Fathom Analytics is a privacy first, cookieless web analytics tool from Conva Ventures Inc. that collects no personal data, sets no cookies in its default configuration, and is designed to be consent exempt under GDPR and ePrivacy.
Fathom Analytics is a privacy focused alternative to Google Analytics, built and operated by Conva Ventures Inc. in Canada. It provides website traffic statistics such as page views, referrers, unique visitors, and conversions without setting cookies, without collecting personal data, and without sharing visitor information across websites.
Instead of cookies or device fingerprinting, Fathom generates a daily rotating salt and hashes the visitor IP address, user agent, and site ID together to produce an ephemeral anonymous identifier used only for same day visit deduplication. The salt is destroyed at the end of each day, which means the identifier cannot be linked back to a person or reused across days.
Because Fathom does not store or read information on a visitor terminal and does not process personal data in its default mode, the ePrivacy Directive consent requirement for cookies and similar technologies does not apply. The UK PECR analogue follows the same logic. Most European data protection authorities accept that strictly anonymous, aggregated audience measurement of this kind does not require prior consent.
To the extent that any limited processing falls inside the scope of the GDPR, the appropriate legal basis is Article 6(1)(f), legitimate interest. Recital 49 explicitly recognises measurement and security of information systems as a legitimate interest of the controller. The balancing test is favourable because no identifiers persist, no profiling occurs, and visitors cannot be singled out.
When EU Isolation is enabled, Fathom routes all European visitor traffic through servers located in Frankfurt, Germany. Data never crosses the Atlantic and is processed exclusively inside the European Union, removing any Schrems II transfer concerns for European audiences.
Implementation is a single script tag loaded from cdn.usefathom.com with your unique site identifier. There is no consent gate required for the default cookieless mode, so the script can load on every page from the first visit. Enable EU Isolation in the site settings to keep European traffic on the Frankfurt infrastructure.
Websites using Fathom Analytics must obtain user consent under GDPR regulations.
DPIA considerations
Low risk. No personal data is processed in default configuration, no cookies are set, and no cross site tracking occurs. A full DPIA is not required; a record in the Article 30 register noting legitimate interest and the EU Isolation setting is sufficient.
Sample consent text
Fathom Analytics is consent exempt in its default configuration; no banner toggle is required. Disclosure in the privacy notice is recommended for transparency.
Third-party domains contacted
cdn.usefathom.com
app.usefathom.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| (no cookies set) | none | N/A | Fathom Analytics is cookieless by default. No browser cookies are set. |
No. In its default configuration, Fathom Analytics does not set any first party or third party cookies, and it does not read any cookies from the visitor browser. Instead, Fathom uses a daily rotating salt hashed with the visitor IP address, user agent, and site ID to deduplicate visits anonymously within a single day. Because nothing is stored on the user device, the cookie law and ePrivacy storage rules are not triggered.
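The daily rotating salt scheme described here and in the overview can be sketched as follows. This is an added example, not Fathom's code: the class name, the use of HMAC-SHA256, the field encoding and the in-memory storage are all assumptions, and the sample hits are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailySaltDeduplicator:
    """Counts unique visitors per day without storing IPs or setting cookies."""

    def __init__(self):
        self._salt = None        # random key, held in memory only
        self._salt_day = None    # calendar day the current salt belongs to
        self._seen = set()       # identifiers seen today
        self.unique_by_day = {}  # aggregate counts: the only data retained

    def _rotate(self, today: date) -> None:
        # On a new day, discard the old salt and identifiers and draw a new salt.
        if self._salt_day != today:
            self._salt = secrets.token_bytes(32)
            self._salt_day = today
            self._seen = set()

    def visitor_id(self, ip: str, user_agent: str, site_id: str, today: date) -> str:
        self._rotate(today)
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        fields = (s.encode() for s in (ip, user_agent, site_id))
        msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
        # Unlinkability rests on the salt staying secret and being discarded:
        # while it exists, its holder can recompute the ID for a known IP and UA.
        return hmac.new(self._salt, msg, hashlib.sha256).hexdigest()

    def record(self, ip: str, user_agent: str, site_id: str, today: date) -> bool:
        """Return True if this is the visitor's first hit on site_id today."""
        vid = self.visitor_id(ip, user_agent, site_id, today)
        first = vid not in self._seen
        self._seen.add(vid)
        if first:
            key = (today, site_id)
            self.unique_by_day[key] = self.unique_by_day.get(key, 0) + 1
        return first


def demo():
    # Constructed hits from a documentation-range IP: two on day 1, one on day 2.
    d = DailySaltDeduplicator()
    days = [date(2024, 3, 1), date(2024, 3, 1), date(2024, 3, 2)]
    return [d.record("203.0.113.7", "ExampleBrowser/1.0", "SITE123", day) for day in days]
```

The repeat visit on the same day is deduplicated, while the same visitor on the next day is counted as new because the previous day's salt no longer exists.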
In most European jurisdictions you do not need a consent banner for Fathom Analytics, because no information is stored on or read from the visitor terminal and no personal data is processed in the default mode. The CNIL, the ICO, and several other supervisory authorities accept strictly anonymous audience measurement as exempt from prior consent. We recommend listing Fathom in your privacy notice for transparency, but a consent toggle is generally not required.
To the extent that the GDPR applies, the legal basis is Article 6(1)(f), legitimate interest. Recital 49 recognises measurement and security of information systems as a legitimate interest of the controller. The legitimate interest assessment is straightforward because Fathom does not persist identifiers, does not profile users, does not enable cross site tracking, and does not allow the singling out of individuals.
Only if you do not enable EU Isolation. With EU Isolation activated on your site, European visitor traffic is processed exclusively on Fathom servers located in Frankfurt, Germany, and never crosses the Atlantic. Without EU Isolation, anonymous aggregated analytics may be processed on Fathom infrastructure in the United States, in which case standard contractual clauses and the EU-US Data Privacy Framework apply.
A full data protection impact assessment is not required for Fathom in its default configuration. The processing is low risk: no personal data is collected, no cookies are set, no profiling occurs, and visitors cannot be re-identified. A short entry in your Article 30 record of processing activities, noting the legitimate interest basis and whether EU Isolation is enabled, is sufficient documentation for accountability purposes.
Add a single script tag pointing to cdn.usefathom.com with your unique site identifier in the head of your pages. Because the default mode is cookieless and consent exempt, the script can load unconditionally on every page load, including the first visit. If your audience is European, enable EU Isolation in the Fathom dashboard so that traffic is routed through the Frankfurt servers.
Comparable privacy first, cookieless analytics tools include Plausible Analytics (EU hosted in Germany), Simple Analytics (EU hosted in the Netherlands), and Matomo (self hosted or EU cloud). All four follow a similar consent exempt design pattern. The right choice depends on hosting location, pricing, integrations, and whether you prefer self hosting or a managed service.
Strictly speaking, a cookie policy entry is not required because Fathom does not set cookies. However, a short mention in the privacy notice or analytics section is recommended for full transparency. State that Fathom Analytics is used for anonymous, cookieless audience measurement, that EU Isolation is enabled where applicable, and that no personal data is processed.