PRIVACY NOTICE

Last updated: July 8, 2026

1. INTRODUCTION

This Privacy Notice (the "Notice") is issued by Fathom Signal, a United States company operating as FATHOM ("FATHOM," "we," "us," "our"). It describes how we collect, use, disclose, retain, and delete personal information when you visit our website at fathomsignal.com, use the FATHOM application, or otherwise interact with us (collectively, the "Services"). For purposes of applicable data protection law, Fathom Signal is the controller of the personal information described in this Notice.

FATHOM exists to collect what people know but rarely say, and that only works if the people who use it can trust us completely. This Notice is therefore written to be read. If anything in it is unclear, contact us at team@fathomsignal.com and a person will answer. Where a specific program's terms provide participants additional protections, those protections also apply.

2. INFORMATION WE COLLECT

Information you or your organization provide.

  • Account information. Your name and email address, provided by the client organization that enrolls you. We use passwordless login links sent to that email; we never store passwords.
  • Responses. The written or dictated observations you submit through the application. Nothing is recorded until you review and confirm it.
  • Voice audio. If you dictate a response, audio is captured only while you are actively recording, with the recording state visible on screen. Audio is transcribed and then deleted; only the transcript you review and confirm is retained.
  • Communications. Information you provide when you write to us, such as your name, email address, and the contents of your message.

Information collected automatically.

  • Device and log data. IP address, browser type, device identifiers, and timestamps, collected for security, abuse prevention, and reliability.
  • Usage data. Information about how you interact with the Services, used to operate and improve them.

The public website sets no advertising or analytics cookies. Because we do not use personal information in ways that would legally require recognition of opt-out preference signals, the website does not respond to "Do Not Track" or Global Privacy Control signals.

3. HOW WE USE INFORMATION

  • To operate the Services: validate submissions, synthesize reports, and deliver them to the client organization and, where the program provides for it, to you.
  • To protect the Services: abuse prevention, security monitoring, enforcement of our Terms, and reliability.
  • To communicate with you and respond to your requests.
  • To comply with legal obligations, described in Section 9.

We do not use your information for any other purpose. Client organizations receive completion status and synthesized reports. They never receive raw responses, authorship of any response, or any content in the compliance views they use.

4. WHAT WE NEVER DO

These commitments are permanent and structural. The entire business depends on being the place where honest words are safe, and there is no version of this company that trades that away.

  • We never sell your data.
  • We never share your data for advertising.
  • We never use your data to train AI models, and the AI providers we use process it under enterprise terms that prohibit training on it.

5. HOW RESPONSES ARE PROTECTED

The protection is structural, by design rather than by promise alone:

  • Raw responses live only in our vault, on our infrastructure. What travels to a client organization is synthesis: themes, flags, trends, and narrative. No screen in any client-facing product shows who wrote what.
  • Reports are composed by AI in its own voice from many inputs. No verbatim or near-verbatim quotation appears in any output that leaves our system, so your writing style has no path out.
  • A theme cannot surface in a report until it has support from multiple independent contributors, and identifying detail is generalized. Where a contributor pool is too small to protect the individuals in it, the content is held out of the report rather than risked.
  • Your identity is used at submission to verify enrollment and confirm the people you reference. When a collection campaign closes, the link between you and your words is severed, and nothing we hold can re-create it.
  • While that link exists, access inside the company is restricted to a small number of named senior personnel under database-level access controls, on a need-only basis.

6. LEGAL BASES FOR PROCESSING

Where applicable law requires a legal basis for processing personal information, we rely on: performance of a contract, to provide the Services under our Terms and the applicable program agreement; legitimate interests, to secure and improve the Services, prevent fraud and abuse, and operate our business; legal obligation, where processing is required to comply with law; and consent, where we ask for it, which you may withdraw at any time.

7. RETENTION AND DELETION

DataRetention
Voice audioDeleted immediately after transcription succeeds.
Author attributionDestroyed when the collection campaign closes.
Raw responsesPurged after the program closes out.
Synthesized reportsRetained for the client organization and the participant.
Account recordsDeleted after the program closes out.
Communications with usRetained as long as needed to resolve the matter, then deleted.
Security logsRetained up to 12 months, then deleted.

This schedule is published here so you can read it before your first response. Where a longer period is required by law, legal hold, or dispute resolution, we retain only what that obligation requires, for only as long as it requires. Nothing from the platform travels with you after a program ends.

8. SUBPROCESSORS AND DISCLOSURE

We use a small number of infrastructure providers, each bound by a data-processing agreement. Production data is processed in the United States.

ProviderPurposeLocation
Google CloudAI processing, under enterprise API terms that prohibit training on your dataUnited States
SupabaseDatabase and authenticationUnited States
VercelWeb hostingUnited States
Google WorkspaceCompany emailUnited States

We will update this list before adding or replacing any subprocessor. Beyond subprocessors, we may disclose personal information to professional advisors (such as counsel and accountants) under confidentiality obligations, to a successor entity in connection with a corporate transaction (in which case this Notice's commitments travel with the data), and as described in Section 9. We do not disclose personal information to any other third parties.

9. LEGAL PROCESS

We disclose data only when required by a lawful court order, which no private company can put itself above. We hold what an order could reach deliberately small: once a campaign closes, an order can reach verbatim text but not who it came from, because the information linking authors to their words has been destroyed. We commit to challenging overbroad demands and to notifying affected parties where the law allows.

10. SECURITY

All data is encrypted in transit and at rest. Access follows least privilege with database-level controls, and administrative access is limited to named personnel. We review our security posture continuously and engage outside review as the platform grows. No security program can guarantee perfect security; we design so that what an attacker could reach is as small and as anonymous as the product allows. Security researchers can reach us through security.txt.

11. YOUR RIGHTS AND CHOICES

Depending on where you live, you may have the right to:

  • Access or obtain a copy of the personal information we hold about you;
  • Correct inaccurate personal information;
  • Delete your personal information;
  • Restrict or object to our processing of your personal information;
  • Withdraw consent where processing is based on consent;
  • Lodge a complaint with a supervisory authority.

To exercise any of these rights, email team@fathomsignal.com. We will not discriminate against you for doing so. For your security, we may need to verify your identity, and any authorized agent's authority, before acting on a request. If we decline a request, we will explain why, and where the law provides an appeal, you may appeal by replying to our decision. Note that some rights are qualified by the platform's protective design: once a campaign closes and attribution is destroyed, we can no longer associate raw responses with you, which means they can no longer be retrieved or deleted on an individual basis. Corrections to a submitted response are handled with you through your program's administrator.

12. INTERNATIONAL TRANSFERS

We are based in the United States and the Services are operated from the United States. If you use the Services from outside the United States, your information will be transferred to, stored, and processed in the United States, which may have data protection rules that differ from those of your country. Where applicable law requires a transfer mechanism, we rely on appropriate safeguards such as contractual protections with our subprocessors.

13. UNITED STATES STATE DISCLOSURES

Some U.S. states, including California, require additional disclosures. In the preceding 12 months we have collected the following categories of personal information: identifiers (name, email address, IP address); user-generated content (your responses and transcripts); audio data (transiently, as described in Section 2); internet or network activity (device, log, and usage data). We collect them from you, from the client organization that enrolls you, and automatically from your device. We use them for the purposes in Section 3 and disclose them only as described in Sections 8 and 9.

We do not "sell" or "share" personal information as those terms are defined in the California Consumer Privacy Act, we have not done so in the preceding 12 months, and we do not have actual knowledge of selling or sharing personal information of anyone under 16. We use and disclose sensitive personal information only for the purposes the CCPA permits. California residents may exercise the rights in Section 11, including through an authorized agent.

14. CHILDREN

The Services are not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18. If you believe we have done so, email team@fathomsignal.com and we will delete it.

15. CHANGES TO THIS NOTICE

When this Notice changes, we will update the date at the top and publish the revised version here. For material changes affecting active participants, we will provide notice in the application before the change takes effect. Prior versions are available on request.

16. CONTACT

Fathom Signal · team@fathomsignal.com