Trust is the whole product

Anonymity isn't a setting.
It's the architecture.

If your team has any doubt that responses are truly anonymous, they'll hold back — and you'll learn nothing. So anonymity isn't left to a setting or a promise: StaffHero is built, in code, so that no screen, export, report or query you can reach ever reveals who said what.

EMPLOYEE TRUST BADGE
Your responses are anonymous to your employer.
They see grouped results, never who said what. No names attached, no IP logging on responses, no tracking.
No IP loggingNo fingerprintingHidden below 5 responses
The anonymity architecture

How your employer is kept from
ever seeing who said what.

1

A private reference, never exposed

Each response keeps an internal reference used for two things only: preventing double-submission and routing anonymous follow-ups. It's never shown to you, and submission times carry a random ±60-second jitter.

2

Identity is stripped in code

Before anything reaches you, a confidentiality layer removes that reference and runs every cell through the privacy rules. No employer-facing screen, export, report or API ever carries it.

3

Small groups are suppressed

Scores stay hidden until at least 5 people respond, verbatim comments until at least 7, and tiny segments are merged — so no one is identifiable by elimination.

5-response privacy threshold

No result — overall or segmented — is ever shown until at least 5 people have responded. Smaller segments are merged or hidden, so no one is identifiable by elimination.

EU & US data residency

Separate databases for EU and US, routed by the region you choose at signup. EU data stays in the EU; US data stays in the US — satisfying GDPR and US preferences alike.

Comments you can read, names you can't

You can read your team's comments verbatim — but only once at least 7 people in a group have answered, and never tied to a name. The AI brief is grounded in those real comments and reports the patterns; unsafe content is filtered out.

No employee portal, no tracking

Employees answer via a private email link — no account, no login, no app, no tracking pixels. Every touchpoint is built to reinforce that they're safe.

Platform security

Solid foundations
under the hood.

StaffHero runs on a modern, audited stack with privacy designed in from the schema up — not bolted on afterward.

  • Encryption in transit (TLS) and at rest on managed Postgres
  • Every record scoped to your organization — strict tenant isolation
  • Rate limiting & abuse protection on every survey submission
  • PII-free audit logging — actions are tracked, identities never
  • GDPR-aligned data handling with a clear DPA on request
Honest answers

The questions your team will ask

Rolling StaffHero out? Share our For your team page — it answers these questions in your employees’ language.

Can my employer really not see who I am?

Correct — not in anything StaffHero shows them. We keep a private reference only to prevent double-voting and route anonymous follow-ups; it's stripped in code before any screen, export or report, and small groups are hidden so you can't be singled out.

What about small teams — could I be guessed?

That's exactly why results stay hidden below 5 responses, and small segments are merged into "Other." If a view could single someone out, you simply won't see it.

Do you track IP addresses or use cookies to identify me?

No. We don't log IPs, we don't fingerprint browsers, and the survey carries no tracking pixels. The private link only tells us which survey to show — not who opened it.

Where is our data stored?

In your chosen region — EU or US — on separate databases. Data never crosses regions, which keeps you aligned with GDPR and US data-residency expectations.

When people feel safe,
they tell the truth.

Give your team the protection that makes honesty possible. Start free today.

Start free →