Hypothesis cares about your privacy and does not share your personal data with anyone.
We keep a fairly limited amount of information in the user table: username, email and last login date. We have optional fields for a display name, location and a description on your profile.
As specified in our Terms Of Service, we support pseudonyms. The only requirement for signing up is a working email address.
Users younger than 18 should always check with their parents or guardians before entering information on any website, mobile or tablet-based application, and discuss with their parents or guardians the online sharing of personal information.
Access to this information is restricted to system administrators. For support purposes, the Hypothesis staff has limited access to user data (email, username, active status, number of annotations, group membership).
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows our service to recognize you. Cookies allow us to remember if you’re logged in and if you were annotating privately, in a group, or publicly.
Teachers and students
When a user signs up with a school email address, the School or District may request access to all user data generated by these accounts, and may request its deletion. These requests will only be processed by previous agreement between Hypothes.is and the School or District, with specific terms and time allowances.
If you are a teacher, you should be aware students younger than 18 may need parental release to publish on a Public group or the Hypothes.is public channel.
Handling user data
User passwords are salted and hashed using the industry standard “bcrypt” algorithm. No Hypothesis staff member has access to user passwords. Hypothes.is staff has access to user emails only for support purposes.
We retain user IP address information and request information for a strictly limited period (2 weeks) for diagnostic purposes only. We also collect some information in aggregate about your activities in our application from the client. This de-identified information is used for internal metrics and operational support, but we do not track your individual activity.
On third parties:
Hypothesis doesn’t share user information with advertisers, affiliates or partners. We do not monetize our customer traffic in any way.
Access to annotation data
There are a few ways in which a user’s annotations are available to other users:
- Annotations made in the public channel are visible to every Hypothesis user
- Annotations made in groups are only visible to group members
- Annotations published for “Only Me” are only visible to the person who made the annotation
The same applies to our API users: authenticated users can only retrieve annotations for which they have the right permissions. Unauthenticated users can only retrieve public annotations.
With respect to Hypothesis staff, a small number of engineering staff have database access that lets them see any annotation or profile data in your account, in order to operate the service and address problems with the system. Staff is not allowed to re-disclose private user information.
Chrome extension permissions
The Hypothesis extension for Chrome will ask users to grant certain permissions at the time of installation. The extension needs them in order to work with the user’s browser and the websites the user visits. More detailed information about how we use these permissions on this blog post: https://hypothes.is/blog/hypothes-is-chrome-extension-permissions/
Contact with users
Updated: October 19, 2016