QuietPart Privacy Policy
Effective date: May 15, 2026. This policy explains what this QuietPart site does and does not collect when people create, answer, view, or administer surveys.
Plain-English promise
QuietPart is designed for anonymous surveys, but it does not claim perfect anonymity. The application avoids collecting respondent identity data, while written answers, small groups, server/proxy logs, and backups can still create privacy risks outside the application database.
Information QuietPart does not collect from respondents
QuietPart's application database is intentionally designed not to store respondent identity metadata. It does not collect or store:
- Names, email addresses, employee IDs, or account logins
- Manager, department, role, location, tenure, or similar workplace profile fields
- IP addresses, user-agent strings, referrer headers, browser fingerprints, or analytics identifiers
- Respondent identity cookies or unique per-respondent invite tokens
- Third-party analytics, tracking pixels, external fonts, or remote scripts in the respondent browser
Information QuietPart stores
- Survey setup data: title, description, questions, answer options, settings, and retention dates entered by the survey creator. This metadata can be encrypted at rest when DB_ENCRYPTION_KEY is configured.
- Access data: hashes of the admin token and any read-only results token. Raw tokens are shown once and are not stored.
- Response data: choice answers, rating answers, and a response creation time truncated to the hour.
- Written answers: browser-encrypted ciphertext in answers.text_value for new surveys that allow free text.
Responses are not linked to a respondent identifier. Results pages and exports do not include exact timestamps, response IDs, or per-response answer groupings.
How QuietPart uses information
QuietPart uses stored survey and response data to display the survey, accept submissions, show aggregated results, let the survey creator administer the survey, and generate exports. It uses the hashed admin token only to verify admin access.
QuietPart does not sell personal information, share respondent data for advertising, run behavioral analytics, or build respondent profiles.
Encryption
- Written answers: encrypted in the respondent's browser before submission. The private decryption key is only in the admin URL fragment after #k=. URL fragments are not sent to the server.
- Choice and rating answers: stored in a form the server can count and average, so they are not end-to-end encrypted.
- Survey metadata: optionally encrypted at rest when DB_ENCRYPTION_KEY is configured.
If the admin link is lost, QuietPart cannot recover the raw admin token or the written-answer decryption key.
Retention and deletion
Each survey has a retention period selected at creation time, from 1 hour to 90 days. After delete_after, results and exports are refused, and the cleanup job removes the survey, questions, options, responses, and answers from the application database.
The cleanup job in src/cleanup.js runs on server startup, hourly, and through npm run cleanup. It is the source of truth for retention behavior.
Deletion applies to QuietPart's application database. It does not automatically erase separate host snapshots, database backups, reverse-proxy logs, or server logs that may exist outside the application database.
Cookies, logs, and security
QuietPart uses necessary, signed, HTTP-only cookies. Admin and results cookies keep access tokens out of URLs after access is verified. A survey-scoped submission cookie marks that this browser has already submitted to a specific public link, so the same browser cannot casually submit again until the cookie expires.
The submission cookie is not stored in the application database, does not contain a name, email, IP address, user agent, fingerprint, or answer content, and is capped by the survey's deletion time. QuietPart does not use advertising, analytics, third-party, or cross-site tracking cookies.
QuietPart itself does not log response contents, respondent IP addresses, user agents, or referrers. Reverse-proxy logs, server logs, platform logs, and backups are separate from the application database and may have their own retention behavior.
Disclosure
QuietPart is not designed to disclose respondent-level identity because the application does not collect respondent identity fields. I may disclose information if required by law, to address abuse or security incidents, or as part of maintaining the service. Any disclosure is limited by what this site actually has access to.
Your choices
- Respondents: avoid writing names, job titles, rare incidents, or other details that identify you or someone else unless you intentionally want to include them.
- Survey creators: choose the shortest retention period that fits your purpose, keep the admin link private, and do not ask questions that require identifying answers.
Contact and legal notes
For privacy questions, contact TofuWater through TofuWater.com.
This policy may be updated when QuietPart's privacy behavior changes. Changes should preserve the core anonymity rules documented in AGENTS.md.