Anonemo logo ANONEMO from AiyoTea

DPO / DPIA summary

Structured statements for school DPO and DPIA review.

This page brings together the main privacy, technical, and governance statements in a more direct format for schools, trusts, and DPOs carrying out supplier review.

Status

Current supplier summary

Last updated: 24 June 2026. Use this alongside the fuller supplier and compliance documents, not as a replacement for a school's own DPIA.

Product position

Core statements

  • Anonemo is a staff-operated desktop application used to reduce identification risk in public-facing school image workflows.
  • The core image-processing workflow is local-only and 100% offline by design during normal use.
  • The product is designed not to send source images to a cloud inference service during normal use.
  • The product is a risk-reduction tool. It does not guarantee anonymity, compliance, or safeguarding safety.

DfE scope

How this product fits the generative AI safety standards

Anonemo is best reviewed as a staff-operated publishing-safety workflow tool. It is not designed as a learner-facing tutor, chatbot, companion, or open-ended classroom assistant.

For DfE standards review, the most accurate category is Other. That means standards on purpose, privacy, governance, security, and testing are directly relevant, while learner-facing standards such as cognitive development or emotional dependency are largely out of scope in the current product shape.

Data categories

What data may be processed

In-app image workflow

  • Source image files selected by the school
  • Temporary previews, masks, crops, and limited workflow metadata
  • Exported processed images chosen by the school
  • Checklist confirmations recorded during the export step

Website and support

  • Names, job titles, work email addresses, and organisation names
  • Enquiry, support, complaint, and billing correspondence
  • Quote, purchase-order, invoice, and payment-related business records

Not part of the normal product model

  • No cloud image-processing account system for ordinary use
  • No telemetry by default
  • No retained biometric face database after cleanup

Controller / processor position

Default role statement

The normal expected position is that the school or trust remains the controller for its images, its publication decisions, and its wider safeguarding and communications workflow.

AiyoTea supplies the software, website, and related support/documentation. If any support arrangement were to require customer data beyond ordinary business contact information, that scope should be assessed separately and documented clearly.

Online-service boundary

What is online, and what is not

Desktop image processing

The Anonemo desktop app's core image-processing workflow is designed to operate locally on the user's device and 100% offline during normal use.

Model download and updates

Online elements may be involved for the initial local model download, app download, and future update distribution. Those are separate from the ordinary processing path once the app and model are installed.

Support, billing, and enquiries

Online services are used for website hosting, email routing, support-desk handling, and ordinary business administration such as support, billing, and procurement communication.

Named third parties

Current infrastructure statements

  • Cloudflare is used as the authoritative DNS provider for aiyotea.com.
  • Cloudflare Pages is used for product-related web properties on *.aiyotea.com, including sites such as anonemo.aiyotea.com.
  • Cloudflare Email Routing is used to forward role-based addresses including support@aiyotea.com, info@aiyotea.com, and billing@aiyotea.com.
  • Those routed email contacts are currently handled through Zoho Desk as the support and enquiry platform.
  • Cloudflare is not part of the Anonemo desktop app's core image-processing workflow.

Technical review

Current model and deployment notes for school IT

  • The current local generator model is runwayml/stable-diffusion-inpainting.
  • The pinned model revision in the current release line is 8a4288a76071f7280aedbdb3253bdb9e9d5d84bb.
  • The bundled local face-detection asset is BlazeFace, shipped with the app rather than downloaded during ordinary use.
  • The core image-processing workflow remains local-only and 100% offline by design during normal use after installation.
  • The current named install-time model source is huggingface.co for the one-off local model download.
  • The planned commercial delivery model is a school-site licence with school-specific access codes for authorised distribution.
  • Product websites and public documentation are currently served from *.aiyotea.com.
  • The final production download and update host should be published in release deployment notes before customer rollout so school IT teams have a stable allowlist target.

Retention and deletion

Main retention statements

Imported originals

Remain in the school's own chosen source location unless the school deletes them separately.

Temporary app-managed files

Are normally deleted after export or discard when cleanup is enabled.

Exports

Are written only to the destination chosen by the user, including optional metadata-stripped and public-web-copy PNG outputs.

Business records

Enquiry, support, billing, and complaint records are kept only as long as reasonably needed for the relevant operational, legal, or accounting purpose.

Controls

Relevant technical and organisational controls

  • Local-only offline processing during normal use
  • Mandatory publishing checklist before export
  • Optional PNG metadata stripping
  • Lower-resolution Public web copy export preset
  • Human review of detections, false positives, missed faces, and final publication suitability
  • Published privacy, compliance, complaints, and governance documentation

Residual risks

Important limitations to state clearly

The product does not remove all identification risk

Pupils may still be identifiable through names, uniforms, badges, captions, event context, timing, or other non-face details. Human review remains essential.

The support and website stack is a separate processing surface

Even though image processing is local-only, the website, email, support, billing, and download/update routes still involve online services and ordinary business-data handling.

Some governance and evidence work is still ongoing

Release-by-release evidence, complaints handling, and incident-response guidance continue to be strengthened, and schools should still review the current limitations before sign-off.

School-side responsibilities

What the product does not replace

  • Lawful basis, consent, and transparency decisions
  • Final publication judgement
  • Review of captions, uniforms, badges, and contextual identifiers
  • Platform privacy settings and content audits
  • Internal safeguarding and incident-response routes
  • The school's own DPIA and local risk acceptance decision

If something goes wrong

Minimum incident-handling position

  • If there is an immediate safeguarding concern, the school should use its DSL and internal safeguarding route first.
  • If an image is already live, the school should preserve evidence and follow its own incident process before routine cleanup or deletion.
  • Relevant external routes may include platform reporting, police reporting, Report Remove, Stop NCII, or Take It Down depending on the incident.
  • Supplier complaints, privacy concerns, and product-safety concerns should also be routed through the published AiyoTea support/privacy contact route.