Privacy Policy


Privacy Policy Selfie Mirror


Thank you for your interest in our Selfie Mirror. On this page you will find information on how we, ITAB Guidance AB, with company registration number 556065-3866, and registered address at Instrumentvägen 2, 550 09 Jönköping, Sweden, (“Data Controller”), process your personal data in connection with the usage of the Selfie Mirror.

In accordance with the statutory requirements of the General Data Protection Regulation ((EU) 2016/679) we are committed to informing you of your legal rights and how we are handling your personal data in connection with the usage of the Selfie Mirror.


1. Data processing when taking a photo

The Selfie Mirror automatically recognizes when a face is looking at the display and starts interacting. However, recording or other processing of personal data by taking a photo only takes place if you have given your verbal consent. This consent constitutes the legal basis for the processing of your data within the meaning of Art. 6 para. 1 (a) of the GDPR.

2. Storage of your photo and withdrawal of consent

You can withdraw your consent at any time with effect for the future. In the case of photographs that you have not selected as a cover photo, the withdrawal will be made immediately by your selection of the preferred photo. All other photos which have been taken in connection with the usage of the Selfie Mirror will be deleted immediately. Your cover photo will be stored up to 12 months after the photo was taken. You can request the deletion of the photo and thereby withdraw your consent by sending us an email to: In order to identify you, we need the URL of the picture from the QR Code.


3. Data processing when visiting the QR Code landing page

If you scan the QR Code on the display of the Selfie Mirror and subsequently visit our landing page, the web server processes the following data:

  • date and time of access,
  • the QR Code from which access is made to our domain,
  • type of your mobile device,
  • your operating system and the browser you use.

This processing is necessary to connect your mobile device to the web server. The collection and processing of this data also serves the purposes of ensuring system security and stability, error and performance analysis as well as internal statistical purposes. We will retain and evaluate this information on the visits to the website and about the functions used (e.g. download, print or share) for analytic purposes in order to understand how we can optimise our website and our marketing campaigns. For the aforementioned purposes, we have a legitimate interest in data processing pursuant to Art. 6 para. 1 (f) of the GDPR.


4. Use of cookies

In order to enable the use of certain functions of our website, we use so-called cookies. These are small text files that are stored on your end device. Cookies store certain settings about your browser and data about the exchange with the website. When a cookie is activated, it can be assigned an identification number that identifies your browser and allows the use of the information contained in the cookie. The cookies used on our website are deleted after the end of the browser session, i.e. after closing your browser (so-called session cookies).

Most web browsers automatically accept cookies. However, you can configure your browser to prevent cookies from being stored on your computer or to always display a message when you receive a new cookie. On the following pages you will find explanations on how to configure the processing of cookies:

Disabling or rejecting cookies may prevent you from using the features of the website. Our legitimate interest within the meaning of Art. 6 para. 1 (f) GDPR is the legal basis for the data processing described above.


5. Disclosure of data to third parties

The personal data described is processed by Ombori Apps AB, with company registration number 556841-1333, (Centralplan 17, 111 20 Stockholm, Sweden), on our behalf. The personal data described is stored on servers of Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521) in the Netherlands.

These service providers will use your data exclusively in accordance with our instructions and for the purposes set out in this privacy policy. They will also comply with the applicable data protection and security requirements.

In addition, your data may be disclosed if we are legally obliged to do so or if this is necessary to safeguard our rights, in particular to enforce claims arising from the use of the Selfie Mirror or the website.

Our legitimate interest within the meaning of Art. 6 para. 1 (f) GDPR is the legal basis for the data processing operations described.


6. Transfer of personal data abroad

The disclosure of personal data to third parties described in this data privacy policy may also involve the transfer of data abroad. If the country in question does not have an adequate level of data protection, we ensure through contractual arrangements with these companies that your data is adequately protected.


7. Right to information, deletion and correction

You have the following rights with regard to your personal data:

  • You can request information about your personal data stored and processed by us. You may request that your personal data be rectified, blocked or deleted. Instead of deletion, blocking will take place if there are legal obstacles to deletion (e.g. legal storage obligations).
  • You can withdraw your consent or object to the processing of data at any time with effect for the future.
  • You can request the transfer of your data.

To exercise your rights, please send us an e-mail to: With regard to the exercise of the right to object and the withdrawal of consent, see also the previous sections of this privacy policy. In addition, you have the right to file a complaint with a data protection authority at any time.


8. Advice for children and parents

It is forbidden for children under 16 years of age to transmit personal data about themselves to us. If we detect that such data has been transmitted to us, it will be deleted from our server. The parents (or legal guardians) of the child may contact us and request deletion of the data. For this purpose, we require a copy of an official document confirming you as a parent or guardian.

Last update: December 2019