These “privacy highlights” provide an overview of some core components of our data handling practices. Please be sure to read our full privacy statement.
CONSENT TO THE USE OF SENSITIVE INFORMATION
- We use information in general (i) to provide, analyze and improve our Services, (ii) as we reasonably believe is permitted by laws and regulations, including for marketing and advertising purposes, (iii) to protect the security and safety of our company, employees, customers as we reasonably believe permitted by laws and regulations, (iv) to comply with laws and regulations we are subject to.
By agreeing to our Privacy Statement and Terms of Service, you consent to sensitive information, such as information about your health, Genetic Information, and Self-Reported Information such as racial and ethnic origin and sexual orientation (where you provide it) being used by us to:
- analyze and provide you with our Services;
- analyze and provide you with information about your ancestry;
- determine whether you would be suitable to take part in surveys, polls or questionnaires that we are conducting; and
- monitor and improve existing products or services that we offer or develop new products and services.
We will not use your sensitive information without your consent unless: (i) the information has been anonymized or aggregated so that you cannot reasonably be identified as an individual; or (ii) a legal obligation requires us to use it in some way e.g. a court order requires us to disclose the information.
CONSENT TO THE TRANSFER OF YOUR PERSONAL INFORMATION
- By agreeing to our Privacy Statement and Terms of Service, you consent to the storing and processing of your personal information, including sensitive information, in the USA and countries outside of the country you live in. We use a range of measures to safeguard information but these countries may have laws that are different from those of your country of residence. You also consent to your personal information, including sensitive information, being transferred in the event of a business transition such as a merger, acquisition by another company, or other transaction or proceeding. In such a case, your information would be used as set out in any pre-existing Privacy Statement.
- We will not sell, lease, or rent your individual-level information (i.e., information about a single individual’s genotypes, diseases or other traits/characteristics) to any third party or to a third party for research purposes without your explicit consent.
- We give you the ability to share information with other individuals through features like DNA Relatives. You will always need to take a positive action to share your information, for example, DNA Relatives is subject to an opt-in requirement before we share your information with potential relative matches.
- You may independently decide to disclose your information to friends and/or family members, doctors, health care professionals, or other individuals outside our Services, including through third party services such as social networks and third-party apps that connect to our website and mobile apps through our application programming interface (“API”); always review the privacy policies of third-party apps and services before sharing your information.
- We may share anonymized and aggregate information with third parties; anonymized and aggregate information is any information that has been stripped of your name and contact information and aggregated with information of others or anonymized so that you cannot reasonably be identified as an individual.
- We will use your information and share it with third parties for scientific research purposes only if you sign a Consent Document. Note that we will disclose your individual-level information only if we obtain additional explicit consent from you.
- There may be some consequences of using 23andMe Services that you haven’t thought of; you should read our guide of the surprising things you may find out from using the service before submitting your saliva sample and personal information.
- If you have any questions about our privacy practices, please email us at email@example.com or send a letter to the address provided at the bottom of our full privacy statement.
Full Privacy Statement
- We collect and handle information (i) to provide, analyze and improve our Services, (ii) as we reasonably believe is permitted by laws and regulations, such as for marketing and advertising purposes, and (iii) as reasonably necessary to comply with laws and regulations, and to protect the security and safety of our company, employees, customers and others.
- We will not sell, lease, or rent your individual-level information (i.e., information about a single individual’s genotypes, diseases or other traits/characteristics) to any third party or to a third party for research purposes without your explicit consent.
- We understand and respect the sensitive nature of the information you may provide to us, including information about your genetic characteristics, disease conditions, racial and ethnic origin, etc. To that end, we strive to be transparent in our collection, use and disclosure of this information and to ask for your explicit consent to share such sensitive information with third parties. Please see below to learn more about our sharing and consent practices.
- We are committed to providing a secure and safe environment for our Services.
Please review this Privacy Statement and our Terms of Service. By using our Services, you agree to all of the policies and procedures described in the foregoing documents. 23andMe, Inc. is headquartered at 1390 Shorebird Way, Mountain View, CA 94043 and is referred to herein as 23andMe (or “we,” “us,” “our”) and includes all of our commonly owned companies.
1. What information we collect
- Information you provide directly to us
- Registration Information. When you register an account with us or purchase our Services, we collect personal information, such as your name, billing and shipping address, payment information (e.g., credit card) and contact information such as your email and phone number.
- Self-Reported Information. You have the option to provide us with additional information about yourself through surveys, forms, features or applications. For example, you may provide us with information about your personal traits (e.g., eye color, height), ethnicity, disease conditions (e.g. Type 2 Diabetes), other health-related information (e.g. pulse rate, cholesterol levels, visual acuity), and family history information (e.g. information similar to the foregoing about your family members). Where you are disclosing information about a family member, you should make sure that you have permission from the family member to do so.
- User Content. Some of our Services allow you to create and post or upload content, such as data, text, software, music, audio, photographs, graphics, video, messages, or other materials that you create or provide to us through either a public or private transmission (“User Content”). For example, User Content includes any post or message you place on 23andMe’s community forums.
- Testimonials. We may post customer testimonials either on our website or in other online or offline formats. Customer testimonials may contain personal information and it is our policy to request consent from customers in advance of using testimonials. If you wish to update or delete your testimonial, you can contact us at firstname.lastname@example.org.
- Referral Information and Sharing. When you refer a person to 23andMe or choose to share results information with another person, we will ask for that person’s email address. We will use the email address solely, as applicable, to make the referral or to share your results information, and we will let your contact know that you requested the communication. By participating in a referral program or by choosing to share information with another person, you confirm that the person has given you consent for 23andMe to communicate (e.g., via email) with him or her. For more information on our referral program, see here.
- Address books. If you choose to use your computer’s or mobile device’s address book in connection with our Services to make referrals or to request that we communicate with another person, we may collect the names and contact information of those persons for these purposes only.
- Third-party services (e.g., social media). If you use a third-party site, such as Facebook or Twitter, in connection with our Services to communicate with another person (e.g., to make or post referrals or to request that we communicate with another person), then in addition to that person’s name and contact information, we may also collect other information (e.g., your profile picture, network, gender, username, user ID, age range, language, country, friends lists or followers) depending on your privacy settings on the third-party site. We do not control third-party site’s information practices, so please review their privacy policies and your settings on those sites carefully.
- Gifts. If you provide us personal information about others, or if others give us your information for purposes of ordering the Service as a gift, we will only use that information for the specific reason for which it was provided to us. Once a gift recipient registers for his or her Services and agrees to our Privacy Statement, our Terms of Service, and if applicable, Consent Document, his or her information will be used consistent with this Privacy Statement and those agreements, and we will not share any of the gift recipient’s personal information with the user who purchased the gift.
- Customer service. When you contact our Customer Care center or correspond with us about our Service, we collect information to: track and respond to your inquiry; investigate any breach of our Terms of Service, Privacy Statement or applicable laws or regulations; and analyze and improve our Services.
- Information related to our genetic testing services
- Saliva sample and bio-banking. To use our genetic testing services, you must purchase, or receive as a gift, a 23andMe Personal Genome Service® testing kit, register an online account, and ship your saliva sample to our third-party laboratory. Once received, your saliva sample will be identified by its unique barcode, along with your gender and your date of birth. The barcode label identifies you to us but not to our third-party laboratory. Unless you choose to store your sample with 23andMe (called “bio-banking”), your saliva samples and DNA are destroyed after the laboratory completes its work, unless the laboratory’s legal and regulatory requirements require it to maintain physical samples.
- Genetic Information. Genetic Information refers to features of your DNA that distinguish you from other people (e.g. the As, Ts, Cs, and Gs at particular locations in your genome) and is generated when we analyze and process your saliva sample, or when you otherwise contribute or access your Genetic Information through our Services. Genetic Information includes the 23andMe Results information reported to you as part of our Services, and may be used for other purposes, as outlined in Section 2 below.
- Information collected through tracking technology (e.g. from cookies and similar technologies)
As is true of most web sites, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. We may combine this automatically collected log information with other information we collect about you, such as your user profile ID or order number. We do this to improve services we offer you, and to improve marketing, analytics, and site functionality.
Third parties with whom we partner to provide certain features on our site or to display advertising based upon your Web browsing activity use Flash Cookies (Local Shared Objects) to collect and store information. To learn how to manage privacy and storage settings for Flash cookies click here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html#117118
- Other Types of Information.
We are always working to enhance our Services with new products, applications and features that may result in the collection of new and different types of information. We will update our privacy statement, as needed.
2. How we use and share information
- Using information to provide, analyze and improve our Services
We use the information described above in Section 1 to operate, provide, analyze and improve our Services. These activities may include, among other things, using your information in a manner consistent with other commitments in this privacy statement, to:
- open your account, enable purchases and process payments, communicate with you, and implement your requests (e.g., referrals);
- host our website, run our mobile application(s), authenticate your visits, provide custom, personalized content and information, and track your usage of our Services;
- conduct analytics to improve and enhance our Services;
- offer new products or services to you, including through emails, promotions or contests;
- implement online marketing campaigns and targeted advertising, including by utilizing third party ads (subject to your cookie settings and preferences), and to measure the effectiveness of our marketing and targeted advertising;
- conduct surveys or polls, and obtain testimonials;
- process and deliver your genetic testing results;
- perform research & development activities, which may include, for example, conducting data analysis and research in order to develop new or improve existing products and services, and performing quality control activities.
You may be able to opt-in, opt-out or otherwise adjust your preferences of having your information used for certain of these activities. Please see below to learn more.
- Information you choose to share with others
23andMe gives you the ability to share information with other individuals who have 23andMe accounts through (i) our community forums, (ii) relative finding features (e.g., “DNA Relatives”), and (iii) other sharing features (such information is “User Content”). Please refer to your settings. You may be required to opt-in to some of this sharing, but some features require an opt-out. For example, we provide the ability to opt-in to our ancestry DNA Relatives Database where your information will be shared with potential relative matches. Alternatively, if you were participating in the DNA Relatives Database you may opt-out or change the visibility of your profile data by visiting your Settings. Also, please note that certain types of your User Content may be viewable by other 23andMe users and once posted, you may not be able to delete or modify such content.
You may decide to disclose your personal information to friends and/or family members, doctors or other health care professionals, and/or other individuals outside of our Services, including through third-party services such as social networks and third-party apps that connect to our website and mobile apps through our application programming interface (“API”). These third parties may use your personal information differently than we do under this Privacy Statement. Please make such choices carefully and review the privacy policies of all other third parties involved in the transaction. For example, if you have enabled a 23andMe sharing feature with another person who downloads a third-party app that uses our API, your information may also be obtained by that third-party app developer and, potentially, by other users of that third-party app.
In general, personal information, once shared or disclosed, can be difficult to contain or retrieve. 23andMe will have no responsibility or liability for any consequences that may result because you have released or shared personal information with others. Likewise, if you are reading this because you have access to the personal information of a 23andMe customer through a multi-profile account, we urge you to recognize your responsibility to protect the privacy of each person within that account. It is incumbent upon all users to share personal information and account access only with people they know and trust. Users with multi-profile accounts (e.g., where family member accounts are linked) should use caution in setting profile-level privacy settings.
- Information we share with third parties
- General service providers. We share the information described above in Section 1 with our service providers, as necessary to provide their services to us. Service providers are third parties (other companies or individuals) that help us to provide, analyze and improve our Services. For example, we work with third-party laboratories and contractors to process and analyze your saliva sample for purposes of generating your Genetic Information.
NOTE: Our service providers act on 23andMe’s behalf. While we implement procedures and contractual terms to protect the confidentiality and security of your information, we cannot guarantee the confidentiality and security of your information due to the inherent risks associated with storing and transmitting data electronically.
For example, to learn more about our third-party laboratories, click here.
When you purchase a testing kit from 23andMe, you are instructed to send a saliva sample to our third-party laboratory with a unique barcode label. The unique barcode identifies you to us but not to the laboratory. We are also required to provide to the laboratory, your sex/gender and date of birth or age pursuant to clinical laboratory requirements such as the Clinical Laboratory Improvement Amendments (CLIA). No other Registration Information (such as your name, address, email, phone number or other contact information) is required or provided to the laboratory. The receiving personnel at the laboratory will remove and discard your “sender information” from the packaging (e.g., name, address) before testing personnel receive the samples for processing. Receiving personnel do not perform testing, and testing personnel handle saliva samples that are labeled only with the unique barcode. Unless you choose to store your sample, DNA and saliva samples are destroyed after the laboratory completes its work, provided that laboratory legal and regulatory requirements no longer require the actual samples to be maintained. The laboratory securely sends the resulting Genetic Information to us along with your unique barcode. Genetic Information is stored securely on our servers; the laboratory also stores your Genetic Information, but again, labeled only with the barcode.
If you wish to not have this information used for the purpose of serving you targeted ads, you may be able to opt-out of many advertising networks by visiting here and here (if you are located in Canada, click here; or if you are located in the European Union click here). Please note this does not mean that you have opted-out of being served advertising. You will continue to receive generic ads.
- Aggregate information. We may share aggregate information with third parties, which is any information that has been stripped of your Registration Information (e.g., your name and contact information) and aggregated with information of others so that you cannot reasonably be identified as an individual (“Aggregate Information”). This Aggregate Information is different from “individual-level” information. Individual-level Genetic Information or Self-Reported Information consists of data about a single individual’s genotypes, diseases or other traits/characteristics information. For example, Aggregate Information may include a statement that “30% of our female users share a particular genetic trait,” without providing any data or testing results specific to any individual user. We may provide such Aggregate Information in commercial arrangements with our business partners. In contrast, individual-level Genetic Information could reveal whether a specific user has a particular genetic trait, or all of the Genetic Information about that user. 23andMe will ask for your consent to share individual-level Genetic Information or Self-Reported Information with any third party, other than our service providers as necessary for us to provide the Services to you.
- Information we share with commonly owned entities. We may share some or all of your information with other companies under common ownership or control of 23andMe, which may include our subsidiaries, our corporate parent, or any other subsidiaries owned by our corporate parent. We may provide additional notice and ask for your consent if we wish to share your information with our commonly owned entities in a materially different way than discussed in this Privacy Statement.
- Information we share with third parties with your consent
23andMe conducts research and works with public, private, and government partnerships to develop research and advance genetic understanding. With your consent, 23andMe may share aggregate or individual-level Genetic Information, Self-Reported Information, and Web Behavior Information with other parties for various purposes.
23andMe Research. “23andMe Research” refers to scientific research conducted by 23andMe or by third parties in collaboration with 23andMe with the goal of advancing genetic knowledge and to create, commercialize, and apply this new knowledge to the improvement of health care. 23andMe Research may study a specific group or population and may build upon existing scientific knowledge. At times, this research is conducted with the intent to publish findings in a peer-reviewed scientific journal, and may be funded by the federal government. 23andMe Research involves the use and analysis of aggregate or individual-level Genetic Information, Self-Reported Information and Web Behavior Information as specified in the Consent Document.
- Consent process for 23andMe Research. Your Genetic, Self-Reported and Web Behavior Information may be used for 23andMe Research only if you have consented to this use by completing a Consent Document. If you have completed a Consent Document:
- 23andMe may use individual-level Genetic Information, Self-Reported Information and Web Behavior Information internally at 23andMe for research purposes. 23andMe may use this information to publish the results of the research in peer-reviewed scientific journals. In addition, we may allow select third party research contractors to access your individual level Genetic and/or Self-Reported Information onsite at 23andMe’s offices for the purpose of conducting scientific research, provided that all such research contractors will be supervised by 23andMe and subject to 23andMe’s access rules and guidelines.
- 23andMe may disclose Aggregate Information (including aggregate Genetic Information, Self-Reported Information and Web Behavior Information) to third-party research partners in accordance with the terms of our research Consent Document(s). Disclosure of individual-level information to third party research partners will occur only if we have obtained additional explicit consent from you, which may be requested as part of a particular research study. These research partners may include commercial or non-profit organizations that conduct or support scientific and medical research and/or conduct or support the development of drugs or devices to diagnose, predict, or treat health conditions. These research partners may publish the results of their research in peer-reviewed scientific journals.
- When your Genetic Information, Self-Reported Information and/or Web Behavior Information is being used for research purposes (whether internally by 23andMe researchers, shared in aggregate or individual-level form with third parties, or used by third party researchers onsite at 23andMe), it will never be combined with your Registration Information.
- Withdrawing your Consent. You may withdraw your consent to participate in 23andMe Research at any time by changing your consent status on your 23andMe Account Settings page, or by sending a request to the Human Protections Administrator at hpa@23andMe.com. 23andMe will not include your Genetic Information, Self-Reported Information or Web Behavior Information in new 23andMe Research occurring after 30 days from the receipt of your request. Any research involving your data that has already been performed or published prior to our receipt of your request will not be reversed, undone, or withdrawn. You may also discontinue your participation in 23andMe Research by closing your Personal Genome Service account. If you withdraw your consent for 23andMe Research your Genetic Information and Self-Reported Information may still be used by us and shared with our third-party service providers to provide and improve our Services (as described in Sections 2.a and 2.b, above), and shared as Aggregate Information that does not identify you as an individual (as described above in Section 2.c).
- What happens if you do NOT consent to 23andMe Research? If you do not complete a Consent Document or any additional consent agreement with 23andMe, your information will not be shared or used for 23andMe Research. However, your Genetic Information and Self-Reported Information may still be used by us and shared with our third-party service providers to provide and improve our Services (as described in Section 2.a and 2.b, above), and shared as Aggregate Information that does not identify you as an individual (as described in Section 2.c, above).
- Disclosures required by law
Under certain circumstances your information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities. 23andMe will preserve and disclose any and all information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (a) comply with legal or regulatory process (such as a judicial proceeding, court order, or government inquiry) or obligations that 23andMe may owe pursuant to ethical and other professional rules, laws, and regulations; (b) enforce the 23andMe Terms of Service and other policies; (c) respond to claims that any content violates the rights of third parties; or (d) protect the rights, property, or personal safety of 23andMe, its employees, its users, its clients, and the public.
NOTE: If you are participating in 23andMe Research, 23andMe will withhold disclosure of your personal information involved in such research in response to judicial or other government subpoenas, warrants or orders in accordance with any applicable Certificate of Confidentiality that 23andMe has obtained from the National Institutes of Health (NIH). There are limits to what the Certificate of Confidentiality covers so please visit the Certificates of Confidentiality Kiosk (http://grants.nih.gov/grants/policy/coc/index.htm).
3. Your choices
- Access to your account
If your Registration Information changes, you may access, correct or update most of it from your Account Settings page. You may also modify and delete certain of your information, or update your consent status and biobanking options. You may be able to correct or reset Self-Reported Information entered into a survey, form, or feature from your account on the surveys page. If the feature does not enable you to correct or reset information, you may do so by contacting Customer Care. Please note that you may not be able to delete User Content that has been shared with others through the Service and that you may not be able to delete information that has been shared with third parties, though we can work with you to prohibit your data from being shared with third parties in the future. We will respond to your request to access within 30 days.
- Marketing communications
By registering for an account, you are agreeing that we may send you promotional emails about our Services. You can opt-out of receiving certain messages or notifications from us by visiting your Account page (go to Account, Settings, Notifications) or by contacting our Privacy Administrator at privacy@23andMe.com. You can also click the “unsubscribe” button at the bottom of promotional email communications. Please note that you may not opt-out of receiving non-promotional messages regarding your account, such as technical notices, purchase confirmations, or Service-related emails.
- Account closure
If you no longer wish to participate in our Services or no longer wish to have your personal information be used, you may close your account by sending a request to Customer Care. When closing an account, we remove all Genetic Information within your account (or profile) within thirty (30) days of our receipt of your request. As stated in any applicable Consent Document, however, Genetic Information and/or Self-Reported Information that you have previously provided and for which you have given consent to use in 23andMe Research cannot be removed from ongoing or completed studies that use the information. Our contracted genotyping laboratory may also retain your Genetic Information as required by local law and we may retain backup copies for a limited period of time pursuant to our data protection policies. In addition, we retain limited Registration Information related to your order history (e.g., name, contact, and transaction data) as long as your account is active or as needed to provide you services, as well as for accounting, audit and compliance purposes.
4. Important Information
23andMe, Inc. has received TRUSTe's Privacy Seal signifying that this privacy statement and our practices have been reviewed for compliance with the TRUSTe program viewable on the validation page available by clicking the TRUSTe seal. The TRUSTe program covers only information that is collected through this Web site, www.23andme.com and through our mobile application.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact TRUSTe here.
- Safe Harbor
23andMe complies with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union (EU) member countries and Switzerland. 23andMe has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view 23andMe’s certification, please visit: http://www.export.gov/safeharbor/.
- Security measures
23andMe takes seriously the trust you place in us. To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of information, 23andMe uses a range of physical, technical, and administrative measures to safeguard your Personal Information. In particular, all connections to and from our website and mobile application are encrypted using Secure Socket Layer (SSL) technology.
Please recognize that protecting your Personal Information is also your responsibility. We ask you to be responsible for safeguarding your password, secret questions and answers, and other authentication information you use to access our Services. You should not disclose your authentication information to any third party and should immediately notify 23andMe of any unauthorized use of your password. 23andMe cannot secure Personal Information that you release on your own or that you request us to release.
Your information collected through the Service may be stored and processed in the United States or any other country in which 23andMe or its subsidiaries, affiliates or service providers maintain facilities and, therefore, your information may be subject to the laws of those other jurisdictions which may be different from the laws of your country of residence.
- Business transactions
In the event that 23andMe goes through a business transition such as a merger, acquisition by another company, or sale of all or a portion of its assets, your information will likely be among the assets transferred. In such a case, your information would remain subject to the promises made in any pre-existing Privacy Statement.
- Linked websites
23andMe provides links to third-party websites operated by organizations not affiliated with 23andMe. 23andMe does not disclose your information to organizations operating such linked third-party websites. 23andMe does not review or endorse, and is not responsible for, the privacy practices of these organizations. We encourage you to read the privacy statements of each and every website that you visit. This Privacy Statement applies solely to information collected by 23andMe.
- Children’s privacy
23andMe is committed to protecting the privacy of children as well as adults. Neither 23andMe nor any of its Services are designed for, intended to attract, or directed toward children under the age of 13. A parent or guardian, however, may collect a saliva sample from, create an account for, and provide information related to, his or her child. The parent or guardian assumes full responsibility for ensuring that the information that he/she provides to 23andMe about his or her child is kept secure and that the information submitted is accurate.
- Changes to this Privacy Statement
Whenever this Privacy Statement is changed in a material way, a notice will be posted as part of this Privacy Statement and on our customers’ account login pages for 30 days. After 30 days the changes will become effective. In addition, all customers will receive an email with notification of the changes prior to the change becoming effective.
5. Contact Information
If you have questions about this Privacy Statement, please email 23andMe’s Privacy Administrator at email@example.com, or send a letter to:
1390 Shorebird Way
Mountain View, CA 94043
*This Privacy Statement was last updated on Nov 13, 2014.