Research Privacy Notice
A legal disclaimer
Effective date: FEB 2025
Who we are: Fathom Data Labs Pte. Ltd. (“Fathom”, “we”, “us”).
DPO (Singapore): Mike Parsons - dpo@fathom.inc
1) When this notice applies
This notice explains how personal data is handled for surveys and research we conduct. It applies to:
- Fathom as processor (most projects): your controller is our client, whose name appears in the invitation or first page of the survey. We collect and process responses on their documented instructions. Refer to the client’s privacy notice for their full details and lawful bases. We will pass any rights requests to the client.
- Fathom as controller (limited cases): e.g., for our proprietary research panel, security/quality controls, and where we re‑use anonymised/aggregated data for benchmarking.
If the role isn’t clear, email privacy@fathom.inc and we’ll confirm and route your request.
2) What data we collect
- Survey responses you choose to provide (we design surveys to avoid direct identifiers).
- Operational metadata for fraud prevention/quality: e.g., IP address, device/browser info, timestamps, approximate location (derived from IP), response velocity, duplicate checks.
- Contact details only when necessary (e.g., incentive fulfilment, re‑contact, panel sign‑up), collected via separate forms and kept separate from response data.
- We do not seek special category data unless clearly stated and justified, with enhanced safeguards.
3) Purposes and legal bases
When the client is controller (Fathom as processor): we process data on the client’s instructions for market/UX research, analytics, and reporting to the client. The client defines the lawful basis (e.g., consent, legitimate interests, contract). See the client’s notice.
When Fathom is controller (limited cases):
- Quality, security, and fraud prevention (legitimate interests).
- Panel operations and re‑contact (consent for sign‑up and communications; legitimate interests for suppression/security).
- Product improvement and benchmarking using anonymised/aggregated data (outside personal data scope; where personal data is involved, legitimate interests).
- Where we rely on legitimate interests or deemed consent by notification under Singapore PDPA, we keep a written assessment and, where required, publish a summary.
- For genuine research scenarios under PDPA, we may rely on the research exception where legal conditions are met.
4) Recipients and disclosures
- Client: receives aggregated reports and, where agreed, underlying datasets (typically with identifiers removed).
- Sub‑processors / vendors: survey platforms (e.g., Alchemer), hosting, communications, fraud prevention, incentive processors. We require appropriate contracts and safeguards. We currently use Alchemer as our survey platform.
- Legal/safety: regulators, law enforcement, courts, or advisers where required by law or to protect rights.
5) International transfers
When data leaves its origin country/region we ensure appropriate safeguards, including:
- EEA: EU SCCs (2021/914) with Transfer Impact Assessments and supplementary measures as needed.
- UK: IDTA/UK Addendum to the SCCs.
- Singapore (PDPA): comparable protection for overseas transfers (e.g., model clauses, including ASEAN MCCs).
Details are available on request.
6) Retention
- Operational personal data: kept for the minimum time needed to deliver the project, complete quality checks, and comply with law/contract. Unless instructed otherwise, we typically retain operational datasets for up to 12 months after project close, then delete or irreversibly anonymise them.
- Anonymised/aggregated datasets: retained on an ongoing basis for benchmarking and product improvement.
- Panel profiles: see our Panel Privacy Notice.
7) Your rights
Your rights depend on the law that applies (e.g., EU/UK GDPR, Singapore PDPA) and whether Fathom or the client is the controller. Rights may include access, correction/rectification, erasure, restriction, portability, objection, and withdrawal of consent.
- How to exercise: email privacy@fathom.inc (include your survey ID or other details to help us locate your record). If the client is the controller, we will pass your request to them and support their response.
- We do not re‑identify anonymised datasets in response to requests.
8) Cookies and similar technologies
Survey pages and dashboards may use cookies or similar technologies. We limit cookies to essential functions unless you opt in to additional categories (e.g., analytics) where required. Manage preferences via the cookie banner/manager. See our Cookies Policy: https://www.fathom.inc/cookies-policy
9) Contact
- Privacy/data rights: privacy@fathom.inc
- DPO: dpo@fathom.inc
- Compliance: compliance@fathom.inc
10) Changes
We may update this notice from time to time. The effective date shows when the latest version took effect. Material changes will be highlighted where practicable.