Encrypted on your device. Unreadable on ours.
Privacy isn't a feature. It's the architecture.
Effective date: April 1, 2026
What we collect
Fathom is local-first. All financial data is processed and encrypted on your device. We operate no analytics, no telemetry, and no crash reporting services. In the free tier, your data never leaves your device. With Harbour, data is encrypted end-to-end before it reaches our servers — we store only ciphertext that we cannot decrypt. We never hold your encryption keys.
How we handle your email
If you connect your Gmail or Outlook account, Fathom uses OAuth (the same standard used by major apps) to read your email with your explicit permission. Here is exactly what happens:
- We request read-only access. Fathom cannot send, delete, or modify your email.
- Email content is processed entirely on your device. Raw email data is never sent to our servers or any third party.
- Fathom scans for bank transaction alerts and merchant e-receipt confirmations. It extracts only structured financial data — merchant name, amount, date, and line items.
- After parsing, the raw email content is discarded. Only the extracted financial record is stored in your local encrypted database.
- Your OAuth access and refresh tokens are stored in your device's secure enclave (iOS Keychain / Android Keystore), never in the app database.
- You can disconnect your email at any time in Settings. This revokes the OAuth token immediately.
On-device AI
Fathom runs a small language model directly on your device for receipt parsing, spending insights, and natural language queries. The model processes your financial data locally — nothing is sent to a server. If you optionally connect a cloud AI provider (such as OpenRouter), your queries are sent to that provider under their privacy policy. This is always opt-in and clearly disclosed in Settings.
Biometric data
Fathom uses your device's built-in biometric authentication (Face ID, Touch ID, or fingerprint) to protect the app. Your biometric data is handled entirely by your operating system — Fathom never accesses, stores, or transmits biometric data. We receive only a yes/no authentication result from the OS.
Product recognition contributions
Fathom can resolve garbled receipt text (like "KRKLD ORG XVOO") into recognizable product names. If you opt in via Settings, Fathom shares these receipt-to-product-name mappings — and only these mappings — to improve recognition for all Anglers. Specifically:
- What is shared: the receipt abbreviation, the resolved product name, the merchant name, and the barcode if known. Nothing else.
- What is never shared: prices, quantities, totals, purchase dates, purchase frequency, account details, transaction history, or any information that identifies you.
- Submissions are anonymous. No account, device identifier, or IP address is linked to your contributions.
- Anonymized, aggregated mappings may also be used to train a specialized AI model for better receipt text recognition. Once data is incorporated into a trained model, it cannot be individually removed from that model. This is disclosed before you opt in.
- You can turn this off at any time in Settings. New contributions stop immediately. Previously submitted mappings remain in the shared catalog (they are anonymous and non-identifying) but are excluded from future model training batches.
- This feature is off by default and requires explicit opt-in. If we materially change what is collected or how it is used, you will be asked to re-consent before contributions resume.
Fathom Harbour (cloud sync)
Fathom Harbour offers optional cloud sync, encrypted backup, and household sharing. Your data is encrypted end-to-end on your device before it leaves — we store only ciphertext that we cannot decrypt. The sync relay can observe when devices sync and from which network, but never the content of your financial data. This is the same metadata profile as Signal or iMessage. Cloud backup is opt-in and uses the same zero-knowledge encryption. Household sharing uses a shared encryption key — all members of the household can read the shared ledger, but Fathom still cannot. When a member leaves a household, the shared key is rotated and data is re-encrypted so that the departed member loses access. If you lose your encryption key and all devices, we cannot recover your data.
Data sovereignty
Your data lives on your device. The encryption keys live in your device's secure enclave and are never transmitted to us. When data flows outward — sync, backup, household sharing — it is encrypted on your device first, and our infrastructure sees only ciphertext we cannot decrypt. The encryption guarantees do not depend on which company runs the storage; they depend on keys never leaving your device. The protocol is documented and the backend is self-hostable: a technical Angler can run the same software on their own server and point the app at it. You can take your data and leave at any time via standard exports (SAR JSON, CRA tax year, plain CSV).
Third-party services
Fathom integrates with a small number of external services. Each is used only when you initiate it:
- Google Gmail API — read-only email access for bank alert and e-receipt parsing. Google's privacy policy applies to the OAuth connection.
- Microsoft Graph API — read-only Outlook email access for the same purpose. Microsoft's privacy policy applies.
- OpenRouter (optional) — cloud AI inference. Only used if you explicitly connect it in Settings. OpenRouter's privacy policy applies to queries you send.
- Open Food Facts — product database lookups for receipt item enrichment. Fathom sends product names or barcodes to look up product details. Open Food Facts is a free, open database — no account or API key is required. Their privacy policy applies.
- Apple / Google — app distribution and subscription billing. We receive confirmation of payment status, not payment details.
What we never do
- Sell ads or show advertising
- Share data with brokers or third parties
- Track your behaviour or build profiles
- Monetize your financial data in any way
- Fingerprint your device or collect device identifiers
- Sell, rent, or trade your personal information
Data retention
Your financial data lives on your device for as long as you keep it. If you opt into Harbour cloud backup, encrypted backups are stored on our infrastructure and auto-delete after 30 days of inactivity. Sync relay data auto-deletes after 30 days. Audit logs (which record what actions were taken, not your financial data) are retained locally for 2 years.
Your rights under PIPEDA
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:
- Access any personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your data
- Withdraw consent for data processing at any time
- Export your data in a portable format (CSV or JSON)
Because Fathom encrypts your data on your device with keys we never hold, we cannot access your financial data — even when it passes through our servers for sync or backup. You can exercise these rights directly in the app via Settings > Privacy, or by contacting us at privacy@getfathom.ca. Deletion requests are processed within 30 days.
Children's privacy
Fathom is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children. If you have concerns, please contact us at privacy@getfathom.ca.
Data breach notification
Because Fathom is local-first, a server breach cannot expose your financial data — even Harbour sync stores only ciphertext we cannot decrypt. If a breach affects our sync relay or backup infrastructure, we will notify affected users within 72 hours and report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA.
This website
This website (getfathom.ca) uses no cookies, no analytics, no tracking scripts, and no third-party resources that track visitors. It is a static site. Our hosting provider may process standard server logs (IP address, request time) under their privacy policy; we do not access these logs.
Launch waitlist
If you join our launch waitlist, we store your email address and preferred language so we can send you a confirmation email and notify you when Fathom launches. We never share your email with third parties. You can unsubscribe at any time via the link in our emails or by emailing privacy@getfathom.ca.
Governing law
This privacy policy is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein.
Contact
For privacy inquiries, data access requests, or concerns, contact us at privacy@getfathom.ca.
Your data, your keys, your terms.