Five key ways we ensure your privacy
The information presented here is meant to be a general guide to our privacy and security practices. For specific details about our practices, see our privacy statement, terms of service, research consent document, sample storage consent document and frequently asked questions.
We're committed to complying with the EU's new data protection law, referred to as the GDPR. Visit our GDPR page to learn about our data protection approach.
Please contact us at privacy@23andMe.com if you have questions.
1. Meaningful Choice
23andMe gives you control over your genetic information. We want you to decide how your information is used and with whom it is shared.Learn about your choices
More on: meaningful choice
You decide how your information is stored, used and shared.
There are several important decisions you can make:
- Whether or not to store your saliva sample
- If you wish your account to be visible to other 23andMe members
- If you want to participate in our DNA Relatives tool connecting you with both known and unknown close and distant relatives
Your decisions concerning how your information is stored, used and shared can be changed at any time. Go to "account settings" when you are logged into your 23andMe account. For a more detailed description about these settings, see our terms of service, account settings: privacy/consent, and DNA Relatives: privacy settings .
2. Privacy by design
We take great care to design our product with privacy in mind. And we think it is important for you to understand how we handle your information. Below is an overview of the information we collect, how it is used and when it is disclosed.Learn what we do with your information
More on: privacy by design
Types of information we collect
We collect personal information from you when you register and use the site, such as your name, credit card, email and web behavior information (such as your IP address). Through the saliva sample and the survey responses you provide to us, we collect genetic, phenotypic and familial information.
How we store your information
Your personal and registration information is stored separately from any genetic information to reduce the likelihood that you could be identified. Your personal information is assigned a randomized customer identification number for identification and customer support services. Your genetic information is only identified using a barcode system.
How we keep your research details private
If you provide responses to our online surveys and opt into our research program, your genetic information is stripped of personally identifying information and transferred into our research environment where it is stored with your survey response data and is assigned a randomized research identification number.
3. Third Party Sharing
We will not sell, lease or rent your individual-level information to any third party or to a third party for research purposes without your explicit consent. However, we do use and share aggregate information with third parties in order to perform business development, initiate research, send you marketing emails and improve our services.
Aggregate information has been stripped of your personal details (e.g., your name and contact information) and aggregated with the information of others so that you cannot reasonably be identified as an individual.See how we share
More on: third party sharing
We care strongly about protecting the information of children and other individuals who do not have the legal capacity to make decisions for themselves. In the case of children, a parent or guardian may collect a saliva sample from, create an account for, and provide information related to his or her child. The parent or guardian assumes full responsibility for ensuring that the information he or she provides to 23andMe about his or her child is kept secure and that the information submitted is accurate.
When a customer has lost capacity or passed away, we will only give their account information to individuals who are legally authorized to make decisions on their behalf, such as an executor, a personal representative, or a beneficiary of a deceased's estate. The person requesting the information must complete an authorization form and provide evidence and legal documentation indicating they are allowed to act on behalf of the individual before we will provide any information.
We work very hard to protect your information from unauthorized access from law enforcement. However, under certain circumstances, your information may be subject to disclosure pursuant to a judicial or other government subpoena, warrant or order, or in coordination with regulatory authorities. If such a situation arises, we have to comply with valid governmental requests and we will notify the affected individual(s) unless the legal request prevents us from doing so. Our transparency report details the government requests for data we receive and how we have responded.
23andMe will not provide any person's data (genetic or non-genetic) to an insurance company or employer.
We have been long-time supporters of legislative efforts intended to prevent genetic discrimination and to safeguard individuals' genetic privacy. In the US, we were active in the development of the Genetic Information Nondiscrimination Act (GINA) enacted in 2008. In addition, we were an active supporter of S-201 in Canada.
23andMe believes genetic information, as well as the systems put in place to protect it, deserve the highest level of security.
23andMe employs software, hardware and physical security measures to protect the computers where customer data is stored. We use robust authentication methods to access our systems. Personal information and genetic data are stored in physically separate computing environments, which is in line with the industry standards for security.
It is important to note 23andMe cannot protect your information if you share it with others. In addition, despite using the most current technical and industry guidelines for protection of your information, it is never possible to fully guarantee against breaches in security.
Please help us by submitting any issues or vulnerabilities with the 23andme.com website, product experience or applications.Learn more about our security practices
More on: security
- Security by Design. 23andMe produces secure applications by design, by following principles such as Confidentiality, Integrity and Availability. 23andMe incorporates explicit security reviews in the software development lifecycle, quality assurance testing and operational deployment. 23andMe's security controls are audited on a regular basis by a third party auditor.
- Separation of Environments. 23andMe ensures processing, production, and research environments are separated and access is restricted.
- Availability and Resilience. 23andMe's application components are deployed in a highly redundant configuration, in geographically distributed data centers to minimize any disruption. This ensures high availability of 23andMe services and prevents data loss of our customers' information.
- Access Controls. At 23andMe all access is limited to authorized personnel, based on job function and roles. 23andMe access controls include multi-factor authentication, single sign-on, and follow a strict least-privileged authorization policy by default. 23andMe also uses industry standard, advanced protocols for authorization to supported internal platforms and Third-Party Apps. Furthermore, access to genetic and account information is enforced through different policies and encryption keys. That means your genetic information requires additional privileges to access.
- Encryption. 23andMe uses industry standard security measures to encrypt sensitive personal data at rest. 23andMe also uses HTTPS by default to encrypt all data in transit.
- Monitoring and Logging. 23andMe uses state of the art intrusion detection and prevention measures to stop any potential attacks against its networks. Monitoring and logging used at 23andMe provides real-time monitoring, correlation and analysis of logs and alerts across virtually any system implemented.
- Vulnerability Management. 23andMe has integrated continuous vulnerability scanning in its build pipeline. In addition, regular penetration tests are conducted by third-party security experts. 23andMe has also established a program for users to report security-related issues associated with our web application. If you'd like to report an issue, click here.
- Incident Management. 23andMe maintains a formal incident management program designed to ensure the secure, continuous delivery of its Services. We implemented our incident management program, using industry best practices, including National Institute of Standards and Technology (NIST) guidance. The incident response plans are tested regularly to ensure our teams are adequately prepared to handle any type of incident, quickly and efficiently.
- Security Awareness and Training. 23andMe requires all of our employees to complete security and privacy training on an annual basis.
5. Research participation
23andMe offers customers the opportunity to participate in a new way of conducting research (at home and online). Participating in our research is completely voluntary. Customers can choose not to consent to research, and choosing not to participate will not impact their 23andMe experience.Learn more about research
More on: research participation
If you choose to consent to participate in research, your data will be used to help power the work done by 23andMe scientists or third-party researchers working with 23andMe. Consenting allows our researchers, or approved third-party researchers, to use a customer's de-identified data in aggregate for a variety of studies.
23andMe has condition-specific research communities for Lupus, Parkinson's disease and Irritable Bowel Disease (IBD). Participants in condition-specific research communities may be invited to provide an additional level of consent that enables researchers to reference their de-identified, individual-level information for ongoing research.
Other research studies may require fully identified, information. In these instances, 23andMe will ask participants for explicit permission to use their fully identified, individual-level data for research.
Customers can opt in or opt out of our research at any time. If you opt out, we will discontinue using your information for research within 30 days.
Learn more about 23andMe Research here.
Information that has been stripped of your registration information (e.g., your name and contact information) and aggregated with information of others so, that you cannot reasonably be identified as an individual.
Aggregate information is different from "individual-level" information. Individual-level genetic information or self-reported information consists of data about a single individual's genotypes, diseases or other traits and characteristics.