Legal
Cookies & local storage
Cookies, in plain words
A "cookie" is a small piece of data a website asks your browser to remember between visits. Most websites use cookies for advertising, retargeting, and cross-site tracking through third-party scripts.
Fathom sets no cookies by default. There are no advertising cookies, no retargeting pixels, and no Meta pixel, and we never track you across other websites. Only if you explicitly accept on the consent banner do we enable Google Analytics 4 and Google Tag Manager, which set first-party cookies to measure traffic; if you decline, the site stays fully cookieless. Our default analytics (Plausible) never sets a cookie.
Analytics
Plausible Analytics (default, always on) - we load a small script from plausible.io that records aggregate page views and outbound-link clicks. Plausible is built to be GDPR/CCPA/PECR-compliant by design: no cookies are set, no persistent identifiers are stored on your device, no fingerprint is computed, and no data is sold or shared. It counts visits using a daily-rotating hash of (IP + user-agent + site domain) that cannot be reversed to identify you. We see country, referrer, browser, and which pages are popular - nothing more.
Google Analytics 4 & Google Tag Manager (optional, consent-gated) - these load only after you click "Accept analytics" on the consent banner. Provided by Google, they set first-party cookies and let us measure traffic and conversions in more detail. If you click "Decline" (or never choose), they never load and the site stays cookieless. Your choice is remembered on your device and you can change it any time by clearing site data. Any tracker-blocker (uBlock Origin, Brave's shields, Firefox strict mode) blocks all of the above automatically.
What else Fathom stores
localStorage - equivalent to a cookie under most data-protection regulations. We use it on your device for: your account record, active session, subscription state, language preference, default lesson view, accepted-cookies flag, a cache of your reflections, and (when you create or redeem one) coupon records.
IndexedDB - a browser-native database. We use it to cache your voice notes (base64 audio) for offline playback.
Synced to your account, encrypted: your reflections and voice notes are also stored on our servers, encrypted at rest (AES-256-GCM), so they survive device loss and sync across your devices. Only you can read them while signed in.
Service-worker cache - a browser-native cache that stores the static files needed to run the app offline. No personal content.
Why we show a consent banner
Because Google Analytics and Tag Manager set cookies and are third-party tools, EU/UK law (GDPR + PECR) requires your prior consent before they load. The banner gives you two real choices: Accept analytics loads Google Analytics and Tag Manager now and on future visits; Decline never loads them. Either way, cookieless Plausible and the on-device storage the app needs to function keep working.
Your choice is stored in a single localStorage key (fathom.analytics.consent.v1, value granted or denied) so we don't keep asking. Clearing site data resets the choice and shows the banner again.
Removing what's stored
You can clear everything Fathom has stored on your device at any time, from inside the app: Me → Your data → Delete everything. You can also clear it from your browser's site-data settings - Chrome, Firefox, and Safari all expose a per-site "clear storage" control.
Clearing storage logs you out, removes your subscriptions and progress on this device, and resets all preferences. There is no cloud copy to fall back on.
Third-party assets
Images and fonts are served directly from fathom.courses - no external CDN, no third-party font services, no embedded media. The app uses one font file (Noto Nastaliq Urdu) served from the same domain. The external scripts we load are Plausible (always; cookieless) and, only after you opt in, Google Analytics and Google Tag Manager from googletagmanager.com.