The math of dignity.

Exitview operates under a k-anonymity threshold of 5 (Sweeney 2002). A theme cluster is never surfaced — to anyone, including the administrator — until five or more former employees have independently raised it.

What we collect

Redacted free-text responses, a non-reversible contributor hash, and a 384-dimensional BERT embedding. We never store: the original raw text, employee names, manager names, dates, departments, or device fingerprints.

How we redact

Every response passes through a two-stage pipeline: a regex pattern strip for emails, phone numbers, employee IDs, and named individuals, followed by a Constitutional-AI second pass via Anthropic Haiku that re-reads the cleaned text and tokenizes anything residual.

Audit transparency

Every k-threshold check is appended to an immutable Postgres audit table (UPDATE/DELETE blocked via trigger). Daily denial counts are published to /api/k-audit/log with Laplace noise applied.
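
An added example, not Exitview's own code: the k-threshold gate and the noised daily denial count described above, sketched in Python. The function names, audit record fields, EPSILON value and the sensitivity of 1 are assumptions; the page states only k = 5 and that Laplace noise is applied.

```python
import random
from collections import defaultdict

K = 5          # threshold stated on the page
EPSILON = 1.0  # assumption: the page does not state a privacy budget

# Constructed sample: (cluster_id, contributor_hash) pairs.
SAMPLE_ROWS = (
    [("workload", f"h{i}") for i in range(5)]           # 5 distinct people
    + [("manager", f"h{i % 4}") for i in range(6)]      # 6 responses, 4 people
)


def check_clusters(rows, k=K):
    """Return (released, audit): clusters with >= k distinct contributors,
    plus one decision record per cluster for the append-only audit log."""
    people = defaultdict(set)
    for cluster_id, contributor_hash in rows:
        # A set collapses repeat submissions, so one person raising a theme
        # several times still counts once toward k.
        people[cluster_id].add(contributor_hash)
    released, audit = {}, []
    for cluster_id in sorted(people):
        allowed = len(people[cluster_id]) >= k
        # Record the decision only; a stored sub-threshold count would itself
        # describe a small group.
        audit.append({"cluster": cluster_id, "k": k, "allowed": allowed})
        if allowed:
            released[cluster_id] = len(people[cluster_id])
    return released, audit


def noisy_denial_count(audit, epsilon=EPSILON, rng=None):
    """Denial count plus Laplace(0, 1/epsilon) noise.

    Assumes sensitivity 1: one contributor flips at most one decision per day.
    """
    rng = rng or random.SystemRandom()
    denials = sum(1 for rec in audit if not rec["allowed"])
    # The difference of two Exp(1) draws is Laplace(0, 1); scale by 1/epsilon.
    noise = (rng.expovariate(1.0) - rng.expovariate(1.0)) / epsilon
    return denials + noise


if __name__ == "__main__":
    released, audit = check_clusters(SAMPLE_ROWS)
    print(released, audit, round(noisy_denial_count(audit), 2))
```

The "manager" cluster has six responses but only four distinct contributor hashes, so it stays suppressed; counting rows instead of distinct hashes would have released it.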

Contact: privacy@exitviewai.com