General Anonymization Information

The 3 possible enforcement triggers

There are three ways anonymization can be enforced in nps.today:

1. A respondent actively chooses to stay anonymous when answering a survey.
2. A campaign is configured to enforce anonymization.
3. The account uses automatic anonymization after data has been stored for a configured number of days or years.

When automatic anonymization is enabled, the respondent and the survey response are always anonymized. It is also possible to extend the anonymization to related employee and company data.

Where does masking apply?

Masking is applied when a survey response is submitted under anonymous conditions, or when automatic anonymization later processes existing data. Because the anonymized values are stored in the database, the anonymized version is the one that continues to appear anywhere the data is read back.

This includes channels such as:

1. The dashboard
2. Notifications
3. API responses
4. Exports, for example the reports that can be downloaded from the platform
5. Downstream integrations that read anonymized records

What is masked?

At a product level, nps.today masks or clears the direct identifiers that are most likely to identify a person or company. This includes the fields that are explicitly anonymized in our data model, such as:

1. Names
2. Email addresses
3. Phone numbers
4. Street addresses and location details
5. Company contact details
6. Banking or payment-related information

When free text or comments are processed for sensitive information, the classification is aligned with the PII entity categories described in Azure.AI.TextAnalytics. The required masking categories are:

1. Email
2. PhoneNumber
3. Address
4. InternationalBankingAccountNumber
5. AUBankAccountNumber
6. CABankAccountNumber
7. ILBankAccountNumber
8. JPBankAccountNumber
9. NZBankAccountNumber
10. USBankAccountNumber

Person names are handled separately. We only mask the Person category when Azure.AI.TextAnalytics returns a confidence score of 80% or higher.

Microsoft maintains the full category list in the Azure documentation:

• Recognized PII and PHI entities
• Azure.AI.TextAnalytics PiiEntityCategory

For the exact field-by-field values used during automatic anonymization of campaign members, respondents, employees, and companies, see the dedicated guide: Automatic anonymization of data.

What is not masked?

Not every field is treated as personal data.

As a general rule, we do not mask business context or reporting data unless it is itself personal information or Azure.AI.TextAnalytics recognizes it as a supported PII category and meets our masking threshold. Examples of data that are normally not masked by default include:

1. Ratings, scores, and aggregated reporting data
2. Operational metadata needed for statistics or audit history
3. Role or job title

This distinction is important: Azure.AI.TextAnalytics recognizes specific PII categories, not every descriptive business field. A job title such as Customer Success Manager is normally not classified as PII on its own, while an email address, phone number, or bank account number is. Likewise, a detected person name is only masked when the confidence score is at least 80%.

Limitations and coverage

Masking coverage depends on both the product rules in nps.today and the supported entity categories in Azure.AI.TextAnalytics.

Keep the following limitations in mind:

1. Azure PII detection is category-based and language-dependent. Detection quality can vary by language, wording, context, and confidence score.
2. Not every business-specific identifier is automatically classified as PII by Azure. Custom fields should therefore be reviewed carefully.
3. Some Azure categories are broader than the fields currently stored in nps.today, so support in Azure documentation does not automatically mean there is a one-to-one field in the product.
4. Anonymization is intended to remove or replace direct identifiers while preserving enough non-identifying data for reporting and analysis.
5. Automatic anonymization is irreversible.

If you need the exact property values that are replaced for campaign members, employees, or companies, use the property-level examples in the automatic anonymization guide.## The 3 possible enforcement triggers

There are three ways anonymization can be enforced in nps.today:

1. A respondent actively chooses to stay anonymous when answering a survey.
2. A campaign is configured to enforce anonymization.
3. The account uses automatic anonymization after data has been stored for a configured number of days or years.

When automatic anonymization is enabled, the respondent and the survey response are always anonymized. It is also possible to extend the anonymization to related employee and company data.

Where does masking apply?

Masking is applied when a survey response is submitted under anonymous conditions, or when automatic anonymization later processes existing data. Because the anonymized values are stored in the database, the anonymized version is the one that continues to appear anywhere the data is read back.

This includes channels such as:

1. The dashboard
2. Notifications
3. API responses
4. Exports, for example the reports that can be downloaded from the platform
5. Downstream integrations that read anonymized records

What is masked?

At a product level, nps.today masks or clears the direct identifiers that are most likely to identify a person or company. This includes the fields that are explicitly anonymized in our data model, such as:

1. Names
2. Email addresses
3. Phone numbers
4. Street addresses and location details
5. Company contact details
6. Banking or payment-related information

When free text or comments are processed for sensitive information, the classification is aligned with the PII entity categories described in Azure.AI.TextAnalytics. The required masking categories are:

1. Email
2. PhoneNumber
3. Address
4. InternationalBankingAccountNumber
5. AUBankAccountNumber
6. CABankAccountNumber
7. ILBankAccountNumber
8. JPBankAccountNumber
9. NZBankAccountNumber
10. USBankAccountNumber

Person names are handled separately. We only mask the Person category when Azure.AI.TextAnalytics returns a confidence score of 80% or higher.

Microsoft maintains the full category list in the Azure documentation:

• Recognized PII and PHI entities
• Azure.AI.TextAnalytics PiiEntityCategory

For the exact field-by-field values used during automatic anonymization of campaign members, respondents, employees, and companies, see the dedicated guide: Automatic anonymization of data.

What is not masked?

Not every field is treated as personal data.

As a general rule, we do not mask business context or reporting data unless it is itself personal information or Azure.AI.TextAnalytics recognizes it as a supported PII category and meets our masking threshold. Examples of data that are normally not masked by default include:

1. Ratings, scores, and aggregated reporting data
2. Operational metadata needed for statistics or audit history
3. Role or job title information when it is not being used as a direct personal identifier

This distinction is important: Azure.AI.TextAnalytics recognizes specific PII categories, not every descriptive business field. A job title such as Customer Success Manager is normally not classified as PII on its own, while an email address, phone number, or bank account number is. Likewise, a detected person name is only masked when the confidence score is at least 80%.

Limitations and coverage

Masking coverage depends on both the product rules in nps.today and the supported entity categories in Azure.AI.TextAnalytics.

Keep the following limitations in mind:

1. Azure PII detection is category-based and language-dependent. Detection quality can vary by language, wording, context, and confidence score.
2. Not every business-specific identifier is automatically classified as PII by Azure. Custom fields should therefore be reviewed carefully.
3. Some Azure categories are broader than the fields currently stored in nps.today, so support in Azure documentation does not automatically mean there is a one-to-one field in the product.
4. Anonymization is intended to remove or replace direct identifiers while preserving enough non-identifying data for reporting and analysis.
5. Automatic anonymization is irreversible.

If you need the exact property values that are replaced for campaign members, employees, or companies, use the property-level examples in the automatic anonymization guide.