Privacy Policy

Last updated: April 2026

This Privacy Policy explains how personal data is processed when you visit and use this website, including the portfolio, the interactive exam, certificate-related features, optional email communication, optional personalization features, first-party usability analytics, and related security measures.

This website is designed with a strong focus on data minimization, separation of concerns, and avoidance of unnecessary identification of users. Functional data, usability analytics, certificate-related data, newsletter data, and optional personalization data are handled as separate processing contexts wherever possible.

1. Controller

The controller responsible for the processing of personal data on this website is:

Michal Domanski
Beethovengasse 5/11
1090 Vienna
Austria

Email: privacy@mwah.design
Phone: +43 670 408 6666
VAT Number: ATU77577604

2. Scope of This Privacy Policy

This Privacy Policy applies to the website available at:

https://mwah.design

The website is provided in English and is intended primarily for users in the European Union and the United Kingdom.

3. General Principles of Processing

Processing on this website is based in particular on the following principles:

4. Hosting, Infrastructure, and Technical Operation

This website is hosted by Hetzner. The server infrastructure is located in Germany. A backup package provided by the same hosting provider is used for operational resilience, service continuity, and data security.

The website does not currently use a content delivery network (CDN). Fonts are hosted by the operator directly on the website infrastructure. According to the current setup, no third-party scripts are loaded from external providers.

Purpose of processing: website delivery, hosting, system operation, backup, maintenance, and technical security.
Legal basis: Article 6(1)(f) GDPR (legitimate interests in operating a secure and reliable website).

5. Server Logs and Technical Error Logging

The website processes technical logs in the form of PHP error logs for debugging, maintenance, and stability purposes. These logs are designed, where possible, to avoid containing personal data. To the extent personal data is exceptionally included in technical logging despite such safeguards, such processing is limited to what is necessary for diagnosing and resolving technical faults.

At present, logs are retained according to the default retention settings of the hosting environment unless a shorter period is configured or required for a specific operational reason.

Purpose of processing: error detection, troubleshooting, system maintenance, technical debugging, and service stability.
Legal basis: Article 6(1)(f) GDPR.

6. Security Measures

This website uses HTTPS encryption to protect data transmitted between your device and the website. Access to critical system components, tokens, and protected functions is restricted through appropriate access controls and permissions. Additional technical and organizational measures are implemented to protect personal data against unauthorized access, unauthorized disclosure, accidental loss, or misuse, taking into account the nature, scope, context, and purposes of the processing.

7. Functional Cookies and Strictly Necessary Identifiers

This website uses encrypted cookies and related functional identifiers solely where necessary to provide certificate-related functionality and preserve access to certificate-related records over time.

These identifiers contain certificate-related IDs and GUIDs. They are used only to:

These identifiers:

Where such functional cookies are stored, their lifetime may extend up to one year where this is necessary to preserve certificate access and avoid unnecessary loss of access state for the user.

Purpose of processing: providing and maintaining user-requested certificate access functionality.
Legal basis: Article 6(1)(b) GDPR (performance of a service requested by the user).

8. The Interactive Exam

The website provides an interactive exam designed to assess a user's understanding of design-related topics and to educate users about the value of design.

During the exam, users may submit:

Users are explicitly instructed not to provide personal data in open-text responses.

After submission, the exam data is transmitted to the OpenAI API for evaluation. According to the configuration used for this website, API data is not used for model training and persistence is turned off for the relevant processing configuration used by the controller.

After evaluation, the exam data is stored in the website database as part of the certificate-related data structure.

Purpose of processing: providing the exam requested by the user, evaluating the submission, generating exam-related feedback, supporting certificate functionality, and educating users about design-related topics.
Legal basis: Article 6(1)(b) GDPR.

9. Storage of Exam Data and Certificate-Related Base Records

The exam data is retained to preserve the user's exam state and to enable continued use of certificate-related functionality and advanced website offers that depend on successful completion of the exam.

The purpose for retaining the exam result over time is to avoid unnecessary data loss and to avoid frustrating users by forcing them to repeat a completed process solely because of the passage of time or loss of a local access state.

Depending on the stage of use, the retained exam-related dataset may include:

The exam-related dataset is intended to be stored initially without direct identification of the user. However, it cannot be fully excluded that a user may voluntarily include personal data in an open-text response despite the instruction not to do so.

Purpose of processing: preserving exam results, enabling certificate generation and retrieval, enabling access to advanced offers dependent on exam completion, and maintaining continuity of the user experience.
Legal basis: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR (legitimate interests in continuity of user-requested service functionality and prevention of unnecessary loss of exam state).
Retention: indefinite unless and until deleted, revoked, or otherwise removed through a user action or another applicable legal reason.

10. Claiming a Certificate

After completing the exam, a user may claim the exam result and certificate by providing:

At that stage, the email address is collected only for the purpose of certificate-related processing and communication.

Once the certificate is claimed:

The email address collected for this certificate-delivery flow is deleted after the delivery and access-restoration flow has been completed.

Purpose of processing: certificate issuance, certificate preparation, certificate delivery, certificate access restoration, and service-related communication requested by the user.
Legal basis: Article 6(1)(b) GDPR.

11. Certificate Summary Generation

After a certificate is claimed, a certificate summary may be generated through the OpenAI API. In this processing step, no personal data is sent to OpenAI. The summary is generated based on the relevant certificate-related data and stored as part of the certificate record.

Purpose of processing: generation of certificate-related content requested by the user as part of the certificate service.
Legal basis: Article 6(1)(b) GDPR.

12. Certificate Storage, Revocation, and Reactivation

The first and last name are stored as part of the certificate record in order to issue and maintain a named certificate. This name data may be deleted at the user's request or as part of a certificate revocation process.

Users may revoke their certificate. Where a certificate is revoked:

If a user later chooses to reactivate the certificate, the user must provide the relevant identifying name information again so that the certificate can be restored in named form.

Purpose of processing: named certificate issuance, certificate lifecycle management, revocation, and reactivation at the user's request.
Legal basis: Article 6(1)(b) GDPR.
Retention: name data may be stored indefinitely until deletion or revocation, provided the user continues to use the certificate functionality or until another lawful deletion trigger applies.

13. Transactional Emails

Transactional emails related to certificate processing, certificate availability, certificate access, access restoration, or changes triggered by user choices are sent through Lettermint, a provider based in the Netherlands.

The provider is used with a no-data-retention approach to the extent offered and configured for the service. The controller does not use the provider's own link-tracking features for these emails.

Such emails may include:

Purpose of processing: sending strictly service-related communications requested by the user.
Legal basis: Article 6(1)(b) GDPR.

14. Optional Educational Email Materials

When claiming a certificate, users may choose between:

These options are presented as separate and equally available choices. The optional educational materials are expressly stated not to be required for access to the certificate.

If a user opts into educational materials:

The educational materials may include case studies, insights, and learnings in the field of design and are generally sent up to once per month.

Users may withdraw this consent at any time through unsubscribe functionality in the emails or through the corresponding functionality on the website.

The purpose for storing the email address in this separate context is solely to communicate with the user within the scope of the consent granted. The newsletter table is intended to be kept separate from unrelated data unless the user later gives an additional separate consent for personalization.

Purpose of processing: sending optional educational materials and documenting the related consent.
Legal basis: Article 6(1)(a) GDPR (consent).
Retention: until consent is withdrawn or another lawful deletion trigger applies.

15. Additional Functional Certificate Identifiers in the Newsletter Context

Where necessary for certificate-related operations, additional encrypted cookies may be stored on the user's device. These cookies contain a UID and GUID for the relevant user entry in the database and are used only for operations relating to that user entry and certificate access. They are not intended to be used for first-party usability analytics.

Purpose of processing: preserving or enabling certificate-related functionality in connection with user-requested features.
Legal basis: Article 6(1)(b) GDPR.

16. Optional Personalization

After opting into educational materials, users may be offered a further choice between:

Custom tailored materials are described as educational materials that use certain data about the user's interaction with the website and the exam result to make the educational content and recommendations more relevant to that user.

Personalization is activated only after explicit consent. If the user chooses generic materials, only the ordinary educational-materials processing described above applies.

17. Data Processing for Personalized Materials

If a user opts into personalized materials, additional processing will take place, including:

The stated purpose of this processing is to communicate with the user in a more personal way and provide more relevant recommendations, such as case studies, articles, or educational resources more closely matched to the user's interests or needs.

Purpose of processing: consent-based personalization of educational communication and related account-style convenience functionality.
Legal basis: Article 6(1)(a) GDPR (consent).
Retention: until consent is withdrawn or another lawful deletion trigger applies.

18. Withdrawal of Personalization Consent

Users may withdraw personalization consent at any time and return to generic materials.

Withdrawing personalization consent has the following intended consequences:

Where specific personalization-related data is scheduled for deletion after withdrawal, the corresponding post-withdrawal deletion process applies accordingly.

Purpose of processing: implementing the user's withdrawal of consent and restoring the non-personalized service state.
Legal basis: Article 6(1)(a) GDPR.

19. Optional Feedback Following Withdrawal

After withdrawing personalization consent, users may be offered the opportunity to submit feedback through an online form.

If such feedback is submitted:

If the user consents to being contacted regarding the feedback, an email address may be stored together with the feedback for that purpose.

Purpose of processing: service improvement and, where separately permitted, follow-up communication regarding the feedback.
Legal basis: Article 6(1)(f) GDPR for feedback itself and Article 6(1)(a) GDPR where separate contact consent is given.

20. First-Party Usability Analytics

This website processes certain interaction data in order to understand how the interface is used and to improve usability, accessibility, service quality, navigation, and interaction design.

This processing is limited to first-party, session-scoped interaction measurement and is not intended to identify users as individuals.

The interaction signals processed in this first-party usability analytics context may include:

This processing does not include:

Raw interaction data is retained only briefly; it is intended to be kept for approximately up to one hour at most before further reduction. After that, it is processed into:

These resulting analytics outputs are not used to create user profiles in the base analytics layer and are intended to support product and usability improvement rather than individual evaluation.

This processing is necessary to understand sequence-dependent usability issues, navigation breakdowns, interface friction, and other interaction problems that cannot be sufficiently assessed through fully aggregated high-level counters alone.

Purpose of processing: usability analysis, accessibility improvement, identification of friction points, interaction-design improvement, and service-quality optimization.
Legal basis: Article 6(1)(f) GDPR (legitimate interests in operating, evaluating, and improving the website and its interaction design).
Retention: raw interaction data approximately up to one hour; aggregated metrics retained indefinitely; de-identified interaction patterns retained for the period the controller considers necessary for qualitative usability analysis, subject to the controller's retention logic.

21. Aggregated Metrics and Qualitative Interaction Patterns

Certain high-level KPI-style metrics, such as conversion-related measures or average completion-related values, are retained indefinitely in aggregated form in order to understand the long-term evolution of the website and to improve the service over time.

Qualitative interaction patterns derived from short-lived raw session data are used to understand user friction points and interface difficulties and are retained for a limited period considered necessary for that qualitative analysis.

Where such information is included in emails as part of a “did you know” or comparable informational box, the intention is to use only high-level information and not to identify unrelated users.

Purpose of processing: long-term service improvement, communication of general website-development insights, and support for evidence-based UX decisions.
Legal basis: Article 6(1)(f) GDPR.

22. Security, Anti-Abuse, and Protection of AI Services

To protect the website and the AI-supported exam from misuse, an anti-abuse mechanism is used.

The session itself does not receive the token identifier that is associated with the IP-based control logic.

Purpose of processing: abuse prevention, system security, cost control, and protection of the continued availability of the AI-supported functionality.
Legal basis: Article 6(1)(f) GDPR.

23. Recipients and Categories of Recipients

Personal data may be disclosed to the following recipients or categories of recipients where necessary:

No third-party analytics, advertising, monitoring, CDN, or externally embedded processing tools are used.

24. Retention Periods

Unless a longer retention period is required by law or justified by an ongoing legitimate or user-requested purpose, personal data is retained only for as long as necessary for the purposes described in this Privacy Policy.

The main retention logic is as follows:

25. Whether Provision of Data Is Required

Users are generally not legally required to provide personal data. However, certain website features cannot be used without the data necessary for those features. In particular:

26. Data Subject Rights

Under applicable data protection law, you may have the following rights, subject to the conditions and limits laid down by law:

To exercise these rights, please contact:

privacy@mwah.design

27. Right to Lodge a Complaint

You have the right to lodge a complaint with a competent supervisory authority if you believe that the processing of your personal data infringes applicable data protection law.

In Austria, the competent supervisory authority is generally:

Österreichische Datenschutzbehörde

You may also contact another competent supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement, where applicable.

28. Automated Decision-Making and Profiling

This website uses AI-assisted evaluation in connection with the interactive exam and may use consent-based personalization where the user has explicitly opted into personalized materials.

The base first-party usability analytics is not intended to create user profiles and is not intended to evaluate personal aspects of an identified individual.

The personalization functionality described in this Privacy Policy is intended to tailor educational communication and recommendations only where the user has separately consented. It is not intended to produce decisions based solely on automated processing that create legal effects or similarly significant effects within the meaning of Article 22 GDPR.

29. Children and Special Categories of Data

This website is not specifically directed at children. Users are instructed not to submit personal data in open-text exam answers. The website is not intended to collect special categories of personal data unless a user voluntarily provides such data despite the instructions given.

If such data is nevertheless submitted, the controller reserves the right to handle the data in accordance with applicable law and to restrict, delete, or otherwise manage the relevant content where appropriate and lawful.

30. Changes to This Privacy Policy

This Privacy Policy may be updated from time to time to reflect legal, technical, or operational changes. The version published on the website at the time of use shall apply.