If you have any questions about our privacy practices or this Policy, please contact us at firstname.lastname@example.org.
Note about Children under 13: Our Services are intended for Users 13 years of age and older; we do not knowingly collect any information from children under the age of 13.
What Is This Policy?
Summary of How We Use and Share Your Personal Information
| Personal Information we collect | Partners provide us limited Personal Information about their Users so that we can provide our Services and create User profiles. |
| How we use Personal Information | Personal Information is used to provide and maintain access to the Services. |
| Account Control | Accounts are controlled by our Partners. Hypothesis provides the Services to Users on behalf of our Partners. Partners get access to certain information about Users, such as the annotations Users make as a part of their studies in a particular course. |
| Sharing Data with Third Parties | In certain circumstances, Hypothesis may share Personal Information with third-party service providers as needed to perform services for Hypothesis or on our behalf. When we do this, it is subject to contractual restrictions protecting the security and confidentiality of this data, or as otherwise permitted by our agreements with our Partners. Hypothesis does not sell Personal Information to third parties. |
| Analytics | Hypothesis reserves the right to use de-identified or aggregated data to perform analytics in order to support our internal operations and to analyze and improve the Services, consistent with the terms of our agreements with our Partners. |
| Security | Hypothesis provides commercially reasonable administrative, technical, and physical security controls to protect User Personal Information. |
Information We Collect
We need to collect certain information about you to provide you with the Services or the support you request. We define Personal Information as information that alone, or in combination with other, non-personal information would allow someone to identify or contact the User. We only collect the Personal Information that is necessary for us to provide you with our Services. Below we have described the types of information we collect and from where we collect it.
Information Provided Directly to Us
We collect the following information from your User profile:
- First Name
- Last Name
- Name of course at the Partner institution
- Role of the person within the course at the Partner institution (e.g., instructor)
- Email address from Users with an “instructor” role in the LMS
Hypothesis uses a hosted solution for support ticket management. Upon creating a support ticket, we require that you provide an email address so we can contact you regarding your support request.
Any annotations, personal notes, or comments you create within the LMS will be associated with your account. However, you, not your institution, retain ownership of any work you create using Hypothesis, and such content will solely be used for the purpose of providing our Services.
Automatically Collected Information
Like other websites and online services, we and our analytics providers, vendors and other third-party service providers may automatically collect certain “Usage Information” whenever you access and use the Services. For example, we may collect information regarding how often a User accesses certain features.
Usage Information includes: your IP address, operating system, browser type, domain names, access times and referring website addresses. This information is collected in a log file and retained for a limited time and is used for the operation of the Services, to maintain quality of the Services, and to provide general statistics regarding use of the Services. Note that we do not request or use location data for any purpose.
Information From Third Parties
- Third-Party Providers: We work with service providers like Amazon Web Services for data storage and other organizations for customer support, security, issue tracking, and to provide us with information regarding traffic on the Services, including the features used when visiting the Services.
How We Use the Information We Collect
We collect information about you when you use the Services for a variety of reasons in order to support Hypothesis and to enable our team to continue to create engaging experiences for our Users. We may use your Personal Information for the following purposes:
- To provide, maintain, and improve the Services, including monitoring and analyzing the usage, effectiveness, and User experience while using our Services.
- To deliver assistance or answer support requests.
- To create anonymous data for analytics. We may make information anonymous by excluding information that makes it personally identifiable to you, and once such information has been aggregated and anonymized so that it is no longer considered Personal Information, we use that de-identified data to operate and improve the Services.
- For compliance, fraud prevention, and safety. We use your Personal Information as we believe is necessary or appropriate to (a) enforce our terms and conditions; (b) protect our rights, privacy, safety or property, and that of you or others; and (c) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.
Sharing Information With Third Parties
We may share your information in the following situations:
- With our third-party service providers, to monitor and analyze the use and effectiveness of our Services, and to help maintain, support, and improve our Services. We use service providers for tasks such as document management; data hosting; and provisioning customer service tools related to the Services. We do not and will not grant service providers the right or permission to use your Personal Information beyond what is reasonably necessary to assist us in providing the Services.
- With our Partners we may share information in accordance with the terms of our agreements with our Partners.
- With law enforcement, when we have a good-faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order; to protect and defend our rights; to prevent or investigate possible wrongdoing with respect to the Services; to protect the safety of our property, our Users, our staff, or the public; and to protect against legal liability.
- Under no circumstances do we sell or provide Personal Information to third parties for advertising or marketing purposes.
Securing Your Personal Information
Hypothesis takes data security very seriously. We follow software development and cloud infrastructure best practices to avoid common vulnerabilities and prevent unauthorized access to our Users’ data. In addition to our internal practices, we contract with a third party that performs an annual evaluation of the security of our software and infrastructure. Measures taken to protect your data include the following:
- Data stored in a database that is regularly backed up
- Personal Information encrypted in transit and at rest
- Security awareness training for our staff
- Technical infrastructure designed to prevent unauthorized access to protected information at multiple points in every transaction
- Static analysis of our code to address weaknesses that might lead to vulnerabilities
- Automatic vulnerability monitoring for third-party dependencies
- Regular security assessments of our infrastructure
- Automated log analysis and security event alerting
- Third-party audits for vulnerabilities in our software
- Third-party penetration testing of our infrastructure
Please note that no method of transmission over the Internet, or method of electronic storage, is completely secure. Therefore, while we strive to use commercially reasonable means to protect your Personal Information, we cannot guarantee its absolute security.
In the event that Hypothesis becomes aware of a data breach impacting your Personal Information, we will promptly notify your Partner institution within 48 hours of identifying any breach. Hypothesis has procedures in place that are designed to stop and contain threats that may expose personally identifiable information, identify and mitigate all vulnerabilities that were exploited, restore the Services to full functionality, and document and take proactive steps to ensure the incident cannot be repeated. Hypothesis will also preserve necessary evidence for investigation by security professionals and law enforcement as appropriate.
How Long We Retain Your Information
- We keep User Personal Information for as long as necessary to provide the Services, except where the law requires or as directed by the relevant Partner. If our contract with a Partner ends and the Partner requests removal of any Personal Information, we will promptly delete or de-identify the Personal Information, unless, consistent with applicable law, there is a legitimate reason to retain it.
- We may retain records of support tickets and other communications between you and Hypothesis, for example support emails, survey responses, feedback submissions, or comments on our blogs or other posts, indefinitely in order to better manage our support processes, maintain accurate business records, and identify other trends.
Accessing and Managing Your Personal Information
Our Services automatically create an account for anyone who launches a Hypothesis-enabled assignment in your institution’s LMS; your User information is provided by your institution. Your LMS User account only works within the LMS in which the account was created; it does not work on the open web. Individual LMS Users may not update or delete their information directly with Hypothesis. LMS Users may only delete or update their information by contacting the institution and requesting that it contact Hypothesis to delete an LMS User’s information.
Communications From Hypothesis
- Hypothesis may post notices on its website.
- Hypothesis may send Users information by email (if the User is an employee of our Partner institution).
- Please note that email communications from us about our services or annotation beyond the administration of your account are opt-out. If you would like to stop receiving such email communications, you may opt out using the “unsubscribe” link provided in every email or by contacting us at email@example.com.
- Organizational emails from us may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include but shall not be limited to: the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity. This information is used to refine future email campaigns and supply Users with more relevant content based on their activity.
Users Outside the United States
Consent to Transfer
While Hypothesis is used around the world, the Services are operated in the United States. If you are located outside of the United States, please be aware that information we collect will be transferred to and processed in the United States. By using the Services, or providing us with any information, you fully understand and consent to this transfer, processing and storage of your information in the United States.
Important Information for Users in the European Economic Area
GDPR Compliance
We endeavor to be fully compliant with the General Data Protection Regulation (“GDPR”). The GDPR makes a distinction between “data controllers” and “data processors.” We are a “data processor” in providing our services that have been requested by our Partners. Our Partners will be the “data controllers,” as they decide whether to send us data, what data to send us and instruct us as to what we will do with it. We only process data according to the agreements and instructions of our Partners.
Additional Information or Assistance
If there are material changes to this Policy we will notify our Partners either by prominently posting a notice of such changes on our website, or by directly notifying our Partners by email prior to the changes taking effect. Your continued use of our Services after we publish or send a notice about our changes to these terms means that you are consenting to the updated terms as of their Effective Date.
Effective Date: 2 August 2022