Privacy architecture

What protects your team, and where the protection ends.

We describe how the system works, not absolute guarantees. Every protection below maps to code that ships today, and where a protection has a real limit, we say so right next to it. Two things shape everything else on this page: anonymity depends on group size, and an AI model conducts the interviews and processes the responses.

  01

    Names never sit next to interview content.

    Identifying details (name, email, role, manager) live in one place. Interview responses live in another. The only link between them is a salted hash, and the salt is a secret held on the server, not in the database. Because the secret is needed to recompute the hash, a copy of the database alone cannot rebuild the link, even for an attacker who already knows every participant's name and email.

    Where it ends

    A leak of both the database and the server environment could rebuild the link. We do not pretend otherwise.
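A worked example of this separation, added here for illustration and not the product's own code. It uses HMAC-SHA256 keyed with a server-held secret as the concrete form of "salted hash whose salt is a server secret"; the HMAC choice, the `cycle-7` id and the three sample participants are assumptions for the demo. The attacker function models exactly the two cases above: a copy of both tables without the secret recovers no links, while a copy of both tables plus the secret recovers every link. The unkeyed variant is included for contrast, to show why a plain hash of a guessable identifier would not separate anything.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-held secret. In a deployment this comes from the
# environment or a secrets manager, never from the database, so a dump of
# the database alone does not contain it.
LINK_SECRET = secrets.token_bytes(32)


def keyed_link(participant_id: str, cycle_id: str, secret: bytes) -> str:
    """Link token joining one participant to their responses for one cycle.

    HMAC-SHA256 is assumed here as the concrete "salted hash". The key is
    required to recompute the token, so knowing every name and email in the
    identity table does not let an attacker recompute a single token.
    """
    msg = f"{cycle_id}:{participant_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def unkeyed_link(participant_id: str, cycle_id: str) -> str:
    """Weaker design, for contrast: a plain hash of the identifier.

    Anyone holding the database can recompute it for every participant, so
    the two tables are only cosmetically separated.
    """
    return hashlib.sha256(f"{cycle_id}:{participant_id}".encode()).hexdigest()


def build_stores(link_fn):
    """Constructed sample data: one identity table, one response table.

    link_fn(participant_id, cycle_id) is whatever the server uses to join
    them. Only the token ever appears in the response table.
    """
    identities = {
        "p1": {"name": "Ada", "email": "ada@example.test", "role": "eng"},
        "p2": {"name": "Ben", "email": "ben@example.test", "role": "eng"},
        "p3": {"name": "Cy", "email": "cy@example.test", "role": "pm"},
    }
    responses = {}
    for pid, text in [("p1", "Deploys block on one reviewer."),
                      ("p2", "Standups run long."),
                      ("p3", "Roadmap changes weekly.")]:
        responses.setdefault(link_fn(pid, "cycle-7"), []).append(text)
    return identities, responses


def rebuild_from_db_only(identities, responses, cycle_id, attacker_link_fn):
    """Attacker model: a copy of both tables, plus whatever link function the
    attacker can actually run. They recompute a token for every known
    participant and look it up in the response table.
    """
    recovered = {}
    for pid in identities:
        token = attacker_link_fn(pid, cycle_id)
        if token in responses:
            recovered[pid] = responses[token]
    return recovered


if __name__ == "__main__":
    ids, resp = build_stores(lambda p, c: keyed_link(p, c, LINK_SECRET))
    wrong_key = secrets.token_bytes(32)
    print("db only:", rebuild_from_db_only(ids, resp, "cycle-7",
                                           lambda p, c: keyed_link(p, c, wrong_key)))
    print("db + secret:", rebuild_from_db_only(ids, resp, "cycle-7",
                                               lambda p, c: keyed_link(p, c, LINK_SECRET)))
```

The practical consequence is that the secret, not the hash, is the thing to protect: it must stay out of database backups and out of any log or config that ships alongside a database export.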

  02

    Names are removed before storage, not at display.

    Every response runs through three passes before it is saved. Emails are replaced with a generic token. A name-detection pass replaces the person names the model finds. A strip list replaces the names of the other participants in the same cycle. If that list is missing, the system stops loudly rather than saving a weaker version. The stored response format has no identifying fields and rejects writes that include one, so a future bug cannot attach a name to a response.

    Where it ends

    This is detection plus a list, not magic. An unusual nickname, initials only, or a misspelling the model misses could slip through. We deliberately over-remove on emails, treating every email as identifying.
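The three passes and the fail-closed behaviour, as an added example that is not the product's code. The email regex, the `[EMAIL]` and `[NAME]` tokens, the field names in the storage schema and the sample sentence are assumptions. The name-detection pass is a model call in the real system; here the caller supplies the list of names that pass produced, so the pipeline itself runs offline. The example also shows the two limits stated above: word-boundary matching stops "Jon" from mangling "Jonathan", but initials such as "JN" pass straight through.

```python
import re
from dataclasses import dataclass

# Assumed patterns and tokens for the demo.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EMAIL_TOKEN = "[EMAIL]"
NAME_TOKEN = "[NAME]"


class MissingStripList(RuntimeError):
    """Raised instead of saving a weaker redaction when the cycle's
    participant list cannot be loaded (fail closed)."""


def redact_emails(text: str) -> str:
    # Pass 1: every email is treated as identifying; over-removal is intended.
    return EMAIL_RE.sub(EMAIL_TOKEN, text)


def redact_names(text: str, names) -> str:
    # Whole-word, case-insensitive replacement. Longest names first so
    # "Ana Lopez" is replaced whole before a shorter "Ana" could split it.
    for name in sorted(set(names), key=len, reverse=True):
        if not name.strip():
            continue  # an empty entry would otherwise match everywhere
        text = re.sub(r"\b" + re.escape(name) + r"\b", NAME_TOKEN, text,
                      flags=re.IGNORECASE)
    return text


def redact_response(text: str, detected_names, strip_list) -> str:
    """Passes 1-3: emails, model-detected names, cycle strip list.

    detected_names stands in for the output of the name-detection pass.
    strip_list is the names of the other participants in the cycle; None
    means it could not be loaded, and the function refuses to continue
    rather than save a partially redacted response.
    """
    if strip_list is None:
        raise MissingStripList("strip list unavailable; refusing to save")
    text = redact_emails(text)
    text = redact_names(text, detected_names)
    text = redact_names(text, strip_list)
    return text


@dataclass(frozen=True)
class StoredResponse:
    """Storage schema with no identifying fields at all (field names assumed)."""
    cycle_id: str
    level: str
    text: str


IDENTIFYING_FIELDS = {"name", "email", "participant_id", "manager"}


def to_stored(record: dict) -> StoredResponse:
    """Build a StoredResponse from a dict, rejecting identifying keys.

    The dataclass cannot hold a name, and any unknown key is a TypeError, so
    a future caller that tries to attach one fails at write time.
    """
    leaked = IDENTIFYING_FIELDS & set(record)
    if leaked:
        raise ValueError(f"refusing to store identifying fields: {sorted(leaked)}")
    return StoredResponse(**record)


if __name__ == "__main__":
    # Constructed sample input.
    sample = "Ask Priya Nair or p.nair@corp.example; Jon said no."
    print(redact_response(sample, ["Priya Nair"], ["Jon", "Mei"]))
    print(redact_response("JN said no.", [], ["Jon"]))  # initials slip through
```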

  03

    Leadership sees themes, not transcripts.

    The leadership view reads from a synthesized themes layer, not raw interview text. A theme is kept only if at least three different people raise the same pattern. That threshold is checked when themes are built and again when they are read, so a theme that later loses support (for example because a response was deleted) is dropped.

    Where it ends

    Three people is a rule of thumb, not a guarantee. In a small group where three of four people answer, the fourth person's view can sometimes be guessed by elimination. Filtering the view by role and tenure can also narrow a group down to recognizable people. Stronger statistical protections are on the roadmap.

  04

    Tiers are kept apart by design, not by a setting.

    Synthesis runs three separate passes per cycle, one for each confidentiality level. A higher-level response is simply not in the input for a lower-level pass, so the model cannot leak text it never saw. The leadership read then matches exactly one level at a time. The full breakdown is on the confidentiality flags page.

    Where it ends

    This stops leakage across levels. Inside one level and a small group, a paraphrased theme can still carry workflow detail that points to a few people. We accept this for now, instruct the model to write generically, and document the residual risk.

  05

    Quotes are exact, or they are dropped.

    When a quote is attached to a theme, it is checked against the original response. If it is not an exact, character-for-character match of text in that response, the quote is dropped and the theme stands on its plain-language description alone. A theme can never carry a quote that was tidied up or invented.

    Where it ends

    This stops fabricated quotes. It does not stop a paraphrased description, in a small group, from carrying recognizable detail.
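One added example covering points 03, 04 and 05 together: per-level input partitioning, the three-person support check at build time and again at read time, and exact-match quote verification. It is illustrative code, not the product's. The level names, the response tokens standing in for keyed link hashes, the shape of the model's proposed themes and all sample text are constructed for the demo; strict one-level-per-pass partitioning is also an assumption. The constructed model output deliberately includes a tidied quote (capitalisation changed), a quote citing a response from another level, and a theme whose three "supporters" are the same person, so each check has something to reject.

```python
from collections import defaultdict
from dataclasses import dataclass

MIN_SUPPORT = 3  # distinct people, as the page states


@dataclass
class Response:
    token: str      # keyed link token standing in for the participant; no name
    level: str      # confidentiality level the response was given at
    text: str
    deleted: bool = False


@dataclass
class Theme:
    level: str
    title: str
    description: str
    supporters: frozenset
    quotes: list


def partition_by_level(responses):
    """One input set per level. A response is never in another level's pass,
    so the model cannot leak text it never saw."""
    by_level = defaultdict(list)
    for r in responses:
        if not r.deleted:
            by_level[r.level].append(r)
    return by_level


def build_themes(pass_input, proposed, level):
    """Validate what the synthesis model proposed for one level's pass.

    proposed is constructed here as the model's output: a title, a plain
    description, the tokens of responses it says raise the pattern, and
    candidate quotes. A theme survives only with >= MIN_SUPPORT distinct
    supporters that were actually in this pass; a quote survives only if it
    is an exact substring of the response it cites.
    """
    texts = {r.token: r.text for r in pass_input}
    kept = []
    for p in proposed:
        supporters = frozenset(t for t in p["supporters"] if t in texts)
        if len(supporters) < MIN_SUPPORT:
            continue
        quotes = [(tok, q) for tok, q in p["quotes"]
                  if tok in texts and q in texts[tok]]
        kept.append(Theme(level, p["title"], p["description"], supporters, quotes))
    return kept


def read_themes(themes, responses, level):
    """Leadership read for exactly one level. Support is re-checked against
    the live (non-deleted) responses, so a theme that lost support is gone."""
    live = {r.token for r in responses if r.level == level and not r.deleted}
    out = []
    for t in themes:
        if t.level != level:
            continue
        support = t.supporters & live
        if len(support) >= MIN_SUPPORT:
            out.append(Theme(t.level, t.title, t.description, support,
                             [(tok, q) for tok, q in t.quotes if tok in live]))
    return out


def sample_cycle():
    """Constructed responses for one cycle."""
    return [
        Response("t1", "team", "Deploys wait on a single reviewer for days."),
        Response("t2", "team", "One reviewer is a bottleneck for every deploy."),
        Response("t3", "team", "Review queue blocks releases."),
        Response("t4", "team", "Standups are fine."),
        Response("t5", "leadership", "Reorg rumours are hurting morale."),
    ]


def sample_proposed_team():
    """Constructed stand-in for the model's output for the 'team' pass."""
    return [
        {"title": "Review bottleneck",
         "description": "Releases wait on a single reviewer.",
         "supporters": ["t1", "t2", "t3"],
         "quotes": [("t1", "wait on a single reviewer"),      # exact: kept
                    ("t2", "one reviewer is a bottleneck"),   # tidied case: dropped
                    ("t5", "Reorg rumours")]},                # other level: dropped
        {"title": "Standups", "description": "Standups are fine.",
         "supporters": ["t4", "t4", "t4"], "quotes": []},     # one person: dropped
    ]


if __name__ == "__main__":
    responses = sample_cycle()
    parts = partition_by_level(responses)
    themes = build_themes(parts["team"], sample_proposed_team(), "team")
    print(read_themes(themes, responses, "team"))
    responses[1].deleted = True  # soft-delete t2; support falls to two
    print(read_themes(themes, responses, "team"))
```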

  06

    One company's data never reaches another.

    Every request is tied to a customer ID resolved on the server from the session, never taken from the request itself. A lookup that crosses companies returns "not found," so you cannot even confirm another company's data exists.

    Where it ends

    This isolates companies from each other. It does not, on its own, stop a leader from making an over-broad guess about their own small team.
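The session-scoped lookup described above, as an added example rather than the product's code. The company names, theme ids, the session table and the `NotFound` error are assumptions for the demo. The insecure variant trusts a company id taken from the request and is included only for contrast; the hardened one resolves the company from the session, ignores any tenant field the client sends, and returns one identical "not found" for a missing row and for another company's row, so the two cannot be told apart.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Single error for both 'no such record' and 'owned by another company'."""


@dataclass(frozen=True)
class Session:
    user_id: str
    company_id: str  # resolved at login and held server-side


# Constructed sample data. Keys are (company_id, theme_id): every row is
# owned by exactly one company.
THEMES = {
    ("acme", "th-1"): "Review bottleneck",
    ("globex", "th-2"): "Onboarding gaps",
}

# Constructed session table; the client only ever presents the session id.
SESSIONS = {
    "sess-a": Session("u1", "acme"),
    "sess-b": Session("u2", "globex"),
}


def company_from_session(session_id: str) -> str:
    sess = SESSIONS.get(session_id)
    if sess is None:
        raise PermissionError("unauthenticated")
    return sess.company_id


def get_theme_insecure(theme_id: str, company_id: str) -> str:
    """Anti-pattern for contrast: trusts a company id that came from the
    request body or URL. Any user can read any company's theme by editing it."""
    theme = THEMES.get((company_id, theme_id))
    if theme is None:
        raise NotFound("not found")
    return theme


def get_theme(session_id: str, theme_id: str, request_company_id=None) -> str:
    """Company-scoped read. request_company_id models a client-supplied tenant
    field and is deliberately ignored; scope comes only from the session.

    In SQL terms the query is always
        SELECT ... WHERE company_id = :session_company AND id = :theme_id
    so a row owned by another company looks exactly like a missing row.
    """
    company = company_from_session(session_id)
    theme = THEMES.get((company, theme_id))
    if theme is None:
        raise NotFound("not found")
    return theme


def lookup_outcome(session_id: str, theme_id: str, request_company_id=None) -> str:
    """The outcome as the caller sees it, so the two failure cases can be
    compared directly: they must be indistinguishable."""
    try:
        return "ok:" + get_theme(session_id, theme_id, request_company_id)
    except NotFound as e:
        return f"error:{e}"


if __name__ == "__main__":
    print(lookup_outcome("sess-a", "th-1"))            # own data
    print(lookup_outcome("sess-a", "th-2", "globex"))  # other company, tenant field ignored
    print(lookup_outcome("sess-a", "th-9"))            # does not exist: same answer
```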

What we do not claim

The honest other half.

A privacy page that promises what the product does not do is worse than no page. Here is what we are open about.

  • Anonymity is not absolute. With very few people in a cycle, identity can sometimes be guessed by elimination. We never claim "fully anonymous," "100% secure," or "impossible to identify."
  • An AI model (Anthropic's Claude, through our provider) runs the interviews and builds the themes. Conversation content passes through the provider on every turn. Anthropic's standard API terms include 30-day retention for trust and safety, not used for training. A zero-retention agreement is not yet in place for this product.
  • Operator login today is a single shared admin token, a placeholder before real per-operator login. We do not claim single sign-on yet.
  • A self-serve delete button for participants has not shipped. The system can soft-delete a response (its quotes stop showing immediately, and its theme is dropped if support falls below three), but the participant-facing button is still being built. For now, deletion runs through your operator.
  • An automated invitation and consent email from a named coordinator is on the roadmap. The system stores the coordinator name and email; the send step is being built.
  • Encryption at rest is not advertised as a feature. It depends on the hosting provider's setup, which lives outside our code.
  • No SOC 2, GDPR DPA, HIPAA, or ISO certification today. We will take each one on when a customer needs it, and note it here when it lands.

Have a sharper question?

We are happy to walk your team through the data model.

Email seth@xlxventures.com