Privacy is in our DNA

Everyone deserves a secure, private place to explore and understand their genetics. At 23andMe, we put you in control of deciding what information you want to learn and what information you want to share.

See our privacy statement for more info.

Five key ways we ensure your privacy

The information presented here is meant to be a general guide to our privacy and security practices. For specific details about our practices, see our privacy statement, terms of service, research consent document, sample storage consent document and frequently asked questions.

We're committed to complying with the EU's new data protection law, referred to as the GDPR. Visit our GDPR page to learn about our data protection approach.

Please contact us at privacy@23andMe.com if you have questions.

1. Meaningful Choice

23andMe gives you control over your genetic information. We want you to decide how your information is used and with whom it is shared.

More on: meaningful choice

You decide how your information is stored, used and shared.

There are several important decisions you can make:

  • Whether or not to store your saliva sample
  • If you wish your account to be visible to other 23andMe members
  • If you want to participate in our DNA Relatives tool connecting you with both known and unknown close and distant relatives

Your decisions concerning how your information is stored, used and shared can be changed at any time. Go to "account settings" when you are logged into your 23andMe account. For a more detailed description of these settings, see our terms of service, account settings: privacy/consent, and DNA Relatives: privacy settings.

2. Privacy by design

We take great care to design our product with privacy in mind. And we think it is important for you to understand how we handle your information. Below is an overview of the information we collect, how it is used and when it is disclosed.

More on: privacy by design

Types of information we collect

We collect personal information from you when you register and use the site, such as your name, credit card, email and web behavior information (such as your IP address). Through the saliva sample and the survey responses you provide to us, we collect genetic, phenotypic and familial information.

How we store your information

Your personal and registration information is stored separately from any genetic information to reduce the likelihood that you could be identified. Your personal information is assigned a randomized customer identification number for identification and customer support services. Your genetic information is only identified using a barcode system.

How we keep your research details private

If you provide responses to our online surveys and opt into our research program, your genetic information is stripped of personally identifying information and transferred into our research environment where it is stored with your survey response data and is assigned a randomized research identification number.

3. Third Party Sharing

We will not sell, lease or rent your individual-level information to any third party or to a third party for research purposes without your explicit consent. However, we do use and share aggregate information with third parties in order to perform business development, initiate research, send you marketing emails and improve our services.

Aggregate information has been stripped of your personal details (e.g., your name and contact information) and aggregated with the information of others so that you cannot reasonably be identified as an individual.

More on: third party sharing

Considerations for children and incapacitated individuals

We care strongly about protecting the information of children and other individuals who do not have the legal capacity to make decisions for themselves. In the case of children, a parent or guardian may collect a saliva sample from, create an account for, and provide information related to his or her child. The parent or guardian assumes full responsibility for ensuring that the information he or she provides to 23andMe about his or her child is kept secure and that the information submitted is accurate.

When a customer has lost capacity or passed away, we will only give their account information to individuals who are legally authorised to make decisions on their behalf, such as an executor, a personal representative, or a beneficiary of a deceased's estate. The person requesting the information must complete an authorisation form and provide evidence and legal documentation indicating they are allowed to act on behalf of the individual before we will provide any information.

Law enforcement requests

We work very hard to protect your information from unauthorised access from law enforcement. However, under certain circumstances, your information may be subject to disclosure pursuant to a judicial or other government subpoena, warrant or order, or in coordination with regulatory authorities. If such a situation arises, we have to comply with valid governmental requests and we will notify the affected individual(s) unless the legal request prevents us from doing so. Our transparency report details the government requests for data we receive and how we have responded.

Insurance company requests

23andMe will not provide any person's data (genetic or non-genetic) to an insurance company.

We have been long-time supporters of legislative efforts intended to prevent genetic discrimination and to safeguard individuals' genetic privacy. In the UK, we support the Concordat and Moratorium on Genetics and Insurance. The Concordat and Moratorium on Genetics and Insurance is a voluntary agreement (‘the Concordat’) between the UK Government and the ABI (Association of British Insurers) that prevents insurance companies from accessing or using genetic test results in making insurance coverage and rate decisions. Predictive genetic tests ordered directly by consumers from commercial providers, such as 23andMe, are covered by this agreement.

Under the agreement, individuals will not be required to reveal the results of any predictive genetic test unless the test is first approved by the Genetics and Insurance Committee (GAIC).

The Concordat came into effect on 14 March 2005. The Moratorium came into effect on 1 November 2001. These policy safeguards will be in place until November 2019.

4. Security

23andMe believes genetic information, as well as the systems put in place to protect it, deserve the highest level of security.

23andMe employs software, hardware and physical security measures to protect the computers where customer data is stored. We use robust authentication methods to access our systems. Personal information and genetic data are stored in physically separate computing environments, which is in line with the industry standards for security.

It is important to note that 23andMe cannot protect your information if you share it with others. In addition, despite using the most current technical and industry guidelines for protection of your information, it is never possible to fully guarantee against breaches in security.

Please help us by submitting any issues or vulnerabilities with the 23andme.com website, product experience or applications.

More on: security

  • Security by Design. 23andMe produces secure applications by design, by following principles such as Confidentiality, Integrity and Availability. 23andMe incorporates explicit security reviews in the software development lifecycle, quality assurance testing and operational deployment. 23andMe's security controls are audited on a regular basis by a third party auditor.
  • Separation of Environments. 23andMe ensures processing, production, and research environments are separated and access is restricted.
  • Availability and Resilience. 23andMe's application components are deployed in a highly redundant configuration, in geographically distributed data centers to minimize any disruption. This ensures high availability of 23andMe services and prevents data loss of our customers' information.
  • Access Controls. At 23andMe all access is limited to authorized personnel, based on job function and roles. 23andMe access controls include multi-factor authentication, single sign-on, and follow a strict least-privileged authorization policy by default. 23andMe also uses industry standard, advanced protocols for authorization to supported internal platforms and Third-Party Apps. Furthermore, access to genetic and account information is enforced through different policies and encryption keys. That means your genetic information requires additional privileges to access.
  • Encryption. 23andMe uses industry standard security measures to encrypt sensitive personal data at rest. 23andMe also uses HTTPS by default to encrypt all data in transit.
  • Monitoring and Logging. 23andMe uses state of the art intrusion detection and prevention measures to stop any potential attacks against its networks. Monitoring and logging used at 23andMe provides real-time monitoring, correlation and analysis of logs and alerts across virtually any system implemented.
  • Vulnerability Management. 23andMe has integrated continuous vulnerability scanning in its build pipeline. In addition, regular penetration tests are conducted by third-party security experts. 23andMe has also established a program for users to report security-related issues associated with our web application. If you'd like to report an issue, click here.
  • Incident Management. 23andMe maintains a formal incident management program designed to ensure the secure, continuous delivery of its Services. We implemented our incident management program, using industry best practices, including National Institute of Standards and Technology (NIST) guidance. The incident response plans are tested regularly to ensure our teams are adequately prepared to handle any type of incident, quickly and efficiently.
  • Security Awareness and Training. 23andMe requires all of our employees to complete security and privacy training on an annual basis.

5. Research participation

23andMe offers customers the opportunity to participate in a new way of conducting research (at home and online). Participating in our research is completely voluntary. Customers can choose not to consent to research, and choosing not to participate will not impact their 23andMe experience.

More on: research participation

If you choose to consent to participate in research, your data will be used to help power the work done by 23andMe scientists or third-party researchers working with 23andMe. Consenting allows our researchers, or approved third-party researchers, to use a customer's de-identified data in aggregate for a variety of studies.

23andMe has condition-specific research communities for Lupus, Parkinson's disease and Irritable Bowel Disease (IBD). Participants in condition-specific research communities may be invited to provide an additional level of consent that enables researchers to reference their de-identified, individual-level information for ongoing research.

Other research studies may require fully identified information. In these instances, 23andMe will ask participants for explicit permission to use their fully identified, individual-level data for research.

Customers can opt in or opt out of our research at any time. If you opt out, we will discontinue using your information for research within 30 days.

Learn more about 23andMe Research here.

If you have any questions about the ways in which we use or disclose your aggregate or individual-level information, feel free to email us at privacy@23andMe.com. You can always reference our privacy statement, our terms of service and our research consent document for more specific details.
