Fathom Analytics and Data Protection – What Belongs in the Privacy Policy
Concise guide to Fathom Analytics: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
If a website operator uses Fathom Analytics, then according to the provider's information only the IP address and the user agent of website visitors are processed, for the purpose of pseudonymised reach measurement on the basis of a legitimate interest or consent. This article explains what data Fathom Analytics specifically processes, how the processing is to be classified legally, and what information a website operator should include in their privacy policy. The presentation is based on publicly accessible information from the provider and does not replace a case-by-case examination.
A. Purpose and Function of Fathom Analytics
Fathom Analytics is a web-based analysis tool that provides website operators with evaluations on the use of their website – such as page views, visitor numbers, countries of origin, and referrer information. The provider explicitly positions Fathom Analytics as a privacy-friendly alternative to classic analysis services and advertises that it works without cookies and without storing directly identifying personal data.
The central integration function for the website operator is the Fathom tracking script: A short JavaScript snippet is embedded in the website and sends a request to the Fathom servers with each page view. Fathom additionally offers further functions such as event tracking (conversions), email reports, uptime monitoring, and a screen sharing function for dashboards. In what follows, only the integration function of the tracking script for classic website analysis is addressed.
B. Mandatory Disclosures in the Privacy Policy When Using Fathom Analytics
In relation to the use of tools such as Fathom Analytics, the GDPR prescribes specific mandatory disclosures in addition to the general information for the privacy policy. Specifically, information must be provided on the purposes of processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR), in the case of processing on the basis of a balancing of interests, additionally on the legitimate interests specifically pursued (Art. 13(1)(d) GDPR), the recipients or categories of recipients (Art. 13(1)(e) GDPR), and on any transfers to unsafe third countries outside the EU/EEA (Art. 13(1)(f) GDPR). In addition, the retention period or the criteria for determining it must be specified (Art. 13(2)(a) GDPR), and – in so far as the data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).
The mandatory disclosures referred to above are broken down for Fathom Analytics below.
It is not necessary to list every single tool by name and with its own text template in the privacy policy – even though precisely this practice has become widespread in many privacy policies. This "text-template-per-tool" approach has established itself as an unfortunate habit: It results in long, highly repetitive texts and makes the entire privacy policy difficult to maintain and barely readable. A topic-oriented approach is more appropriate, describing the processing operations in an integrated manner (server operation, newsletter, tracking, sales, etc.) and listing the specific service providers used only in an annex. This is precisely the methodology followed by the matterius generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Fathom Analytics
The provider of Fathom Analytics, according to the company's publicly accessible information, is
Conva Ventures Inc. Registered office: British Columbia, Canada
The provider's data protection notices specifically for the service are available at https://usefathom.com/legal/privacy. The Data Processing Agreement (DPA) is available at https://usefathom.com/legal/dpa.
Canada has an adequacy decision of the EU Commission (limited to commercial organisations), so that for transfers to Conva Ventures Inc., no additional guarantees such as Standard Contractual Clauses under Art. 46 GDPR are required in principle. The provider states that for European customers it offers a so-called "EU Isolation", under which data of EU visitors is processed on servers in the EU and the IP address is removed in the EU before anonymised data may be transferred to US-based servers. The website operator should examine on a case-by-case basis whether EU Isolation is activated for their account and whether the specific sub-processor list is suitable for the deployment.
The presentation in this section is based on the publicly accessible information of the provider and does not replace a legal case-by-case examination. Company information, in particular address and group structure, should be verified by the website operator on the basis of the current Fathom documentation.
D. Data Processing at Fathom Analytics – Procedure in Steps
E. Data Collected by Fathom Analytics
According to the publicly accessible information of the provider, when the Fathom tracking script is used, in particular the IP address (which is briefly used for hash generation and is subsequently no longer stored), the user agent, the URL accessed, the referrer, the screen size, the coarse location at country level, and event information (conversions) are processed. According to the provider's information, no direct personal reference is created via name, email address, or persistent identifiers in the browser, since Fathom does not set cookies or local storage entries.
The data can be classified into the following standardised data type categories:
- Web server log data: Data that the Fathom server receives with each request, in particular IP address of the internet connection, date, time and time zone of the request, URL of the requested content, referrer, as well as technical metadata such as status code and amount of data transferred.
- Click paths: Pages of the website visited with date and time, as well as – where the website operator has configured events – clicked links, buttons, accessed forms, and conversion events.
- Device data: Information on the terminal device such as device type, screen resolution, and screen size.
- Browser information: Information on the browser used, in particular browser name and browser version.
- Coarse location data: Coarse location of the user determined on the basis of the IP address, according to the provider's information typically at country level.
- Conversion events: User interactions defined as relevant by the website operator, e.g. access to certain pages, downloads, or contact requests, where events are configured.
F. Purposes of Use of Fathom Analytics
Website operators typically use Fathom Analytics to measure the reach of their online offerings, identify frequently accessed content, understand technical performance (e.g. device usage), and evaluate the success of individual campaigns or content via conversion events. Fathom Analytics is primarily oriented towards evaluating user behaviour for the improvement of one's own website; user-individual marketing or personalised advertising are explicitly not among the use purposes advertised by the provider.
The purposes typically pursued by the website operator with the use of Fathom Analytics can be classified into the following standardised categories of purposes of use:
- Provision of functionality: Provision of the functionality of the website, in particular error detection and remediation on the basis of technical evaluations.
- Security and abuse protection: Limited use to detect suspicious access patterns.
- General product improvement: General needs-oriented design of the website, in particular optimisation on the basis of frequently accessed content, improvement of user-friendliness, and general business planning.
- General marketing: Non-user-individual orientation of marketing measures, in particular reach analysis and success measurement of campaigns.
According to the provider's information, Fathom Analytics does not carry out user profile creation, user-individual product improvement, or user-individual marketing, on account of the pseudonymisation.
G. Legal Bases for the Use of Fathom Analytics
Fathom Analytics falls into the tool category tracking (statistics/reach measurement).
For tracking services, consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG is regularly the relevant basis. Since Fathom Analytics, according to the provider's information, does not set cookies and does not store or read out information on the terminal device, the provider argues that § 25 TDDDG is not applicable to the service. For the mere storage of the pseudonymised usage data on the Fathom servers, reliance is additionally placed in such constellations on legitimate interests under Art. 6(1)(f) GDPR, in particular the interest in improvement and business management (needs-oriented design of online services, determination of reach, decisions on investments in individual content).
Whether dispensing with cookies and persistently stored identifiers is sufficient in an individual case to escape § 25 TDDDG, and whether the balancing of interests in cookieless reach measurement tips in favour of the website operator, has not been conclusively clarified at supervisory authority level or in case law. The specific legal basis must therefore be examined by the website operator on a case-by-case basis. Where Fathom Analytics is integrated as part of a consent solution, the user's consent is the legal basis.
H. Special Features and Notes on Fathom Analytics
- Cookieless tracking: According to the provider's information, Fathom does not set cookies and does not store persistent identifiers on the terminal device. Whether § 25 TDDDG is therefore not applicable is to be assessed by the website operator on a case-by-case basis.
- EU Isolation: The provider states that it offers a default-activatable "EU Isolation" under which data of EU visitors is processed on EU servers. Details and activation status are to be checked in the Fathom account.
- Third-country transfer / adequacy decision: The provider is a Canadian company. Canada has an adequacy decision of the EU Commission for commercial organisations. Sub-processors may be located in further countries; the respective guarantees under Art. 44 et seq. GDPR apply here.
- Data Processing Agreement (DPA): The provider states that it provides a DPA under Art. 28 GDPR and describes itself as a processor. Conclusion of a corresponding agreement is generally required when using the tool.
- Settings for the website operator: Examination of the activation of EU Isolation, configuration of the event/conversion trackers, where applicable integration via a consent manager.
- Opt-out for visitors: Due to the pseudonymisation, Fathom states that it does not provide a classic opt-out cookie. Visitors can prevent its use via browser settings (e.g. blocking scripts) or – where integrated via a consent banner – by refusing consent.
I. Frequently Asked Questions on Fathom Analytics (FAQ)
J. Conclusion and Recommendation on the Use of Fathom Analytics
Fathom Analytics is a reach measurement tool that, according to the provider's information, dispenses with cookies and directly identifying data and provides for an EU Isolation for European customers. The specific data protection classification – in particular the relevant legal basis and the question whether § 25 TDDDG applies – depends on the specific setup and is to be assessed by the website operator on a case-by-case basis.
For the privacy policy: It is generally not very useful to include a separate, lengthy text template for every individual tool – and thus also for Fathom Analytics. This makes the privacy policy unwieldy, redundant in content, and difficult to maintain, and runs counter to the transparency requirement of Art. 12(1) GDPR, according to which information must be provided in a precise, transparent, intelligible, and easily accessible form. A structured, topic-oriented approach is more appropriate: The processing operations are described in an integrated manner by topic blocks (server operation, newsletter, tracking, sales, etc.); individual tools and service providers – including Fathom Analytics – are listed by name in the recipient annex. This is precisely the methodology followed by the matterius generator.
This article serves as general information on Fathom Analytics and does not replace legal advice in individual cases. As of: 23 April 2026.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com