Do they own your data? Fathom.video Privacy Policy Reviewed.
TL;DR: Companies handling highly sensitive calls may face privacy concerns when using Fathom for call recording and transcription. Issues include the collection and use of meeting content for service improvement, sharing data with third-party service providers, data retention policies, and potential challenges with regulatory compliance like GDPR and HIPAA. An alternative solution like BuildBetter.ai, which is GDPR, SOC 2 Type 2, and HIPAA compliant, does not train on customer data, and grants full ownership of data to customers, may better meet stringent privacy requirements for sensitive communications.
Evaluating Privacy Concerns When Using Fathom for Sensitive Call Recordings
Introduction
For companies dealing with highly sensitive calls and working with individuals requiring strict confidentiality, understanding how a service like Fathom handles data privacy is crucial. Fathom offers call recording and transcription services, but it's important to examine their privacy policy (Last Updated: October 25, 2024) to ensure it aligns with your organization's privacy standards and regulatory obligations. This post provides a detailed analysis of Fathom's privacy policy to highlight potential concerns for organizations handling sensitive information.
1. Collection and Use of Meeting Content Information
Privacy Policy Insight:
Under "Information We Collect", Fathom states:
"Meeting Recordings. If you use our Services to record or transcribe your meetings, we will receive the personal information contained in the content of those meetings."
They further explain:
"By using our Services to record or transcribe meetings, you understand that your meeting will be recorded, and you agree to allow us to record your meeting for you solely in accordance with our Terms of Service."
What This Means for You:
Your sensitive call content, including audio, video, transcripts, and any personal information discussed during meetings, is collected and stored by Fathom. While they mention that the data is used "solely in accordance with our Terms of Service," there may be concerns about how this information is handled, who has access to it, and whether it's used for purposes beyond just providing the service, such as improving their technology.
2. Data Sharing with Third-Party Service Providers
Privacy Policy Insight:
Under "How We Disclose the Information We Collect", Fathom states:
"Vendors and Service Providers. We may disclose any information we receive with vendors and service providers retained in connection with the provision of our Services. We disclose Meeting Content Information with a limited number of service providers and vendors solely to help us provide and deliver the Services to you."
What This Means for You:
Sharing Meeting Content Information with third-party vendors and service providers increases the risk of unauthorized access or misuse of sensitive data. Even if the sharing is intended to help provide the service, involving third parties may conflict with your company's data governance policies or regulatory requirements, especially if strict control over data access and storage is required.
3. Integration with Third-Party Applications
Privacy Policy Insight:
Under "Third Party App Integrations", Fathom mentions:
"When you connect a third party application such as Google, Microsoft, Zoom or any other compatible third-party conferencing application to our Services, we may share information such as your meeting notes, links to video clips, or portions of the meeting transcript with that third party."
What This Means for You:
Integrating with third-party applications can lead to additional data sharing with those services. This could expose sensitive meeting content to other platforms, which may have different privacy practices. Your company would need to ensure that all integrated third-party services meet your privacy and security standards.
4. Data Retention Policies
Privacy Policy Insight:
In "Data Retention", Fathom states:
"We store all personal information for as long as necessary to fulfill the purposes set out in this Privacy Policy, or for as long as we are required to do so by law or in order to comply with a regulatory obligation."
They also mention:
"When deleting personal information, we will take measures to render such personal information irrecoverable or irreproducible, and the electronic files which contain personal information will be permanently deleted."
What This Means for You:
Fathom retains your sensitive data for an unspecified duration, which may be longer than your company's data retention policies allow. Extended retention periods increase the risk of data breaches over time. While they mention measures to delete data upon request, there may be concerns about how promptly and thoroughly this is done, especially if data has been backed up or archived.
5. Compliance with International Data Transfers
Privacy Policy Insight:
Under "International Visitors and Cross Border Data Transfers", Fathom states:
"Our Services are hosted in the United States and intended for visitors located within the United States. If you choose to use the Services from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your personal information outside of those regions to the United States for storage and processing."
They also mention:
"When we transfer your personal information outside of the European Economic Area, including to the U.S., we shall ensure that relevant safeguards are in place to afford adequate protection for your personal information in compliance with relevant data protection laws such as Standard Contractual Clauses or the Data Privacy Frameworks."
What This Means for You:
International data transfers can pose compliance challenges with regulations like GDPR if your calls involve individuals from the EU or other regions with strict data protection laws. Your company may need to ensure that these transfers comply with all relevant regulations, which may require additional contractual safeguards and impact assessments.
6. User Responsibility for Obtaining Consent
Privacy Policy Insight:
Under "Information We Collect", Fathom notes:
"Some states or countries require all parties to consent before recording a video or audio meeting—not just the consent of one party to the communication (i.e., yourself). Please make sure you have the necessary permissions and consents from other meeting participants before using our Services and/or sharing personal information with us."
What This Means for You:
The responsibility to obtain consent from all meeting participants falls on you. In jurisdictions requiring all-party consent, failure to obtain proper permissions could lead to legal issues. This adds complexity to using Fathom for recording sensitive calls, especially when participants are in different locations with varying laws.
7. Data Security Measures
Privacy Policy Insight:
Under "Security", Fathom states:
"We make reasonable efforts to protect your information by using reasonable physical, technical, organizational and electronic safeguards designed to improve the security of the information we maintain."
What This Means for You:
While Fathom mentions reasonable efforts to protect your data, they do not provide detailed information about their security protocols. Companies handling highly sensitive information may require more stringent security measures, such as end-to-end encryption, and need assurance that the service meets specific security standards.
8. Use of Data for Service Improvement
Privacy Policy Insight:
Under "How We Use the Information We Collect", Fathom states:
"To understand and analyze how you use our Services and develop new products, services, features, and functionality."
What This Means for You:
Your data, including potentially sensitive Meeting Content Information, may be used to improve Fathom's services. This could involve analyzing meeting content, which may not align with your company's policies on data usage, especially if sensitive information is involved.
9. Third-Party Advertising
Privacy Policy Insight:
Under "Third Party Advertising", Fathom mentions:
"We work with third party advertisers to show you ads for Fathom’s Services... Information received by these parties includes Device Information. For the avoidance of doubt, information received by these third parties does not include your Meeting Content Information, Registration Information, or your Fathom account information."
What This Means for You:
While Fathom states that Meeting Content Information is not shared with advertisers, Device Information and usage patterns may still be shared. This could expose metadata about your use of the service, which might be a concern for companies requiring strict confidentiality.
10. Retention of Data After Account Deletion
Privacy Policy Insight:
In "Delete your Account or Pose a Question", Fathom states:
"If we receive an account deletion request, we will use commercially reasonable efforts to delete your recordings and personal information within 30 days of your account deletion request, although we cannot guarantee that deletion will always occur within this timeframe."
What This Means for You:
There may be delays in deleting your data after a request, and Fathom does not guarantee immediate deletion. For sensitive information, delays in data deletion can increase risks. Additionally, they may retain data if legally required, which could conflict with your company's policies on data handling.
11. Dependence on Third-Party Calendars
Privacy Policy Insight:
Under "Information We Collect", Fathom notes:
"Please note that linking an Outlook Calendar or a Google Calendar account is core to our Services and without linking either an Outlook Calendar or a Google Calendar, you will not be able to successfully use our Services."
What This Means for You:
Requiring integration with third-party calendars like Google or Outlook means sharing calendar data, which may include sensitive information about meetings, attendees, and topics. This dependency introduces additional privacy considerations, as your calendar data is accessible to Fathom and subject to their data handling practices.
12. Processing of Sensitive Personal Data
Privacy Policy Insight:
Under "Information We Collect", Fathom states:
"As a data controller, we do not collect any sensitive data that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data nor do we collect any information about criminal convictions and offenses. If this type of data is discussed in your meeting, you are the controller of this data and such data will be considered Meeting Content Information. You must have a proper legal basis to collect such data."
What This Means for You:
If sensitive personal data is discussed during meetings, you are responsible for ensuring compliance with data protection laws. Fathom considers you the data controller for such data, placing the burden of legal compliance on your company. This could be challenging, especially under regulations like GDPR, which impose strict requirements for processing sensitive data.
Introducing BuildBetter.ai as a Secure Alternative
Given these concerns, companies require a solution that prioritizes data privacy and security. BuildBetter.ai emerges as a robust alternative:
- Compliance: BuildBetter.ai is GDPR, SOC 2 Type 2, and HIPAA compliant, ensuring adherence to international data protection regulations.
- Data Ownership: Customers retain full ownership of their data, providing control over how it's used and stored.
- Data Usage: BuildBetter.ai does not train on customer data, eliminating risks associated with data being used for service improvement or AI training.
- Security Measures: With stringent security protocols, BuildBetter.ai safeguards your data against unauthorized access and breaches.
- No Third-Party Sharing: They avoid unnecessary data sharing with third parties, minimizing exposure risks.
What This Means for You:
Using BuildBetter.ai allows your company to leverage call recording and transcription services without compromising on privacy. It ensures that sensitive information remains confidential, complies with all relevant regulations, and provides you with full control over your data.
Conclusion
For companies handling highly sensitive calls and working with individuals requiring strict confidentiality, using Fathom for call recording presents several privacy concerns. These range from data collection and sharing practices to data retention policies and compliance challenges with international regulations.
Recommendations:
- Conduct a Comprehensive Risk Assessment: Evaluate how Fathom's data practices align with your company's privacy policies and legal obligations.
- Choose Compliance-Focused Tools: Opt for solutions like BuildBetter.ai that prioritize regulatory compliance and data security.
- Maintain Control Over Data: Ensure that you retain ownership and control over your data to prevent unauthorized use.
- Implement Additional Security Measures: If proceeding with Fathom, consider adding encryption or other security enhancements where possible.
- Consult Legal Experts: Engage with legal counsel specializing in data privacy to navigate potential liabilities and ensure full compliance.
By making informed choices, your company can protect sensitive information and maintain the trust of the individuals you work with.
Disclaimer: This post is for informational purposes only and does not constitute legal advice. Companies should consult with qualified legal professionals to address specific concerns related to privacy and data protection.