- Anonemo is a staff-operated desktop application intended to reduce identification risk in public-facing school image workflows.
- The core image-processing workflow is local-only and 100% offline by design during normal use.
- The product is designed not to send source images to a cloud inference service during normal use.
- The product is intended as a risk-reduction tool and should not be described as guaranteeing anonymity, compliance, or safeguarding safety.
DPO / DPIA summary
Structured statements for school DPO and DPIA review.
This page is intended to make supplier review easier for schools, trusts, and DPOs by setting out the main privacy, technical, and governance statements in a more direct assessment-friendly format.
Status
Working supplier summary
Last updated: 13 June 2026. This page is designed to sit alongside the fuller supplier and compliance documents, not replace a school's own DPIA.
Product position
Core statements
Data categories
What data may be processed
In-app image workflow
- Source image files selected by the school
- Temporary previews, masks, crops, and limited workflow metadata
- Exported processed images chosen by the school
- Checklist confirmations recorded during the export step
Website and support
- Names, job titles, work email addresses, and organisation names
- Enquiry, support, complaint, and billing correspondence
- Quote, purchase-order, invoice, and payment-related business records
Not part of the normal product model
- No cloud image-processing account system for ordinary use
- No telemetry by default
- No retained biometric face database after cleanup
Controller / processor position
Default role statement
The normal expected position is that the school or trust remains the controller for its images, its publication decisions, and its wider safeguarding and communications workflow.
AiyoTea supplies the software, website, and related support/documentation. If any support arrangement were to require customer data beyond ordinary business contact information, that scope should be assessed separately and documented clearly.
Online-service boundary
What is online, and what is not
Desktop image processing
The Anonemo desktop app's core image-processing workflow is designed to operate locally on the user's device and 100% offline during normal use.
Model download and updates
Online elements may be involved for the initial local model download, app download, and future update distribution. Those are separate from the ordinary processing path once the app and model are installed.
Support, billing, and enquiries
Online services are used for website hosting, email routing, support-desk handling, and ordinary business administration such as support, billing, and procurement communication.
Named third parties
Current infrastructure statements
- Cloudflare is used as the authoritative DNS provider for
aiyotea.com. - Cloudflare Pages is used for product-related web properties on
*.aiyotea.com, including sites such asanonemo.aiyotea.com. - Cloudflare Email Routing is used to forward role-based addresses including
support@aiyotea.com,info@aiyotea.com, andbilling@aiyotea.com. - Those routed email contacts are currently handled through Zoho Desk as the support and enquiry platform.
- Cloudflare is not part of the Anonemo desktop app's core image-processing workflow.
Technical review
Current model and deployment notes for school IT
- The current local generator model is
runwayml/stable-diffusion-inpainting. - The pinned model revision in the current release line is
8a4288a76071f7280aedbdb3253bdb9e9d5d84bb. - The bundled local face-detection asset is BlazeFace, shipped with the app rather than downloaded during ordinary use.
- The core image-processing workflow remains local-only and 100% offline by design during normal use after installation.
- The current named install-time model source is
huggingface.cofor the one-off local model download. - Product websites and public documentation are currently served from
*.aiyotea.com. - The final production download and update host should be published in release deployment notes before customer rollout so school IT teams have a stable allowlist target.
Retention and deletion
Main retention statements
Remain in the school's own chosen source location unless the school deletes them separately.
Are intended to be deleted after export or discard when cleanup is enabled.
Are written only to the destination chosen by the user, including optional metadata-stripped and public-web-copy PNG outputs.
Enquiry, support, billing, and complaint records are kept only as long as reasonably needed for the relevant operational, legal, or accounting purpose.
Controls
Relevant technical and organisational controls
- Local-only offline processing during normal use
- Mandatory publishing checklist before export
- Optional PNG metadata stripping
- Lower-resolution
Public web copyexport preset - Human review of detections, false positives, missed faces, and final publication suitability
- Published privacy, compliance, complaints, and governance documentation
Residual risks
Important limitations to state clearly
The product does not remove all identification risk
Pupils may still be identifiable through names, uniforms, badges, captions, event context, timing, or other non-face details. Human review remains essential.
The support and website stack is a separate processing surface
Even though image processing is local-only, the website, email, support, billing, and download/update routes still involve online services and ordinary business-data handling.
Some governance and evidence work is still ongoing
Complaints handling, release-by-release evidence, and incident-response guidance are being strengthened, and schools should still review the current limitations before sign-off.
School-side responsibilities
What the product does not replace
- Lawful basis, consent, and transparency decisions
- Final publication judgement
- Review of captions, uniforms, badges, and contextual identifiers
- Platform privacy settings and content audits
- Internal safeguarding and incident-response routes
- The school's own DPIA and local risk acceptance decision