Kataloop's cryptographic anonymity system makes unmasking mathematically impossible. Here's the complete technical breakdown.
Hover to see identity dissolve
Unlike "anonymous" survey tools that rely on policy promises, Kataloop uses mathematical guarantees that make de-anonymization impossible - even for us.
Kataloop uses cryptographic pseudonyms that protect your identity while letting you track your own submissions, combined with k-anonymity thresholds to ensure no individual can be isolated from a group. Even with database access, identity mapping is cryptographically impossible because no mapping table exists.
You have a consistent pseudonym that lets you track your submissions - but managers can never trace it back to you.
You put in two ingredients:
The blender mixes them and spits out:
You can't un-blend it. If someone has "Turtle_8473", they cannot work backwards to figure out your email. It's mathematically impossible.
See if your feedback led to change. Watch patterns you contributed to get addressed.
One person = one voice, no matter how many times you submit. Add context freely—it won't inflate the count.
Access, export, or delete your feedback anytime. Just log in—we'll show you everything tied to your account.
Not "we won't tell" — we CAN'T tell.
There's no database table linking your identity to your feedback. No file. No spreadsheet. Nothing to hack, subpoena, or leak. The connection only exists in the moment you log in—then it's gone. Even if someone stole our entire database, they couldn't find who said what. Because that information doesn't exist.
Even if someone could trace a pattern to a group, they can't narrow it down to one person.
K-anonymity means you're indistinguishable from others who said similar things. No one can narrow down which individual contributed to a pattern.
Simple, predictable ranges:
No percentages. No complex math. Just clear ranges that scale with your team.
3-15 people: 3 voices needed. Clear, simple, always protected.
16-40 people: 5 voices. 41-100 people: 8 voices. Simple ranges that scale.
Specific complaints become general themes. "Manager X micromanages" → "Management practices."
Some issues can't wait for 5 voices. Safety concerns, power dynamics, and cultural issues have lower thresholds - because waiting too long could mean waiting until it's too late.
Standard topics like "meeting efficiency" can wait for 5 voices - nothing urgent happens if it takes a few weeks. But topics like harassment, safety concerns, or power imbalances? Waiting for 5 voices could mean:
Before the pattern surfaces, they've already quit
The problematic behavior keeps happening
"The system doesn't work for important stuff"
Process improvements, tool requests, meeting feedback, workflow optimizations
Leadership concerns, cultural issues, growth barriers, team dynamics
"This topic surfaces with fewer voices (3+) to ensure timely attention. Your feedback remains fully anonymous."
Safety concerns, power imbalances, unspoken tensions, psychological safety
"This topic is critical and will surface quickly (2+ voices). Your feedback remains fully anonymous. Are you sure?"
Sensitive topics surface faster because waiting for 5 voices could mean waiting too long. Safety concerns should never wait. Power dynamics shouldn't fester. Cultural issues shouldn't go unaddressed for months. With clear warnings and your full consent, critical feedback reaches leadership while you remain completely anonymous.
These mechanisms work together to prevent accidental re-identification and protect your anonymity.
AI identifies tools, clients, meetings, and person contexts
Employees mention specific tools, clients, meetings, and colleagues. We need to route feedback to the right teams while protecting identity - but keeping important context about which teams or departments are involved.
AI recognizes entities and automatically tags them. Names are removed, but role/department context is preserved. "Mike in sales" becomes "Sales Team Member" - you're protected, but leadership knows which department to address.
Names are removed, but context is preserved. "Sarah in sales" → "Sales Team Member". Leadership knows which teams need attention without knowing WHO said it.
Protected at the specific level. Impactful at the broader level.
What if your specific concern doesn't get enough voices to surface as a pattern? Does your feedback just disappear?
Your feedback gets tagged at multiple levels from day one—not as a fallback, but by design. Even if your specific issue stays protected (too few voices), your voice still contributes to company-wide insights where patterns surface more easily. And you control which tags apply before you submit.
Specific pool: Only 2 people mentioned this exact meeting
Your voice also joins the broader "Meeting Effectiveness" pool (31 voices). That pattern surfaces. Your specific meeting doesn't. You're protected, but heard.
Specific pool: Just you and one colleague noticed this
Your voice joins company-wide "Tools & Systems" insights. If others across the company feel tool pain, that surfaces. Your team stays anonymous.
Worried about being identified in a small category?
Before submitting, you see all suggested tags. Uncheck any you don't want. You control which pools your voice joins.
Specific concerns stay private. Broader patterns emerge. You choose which pools you join.Department + level, not individual
In small teams, unique job titles like "The only Senior DevOps Engineer" or "Head of Marketing DACH" can identify individuals.
Roles are mapped to department + level categories. Specific enough to route feedback properly, general enough to protect identity. You approve the mapping before submitting.
Managers see patterns by department and level (e.g., "Software Development", "Sales Leadership"), not by specific title.
These three mechanisms work together. NER catches accidental self-identification. Feedback aggregation prevents learning from group membership. Role generalization removes unique identifiers. Your anonymity isn't a promise - it's mathematics.
We've analyzed every potential de-anonymization attack. Here's how Kataloop defends against each:
Someone gains full read access to PostgreSQL database
No identity-to-pseudonym mapping table exists. Pseudonyms are computed on-the-fly and never stored. Even with complete database access, there is nothing to reverse.
Manager creates very specific patterns to isolate individuals
Dynamic thresholds use fixed ranges by team size (3-15 people: 3 voices, 16-40: 5, 41-100: 8, etc.). Patterns also get generalized before surfacing.
Someone monitors submission times to correlate with schedules
Timestamps are bucketed into 1-hour windows. Exact submission time is never exposed.
AI analysis of word choice to identify authors
AI summarization normalizes all feedback. Original text is never displayed to managers.
Using team size, department, or role to narrow down
Dynamic thresholds use fixed ranges: 3-15 people need 3 voices, 16-40 need 5, etc. No percentages, no complex math—just clear protection.
Manager pressures team to reveal who said what
Zero-knowledge design means even the employee cannot prove they submitted specific feedback.
Kataloop's anonymity isn't a policy or promise - it's a mathematical guarantee. Even if someone compromises our database, bribes an employee, or subpoenas our records, they cannot determine who said what. It's not that we won't tell - we can't.
Your growth journey is yours. Share wins for recognition, keep struggles private for safety.
Unlike organizational feedback (which surfaces patterns for managers), personal development data is private by default. You control what your manager sees, when they see it, and you can make it private again at any time.
You set goals, you decide what to share
Development feedback NEVER used in reviews
Can make shared data private again anytime
Different data has different vulnerability levels. The more vulnerable the data, the stronger the privacy protection. Default privacy maps to vulnerability level.
Research shows that when development is separated from evaluation and employees control visibility, they're 34% more likely to share authentic struggles and ask for help. Your vulnerabilities stay yours. Your wins get the recognition they deserve.
"I struggle with public speaking - received feedback that I need to work on this."
"Goal: Present at 3 team meetings"
"Completed 3/3 presentations! Confidence improved significantly."
Private struggles not visible
Private goals not visible
"Completed 3/3 presentations! Confidence improved significantly."
Personal development feedback is NEVER used for performance evaluations, promotion decisions, or any form of assessment. This is a hard policy enforced by design.
When employees own their development data and control what's shared, they're honest about where they struggle. When development is separated from evaluation, they ask for help instead of hiding gaps. Your growth journey is yours. Share what builds your reputation. Keep what doesn't, private.
See how Kataloop's cryptographic anonymity can unlock honest feedback in your organization.