Privacy
What Fathom collects, what it never transmits, and how to delete everything.
Summary
Fathom is built around research-grade data integrity, which is inseparable from research-grade privacy. The platform does not run third-party analytics, does not fingerprint visitors, does not show advertising, and never transmits the content of what you are testing or thinking about. The aggregate research dataset is structurally decoupled from your account.
What we collect
- An anonymous account identifier. A random UUIDv4 stored in an HttpOnly cookie. No derivation from IP, browser fingerprint, time of day, or anything else that could re-identify you. Issued on first visit; lasts up to one year unless you log out or delete the account.
- Trial records. For each trial: your choice (A or B), the outcome (A or B), the four canonical timestamps (presentation, choice, generation, reveal), the server-signed HMAC, the entropy bytes, and a paradigm identifier.
- Session records. Trial counts, completion status, and per-session statistics derived from your trials.
- Invite code (if applicable). During closed beta, the code you redeemed is linked to your account for capacity accounting.
- Email address. Collected only when you choose to enable magic-link authentication (V1.5+). Optional.
What we never collect
- Trial content. Fathom never asks what you are testing, what question is in your mind, or what intention you set for a trial. That content never leaves your browser. Only your binary choice, the outcome, and timing leave the device.
- Browser fingerprints used for identity. No canvas fingerprinting, no font enumeration, no audio fingerprinting, no behavioral biometrics keyed to identity. We do collect normal request metadata (user-agent, request timestamp) that web servers see by default; these are used for integrity validation, not identity.
- Advertising identifiers. No third-party ad networks. No retargeting pixels.
- Third-party analytics. No Google Analytics, Mixpanel, Amplitude, or similar. Server logs and error reports (Sentry) are first-party and PII-redacted at the SDK level.
Contribution payloads
If you opt into anonymous contribution (the $5 one-time unlock), your trial data is published to the aggregate research dataset with a separate contribution_user_id UUID. There is no foreign-key, hash, or other deterministic link between your account ID and your contribution ID. Contribution payloads carry sequence numbers within a session but no timestamps, so researchers cannot triangulate session-to-account from the temporal pattern.
Contribution is opt-in, reversible at the row level (we can purge your historical contributions on request), and never the default.
Third parties
- Vercel hosts the application and sees standard request metadata (IP, user-agent, timing). Vercel's privacy terms apply for the network layer.
- Neon hosts the Postgres database. Trial data and account records are stored encrypted at rest.
- Upstash hosts the rate-limiting layer. Only ephemeral counters are stored there, keyed by IP for abuse mitigation.
- Sentry receives application error reports. PII (UUIDs, emails, tokens) is redacted at the SDK level before transmission via a hardened beforeSend filter.
- Stripe (when V1 contribution unlock ships) handles payment for the contribution unlock. Stripe receives your card data; Fathom only receives a payment-success acknowledgement and never sees the card details.
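One way a beforeSend redaction filter like the one described for Sentry above can be written, as an added example that is not Fathom's own code. The regex patterns, the sensitive-key list, the fail-closed behaviour and the sample event are assumptions constructed for illustration.

```javascript
// Added illustration, not Fathom's code. Patterns and key names are assumptions.
const UUID_RE = /\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/gi;
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Assumed token shapes: "Bearer <value>" and JWT-like three-part strings.
const TOKEN_RE = /\bBearer\s+[A-Za-z0-9._~+\/-]+=*|\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
// Keys whose values are dropped whatever they contain (assumed list).
const SENSITIVE_KEY_RE = /^(authorization|cookie|set-cookie|email|ip_address)$|token|secret|password/i;

function scrubString(s) {
  return s.replace(TOKEN_RE, "[token]").replace(EMAIL_RE, "[email]").replace(UUID_RE, "[uuid]");
}

// Walk any JSON-like value and return a scrubbed copy. `seen` stops the walk
// on objects already visited (cycles or shared references).
function scrub(value, seen = new WeakSet()) {
  if (typeof value === "string") return scrubString(value);
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[circular]";
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => scrub(v, seen));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[scrubString(key)] = SENSITIVE_KEY_RE.test(key) ? "[redacted]" : scrub(v, seen);
  }
  return out;
}

// Sentry calls beforeSend(event, hint) before transmission; returning null drops the event.
function beforeSend(event) {
  try {
    const clean = scrub(event);
    delete clean.user; // drop the user context entirely
    return clean;
  } catch {
    return null; // fail closed: never send an event that could not be scrubbed
  }
}

// Constructed sample event (not real data); the URL path is hypothetical.
const SAMPLE_EVENT = {
  message: "trial save failed for 3f2b8c1e-9d4a-4c7b-8e21-5a6f7b8c9d0e (alice@example.com)",
  request: {
    url: "/api/trials/3f2b8c1e-9d4a-4c7b-8e21-5a6f7b8c9d0e",
    headers: { cookie: "id=3f2b8c1e-9d4a-4c7b-8e21-5a6f7b8c9d0e" },
  },
  user: { id: "3f2b8c1e-9d4a-4c7b-8e21-5a6f7b8c9d0e" },
};
```

The function would be passed as the `beforeSend` option to `Sentry.init`; it returns a copy, so the original event object is not mutated.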
Retention & deletion
Account deletion cascades to all trials, sessions, and statistics associated with the account. Per-row deletion is supported for contribution payloads on request. Server-side error reports (Sentry) follow Sentry's default retention.
Logging out via the navigation menu clears your account cookie and ends your session; it does not delete your data. Use the account deletion flow (V1+) for permanent removal.
Contact
Privacy questions, deletion requests, and data exports go through the contact form. We aim to respond within 7 days.