It may be hard to “fathom” (sorry, bad joke), but Fathom Analytics doesn’t use cookies or similar technologies in our analytics. Instead, we’ve pioneered collecting analytics data without invading anyone’s privacy or personal information. Unlike Google Analytics, Fathom doesn’t use cookies or similar with our embed script. And while we’re not in a position to offer legal advice, we invest heavily in compliance and have a fantastic EEA-based privacy officer who keeps us up to date with all the latest changes. The intent of the GDPR is to protect the privacy of EU citizens, and we agree with that (our whole software product is built around accomplishing this goal). We have a lawful basis for the processing we do. And we run privacy risk assessments whenever we need to make a significant change (e.g. when we had to enable basic, heavily redacted IP access logs after we were DDoS attacked. We go into considerable detail on this on our Data journey page, but some key pieces for GDPR are as follows:
  1. We process personal data (IP Address and User-Agent) on your behalf.
  2. We keep pseudo-anonymized data for around 48 hours. After that, the hash salts (explained here) are removed from our system, and there’s no reasonable way for anybody to brute force them.

What about Schrems II?

Schrems II was a massive ruling for the world. We’ve gone into it on our blog, and we’ve invented EU Isolation to address the complexities that Schrems II has introduced.

Want to update your privacy policy?

We’ve added a sample paragraph example for your privacy policy to mention how you protect their privacy to your website visitors. This isn’t a legal requirement, but a nice touch to show your visitors you care about their privacy.