Privacy notice for Fathom Analytics
This privacy notice explains how we, Conva Ventures Inc. (the corporation behind Fathom Analytics), process personal data in our business as per the General Data Protection Regulation (GDPR) and other relevant data protection and privacy laws applicable to our business.
Our commitment to data protection and privacy
Fathom Analytics is a privacy-first analytics company. We make money from our paying customers, so there's no need or reason to sell, rent or give away any of your data (that's not our business model).
In May 2020, we further solidified our privacy efforts with a comprehensive GDPR project led by a European-based GDPR consulting company. We reviewed all our obligations under the GDPR, updated our records of processing activities per Article 30, performed data protection risk assessments, formalized several policies and procedures and various other activities.
We have also formally appointed a Privacy Officer to help us stay continuously up to date with global data protection and privacy rules and regulations.
We hope to provide you with clear and transparent information on how we process your personal data (as a controller) and your data protection rights. If you feel that any information is unclear or missing, please do not hesitate to contact us.
We start this policy by describing our processing as the controller of your personal data. We also process some personal data on your behalf, as a data processor, described at the end.
Your data protection rights
- Access and rectification: you may request a copy of the information we process about you and ask us to rectify any incorrect data.
- Erasure or restriction: in some circumstances, you may ask us to delete or restrict our processing of your data, but we cannot delete any data we are legally required to process.
- Object to processing: in some circumstances, you may ask us to stop processing your data.
- Data portability: in some circumstances, you may ask us to transfer your data to you or another organization.
- Also, if you're unhappy about how we process your data, you have a right to complain to a national data authority. We hope, however, that you will contact us first so that we can try to resolve the matter for you in a satisfactory way.
Please get in touch with us if you have any questions about how we handle your data or want to exercise one of your rights. You are entitled to a reply within 30 days.
How we get your personal data
We typically process personal data on potential or existing customers, website visitors and vendors and collaboration partners.
We may process personal data when you:
- Contact/communicate with us online (email, video calls, social media, etc.) or on the phone
- Use our services/software (Fathom Analytics)
- Deliver products/services to or enter into a collaboration with us
It is voluntary to provide us with personal data, but we cannot provide you with our services if you choose not to.
We do not rent, buy or sell personal data from or to others, use automated decisions or profiling in the processing of your personal data, or process any special category data as per the GDPR Article 9.
Purpose, lawful basis and retention periods
We only process your personal data when we have a purpose and a lawful basis for doing so. Under the GDPR Article 6-1, the lawful bases we rely on are:
- Your consent
- We have a contractual obligation (contract)
- We have a legal obligation
- We have a legitimate interest
As a rule, we do not process personal data for longer than necessary to fulfill the purpose for processing. To comply with this, we have regular internal GDPR audits where we formally assess our data protection and privacy work with the intention to amend, update and, if necessary, delete personal data.
We will only retain data for as long as we are required to as per applicable legal obligations such as accounting, tax, labour laws or any other relevant rules and regulations. One example is the Canadian Income Tax Act, where we are required to retain data for as long as someone is a customer and then for at least six years.
Details on the processing of your personal data
This section describes when and how we process your data, for what purposes and our legal grounds to do so (lawful bases). We also specify the retention periods for the processing.
We process personal data when:
You communicate with us
Regardless of your relationship with us, as a potential or existing customer, vendor or other, we process your personal data whenever you communicate with us. This could be when you contact us through email, phone (call, text message) or social media. Depending on where and how you contact us, this may include your name, contact details, IP address and other information you choose to send to us. We use a customer support system to manage personal data on potential and existing customers.
The purpose is to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. The lawful basis is f), where our legitimate interest is to respond to your inquiries and, on some occasions, keep records in case of complaints or legal claims.
We review this data at our regular GDPR audits and delete personal data as appropriate. We typically keep this type of personal data for up to two years or six years if we have a legal obligation in accordance with accounting and bookkeeping rules.
You sign up for a Fathom Analytics trial
We want you to be able to try Fathom Analytics before you spend money, which is why we offer a 30-day free trial. To get access, you need to share your email address and billing address, set a password, select your preferred plan, and enter your payment card details. Your card will be charged at the end of your trial unless you have cancelled your account. We will send you a few emails during your trial. If you don't want to receive these emails, you can easily opt-out at any time by clicking the unsubscribe link in any email.
The purpose of this processing is to give you access to a trial of our service, and the lawful basis is b) contract. We review this data at our regular GDPR audits and delete personal data as appropriate; however, no later than two years after you signed up for the trial.
You subscribe to Fathom Analytics (become a customer)
When you purchase a subscription, we already have the personal data you provided when signing up for a trial. We will also have your order/invoice history. You can add other personal data in your account dashboard, like address, company name and VAT number. If you choose to become an affiliate, we ask for your PayPal email address (note that we do not share any personal data about the referrals you've made).
The purpose of this processing is to fulfill our obligation to deliver the services you have purchased and manage the customer relationship. The lawful bases are b) contract and c) legal obligation related to accounting, tax and other business laws we must abide by.
We process the data for as long as you are a customer, and we have a legal obligation as per any applicable rules and regulations we are bound by. We are required by law to store business records, including personal data, for as long as someone is a customer and then for at least six years for accounting and bookkeeping purposes.
You receive marketing as an existing customer
If we have an existing customer relationship with you, we may send you emails containing a promotional element (this happens very infrequently). The personal data we process is your name and email address. The purpose is to provide you with news and offers related to your subscription. The lawful basis is f), where our legitimate interest is to offer our relevant products and services. The lawful basis could also be a), where you have given us your consent to such marketing.
You can opt-out of marketing emails at any time by clicking the unsubscribe link in any such email. We process the data for as long as we have a customer relationship with you or if the processing is based on your consent until you withdraw it. When you ask us not to send you any promotional materials, your account will be flagged as "unsubscribed from marketing" in our internal database, and you won't receive any further marketing emails from us. We are still required to process data for accountancy, tax and other business purposes if you are our customer.
You respond to our surveys
We sometimes send surveys to our customers to improve our product. Responding to our surveys is completely voluntary. We process personal data such as your name, contact details and other information you choose to share with us. We do not process any personal data if a survey is anonymous.
The purpose is to gather your feedback to continuously improve our products and services and provide you with better customer service in the future. The lawful basis is a) consent. We review this data at our regular GDPR audits and delete personal data as appropriate; however, no later than two years after responding to the survey.
You supply services to or collaborate with us
When you enter into an agreement with us either as a vendor, partner or data processor, we process personal data such as your name, contact details and correspondence. The purpose is to enter into this agreement and communicate with you before, during and after our formal business relationship.
The lawful bases are b) contract, c) legal obligation related to accounting, tax and other business laws we are required to abide by, and f) where our legitimate interests are to be able to communicate with you before, during and after our formal business relationship (described under the paragraph "You communicate with us" above). We store personal data for as long as we have a formal business relationship and then for up to 6 years after, in accordance with our legal obligations for accounting, tax and other business purposes.
You use our website
When you use our website, we briefly process your IP address and user agent, which are considered personal data under the GDPR. Following a significant DDoS (Distributed Denial of Service) attack, we were also forced to start keeping partial access logs. We don't keep track of which pages are viewed, only the time & total requests per IP. The purposes for this processing are a) to protect against cyberattacks such as the DDoS one and b) to analyze our website traffic to optimize and run our business effectively. The lawful basis is f), where our legitimate interests protect our business against cyberattacks and optimize and run our business effectively.
Whom we share your personal data with
To run our business efficiently and securely, we sometimes will have to share your personal data with other (trusted) parties such as:
- Data processors: providers of various services that process your personal data on our behalf
- Our accountant
- Professional advisors from other industries, such as law and finance
- IT support, when necessary
- Public authorities: when we are obliged to report to them
We require that all such recipients secure data in accordance with good information security and as per the requirements of this Privacy notice. We review and quality assure all vendors and data processors and enter into a data processing agreement/addendum whenever necessary.
We use data processors for:
- Email, calendar and digital meetings
- This website, including online payments providers
- Transactional emails to customers
- Support ticket system
We don't publish further details (like names) of our data processors to protect our business. If you'd like to know more about our processing and with whom we share your personal data, please get in touch with us. We practice data minimization, so we will only use data suppliers to process your personal data when required (e.g. Stripe for payment processing).
Transfer of personal data outside the EU/EEA
In some cases, your personal data will be transferred to a "third country", i.e. outside the EU/EEA. For example, where we use data processors to manage email services. We only use data processors we trust that are well known, reputable, and have a data processing agreement/addendum.
We have ensured that every data processor in a third country has necessary safeguards in place like the EU adequacy decision, standard contractual clauses (SCC) or binding corporate rules (BCR).
We conduct risk assessments for every data processor we use in our business. In addition, where your personal data is transferred outside of the EU/EEA, we conduct an additional risk assessment. We review, in particular, the data processor's technical and organizational security measures, reputation and safeguards for international transfers of personal data.
In line with the Schrems II ruling and the EDPB's recommendations, we have also conducted transfer impact assessments (TIA). Finally, we're currently working on a new technique called EU Isolation to address the ruling. We'll update this privacy notice as soon as we have more information.
If you still have any concerns or questions, please get in touch with us.
We take information security as seriously as privacy, and we will always do our utmost to safeguard your personal data in the best possible way. For example, we use strong passwords, data encryption, two-factor authentication and several other measures to secure our data and prevent unauthorized persons from accessing, altering, deleting, or in any way affecting the data we store, including your personal data.
We only allow others to access or process your personal data in accordance with our instructions and only when strictly necessary (e.g. in the unlikely event that we require IT support).
We have created and implemented a dedicated IT security policy for technical and organizational measures and a routine for managing data breaches. Suppose we experience a personal data breach, i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, and it poses a medium to high risk for the people affected. In that case, we will notify the national data authority within 72 hours. If the risk is deemed high for the people affected, we will inform them directly, if possible.
Our role as a data processor
When you use Fathom Analytics on your website, we process data from your website visitors on your behalf. In this case, you are the controller of such data, and we are a data processor of yours. We comply with the requirements as per GDPR Article 28, like:
- Only carry our processing on your behalf and as per your instructions
- Use sufficient technical and organizational security measures to protect the data we process on your behalf
- Require our employees to treat your data as confidential
- Govern this processing by a contract (a data processing addendum) [DPA being published publicly soon]
We also engage other (sub)processors as per your general written authorization and will inform you of any intended changes regarding such (sub)processors to object to such changes, should you not agree to them.
You can view a detailed Data journey of what happens when you use Fathom analytics on your website. And you can explore our privacy law compliance section for more information.
We process minimal personal data on your behalf
Since we built Fathom Analytics from the ground up with privacy in mind, we have minimized the amount of personal data being processed to only include the IP address and User-Agent (in line with one of the fundamental principles of the GDPR; Article 5(1)(c)).
The IP address and User-Agent are considered personal data under the GDPR, and the lawful basis for processing is usually consent or legitimate interest. Since the IP address is provided by the internet service provider and not by the user's terminal equipment, we do not consider such information to constitute "information stored in the terminal equipment". IP addresses provided in that manner are therefore outside the scope of Article 5 (3), and the consent requirement will not apply under the ePrivacy Directive (Directive 2009/136/EC). In addition, User-Agent is not accessed from terminal equipment, it is sent to us by your browser, and it's impossible for us not to receive it. Note: This may change in the future as browsers move to remove user agent strings.
As per the Schrems II ruling, we are currently working out how we process data in the EU. This will be available on our website shortly, and this privacy notice will then reflect this change.
Accessing and Correcting your Personal Data
You have a right to access your personal data and request a correction if you believe it is inaccurate. If you have submitted Personal Information and would like to have access to it, or if you would like to have it corrected, please get in touch with us using the contact information provided below.
How to Contact Us
Conva Ventures Inc.
BOX 37058 Millstream PO, Victoria, British Columbia, V9B 0E8.
Or send an email to: firstname.lastname@example.org.
This privacy notice was last updated: July 12, 2021