Anonymity & Deduplication
NextGenPoll enforces strict cross-device deduplication while guaranteeing 100% anonymous voting — even when a poll requires participants to be logged in.
How It Works: The Two-Table Model
When a participant submits a response, the backend writes to two completely separate database tables that share no foreign key or link between them:
| Table | Records | Does NOT record |
|---|---|---|
| `vote_submissions` | Who voted on which question (user ID + question ID + timestamp) | The content of the vote |
| `anonymous_polling_results` | The actual response value (option chosen, text entered, number submitted) | Any user identifier |
Because there is no shared key between these two tables, it is impossible to trace an individual response back to a specific participant — even for an administrator with direct database access.
What Instructors Can and Cannot See
| Can see | Cannot see |
|---|---|
| How many participants responded to each question | Which participant gave which answer |
| Whether a specific participant voted at all (deduplication check) | What that participant's answer was |
| Aggregate results (counts, averages, distributions) | Per-user response breakdowns |
Why Two Tables? Deduplication Without Compromising Privacy
The deduplication engine needs to prevent the same participant from voting twice (e.g., by switching devices or browsers). To do this, it must record that a user voted. The two-table split achieves this without ever needing to store what they voted for alongside their identity:
- On submission: The backend checks `vote_submissions` for an existing `(user_id, question_id)` pair. If one exists, the submission is rejected with a duplicate error.
- If no duplicate: A new row is written to `vote_submissions` (identity only) and a separate row is written to `anonymous_polling_results` (response only).
- On results display: The API queries only `anonymous_polling_results`. User identities are never involved in result aggregation.
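
The submission, duplicate check, results query and reset described on this page, shown with SQLite as an added example (not NextGenPoll's own code). The column names, the `question_id` and random `result_id` columns on `anonymous_polling_results`, the `WITHOUT ROWID` choice and all function names are assumptions of this example.

```python
import secrets
import sqlite3
import time

SCHEMA = """
CREATE TABLE vote_submissions (
    user_id      TEXT NOT NULL,
    question_id  TEXT NOT NULL,
    submitted_at INTEGER NOT NULL,
    PRIMARY KEY (user_id, question_id)   -- deduplication key
);
CREATE TABLE anonymous_polling_results (
    result_id   BLOB PRIMARY KEY,        -- assumed: random, not derived from the user
    question_id TEXT NOT NULL,           -- assumed: needed to aggregate per question
    response    TEXT NOT NULL
) WITHOUT ROWID;                         -- assumed: rows stored by random key, not insertion order
"""

class DuplicateVote(Exception):
    """Raised when (user_id, question_id) is already in vote_submissions."""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def submit(db, user_id, question_id, response):
    try:
        with db:  # one transaction: both rows are written, or neither
            db.execute("INSERT INTO vote_submissions VALUES (?, ?, ?)",
                       (user_id, question_id, int(time.time())))
            db.execute("INSERT INTO anonymous_polling_results VALUES (?, ?, ?)",
                       (secrets.token_bytes(16), question_id, response))
    except sqlite3.IntegrityError:
        raise DuplicateVote(f"{user_id} already answered {question_id}") from None

def results(db, question_id):
    # Aggregation reads only the response table; no user column exists to select.
    rows = db.execute("SELECT response, COUNT(*) FROM anonymous_polling_results "
                      "WHERE question_id = ? GROUP BY response", (question_id,))
    return dict(rows.fetchall())

def reset(db, question_id):
    with db:  # clear both tables so participants can re-submit
        db.execute("DELETE FROM vote_submissions WHERE question_id = ?", (question_id,))
        db.execute("DELETE FROM anonymous_polling_results WHERE question_id = ?", (question_id,))
```
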
Anonymous Polls vs. Logged-In Polls
| Poll configuration | Deduplication | Identity exposed |
|---|---|---|
| Anonymous (no login required) | By browser session / device fingerprint | Never |
| Login required | By authenticated user ID | Never (two-table split applies in both cases) |
Even when a poll requires sign-in, the response content is stored without any user reference. The login requirement only improves deduplication reliability — it does not reduce anonymity.
Resetting Responses
Presenters can reset responses for a question (clearing both tables for that question/run). After a reset, participants can re-submit their answers. The privacy guarantees apply equally to the fresh submissions.