Your 23andMe Data

23andMe is committed to GDPR compliance through our robust data privacy and security protections. This page, our full privacy statement, terms of service, research consent document, sample storage consent document and frequently asked questions all provide information meant to help you understand our practices. If you have questions, please contact us at privacy@23andMe.com.

Step One

1. When, how, and why your data is processed.

23andMe is committed to being transparent about the kinds of information we collect, the reasons we collect it, and how it is used.

For a full overview of 23andMe's processing activities, please review our privacy statement. To change your cookie settings, please visit our cookie policy.

23andMe generally processes Personal Information for the following purposes:

  • Complete kit purchase(s).
  • Create an account and register kit(s) to that account.
  • Market and advertise our products and promotions.
  • Perform website maintenance, usage, and analytics, as well as network and infrastructure security.

We generally process sensitive personal information, including genetic information, and other personal information in order to:

  • Process your sample at our contracted lab.
  • Compute and populate your reports.
  • Maintain and develop your account's tools, features, and functionality.
  • Participate in 23andMe Research.
  • Assist you through our Customer Care channel.

Step Two

2. Accessing, downloading, and deleting your data.

At its core, the GDPR is about enabling individuals to find out what Personal Information we hold about them, why we hold it, and who we disclose it to.

As a 23andMe customer, you can access and download your data from within your account. Specifically, you can:

  • Access and download your 23andMe reports, genetic data, self-reported survey data, and other Personal Information at any time within your account.
  • Request a copy of your Personal Information processed by 23andMe's third party service providers. We work with these third party service providers to provide, analyze, and improve our Service.
  • Learn more about accessing and downloading your data here or contact privacy@23andme.com for further assistance.

You can delete your 23andMe account and data from within your account settings at any time. Once you submit and confirm your request, we will delete your data. Data deletion is permanent and cannot be canceled, undone, withdrawn, or reversed. Learn more about deleting your Personal Information here or contact privacy@23andme.com for further assistance.

23andMe customers in the EU have additional rights under the GDPR, including the right to object to the processing of their Personal Information, to restrict the processing of their Personal Information, and to rectify inaccurate or incomplete Personal Information. You can make changes to your data in Account Settings, and/or you can reach out to privacy@23andme.com if you would like to exercise such rights.

Step Three

3. Managing our third party service providers.

23andMe directly conducts the majority of data processing activities required to provide our Ancestry and Health + Ancestry Services to you. However, we do engage some third party service providers to assist in supporting these Services, including in the following areas:

  • Our genotyping lab, LabCorp
  • Customer Care
  • Cloud storage
  • Marketing and analytics
  • IT and Security

Our rigorous selection process ensures each third party service provider complies with the GDPR and can deliver the appropriate level of security and data protection. Please review our Privacy Statement for more information about our third party service providers.

Step Four

4. Safeguarding your data.

Under the GDPR, organizations that collect and store Personal Information must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with processing Personal Information. 23andMe uses industry-leading organizational and technical measures to keep Personal Information secure. Learn more.

Step Five

5. International data transfers.

When Personal Information is transferred out of the European Economic Area, United Kingdom, and Switzerland, we use appropriate safeguards and controls to protect your Personal Information in accordance with applicable laws.

Want to learn more? Review our FAQs on data protection or submit an inquiry to Customer Care.