Privacy Policy
This Privacy Policy explains how Fathom Medicine, PLLC ("Fathom," "we," "us," or "our") handles information collected through fathommedicine.com (the "Site"). It applies only to information collected through this website.
If you become a Fathom patient, the information we collect and maintain about you in connection with your care — through the patient portal, electronic medical record, clinical visits, hospital encounters, and any communications about your care — is governed by our separate Notice of Privacy Practices (NPP) under the federal Health Insurance Portability and Accountability Act (HIPAA), not by this policy.
If you are a Washington resident, Section 7 (Your Washington Consumer Health Data Privacy Policy) contains additional disclosures and rights that apply to you under the Washington My Health My Data Act (RCW 19.373).
1. Information We Collect
Information you give us directly
When you submit our contact form, we collect the information you choose to share. Our form is processed by Formspree, a third-party form-processing service that delivers your submission to us by email. Typical fields include your name, email address, phone number, and any message content you write.
We are unable to guarantee the security of free-form text you enter into the contact form. Please do not transmit detailed personal health information through the contact form. A short description of why you are interested in Fathom is fine; clinical detail is not appropriate for an unencrypted website form. If you need to share clinical information, please call us, or wait until you are a member and have access to the patient portal.
Information we collect automatically
We use Cloudflare Web Analytics to understand aggregate Site traffic. Cloudflare Web Analytics is a privacy-respecting, cookieless analytics tool that does not place cookies in your browser, does not run client-side tracking scripts that identify individual visitors, and does not build cross-site profiles. The data captured is limited to:
- Aggregate page views and visitor counts
- Approximate (country/region-level) location, derived from your IP address
- Browser type, operating system, and device category
- Referring URLs
IP addresses are processed transiently by Cloudflare for the purpose of generating these aggregate statistics and are not retained in a form that identifies you as an individual. We do not combine this data with information from any other source to identify you.
Patient portal
The Fathom patient portal is operated by our electronic medical record (EMR) vendor, [TODO: vendor name]. When you click through to the portal from this Site, you leave fathommedicine.com and enter the vendor's environment. Your use of the portal is governed by (a) the EMR vendor's own privacy practices and (b) Fathom's Notice of Privacy Practices under HIPAA — not by this policy.
2. How We Use Information
We use the information we collect to:
- Respond to your inquiries and follow up about prospective membership
- Operate, maintain, and improve the Site
- Understand aggregate Site usage
- Comply with legal obligations and protect our legal rights
We do not sell personal information. We do not share contact form content with third parties for advertising or marketing purposes.
3. Cookies and Tracking Technologies
The Site does not use cookies. We do not run advertising trackers, marketing pixels, or cross-site tracking technologies. Our analytics tool (Cloudflare Web Analytics) is cookieless by design.
4. Third Parties Who Process Information on Our Behalf
We rely on the following service providers to operate the Site and process inquiries:
- Formspree — processes contact form submissions and forwards them to us by email
- Cloudflare — hosts the Site (Cloudflare Pages) and provides aggregate Site analytics (Cloudflare Web Analytics)
- Google Workspace — receives and stores form submissions and other inbound email sent to us
Each is bound by its own privacy practices and, where applicable, by data processing terms with us. We disclose information to legal authorities only when required by law or compelled by valid legal process.
5. Data Retention
- Contact form submissions are retained for as long as necessary to respond to your inquiry and follow up about membership — typically no longer than 24 months for inquiries that do not result in membership.
- Analytics data is aggregate-only and is retained by Cloudflare according to its default retention period for Web Analytics.
- Server logs are retained by our hosting provider (Cloudflare) for a short rolling window for security and operational purposes.
If you become a Fathom patient, information about you transitions to our medical record system and is retained according to applicable law (in Washington, generally at least 10 years for adult records, and longer for pediatric records). At that point, the medical record — not this policy — governs.
6. Security
We implement reasonable technical and organizational measures intended to protect information collected through the Site. No method of transmission over the internet or electronic storage is fully secure, however, and we cannot guarantee absolute security. As noted above, the contact form is not an appropriate channel for detailed personal health information.
7. Your Washington Consumer Health Data Privacy Policy
This section applies if you are a resident of Washington State, or if your consumer health data is collected while you are physically located in Washington. It is required by the Washington My Health My Data Act, RCW 19.373.
Categories of consumer health data we may collect
- Health-related interests, concerns, symptoms, conditions, or treatment goals that you voluntarily disclose in a contact form submission, email, or phone call
We do not collect consumer health data through analytics or tracking technologies. Our analytics tool (Cloudflare Web Analytics) is cookieless and aggregate-only and does not identify individual visitors or build profiles based on browsing behavior.
Sources of consumer health data
- Directly from you, when you submit a form, send an email, or otherwise communicate with us through the Site
How we use consumer health data
- To respond to your membership inquiry and to communicate with you about Fathom's services
Categories of third parties and affiliates with whom we share consumer health data
- Formspree (form processor — receives the contents of contact form submissions)
- Google Workspace (email provider — receives and stores form submissions delivered to us by Formspree)
We do not sell consumer health data. We do not share consumer health data for targeted advertising. We do not authorize any third party to collect consumer health data through the Site for that party's own purposes.
Your rights under MHMDA
If you are a Washington consumer, you have the right to:
- Confirm whether we are collecting, sharing, or selling your consumer health data, and to access that data
- Withdraw consent to our collection and sharing of your consumer health data
- Request deletion of your consumer health data
- Appeal if we deny one of the requests above
To exercise any of these rights, contact us at [TODO: privacy@fathommedicine.com] or by mail at the address in Section 10. We will respond within 45 days; we may extend that period by up to an additional 45 days when reasonably necessary, in which case we will notify you of the extension and the reason.
If we deny your request, you may appeal by replying to the denial notice. If your appeal is also denied, you may file a complaint with the Washington Attorney General's Office at https://www.atg.wa.gov/file-complaint.
Consent
The contact form on this Site includes a checkbox by which you affirmatively consent to our collection, use, and processing of any health-related information you choose to include in your submission, for the purposes described in this section. We will not process a submission until that consent is provided.
You may withdraw consent at any time by contacting us using the information in Section 10. Withdrawing consent will not affect the lawfulness of processing that occurred before the withdrawal, but it will stop further use of your information and trigger our deletion process.
8. Children
The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13 through the Site. If a child becomes a Fathom patient, information about that child is governed by HIPAA and Washington medical records law, not this Site policy.
9. Changes to This Policy
We may update this policy from time to time. The "Last Updated" date at the top of the policy reflects the most recent change. Material changes will be flagged conspicuously at the top of the policy for at least 30 days following the change.
10. Contact
Fathom Medicine, PLLC
[TODO: mailing address]
[TODO: phone]
[TODO: privacy@fathommedicine.com]
For questions specifically related to HIPAA-protected health information — your medical record, the patient portal, or clinical privacy — please refer to our Notice of Privacy Practices, available at [TODO: link] or by request.