Privacy Statement
Last Updated: September 24, 2024
What you should know about privacy at 23andMe
At 23andMe, Privacy is in our DNA.
This Privacy Statement applies to all websites owned and operated by 23andMe, Inc., including www.23andme.com, and any other websites, pages, features, or content we own or operate, and to your use of the 23andMe mobile app and any related Services. Should you choose to receive Telehealth Services coordinated through 23andMe, with clinical services provided through licensed healthcare providers, there is a separate Medical Record Privacy Notice that describes how your medical information is used, disclosed, and maintained.
To keep things simple, we use the same terms here as in our Terms of Service. We’ll let you know in this Privacy Statement if we have a new or different definition for a term. You should read our entire Privacy Statement, but if you only have a few minutes you can take a look at this summary.
The information 23andMe collects
We try not to speak in legalese, but there are some useful definitions we use to describe data we collect in providing the Services to you.
When we say Personal Information, we use this as a general term to refer to the different data categories we describe in this section that either personally identify you or are about you. Your Personal Information can be either:
- Individual-level Information: information about a single individual, such as their genotypes, diseases or other traits or characteristics.
- De-identified Information: information that has been stripped of identifying data, such as name and contact information, so that an individual cannot reasonably be identified.
Here are the types of Personal Information we collect:
- Registration Information: information you provide during account registration or when purchasing the Services, such as a name, user ID, password, date of birth, billing address, shipping address, payment information (e.g., credit card), account authentication information, or contact information (e.g., email, phone number).
- Genetic Information: information regarding your genotype (e.g., the As, Ts, Cs, and Gs at particular locations in your DNA). Genetic Information includes the 23andMe genetic data and reports provided to you as part of our Services.
- Sample Information: information regarding any sample, such as a saliva sample, that you submit for processing to be analyzed to provide you with Genetic Information, laboratory values or other data provided through our Services.
- Self-Reported Information: information you provide to 23andMe including your gender, disease conditions, health-related information, traits, ethnicity, family history, or anything else you provide to us within our Service(s).
- Biometric information: certain Self-Reported Information you provide to us or our service providers to verify your identity using biological characteristics.
- User Content: information, data, text, software, music, audio, photographs, graphics, video, messages, or other materials, other than Genetic Information and Self-Reported Information, generated by users of 23andMe Services and transmitted, whether publicly or privately, to or through 23andMe. For example, User Content includes comments posted on our Blog or messages you send through our Services.
- Web-Behavior Information: information on how you use our Services or about the way your devices use our Services is collected through log files, cookies, web beacons, and similar technologies (e.g., device information, device identifiers, IP address, browser type, location, domains, page views).
Aggregate Information is different from Personal Information
Aggregate Information is not Personal Information because Aggregate Information does not contain information about, nor can it reasonably be linked to, a specific individual. Aggregate Information is information about a group of people, such as an analysis or evaluation of a group. Aggregate Information describes the group as a whole in such a way that no specific individual may be reasonably identified. For example, the number of 23andMe customers with a specific variant or health condition is Aggregate Information.
How we collect information
- You: We collect information you provide to us when you request or purchase Services or information from us (including authorizations to share data with us from another entity, like lab test results and other medical information), register with us (including when you link your account on a third-party site or platform with your 23andMe account, such as via Google or Apple), participate in forums or other activities on our sites, features, and applications, respond to surveys, visit our physical properties, call our Customer Care support line, or otherwise interact with us using one or more devices. You may provide information in a variety of ways, including by typing or using voice commands.
- Service Providers: We may collect information through service providers who use a variety of technologies and tools, such as cookies, analytics tools, software development kits, application program interfaces, web beacons, pixels, and tags when you visit, use or interact with our Services. For more detail on how we collect and use Web-Behavior Information, please see our Cookie Policy.
- Other Third Parties: We may receive information about you from other users, individuals, our corporate affiliates, or other third parties. For example, if someone gifts you a testing kit or Subscription, invites you to view their 23andMe Report, or otherwise refers you to 23andMe, we may collect information about you.
- 23andMe: We may infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics. For example, we use your Genetic Information to predict certain health predispositions, or we may infer your location (such as city, state, and country) based on your IP address.
How we use your information
Now that we’ve covered the types of information we collect and how we collect it, let’s review how we may use it. As a reminder, we will not use your Genetic Information for personalized or targeted marketing and/or advertising without your explicit consent. If you want to dig into the details of how we use your information, check out our How We Use Your Information page.
We use your information to:
- Provide our Services, including to develop, operate, improve, maintain, and safeguard our Services, including developing new product tools and features
- Analyze and measure trends and usage of the Services
- Communicate with you, including customer support, or to share information about our Services or other offers or information we think may be relevant to you
- Personalize, contextualize and market our Services to you
- Provide cross-context behavioral or targeted advertising (learn more in our Cookie Policy and Cookie Choices page)
- Enhance the safety, integrity, and security of our Services, including prevention of fraud and other unauthorized or illegal activities on our Services
- Verify your identity and administer your User Account
- Enforce, investigate, and report conduct violating our Terms of Service or other policies
- Conduct surveys or polls, and obtain testimonials or stories about you
- Comply with our legal, licensing, and regulatory obligations
- Conduct 23andMe Research, if you choose to participate
What 23andMe Research participation means for you
23andMe has an opt-in research program, meaning that for eligible customers, taking part in 23andMe Research is completely voluntary. Refer to the Main Research Consent for information to help you make an informed choice about participating. Here are key points about 23andMe Research, how Research uses personal information, and other ways we safeguard your privacy.
Before explaining how Research uses Personal Information, let’s cover a few basics:
What is 23andMe Research?
The purpose of 23andMe Research is to make new discoveries about genetics and other factors behind diseases and traits. “23andMe Research” means research activities performed by 23andMe, either independently or jointly with third parties, and overseen by an independent ethics review board (also called an Institutional Review Board or “IRB”). 23andMe Research may be sponsored by, conducted on behalf of, or in collaboration with third parties, including non-profit foundations, academic institutions or pharmaceutical companies.
What if I do not want to participate in Research?
If you are eligible to participate in Research, you choose whether to participate or not, and you can change your mind any time. Customers never need to participate in Research to use 23andMe. Nothing changes about your core 23andMe experience if you do not participate in Research. We do not use your information for Research unless you explicitly choose to participate in Research.
How does 23andMe protect my information in Research?
23andMe Research analyses are conducted with information that has been stripped of your identifying Registration Information. You can read more about protections for your data in the Main Research Consent.
If you choose to consent to the Main Research Consent...
- Your de-identified Genetic Information and/or Self-Reported Information may be used for Research.
- We may use de-identified individual-level Genetic Information and Self-Reported Information internally at 23andMe for research purposes.
- We may share summaries of research results, which do not identify any particular individual, with qualified research collaborators and in scientific publications.
- We may inform you of research opportunities for which you may be eligible. We will not share individual-level Personal Information without your explicit consent. To change your preferences for these communications, go to your Account Settings.
Some participants choose to contribute in additional ways to Research. For example, you can choose to participate in Individual Level Data Sharing, or additional study-specific agreement(s). Those consents are separate and, like the Main Research Consent, you can withdraw from them anytime. You should review those specific consents for the details. Take a look at your other Research consent documents.
Data sharing
We appreciate the level of trust you put into us. Here’s how we do, and do not, share your information.
Who we share with:
Service providers: Our service providers and contractors help us provide our Services and act on our behalf to get things done. We implement procedures and maintain contractual terms with each service provider and contractor to protect the confidentiality and security of your Personal Information. For example, some of the things we use service providers and contractors to help us with include: order fulfillment and shipping; processing and analyzing your samples (check out the How We Use Info page to learn more!); sample storage (as we like to call it, “biobanking”); customer care support; cloud storage, IT, and security; marketing and analytics; and more. Learn more about cookies, analytics, and advertising partners we use on our Services in our Cookie Policy.
Your sharing choices: You may direct us to share your Personal Information with friends, family members, doctors or other healthcare professionals, and/or any other individuals or entities who may or may not be using our Services, including through third party services such as social networks and third-party apps that connect to our Services. If you share your Personal Information with a third party, they may use your Personal Information differently than we do under this Privacy Statement. Please make such choices carefully and review the privacy policies of all other third parties involved.
Commonly owned entities, affiliates and change of ownership: If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity. We may also disclose Personal Information about you to our corporate affiliates to help operate our services and our affiliates’ services.
Third parties related to law, harm, and the public interest: We can’t say it enough – 23andMe will not provide information to law enforcement unless required by law to comply with a valid court order, subpoena, or search warrant. We require all law enforcement inquiries to follow a valid legal process, such as a court order or search warrant, and are prepared to exhaust available legal remedies to protect customer privacy. If we are compelled to disclose your Personal Information to law enforcement, we will try our best to provide you with prior notice, unless we are prohibited from doing so under the law.
23andMe will preserve and disclose any and all information if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (a) comply with legal or regulatory process (such as a judicial proceeding, court order, or government inquiry) or obligations that 23andMe may owe pursuant to ethical and other professional rules, laws, and regulations; (b) enforce the 23andMe Terms of Service and other policies; (c) respond to claims that any content violates the rights of third parties; or (d) protect the rights, property, or personal safety of 23andMe, its employees, officers, directors, contractors or other personnel, its users, and the public. Nothing in this Privacy Statement is intended to limit any legal defenses or objections that you may have to a third party’s, including a government’s, request to disclose your Personal Information.
Who we DO NOT share with:
You can rest assured, we will not voluntarily share your Personal Information with:
- Public databases
- Insurance companies or employers
- Law enforcement, absent a valid court order, subpoena, or search warrant (Check out our track record on this promise in our Transparency Report)
Your privacy settings and controls
It’s your data, and we make it easy to make decisions and certain choices about it. We do not make choices on your behalf for the privacy settings described below. Below are the types of controls you have in your Account Settings and we’ve listed what it means to opt-out or to opt-in:
Storing your sample
- Opt-out: No, I do not want my sample stored. If you choose to discard your sample, it will be securely destroyed after the lab completes its analysis, subject to laboratory legal and regulatory requirements. Note, a discard choice cannot be reversed.
- Opt-in: Yes, I want my sample stored. Learn more about Biobanking.
Viewing your health reports
- Opt-out: No, I do not want to receive my health reports.
- Opt-in: Yes, I do want to receive Genetic Health Risk and Carrier Status reports, as well as other reports (e.g., Pharmacogenetics reports) if available.
Sharing features
- Opt-out: No, I do not want to share my information with genetic relatives or other users via features like DNA Relatives or My Connections.
- Opt-in: Yes, I want to be able to share my information so I can discover genetic relatives or connect with others.
Personalized recommendations
- Opt-out: No, I do not want to receive Personalized Recommendations based on my sensitive data categories.
- Opt-in: Yes, I want to receive Personalized Recommendations to receive custom health and wellness recommendations, offers, and other information based on my sensitive data categories. Learn more about Personalized Recommendations.
Communications preferences
- Opt-out: Please don’t contact me for promotional purposes. In addition to changing your preferences via Account Settings or your device, you can also click the “unsubscribe” button at the bottom of promotional email communications.
- Opt-in: Yes, you can contact me (such as through email, in-product notifications, or push notifications) for product or promotional purposes.
Research participation
- Opt-out: I don’t want to participate in 23andMe Research. If you experience difficulties changing your consent status in Account Settings, contact the Human Protections Administrator at hpa@23andMe.com. You can change your mind any time about your participation; however, any Research involving your data that has already been performed or published prior to your withdrawal from 23andMe Research will not be reversed, undone, or withdrawn.
- Opt-in: Yes, I’d like to participate in 23andMe Research. Learn more about Research.
You can also:
Access & Download: You can access and download your Personal Information processed by 23andMe. Please note, if you lose access to your 23andMe Account, we require that you submit additional information to verify your identity before providing access or otherwise releasing information to you.
Correct Information: You can correct your Registration Information and modify Self-Reported Information entered into surveys.
Delete your Account: You can delete your 23andMe account within your Account Settings at any time. Upon account deletion, we will automatically opt you out of Research and discard your sample.
Keep in mind this process cannot be canceled, undone, withdrawn, or reversed, and your account deletion is subject to retention requirements and certain exceptions. For exact instructions, please read our Customer Care guidance.
Other things to know about privacy
Security Measures
We implement physical, technical, and administrative measures aimed at preventing unauthorized access to or disclosure of your Personal Information. Our team regularly reviews and improves our security practices to help ensure the integrity of our systems and your Personal Information. To learn more about our practices, please visit our Customer Care guidance.
Please recognize that protecting your Personal Information is also your responsibility. Be mindful of keeping your password and other authentication information safe from third parties, and immediately notify 23andMe of any unauthorized use of your login credentials. Your password is not visible to 23andMe staff, and we encourage you not to share your password with 23andMe or any third parties. 23andMe cannot secure Personal Information that you release on your own or that you request us to release.
Third Party Content and Integrations
Our Services may contain third party content, integrations or links to third party websites operated by organizations not affiliated with 23andMe. Through these integrations, you may be providing information to the third party as well as to 23andMe. Since we can only control our own Services, we are not responsible for how those third parties collect or use your information so please review the privacy policies of every third-party service that you visit or use, including those third parties you interact with through our Services.
Federal, State, and Region-Specific Information
You may have specific privacy rights in your state or region. For example, in the United States, residents of California and other states have specific privacy rights, as well as 23andMe residents of the European Economic Area (EEA), the UK, Switzerland and other jurisdictions.
Federal and state laws (including the federal Genetic Information Non-discrimination Act or “GINA”) provide some protection from employer and health insurance discrimination based on your genetics.
Retention of Personal Information
We retain Personal Information for as long as necessary to provide the Services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the data, the availability of automated controls that enable users to delete data, and our legal or contractual obligations.
23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations, including the federal Clinical Laboratory Improvement Amendments of 1988 (CLIA), California Business and Professions Code Section 1265 and College of American Pathologists (CAP) accreditation requirements, even if you chose to delete your account. 23andMe will also retain limited information related to your account and data deletion request, including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements for a limited period of time as required by law, contractual obligations, and/or as necessary for the establishment, exercise or defense of legal claims and for audit and compliance purposes.
Changes to this Privacy Statement
We may make changes to this Privacy Statement from time to time. We’ll let you know about those changes here or by reaching out to you via email or some other contact method, such as through in-app notification, or on another website page or feature.
Contact Information
If you have questions about this Privacy Statement, or have a complaint or inquiry, please email 23andMe’s Privacy Administrator at privacy@23andme.com, call us at 1.800.239.5230, or send a letter to:
Privacy Administrator
23andMe, Inc.
223 N. Mathilda Ave.
Sunnyvale, CA 94086