for as long as the band's account with the analytics provider is active. No identifiable visitor data is stored.
10. Your rights under UK GDPR
You have the following rights over the data we hold about you:
- Right of access: ask us what information we hold about you
- Right to rectification: ask us to correct anything inaccurate
- Right to erasure ("right to be forgotten"): ask us to delete your data
- Right to restrict processing: ask us to stop using your data while a query is being resolved
- Right to data portability: ask us to provide your data in a portable format
- Right to object: object to our processing of your data
- Right to withdraw consent: withdraw your consent at any time, with no consequence
How to ask
The cleanest way depends on which feature your data sits in:
- Fan photo deletion: use the quick form at /fans/delete-request.html, or email us.
- Demo deletion: email us from the same address you used when you submitted, mentioning the track title and approximate date.
- Shop order data: email us with your order number or the email address you used at checkout.
- Anything else: email [email protected]. We'll respond within 30 days.
Right to complain to the ICO
If you think we've handled your data incorrectly and you're not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office:
11. International data transfers
Some of the processors we rely on operate from outside the United Kingdom. In each case, the transfer is covered either by a UK adequacy decision (where the destination country has been formally recognised as offering an equivalent level of data protection) or by Standard Contractual Clauses, a UK GDPR-recognised legal mechanism under which the processor commits in writing to UK-equivalent data-protection standards. We satisfy ourselves that one of these safeguards is in place before working with any third-party processor.
12. Children
This site is not aimed at children under 13. The fan photo form does not knowingly accept content from anyone under 13; if a photo includes anyone under 18, you confirm you have parental or guardian permission to share it. The demo form is not aimed at people under 16; please ask a parent or guardian to send via email instead. The shop is not aimed at children, and orders should be placed by an adult.
13. Changes to this policy
We may update this policy occasionally. The "Last updated" date at the top of the page shows when we last changed it. We won't notify you of changes by email unless we hold your email address (i.e. you have an active shop order or an in-progress demo submission), in which case we will email you about any material change before it takes effect.
14. Contact us
For any questions about this privacy policy or how we handle your data:
Email: [email protected]