Hypothesis Privacy Policy

Hypothesis Privacy Policy 2017-05-24T11:16:09+00:00

Hypothesis cares about your privacy and does not share your personal data with anyone.

User Information

We keep a fairly limited amount of information in the user table: username, email and last login date. We have optional fields for a display name, location and a description on your profile.

As specified in our Terms Of Service, we support pseudonyms. The only requirement for signing up is a working email address.

Users younger than 18 should always check with their parents or guardians before entering information on any website, mobile or tablet-based application, and discuss with their parents or guardians the online sharing of personal information.

Access to this information is restricted to system administrators. For support purposes, the Hypothesis staff has limited access to user data (email, username, active status, number of annotations, group membership).


Hypothesis may place a number of cookie files on your web browser. By using the service you consent to the use of cookies.

Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows our service to recognize you. Cookies allow us to remember if you’re logged in and if you were annotating privately, in a group, or publicly.

If you’d like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser. Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.

More about cookies.

Teachers and Students

When a user signs up with a school email address, the School or District may request access to all user data generated by these accounts, and may request its deletion. These requests will only be processed by previous agreement between Hypothes.is and the School or District, with specific terms and time allowances.

If you are a teacher, you should be aware students younger than 18 may need parental release to publish on a Public group or the Hypothes.is public channel.

Handling User Data

User passwords are salted and hashed using the industry standard “bcrypt” algorithm. No Hypothesis staff member has access to user passwords. Hypothes.is staff has access to user emails only for support purposes.

We retain user IP address information and request information for a strictly limited period (2 weeks) for diagnostic purposes only. We also collect some information in aggregate about your activities in our application from the client. This de-identified information is used for internal metrics and operational support, but we do not track your individual activity.

On third parties:

Hypothesis doesn’t share user information with advertisers, affiliates or partners. We do not monetize our customer traffic in any way.

Access to Annotation Data

There are a few ways in which a user’s annotations are available to other users:

  • Annotations made in the public channel are visible to every Hypothesis user
  • Annotations made in groups are only visible to group members
  • Annotations published for “Only Me” are only visible to the person who made the annotation

The same applies to our API users: authenticated users can only retrieve annotations for which they have the right permissions. Unauthenticated users can only retrieve public annotations.

With respect to Hypothesis staff, a small number of engineering staff have database access that lets them see any annotation or profile data in your account, in order to operate the service and address problems with the system. Staff is not allowed to re-disclose private user information.

Chrome Extension Permissions

The Hypothesis extension for Chrome will ask users to grant certain permissions at the time of installation. The extension needs them in order to work with the user’s browser and the websites the user visits. More detailed information about how we use these permissions on this blog post: https://hypothes.is/blog/hypothes-is-chrome-extension-permissions/

Contact with Users

We send account registration, activation and password reset notifications via email. We also send event notifications such as about replies to annotations via email, with the option to opt-out. Approximately every quarter we send out a newsletter, “The Margin”, with the option to opt-out. In the future we may also send information about important service updates or substantial changes in Privacy Policy or our Terms of Service.

Breaches of Privacy

In case of a breach of private information, we will notify affected users via the email address associated with their account within 24 hours of uncovering the breach.

By using Hypothesis and this website, you consent to this Privacy Policy.

Changes to the Privacy Policy

If we decide to change our privacy policy, we will post those changes on this page, and/or update the Privacy Policy modification date below.

Updated: 11 April 2016