Last Updated: June 8, 2022
What you should know about privacy at 23andMe
At 23andMe, Privacy is in our DNA.
This Privacy Statement applies to all websites owned and operated by 23andMe, including www.23andme.com, and any other websites, pages, features, or content we own or operate, and to your use of the 23andMe mobile app and any related Services.
To keep things simple, we use the same terms here as in our Terms of Service. We’ll let you know in this Privacy Statement if we have a new or different definition for a term. You should read our entire Privacy Statement, but if you only have a few minutes you can take a look at this summary.
The information 23andMe collects
We try not to speak in legalese, but there are some useful definitions we use to describe data we collect in providing the Services to you.
When we say Personal Information, we use this as a general term to refer to the different data categories we describe in this section that personally identify you. Your Personal Information can be either:
- Individual-level Information: information about a single individual, such as their genotypes, diseases or other traits or characteristics.
- De-identified Information: information that has been stripped of identifying data such that an individual cannot reasonably be identified.
Here are the types of information we collect:
- Registration Information: information you provide during account registration or when purchasing the Services, such as a name, user ID, password, date of birth, billing address, shipping address, payment information (e.g., credit card), account authentication information, or contact information (e.g., email, phone number).
- Genetic Information: information regarding your genotype (e.g., the As, Ts, Cs, and Gs at particular locations in your DNA). Genetic Information includes the 23andMe genetic data and reports provided to you as part of our Services.
- Sample Information: information regarding any sample, such as a saliva sample, that you submit for processing to be analyzed to provide you with Genetic Information, laboratory values or other data provided through our Services.
- Self-Reported Information: information you provide to 23andMe regarding your disease conditions, health-related information, traits, ethnicity, family history, or anything else you provide to us within our Service(s).
- User Content: information, data, text, software, music, audio, photographs, graphics, video, messages, or other materials, other than Genetic Information and Self-Reported Information, generated by users of 23andMe Services and transmitted, whether publicly or privately, to or through 23andMe. For example, User Content includes comments posted on our Blog or messages you send through our Services.
- Web-Behavior Information: information on how you use our Services or about the way your devices use our Services, collected through log files, cookies, web beacons, and similar technologies (e.g., device information, device identifiers, IP address, browser type, domains, page views).
Aggregate Information is different from Personal Information
Aggregate Information is not Personal Information because Aggregate Information does not contain information about a specific individual. Aggregate Information is information about a group of people where names and contact information are stripped and the remaining data is combined with that of other individuals and is analyzed or evaluated as a whole, such that no specific individual may be reasonably identified.
How we collect information
- You: We collect information you provide to us when you request or purchase Services or information from us, register with us (including when you link your account on a third-party site or platform with your 23andMe account, such as via Google or Apple), participate in forums or other activities on our sites, features, and applications, respond to surveys, visit our physical properties, call our Customer Care support line, or otherwise interact with us using one or more devices. You may provide information in a variety of ways, including by typing or using voice commands.
- Other Third Parties: We may receive information about you from other users, individuals, our corporate affiliates, or other third parties. For example, if someone gifts you a testing kit or Subscription, invites you to view their 23andMe Report, or otherwise refers you to 23andMe, we may collect information about you.
How we use your information
Now that we’ve covered the types of information we collect and how we collect it, let’s review how we may use it. As a reminder, we do not sell information, and we will not use your Genetic Information for marketing or personalized advertising without your explicit consent. If you want to dig into the details of how we use your information, check out our How We Use Your Information page.
We use your information to:
- Provide our Services, including to develop, operate, improve, maintain, and safeguard our Services
- Analyze and measure trends and usage of the Services
- Communicate with you, including to provide customer support or to share information about our Services or other offers or information we think may be relevant to you
- Personalize or contextualize our Services to you
- Enhance the safety, integrity, and security of our Services, including prevention of fraud and other unauthorized or illegal activities on our Services
- Enforce, investigate, and report conduct violating our Terms of Service or other policies
- Conduct surveys or polls, and obtain testimonials or stories about you
- Comply with our legal, licensing, and regulatory obligations
- Conduct 23andMe Research if you choose to participate
What 23andMe Research participation means for you
23andMe has an opt-in research program, meaning that for eligible customers, taking part in 23andMe Research is completely voluntary. Refer to the Main Research Consent for information to help you make an informed choice about participating. Here are key points about 23andMe Research, how Research uses personal information, and other ways we safeguard your privacy.
Before explaining how Research uses Personal Information, let’s cover a few basics:
What is 23andMe Research?
The purpose of 23andMe Research is to make new discoveries about genetics and other factors behind diseases and traits. “23andMe Research” means research activities performed by 23andMe, either independently or jointly with third parties, and overseen by an independent ethics review board (also called an Institutional Review Board or “IRB”). 23andMe Research may be sponsored by, conducted on behalf of, or in collaboration with third parties, including non-profit foundations, academic institutions or pharmaceutical companies. For more information on our academic collaborations, see Research.
What if I do not want to participate in Research?
If you are eligible to participate in Research, you choose whether to participate or not, and you can change your mind any time. Customers never need to participate in Research to use 23andMe. Nothing changes about your core 23andMe experience if you do not participate in Research. We do not use your information for Research unless you choose to specifically participate in Research.
How does 23andMe protect my information in Research?
23andMe Research analyses are conducted with information that has been stripped of your identifying Registration Information.
If you choose to consent to the Main Research Consent...
- Your de-identified Genetic Information and/or Self-Reported Information may be used for Research.
- We may use de-identified individual-level Genetic Information and Self-Reported Information internally at 23andMe for research purposes.
- We may share summaries of research results, which do not identify any particular individual, with qualified research collaborators and in scientific publications.
- We may inform you of research opportunities for which you may be eligible. We will not share individual-level Personal Information without your explicit consent. To change your preferences for these communications, go to your Account Settings.
Some participants choose to contribute in additional ways to Research. For example, you can choose to participate in Individual Level Data Sharing, or additional study-specific agreement(s). Those consents are separate and, like the Main Research Consent, you can withdraw from them anytime. You should review those specific consents for the details. Take a look at your other Research consent documents.
We appreciate the level of trust you put into us. Here’s how we do, and do not, share your information.
Who we share with:
Service providers: Our service providers help us provide our Services and act on our behalf to get things done. We implement procedures and maintain contractual terms with each service provider to protect the confidentiality and security of your Personal Information. For example, some of the things we use service providers to help us with include: order fulfillment and shipping; processing and analyzing your samples (check out the How We Use Info page to learn more!); sample storage (as we like to call it, “biobanking”); customer care support; cloud storage, IT, and security; marketing and analytics; and more.
Your sharing choices: You may direct us to share your Personal Information with friends, family members, doctors or other healthcare professionals, and/or any other individuals or entities who may or may not be using our Services, including through third party services such as social networks and third-party apps that connect to our Services. If you share your Personal Information with a third party, they may use your Personal Information differently than we do under this Privacy Statement. Please make such choices carefully and review the privacy policies of all other third parties involved.
Commonly owned entities, affiliates and change of ownership: If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity. We may also disclose Personal Information about you to our corporate affiliates to help operate our services and our affiliates’ services.
Third parties related to law, harm, and the public interest: We can’t say it enough – 23andMe will not provide information to law enforcement or regulatory authorities unless required by law to comply with a valid court order, subpoena, or search warrant for Genetic or Personal Information. We require all law enforcement inquiries to follow a valid legal process, such as a court order or search warrant, and are prepared to exhaust available legal remedies to protect customer privacy. If we are compelled to disclose your Personal Information to law enforcement or regulatory authorities, we will try our best to provide you with prior notice, unless we are prohibited from doing so under the law.
23andMe will preserve and disclose any and all information if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (a) comply with legal or regulatory process (such as a judicial proceeding, court order, or government inquiry) or obligations that 23andMe may owe pursuant to ethical and other professional rules, laws, and regulations; (b) enforce the 23andMe Terms of Service and other policies; (c) respond to claims that any content violates the rights of third parties; or (d) protect the rights, property, or personal safety of 23andMe, its employees, officers, directors, contractors or other personnel, its users, and the public. Nothing in this Privacy Statement is intended to limit any legal defenses or objections that you may have to a third party’s, including a government’s, request to disclose your Personal Information.
Who we DO NOT share with:
You can rest assured, we will not voluntarily share your Personal Information with:
- Public databases
- Insurance companies or employers
- Law enforcement or regulatory authorities (Check out our track record on this promise in our Transparency Report)
Your privacy settings and controls
It’s your data, and we make it easy to make decisions and choices about it. Below are the types of controls you have in your Account Settings and we’ve listed what it means to opt-out or to opt-in:
Storing your sample
- Opt-out: No, I do not want my sample stored. If you choose to discard your sample, it will be securely destroyed after the lab completes its analysis, subject to laboratory legal and regulatory requirements. Note, a discard choice cannot be reversed.
- Opt-in: Yes, I want my sample stored. Learn more about Biobanking.
Viewing your health reports
- Opt-out: No, I do not want to receive my health reports.
- Opt-in: Yes, I do want to receive Genetic Health Risk and Carrier Status reports, as well as other reports (e.g., Pharmacogenetics reports) if available.
- Opt-out: No, I do not want to share my information with genetic relatives or other users via features like DNA Relatives or My Connections.
- Opt-in: Yes, I want to be able to share my information so I can discover genetic relatives or connect with others.
- Opt-out: Please don’t contact me for product or promotional purposes. In addition to changing your preferences via Account Settings or your device, you can also click the “unsubscribe” button at the bottom of promotional email communications.
- Opt-in: Yes, you can contact me (such as through email, in-product notifications, or push notifications) for product or promotional purposes.
- Opt-out: I don’t want to participate in 23andMe Research. If you experience difficulties changing your consent status in Account Settings, contact the Human Protections Administrator at hpa@23andMe.com. You can change your mind any time about your participation, however any Research involving your data that has already been performed or published prior to your withdrawal from 23andMe Research will not be reversed, undone, or withdrawn.
- Opt-in: Yes, I’d like to participate in 23andMe Research.
You can also:
Access & Download: You can access and download your Personal Information processed by 23andMe. Please note, if you lose access to your 23andMe Account, we require that you submit additional information to verify your identity before providing access or otherwise releasing information to you.
Correct Information: You can correct your Registration Information and modify Self-Reported Information entered into surveys.
Delete your Account: You can delete your 23andMe account within your Account Settings at any time. Upon account deletion, we will automatically opt you out of Research and discard your sample.
Keep in mind this process cannot be cancelled, undone, withdrawn, or reversed. For exact instructions, please read our Customer Care guidance.
Other things to know about privacy
We implement physical, technical, and administrative measures aimed at preventing unauthorized access to or disclosure of your Personal Information. Our team regularly reviews and improves our security practices to help ensure the integrity of our systems and your Personal Information. To learn more about our practices, please visit our Customer Care guidance.
Please recognize that protecting your Personal Information is also your responsibility. Be mindful of keeping your password and other authentication information safe from third parties, and immediately notify 23andMe of any unauthorized use of your login credentials. Your password is not visible to 23andMe staff, and we encourage you not to share your password with 23andMe or any third parties. 23andMe cannot secure Personal Information that you release on your own or that you request us to release.
Third Party Content and Integrations
Our Services may contain third party content, integrations or links to third party websites operated by organizations not affiliated with 23andMe. Through these integrations, you may be providing information to the third party as well as to 23andMe. Since we can only control our own Services, we are not responsible for how those third parties collect or use your information so please review the privacy policies of every third-party service that you visit or use, including those third parties you interact with through our Services.
State and Region-Specific Information
You may have specific privacy rights in your state or region. For example, in the United States, residents of California and other states have specific privacy rights, as do residents of the European Economic Area (EEA), the UK, Switzerland and other jurisdictions.
Legal Retention Requirements
23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations, including the federal Clinical Laboratory Improvement Amendments of 1988 (CLIA), California Business and Professions Code Section 1265 and College of American Pathologists (CAP) accreditation requirements. 23andMe will also retain limited information related to your account and data deletion request, including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements for a limited period of time as required by law, contractual obligations, and/or as necessary for the establishment, exercise or defense of legal claims and for audit and compliance purposes.
Changes to this Privacy Statement
We may make changes to this Privacy Statement from time to time. We’ll let you know about those changes here or by reaching out to you via email or some other contact method, such as through in-app notification, or on another website page or feature.
If you have questions about this Privacy Statement, or have a complaint or inquiry, please email 23andMe’s Privacy Administrator at firstname.lastname@example.org, call us at 1.800.239.5230, or send a letter to:
349 Oyster Pt. Blvd
South San Francisco CA 94080