Five key ways we ensure your privacy
The information presented here is meant to be a general guide to our privacy and security practices. For specific details about our practices, see our privacy statement, terms of service, research consent document, sample storage consent document and frequently asked questions.
We're committed to complying with the EU's new data protection law, referred to as the GDPR. Visit our GDPR page to learn about our data protection approach.
Please contact us at privacy@23andMe.com if you have questions.
1. Meaningful Choice
23andMe gives you control over your genetic information. We want you to decide how your information is used and with whom it is shared.
You decide how your information is stored, used and shared.
There are several important decisions you can make:
- Whether or not to store your saliva sample
- If you wish your account to be visible to other 23andMe members
- If you want to participate in our DNA Relatives tool connecting you with both known and unknown close and distant relatives
Your decisions concerning how your information is stored, used and shared can be changed at any time. Go to "account settings" when you are logged into your 23andMe account. For a more detailed description about these settings, see our terms of service, account settings: privacy/consent, and DNA Relatives: privacy settings.
2. Privacy by design
We take great care to design our product with privacy in mind. And we think it is important for you to understand how we handle your information. Below is an overview of the information we collect, how it is used and when it is disclosed.
Types of information we collect
We collect personal information from you when you register and use the site, such as your name, credit card, email and web behavior information (such as your IP address). Through the saliva sample and the survey responses you provide to us, we collect genetic, phenotypic and familial information.
How we store your information
Your personal and registration information is stored separately from any genetic information to reduce the likelihood that you could be identified. Your personal information is assigned a randomized customer identification number for identification and customer support services. Your genetic information is only identified using a barcode system.
How we keep your research details private
If you provide responses to our online surveys and opt into our research program, your genetic information is stripped of personally identifying information and transferred into our research environment where it is stored with your survey response data and is assigned a randomized research identification number.
3. Third Party Sharing
We will not sell, lease or rent your individual-level information to any third party or to a third party for research purposes without your explicit consent. However, we do use and share aggregate information with third parties in order to perform business development, initiate research, send you marketing emails and improve our services.
Aggregate information has been stripped of your personal details (e.g., your name and contact information) and aggregated with the information of others so that you cannot reasonably be identified as an individual.
We care strongly about protecting the information of children and other individuals who do not have the legal capacity to make decisions for themselves. In the case of children, a parent or guardian may collect a saliva sample from, create an account for, and provide information related to his or her child. The parent or guardian assumes full responsibility for ensuring that the information he or she provides to 23andMe about his or her child is kept secure and that the information submitted is accurate.
When a customer has lost capacity or passed away, we will only give their account information to individuals who are legally authorized to make decisions on their behalf, such as an executor, a personal representative, or a beneficiary of a deceased's estate. The person requesting the information must complete an authorization form and provide evidence and legal documentation indicating they are allowed to act on behalf of the individual before we will provide any information.
We work very hard to protect your information from unauthorized access from law enforcement. However, under certain circumstances, your information may be subject to disclosure pursuant to a judicial or other government subpoena, warrant or order, or in coordination with regulatory authorities. If such a situation arises, we have to comply with valid governmental requests and we will notify the affected individual(s) unless the legal request prevents us from doing so. Our transparency report details the government requests for data we receive and how we have responded.
23andMe will not provide any person's data (genetic or non-genetic) to an insurance company or employer.
We have been long-time supporters of legislative efforts intended to prevent genetic discrimination and to safeguard individuals' genetic privacy.
In May 2017, Senate Bill S-201, the Genetic Non-Discrimination Act, became law in Canada. This Act regulates the use of Genetic Information by insurers, employers, and other organizations. It prevents employers and insurance companies from requiring individuals to take a genetic test or to disclose results from such testing. S-201 doesn’t cover tests required by healthcare practitioners and researchers.
23andMe believes genetic information, as well as the systems put in place to protect it, deserve the highest level of security.
23andMe implements physical, technical, and administrative measures to prevent unauthorized access to or disclosure of customer information, to maintain data accuracy, to ensure the appropriate use of information, and otherwise safeguard our customers' Personal Information.
It is important to note 23andMe cannot protect your information if you share it with others. In addition, while our teams regularly review and improve our security practices to help ensure the integrity of our systems and customer information, it is never possible to fully guarantee against breaches in security.
Please help us by submitting any issues or vulnerabilities with the 23andme.com website, product experience or applications.
Our practices include, but are not limited to, the following areas:
- ISO/IEC 27001:2013 certification. Our information security management system, which protects 23andMe systems, has been certified under the ISO/IEC 27001:2013 standard. View or download our certification here.
- Encryption. 23andMe uses industry standard security measures to encrypt Sensitive Information both at rest and in transit.
- Limited access to essential personnel. We limit access to Sensitive Information to authorized personnel, based on job function and role. 23andMe access controls include multi-factor authentication, single sign-on, and strict least-privileged authorization policy.
5. Research participation
23andMe offers customers the opportunity to participate in a new way of conducting research (at home and online). Participating in our research is completely voluntary. Customers can choose not to consent to research, and choosing not to participate will not impact their 23andMe experience.
If you choose to consent to participate in research, your data will be used to help power the work done by 23andMe scientists or third-party researchers working with 23andMe. Consenting allows our researchers, or approved third-party researchers, to use a customer's de-identified data in aggregate for a variety of studies.
23andMe has condition-specific research communities for Lupus, Parkinson's disease and Irritable Bowel Disease (IBD). Participants in condition-specific research communities may be invited to provide an additional level of consent that enables researchers to reference their de-identified, individual-level information for ongoing research.
Other research studies may require fully identified information. In these instances, 23andMe will ask participants for explicit permission to use their fully identified, individual-level data for research.
Customers can opt in or opt out of our research at any time. If you opt out, we will discontinue using your information for research within 30 days.
Learn more about 23andMe Research here.
Information that has been stripped of your registration information (e.g., your name and contact information) and aggregated with information of others so that you cannot reasonably be identified as an individual.
Aggregate information is different from "individual-level" information. Individual-level genetic information or self-reported information consists of data about a single individual's genotypes, diseases or other traits and characteristics.