Hypothesis Privacy Policy for Learning Management System Users

This privacy policy covers use of Hypothesis within a Learning Management System (LMS). For use of Hypothesis on the open web, see our companion privacy policy.

Hypothesis (“Hypothesis” or the “Services”) is an easy-to-add Learning Management System (“LMS”) tool that enables Users to have conversations in the margins of digital texts. We have established this Privacy Policy (the “Privacy Policy” or “Policy”) to clearly articulate the Personal Information that we collect and how we protect, use, and share it. We collect information from students, teachers, staff, and contractors from our Partners who use Hypothesis (“Users”) to provide and improve the Services. We do not and will not sell or rent your Personal Information to third parties. We pride ourselves in ensuring that we collect, use, process and erase any Personal Information from our LMS Users in accordance with current applicable laws in the United States of America (USA) and the General Data Privacy Regulation (GDPR).

If you have any questions about our privacy practices or this Policy, please contact us at support@hypothes.is.

Note about Children under 13: Our Services are intended for Users 13 years of age and older; we do not knowingly collect any information from children under the age of 13.

What Is This Policy?

We provide Hypothesis directly to schools, colleges, universities, school districts, and other institutions that enter into an agreement with us to use Hypothesis for educational purposes (“Partners”). This Privacy Policy describes how we collect and use information from Users at our Partner institutions.

Summary of How We Use and Share Your Personal Information

This summary provides an overview of some important information regarding our use and sharing of your information. Please read the entire privacy policy very carefully. By using our services, you agree to be bound by this privacy policy in its entirety.

  • Personal Information we collect: Partners provide us limited Personal Information about their Users so that we can provide our Services and create User profiles.
  • How we use Personal Information: Personal Information is used to provide and maintain access to the Services.
  • Account Control: Accounts are controlled by our Partners. Hypothesis provides the Services to Users on behalf of our Partners. Partners get access to certain information about Users, such as the annotations Users make as a part of their studies in a particular course.
  • Sharing Data with Third Parties: In certain circumstances, Hypothesis may share Personal Information with third-party service providers as needed to perform services for Hypothesis or on our behalf. When we do this, it is subject to contractual restrictions protecting the security and confidentiality of this data, or as otherwise permitted by our agreements with our Partners. Hypothesis does not sell Personal Information to third parties.
  • Analytics: Hypothesis reserves the right to use de-identified or aggregated data to perform analytics in order to support our internal operations and to analyze and improve the Services, consistent with the terms of our agreements with our Partners.
  • Security: Hypothesis provides commercially reasonable administrative, technical, and physical security controls to protect User Personal Information.

Information We Collect

We need to collect certain information about you to provide you with the Services or the support you request. We define Personal Information as information that alone, or in combination with other, non-personal information would allow someone to identify or contact the User. We only collect the Personal Information that is necessary for us to provide you with our Services. Below we have described the types of information we collect and from where we collect it.

Information Provided Directly to Us

Since your account is created by your institution solely for use within your institution’s LMS, your institution generally decides how your Personal Information is used. We provide our Services to Users as a so-called ‘data processor’ on behalf of our Partners. Since your institution acts as the ‘data controller’ of your information, your institution determines what information we collect through our Services and how it is used, and we process your information according to your institution’s instructions and the terms of our agreements with your institution. The information we collect is subject to this Privacy Policy, but the use of your Personal Information is also subject to your institution’s privacy policy.

We collect the following information from your User profile:

  • First Name
  • Last Name
  • Name of course at the Partner institution
  • Role of the person within the course at the Partner institution (e.g., instructor)
  • Email address from Users with an “instructor” role in the LMS


Hypothesis uses a hosted solution for support ticket management. Upon creating a support ticket, we require that you provide an email address so we can contact you regarding your support request.


Any annotations, personal notes, or comments you create within the LMS will be associated with your account. However, you retain ownership of any work you create using Hypothesis, not your institution, and such content will solely be used for the purpose of providing our Services.

Automatically Collected Information

Like other websites and online services, we and our analytics providers, vendors and other third-party service providers may automatically collect certain “Usage Information” whenever you access and use the Services. For example, we may collect information regarding how often a User accesses certain features.

Usage Information includes: your IP address, operating system, browser type, domain names, access times and referring website addresses. This information is collected in a log file and retained for a limited time and is used for the operation of the Services, to maintain quality of the Services, and to provide general statistics regarding use of the Services. Note that we do not request or use location data for any purpose.

Information From Third Parties

  • Your LMS: Our Services are connected through your institution’s LMS, which is a third-party service. We do not control the institution’s use of your Personal Information. The information we collect is subject to this Privacy Policy; the information collected and stored by your institution remains subject to the institution’s privacy practices, including whether the institution continues to share information with us and the types of information shared.
  • Third-Party Providers: We work with service providers like Amazon Web Services for data storage and other organizations for customer support, security, issue tracking, and to provide us with information regarding traffic on the Services, including the features used when visiting the Services.

How We Use the Information We Collect

We collect information about you when you use the Services for a variety of reasons in order to support Hypothesis and to enable our team to continue to create engaging experiences for our Users. We may use your Personal Information for the following purposes:

  • To provide, maintain, and improve the Services, including monitoring and analyzing the usage, effectiveness, and User experience while using our Services.
  • To deliver assistance or answer support requests.
  • To create anonymous data for analytics. We may make information anonymous by excluding information that makes it personally identifiable to you, and once such information has been aggregated and anonymized so that it is no longer considered Personal Information, we use that deidentified data to operate and improve the Services.
  • For compliance, fraud prevention, and safety. We use your Personal Information as we believe is necessary or appropriate to (a) enforce our terms and conditions; (b) protect our rights, privacy, safety or property, and that of you or others; and (c) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.
  • To support academic collaboration and personal research, we have introduced a feature that allows Users (students and teachers) to export and import any annotations they can see that are made within the same assignment. This capability is designed to facilitate the management and analysis of educational content beyond the Learning Management System. Any student may export annotations that are part of a shared assignment seen within the LMS. Such exported information is for personal and academic use only and must comply with educational and ethical standards.

Sharing Information With Third Parties

We may share your information in the following situations:

  • With our third-party service providers, to monitor and analyze the use and effectiveness of our Services, and to help maintain, support, and improve our Services. We use service providers for tasks such as document management; data hosting; and provisioning customer service tools related to the Services. We do not and will not grant service providers the right or permission to use your Personal Information beyond what is reasonably necessary to assist us in providing the Services.
  • With our Partners we may share information in accordance with the terms of our agreements with our Partners.
  • In relation to a business transfer, we are committed to protecting User Personal Information in the event an acquisition, sale or reorganization results in a transfer of Personal Information to a successor entity. You will be notified via e-mail and/or a prominent notice on the Services of any completed change in ownership of your Personal Information, as well as any choices you may have regarding your Personal Information. This Privacy Policy along with any agreements with our Partners governing the use or processing of User Personal Information will become binding upon the new owner of the information.
  • With law enforcement, when we have a good-faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order; to protect and defend our rights; to prevent or investigate possible wrongdoing with respect to the Services; to protect the safety of our property, our Users, our staff, or the public; and to protect against legal liability.
  • Under no circumstances do we sell or provide Personal Information to third parties for advertising or marketing purposes.

Securing Your Personal Information

Hypothesis takes data security very seriously. We follow software development and cloud infrastructure best practices to avoid common vulnerabilities and prevent unauthorized access to our Users’ data. In addition to our internal practices, we contract with a third party that performs an annual evaluation of the security of our software and infrastructure. Measures taken to protect your data include the following:

  • Data stored in a database that is regularly backed up
  • Personal Information encrypted in transit and at rest
  • Security awareness training for our staff
  • Technical infrastructure designed to prevent unauthorized access to protected information at multiple points in every transaction
  • Static analysis of our code to address weaknesses that might lead to vulnerabilities
  • Automatic vulnerability monitoring for third-party dependencies
  • Regular security assessments of our infrastructure
  • Automated log analysis and security event alerting
  • Third-party audits for vulnerabilities in our software
  • Third-party penetration testing of our infrastructure

Please note that no method of transmission over the Internet, or method of electronic storage, is completely secure. Therefore, while we strive to use commercially reasonable means to protect your Personal Information, we cannot guarantee its absolute security.

Data Breaches

In the event that Hypothesis becomes aware of a data breach impacting your Personal Information, we will promptly notify your Partner institution within 48 hours of identifying any breach. Hypothesis has procedures in place that are designed to stop and contain threats that may expose personally identifiable information, identify and mitigate all vulnerabilities that were exploited, restore the Services to full functionality, and document and take proactive steps to ensure the incident cannot be repeated. Hypothesis will also preserve necessary evidence for investigation by security professionals and law enforcement as appropriate.

How Long We Retain Your Information

  • We keep User Personal Information for as long as necessary to provide the Services, except where the law requires or as directed by the relevant Partner. If our contract with a Partner ends and the Partner requests removal of any Personal Information, we will promptly delete or de-identify the Personal Information, unless, consistent with applicable law, there is a legitimate reason to retain it.
  • We may retain records of support tickets and other communications between you and Hypothesis, for example support emails, survey responses, feedback submissions, or comments on our blogs or other posts, indefinitely in order to better manage our support processes, maintain accurate business records, and identify other trends.
  • Even if your account is closed, Hypothesis may retain any information provided by Users of the Services in backup or archive records for Hypothesis’ own use in: internally improving the Services with analysis of aggregated, non-personally-identifiable or de-identified data; account recovery; or if required by law. All retained data will continue to be subject to this Privacy Policy.

Accessing and Managing Your Personal Information

Our Services automatically create an account for anyone who launches a Hypothesis-enabled assignment in your institution’s LMS; your User information is provided by your institution. Your LMS User account only works within the LMS in which the account was created; it does not work on the open web. Individual LMS Users may not update or delete their information directly with Hypothesis. LMS Users may only delete or update their information by contacting the institution and requesting it contact Hypothesis to delete an LMS User’s information.

Communications From Hypothesis

  • Hypothesis may post notices on its website.
  • Hypothesis may send Users information by email (if the User is an employee of our Partner institution).
    • Please note that email communications from us about our services or annotation beyond the administration of your account are opt-out. If you would like to stop receiving such email communications, you may opt out using the “unsubscribe” link provided in every email or by contacting us at support@hypothes.is.
    • Organizational emails from us may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include but shall not be limited to: the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity. This information is used to refine future email campaigns and supply Users with more relevant content based on their activity.

Users Outside the United States

While Hypothesis is used around the world, the Services are operated in the United States. If you are located outside of the United States, please be aware that information we collect will be transferred to and processed in the United States. By using the Services, or providing us with any information, you fully understand and consent to this transfer, processing and storage of your information in the United States.

Important Information for Users in the European Economic Area

GDPR Compliance

We endeavor to be fully compliant with the General Data Protection Regulation (“GDPR”). The GDPR makes a distinction between “data controllers” and “data processors.” We are a “data processor” in providing our services that have been requested by our Partners. Our Partners will be the “data controllers,” as they decide whether to send us data, what data to send us and instruct us as to what we will do with it. We only process data according to the agreements and instructions of our Partners.

Additional Information or Assistance

We encourage you to reach out to us at support@hypothes.is to resolve any issues or concerns that you may have with this Privacy Policy or the ways we manage your Personal Information. In the event that you feel that we have not resolved your issue via email or support ticket communications, you have the right to file a complaint with your local supervisory authority or regulatory agency.

Modifications and Changes to this Privacy Policy

We may modify, add to, suspend, or delete this Privacy Policy, in whole or in part, at our sole discretion at any time, with such modifications, additions or deletions being effective on the “Effective Date” set out below. You can review the change history of this Policy at https://github.com/hypothesis/agreements/commits/main/privacy-policy/lms.

If there are material changes to this Policy we will notify our Partners either by prominently posting a notice of such changes on our website, or by directly notifying our Partners by email prior to the changes taking effect. Your continued use of our Services after we publish or send a notice about our changes to these terms means that you are consenting to the updated terms as of their Effective Date.

Effective Date: 2 August 2022