Privacy Battles
Simple Analytics
Privacy Score
94
%
⚔️
Fathom
Privacy Score
94
%

Designated DPO or GDPR correspondent

Compliant
Partially Compliant
Not Compliant

Simple Analytics doesn’t process personal data, therefore does not have to designate a DPO.

Simple has a privacy dedicated email contact available on the website: privacyquestions@simpleanalytics.com

Compliant
Partially Compliant
Not Compliant

A DPO is said to be designated but no direct contact or identity was found on Fathom’s website and policies.

Privacy Policy

Compliant
Partially Compliant
Not Compliant

Regarding cloud:
A Cloud Privacy Policy is not necessary as no personal data is processed in the Cloud.

Regarding website:
https://simpleanalytics.com/privacy-policy

Compliant
Partially Compliant
Not Compliant

Regarding cloud and website: https://usefathom.com/privacy

Country & Type of Data storage

Compliant
Partially Compliant
Not Compliant

Company Headquarters:
The Netherlands 🇳🇱  (EU) 🇪🇺

Storage Facilities:
All analytics data is processed by Dutch cloud providers Worldstream and Leaseweb.

Compliant
Partially Compliant
Not Compliant

Company Headquarters:
Canada 🇨🇦

Storage Facilities:
EU traffic is processed by German cloud provider Hetzner in Germany and Iceland.

EU residents’ personal data is pseudonymized before being transferred on US servers (cloud provider is AWS), except if option « Extreme EU isolation » is contracted by the controller which ensures data stays in the European Union.

Data transfers outside the EU

Compliant
Partially Compliant
Not Compliant

Data is never transferred outside the EU.

Compliant
Partially Compliant
Not Compliant

The adequate level of protection in Canada has been approved by the European Commission.

However, Fathom doesn’t transfer data to Canada but to the US after it being pseudonymized.

If chosen by the controller, Fathom option “Extreme EU isolation” ensures data is never transferred outside the EU.

Legal tools for Subcontractors

Compliant
Partially Compliant
Not Compliant

Simple has only one subcontractor for CDN that is called BunnyCDN and is part of a company called BunnyWay, located in Slovenia (EU). They have concluded a written agreement protecting personal data processed on BunnyCDN's part.

Compliant
Partially Compliant
Not Compliant

Subcontractors are subjects to written agreements substantially similar to Fathom’s DPA: https://usefathom.com/dpa

Fathom has made public its list of subprocessors: https://usefathom.com/dpa

Prior to modifying the list of subprocessors, the controller will be notified by email and is able to object.

Fathom conducts risk assessments for every data processor used.

Data Breach Notification

Compliant
Partially Compliant
Not Compliant

Simple shares technical incidents on its website: https://status.simpleanalytics.com/?ref=simpleanalytics.com

Simple doesn’t process personal data and therefore a data breach cannot be materialized nor notified.

Compliant
Partially Compliant
Not Compliant

In case of a data breach, Fathom will notify the controller without undue delay after becoming aware of the breach, and assist the controller in providing necessary information.

Right Requests Process

Compliant
Partially Compliant
Not Compliant

Simple doesn’t process personal data therefore does not have to fulfill this GDPR obligation.

Compliant
Partially Compliant
Not Compliant

Reasonable assistance will be provided for the fulfilment of the controller’s obligation to respond to data subjects' right requests.

Data Privacy Impact Assessment

Compliant
Partially Compliant
Not Compliant

Simple doesn’t process personal data therefore does not have to fulfill this GDPR obligation.

Compliant
Partially Compliant
Not Compliant

Fathom explains conducting DPIAs on its processing activities but doesn’t mention assistance to controller if needed.

Employee Trainings

Compliant
Partially Compliant
Not Compliant

Simple doesn't process personal data and therefore is not obliged by the GDPR to have its employees subject to confidentiality obligations and trainings on personal data management.

Compliant
Partially Compliant
Not Compliant

Persons authorized to process the personal data are subject to confidentiality obligations.

Security Policy

Compliant
Partially Compliant
Not Compliant

Simple doesn’t mention having a security policy.

Compliant
Partially Compliant
Not Compliant

Fathom mentions having a security policy but has not made it public.

Organizational and Technical Security Measures

Compliant
Partially Compliant
Not Compliant

Server security:
Cloud security relies on Worldstream and Leaseweb.

Other measures:
Anonymisation and pseudonymisation of data, password encryption, backups on external servers.

Compliant
Partially Compliant
Not Compliant

Fathom mentions having a security policy but has not made it public.

Data Encryption

Compliant
Partially Compliant
Not Compliant

Data is encrypted at rest.

Compliant
Partially Compliant
Not Compliant

Fathom mentions data encryption but doesn’t precisely says if data is encrypted at rest or in transit.

Restriction of access

Compliant
Partially Compliant
Not Compliant

Simple doesn’t process personal data therefore does not have to fulfill this GDPR obligation.

Compliant
Partially Compliant
Not Compliant

Fathom only allows external access or processing of personal data in accordance with their instructions and only when strictly necessary (for instance, IT support).

Reuse of data

Compliant
Partially Compliant
Not Compliant

Swetrix doesn’t reuse personal data, nor sell it.

Compliant
Partially Compliant
Not Compliant

Fathom only processes personal data pursuant to controller instructions.

Exemption of cookie consent

Compliant
Partially Compliant
Not Compliant

YES, Simple doesn’t set any cookies.

Compliant
Partially Compliant
Not Compliant

YES, Fathom technology doesn’t require cookies.

Submission to Cloud Act/FISA

Compliant
Partially Compliant
Not Compliant

NO, data is stored in the EU and anonymized (therefore no more considered personal).

Compliant
Partially Compliant
Not Compliant

NO, if controller selects “Extreme EU isolation” storage option. If not, data is only pseudonymized through SHA256 when transferred to Amazon US servers.