Honest answers

Protected student voice. Responsible school oversight.

Anonymity claims are easy to make. We try to be honest about exactly what True Anonymity protects, what it does not, and what schools have to do themselves to make the technical anonymity actually hold up in the real world.

Three layers

Anonymity has three layers. The software covers one.

Most "anonymous" tools blur this distinction. We don't.

Technical anonymity

The database cannot connect voter to ballot. The submitted ballot is written to a separate pool from the code, and the link is deleted at submission.

Owned by: True Anonymity.

Operational anonymity

Code distribution doesn't accidentally expose identity. A teacher handing a printed code to a known student in front of the class breaks anonymity socially, even when the math is fine.

Owned by: the school's distribution protocol.

Perceived anonymity

Voters believe the system protects them. Without belief, students self-censor and the result becomes dishonest even when it's technically anonymous.

Owned by: both, jointly.

The governance docs published with True Anonymity include a Distribution Protocol that tells operators how to handle layer two correctly. The voter-facing privacy page handles layer three.

Exactly what the school sees

What schools can and cannot see.

What the school can see

  • How many codes were used vs. unused.
  • How many people read the briefing, skipped it, or never opened it — aggregate, not by name.
  • Vote counts and percentages per question, after the deadline.
  • How many people picked "I'd rather not answer", and which of the five reasons they chose.
  • Whether voters reported feeling ready to vote (when the readiness check is on).

What the school cannot see

  • Which option you picked on any question.
  • Whether you are the person who picked any specific abstention reason.
  • Your email, name, IP, browser, or device fingerprint tied to a ballot.
  • The order in which ballots came in. Submission timestamps are not joined to ballots.
  • Results before the voting deadline. Nobody — not even the operator — sees results while voting is open.
How it actually works

One-time codes, separated ballots, no rows of responses.

  1. 1. Code issued. When a vote opens, the operator generates a one-time code per eligible voter and sends it through whatever channel makes sense (email, QR sheet, sealed envelope).
  2. 2. Voter submits. The voter uses their code once. The system validates eligibility, then writes the ballot to a separate anonymous pool.
  3. 3. Link deleted. The mapping from code to ballot is deleted at submission. The code's status becomes "used"; the ballot exists in the pool but is no longer joined to the code.
  4. 4. Results sealed until deadline. Nobody, including the operator, can view results while voting is open. This is enforced by the data model, not by policy.
  5. 5. Aggregate report. After close, the system generates a decision-legitimacy report with counts, percentages, denominators, and qualitative bands. No view exists for "show me ballots by code".
Honest about limits

What True Anonymity doesn't protect against.

No software can protect against everything. Here's what falls outside the technical guarantee.

RiskWhy we can't fully prevent itWhat helps
Operator hands a code to a known voter and watches them scan it. The math is anonymous; the social context is not. Indirect distribution (sealed envelopes, posted QR sheets, parent emails). The Distribution Protocol.
Tiny groups. If only 5 people are eligible and 2 abstain, the result reveals individuals by inference. Minimum-participation thresholds; "don't publish per-question results when ballot count is below 10".
QR code leakage. If a voter screenshots their QR and shares it, anyone with the image can vote. Print on physical paper for sensitive votes; instruct voters not to forward.
Voter proves their own vote externally. True Anonymity can't unsend a screenshot or recall a verbal "I voted X". This is a feature of voter autonomy, not a bug. Voters get to decide what to share.
Operator with shell access to the server. A determined IT admin reading raw files could see that ballots exist — but not whose is whose. Limit shell access. Encryption-at-rest is on the roadmap. For high-stakes votes, host on infrastructure the operator doesn't control.
Insider coercion via social channel. "Tell me how you voted or there will be consequences" is an organizational failure, not a technical one. Acceptable-use policy explicitly prohibits retaliation. True Anonymity can't fix this alone.

Full threat model and distribution protocol are published with the governance docs.

For parents

Questions parents ask first.

Can I see how my child voted?

No. Once the ballot is submitted, the link between code and ballot is gone — even your child cannot retrieve their own ballot after the fact. This is a deliberate property of the system: a vote whose record can be retrieved isn't really anonymous.

What happens if a student writes something inappropriate or threatening?

True Anonymity doesn't currently offer free-text in ballots — voting is structured (single choice, multiple choice, ranking, rating) plus the five-category abstention reasons. None of those carry free text. If/when written feedback ships, it will require moderation policies in writing before any school can use it. Safety-escalation protocols are documented in the governance docs.

How do I know the school isn't manipulating the briefing?

Two safeguards. First, a built-in briefing balance check that prompts operators to verify the briefing answers five framing questions before publishing — including "main arguments for each option". Second, voters can pick "Trust barrier" as an abstention reason if they believe the briefing is biased. If a meaningful share picks that, the decision-legitimacy report calls it out as a flag.

What about my child's "I'd rather not answer" reason?

The school sees how many people picked each of the five reasons in total — but cannot see which person picked which. The five categories exist so the school can tell information failure from trust failure from option-design failure. If 30% pick "Pressure barrier", the school has a concrete signal to investigate the climate around the vote — without knowing which 30%.

What if my child loses their code?

Contact the school office (not the teacher running the poll). The office contacts the operator, who marks the unused code invalid and generates a replacement. Important: if the code was already used, it cannot be replaced — that would let someone vote twice or trace which ballot was "yours".

Can I see the results?

That depends on the visibility setting the operator picked at poll creation. Three options: private (operator only), shared with voters (after close), public. The setting is committed to before voting starts and can't be tightened after the fact — meaning a school can't promise public results, then quietly mark them private if the outcome is unfavorable.

What does the school promise not to do?

True Anonymity deployments are expected to sign off on an acceptable-use policy: no retaliation, no re-identification attempts, no selective publication, no bait-and-switch. The policy is published in the governance docs. If a school is using True Anonymity and the commitments aren't visible in writing, ask why.

For students

Short version, for you.

What's true

  • Your code proves you were invited. It is deleted after you submit.
  • Your ballot is written to an anonymous pile. Nobody — including the principal — can find your specific ballot.
  • Nobody sees results before the deadline. Not even the operator.
  • If you choose not to answer, you pick one of five reasons. The school sees totals, not your reason.

What to be careful about

  • Watch your screen. If a teacher can see your phone, the math is still anonymous but the visual isn't.
  • Don't share your code. It's single-use; whoever uses it first locks it.
  • You can leak yourself. If you screenshot your ballot or tell people how you voted, that's on you.
  • For sensitive votes, vote from a personal device on a personal network when you can.

The full voter-facing privacy explainer is built into the app at /privacy, linked from every ballot.

Try a demo and see exactly what data flows where.

The demo includes the privacy explainer voters see on the ballot. Walk through it as if you were a parent or student.