23andMe is committed to GDPR compliance through our robust data privacy and security protections. This page, our full privacy statement, terms of service, research consent document, sample storage consent document and frequently asked questions all provide information meant to help you understand our practices. If you have questions, please contact us at privacy@23andMe.com.
23andMe is committed to being transparent about the kinds of information we collect, the reasons we collect it, and how it is used.
23andMe generally processes personal data for the following purposes:
- Complete kit purchase(s).
- Create an account and register kit(s) to that account.
- Market and advertise our products and promotions.
- Perform website maintenance, usage, and analytics, as well as network and infrastructure security.
We generally process sensitive personal information, including genetic information, and other personal information in order to:
- Process your sample at our contracted lab.
- Compute and populate your reports.
- Maintain and develop your account's tools, features, and functionality.
- Participate in 23andMe Research.
- Assist you through our Customer Care channel.
At its core, the GDPR is about enabling individuals to find out what personal data we hold about them, why we hold it, and who we disclose it to.
As a 23andMe customer, you can access and download your data from within your account. Specifically, you can:
- Access and download your 23andMe reports, genetic data, self-reported survey data, and other personal data at any time within your account.
- Request a copy of your personal data processed by 23andMe's third party service providers. We work with these third party service providers to provide, analyze, and improve our Service.
- Learn more about accessing and downloading your personal data here.
You can delete your 23andMe account and data from within your account settings at any time. Once you submit and confirm your request, we will delete your data. Data deletion is permanent and cannot be canceled, undone, withdrawn, or reversed. Learn more about deleting your personal data here.
23andMe directly conducts the majority of data processing activities required to provide our Ancestry and Health + Ancestry Services to you. However, we do engage some third party service providers to assist in supporting these Services, including in the following areas:
- Our genotyping lab, LabCorp
- Customer Care
- Cloud storage
- Marketing and analytics
- IT and Security
Our rigorous selection process ensures each third party service provider complies with the GDPR and can deliver the appropriate level of security and data protection. Please review our Privacy Statement for more information about our third party service providers.
Under the GDPR, organizations that collect and store personal data must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with processing personal data. 23andMe uses industry-leading organizational and technical measures to keep personal data secure. Learn more.
To comply with European legal requirements around international data transfer mechanisms, we self-certify under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.