Privacy Policy

1. Introduction

This Privacy Policy explains how we collect, use, store, share, and protect data uploaded by users to our platform. We are committed to complying with all applicable data privacy laws and regulations, such as GDPR, to safeguard personal data and ensure transparency. While the California Consumer Privacy Act (CCPA) does not currently apply to our business, we voluntarily adhere to its principles to ensure a high standard of data privacy for all our customers.

2. Data Collection

  • User Accounts
    To create and manage user accounts securely, we collect the following data:

    • First and last names

    • Email addresses

    • Login credentials (stored as securely hashed passwords)

    • IP addresses and device identifiers

    • Cookies (Strictly Necessary Cookies) for session management and authentication

This data is essential for user authentication, account management, and communication related to platform use.

  • User-Uploaded Data
    To deliver learning and development insights, we collect and process data that is uploaded by users or provided through an API. This deidentified data may include:

    • Unstructured text, surveys, or feedback responses

    • Attendance, completion, or assessment data

    • Job roles

    • Departments

    • Program participation details

    • Geographic or organizational segmentation data

  • Personal Data
    Depending on the requirements of each customer and the contractual agreement between Fathom and that customer, users may upload personal data to conduct additional analysis.

For many customers, our use of personal data is limited to the creation and management of user accounts, and we advise that all datasets be scrubbed of personal data before uploading. If personal data is uploaded inadvertently, this is flagged immediately and users can decide whether to continue or to re-upload the data with the personal data omitted.

  • Automatic Data Collection: In addition to user account and user-uploaded data, we may automatically collect technical data such as IP addresses, browser type, and usage statistics to improve our services and ensure the proper functioning of the platform.

3. Use of Data

  • We process data for the following purposes:

    • Delivering insights, analytics, and recommendations to support learning and development goals.

    • Improving the platform’s functionality, including fraud detection and new product development.

    • Enabling secure authentication and account management.

    • Complying with legal obligations and responding to regulatory requirements.

We do not sell personal data to third parties.

4. Data Sharing

  • Third-Party Service Providers

    • We share data with trusted third parties, such as Auth0, for authentication services. Data shared includes names, email addresses, and login credentials, processed securely per GDPR and CCPA.

  • Legal Requirements

    • We disclose data only when required by law or public authorities.

  • Access Restrictions

    • All third-party processors are contractually obligated to handle data securely, process only necessary information, and comply with privacy regulations.

5. Data Security

We implement industry-leading technical and organizational measures to ensure data security, including:

  • Encryption

    • Data in transit is encrypted using TLS 1.2 or higher.

    • Data at rest is secured with AES-256 encryption.

  • Access Controls

    • Role-based permissions restrict access to personal data.

    • A "break-glass" policy requires director approval for emergency data access.

  • Monitoring and Incident Response

    • Automated tools detect anomalies.

    • Incidents are logged, investigated, and addressed within 24 hours, with forensic evidence preserved.

6. User Rights

Users have the following rights:

  • Access and Correction

    • Request access to or correction of personal data.

  • Portability

    • Obtain data in a machine-readable format (e.g., CSV, JSON).

  • Deletion

    • Request data deletion, except where retention is legally required.

  • Consent Withdrawal

    • Opt out of processing or sharing personal data.

      We maintain processes to respond to user rights requests promptly and notify third-party recipients where applicable.

7. Data Retention

  • Retention Period: We retain user-uploaded data for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements.

  • Data Deletion: After the retention period ends, or upon user request, we will securely delete or anonymize user data.

8. Cookies and Tracking Technologies

We use "Strictly Necessary Cookies" for essential platform functions, such as authentication and session management. These do not require user consent under applicable privacy laws. We do not use cookies for tracking or marketing purposes.

9. International Data Transfers

  • Cross-Border Data Transfers: If user-uploaded data is transferred outside of the user’s country of residence, we ensure that appropriate safeguards are in place to protect the data in accordance with this Privacy Policy and applicable laws.

10. Compliance and Certification

While not currently certified under a specific framework, we align with GDPR, CCPA, and other global standards. We are actively pursuing SOC 2 certification to enhance our compliance position.

11. Changes to This Policy

  • Policy Updates: We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. Users will be notified of significant changes, and the updated policy will be made available on our platform.

12. Contact Information

Questions and Concerns: If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at support@getfathom.io.