23andMe Privacy Statement

Last updated June 24, 2010. Click here to see a summary of changes.

Summary

  • 23andMe respects your privacy. 23andMe does not sell, lease, or rent your individual-level Personal Information without explicit consent.
  • We are committed to providing a secure, user-controlled environment for our Services.
  • This summary provides highlights of our full Privacy Statement and applies to 23andMe’s collection and handling of your Personal Information. We encourage you to read the full Statement.

Definitions

  • “23andMe” means 23andMe, Inc., whose principal place of business is at 1390 Shorebird Way, Mountain View, CA 94043.
  • “23andWe Research” means scientific research that 23andMe performs with the intent to publish in a peer-reviewed scientific journal. 23andWe Research only uses Genetic and Self-Reported Information from users who have given consent according to the applicable Consent Document. 23andWe Research activities do not include R&D.
  • “R&D” means research and development activities performed by 23andMe on user data. These activities may include, among other things, improving our Services and/or offering new products or services to you; performing quality control activities; conducting data analysis that may lead to and/or include commercialization with a third party.
  • “Service” or “Services” means 23andMe’s products, software, services, and website as accessed from time to time by the user, regardless if the use is in connection with an account or not.

Which Personal Information We Collect
“Personal Information” is information that can be used to identify you, either alone or in combination with other information. 23andMe collects and stores the following types of Personal Information (see Terms of Service for a full list of related definitions):

  • “Registration Information” is the information you provide about yourself when registering for and/or purchasing our Services (e.g. name, email, address, user ID and password, and payment information).
  • “Genetic Information” is information regarding your genotype (e.g. the As, Ts, Cs, and Gs at particular locations in your genome), generated through processing of your saliva by 23andMe or by its contractors, successors, and assignees; or otherwise processed by and/or contributed to 23andMe.
  • “Self-Reported Information” is all information about yourself, including your disease conditions, other health-related information, personal traits, ethnicity, family history, and other information that you enter into surveys, forms, or features while signed in to your 23andMe account. Self-Reported Information is included in 23andWe Research only if it has been indicated for 23andWe Research use on the website and if you have given consent as described in the applicable Consent Document.
  • “User Content” is all information, data, text, software, music, audio, photographs, graphics, video, messages, or other materials – other than Genetic Information and Self-Reported Information – generated by users of 23andMe Services and transmitted, whether publicly or privately, to or through 23andMe.
  • “Web Behavior Information” is information on how you use the 23andMe website (e.g. browser type, domains, page views) collected through log files, cookies, and web beacon technology.

How We Use Your Information

  • 23andMe collects Personal Information from you for all purposes necessary to ensure the regular operation of your account and/or availability of our Services. These include, among other things, providing you with our Services; improving our Services and/or offering new products or services to you; performing quality control activities; conducting other R&D; and, upon your authorization, conducting 23andWe Research on diseases, traits, and other conditions.
  • We use Registration Information to enable your purchase, inform you when your Genetic Information is available to you, provide you with customer service, manage our Services, and authenticate your website visits and usage. We may also use this information to offer you other products or services or to invite you to participate in specific research projects.
  • We may disclose to third parties, and/or use in our Services, “Aggregated Genetic and Self-Reported Information”, which is Genetic and Self-Reported Information that has been stripped of Registration Information and combined with data from a number of other users sufficient to minimize the possibility of exposing individual-level information while still providing scientific evidence. If you have given consent for your Genetic and Self-Reported Information to be used in 23andWe Research as described in the applicable Consent Document, we may include such information in Aggregated Genetic and Self-Reported Information intended to be published in peer-reviewed scientific journals. If you do not give consent for your Genetic and Self-Reported Information to be used in 23andWe Research, we may still use your Genetic and/or Self-Reported Information for R&D purposes as described above, which may include disclosure of Aggregated Genetic and Self-Reported Information to third-party non-profit and/or commercial research partners who will not publish that information in a peer-reviewed scientific journal.
  • We will never release your individual-level Genetic and/or Self-Reported Information to a third party without asking for and receiving your explicit consent to do so, unless required by law.
  • We use Web Behavior Information to track and monitor aggregate usage of our website, for R&D, for quality control, to improve our Services, and/or to target advertising for our products and services.
  • We give you the ability to share your Genetic Information with other 23andMe customers through sharing features.
  • We will not disclose your individual-level Personal Information to any third party, except under the following circumstances:
    • Partners or service providers (e.g. our contracted genotyping laboratory or credit card processors) use and/or store the information in order to provide you with 23andMe’s Services.
    • We are required to do so by law (see the section below titled “Information Disclosure Required By Law”).
    • You have provided explicit consent for us to do so.

Your Choices

  • Contribution of Personal Information other than Registration Information is voluntary and permission-based.
  • Whether to give consent for 23andMe to use your Genetic and Self-Reported Information for 23andWe Research is voluntary.
  • Providing Self-Reported Information through surveys, forms, or features indicated for 23andWe Research use is voluntary.
  • At your written request we will close your account. As a result, all Genetic Information will be removed from the account and will no longer be accessible. 23andMe will not use your Genetic Information in research taking place starting thirty (30) days after account closure. We cannot remove Genetic Information that has previously been used for published research or shared with external collaborators before account closure. (See the section below titled “Account Closure and Correction of Personal Information”.)

Additional Information

How to Contact Us
Questions about this Summary, our Privacy Statement, or about 23andMe’s handling of your Personal Information may be emailed to privacy@23andme.com, or sent to:

Privacy Administrator
23andMe, Inc.
1390 Shorebird Way
Mountain View, CA 94043



Full Privacy Statement

23andMe Respects Your Privacy

23andMe recognizes the importance of privacy and respects your desire to store and access your information in a private and secure manner.

This Privacy Statement is intended to make you aware of how we handle your Personal Information. We are committed to providing you a secure, user-controlled environment for the use of our Services. At the same time, you share responsibility for maintaining privacy and security – for example, by keeping your password secure.

We encourage you to familiarize yourself with our Privacy Statement. Our Consent Form and Terms of Service explain that, by using our website and signing up for our service, you are allowing us to process your personal information according to the provisions set forth in those documents and this Privacy Statement.

Your Personal Information

In the course of your relationship with 23andMe, we collect several types of Personal Information. Personal Information is information that could be used to identify you, either alone or in combination with other information. We collect such information from you when you purchase our Services, create a personal account, complete surveys and forms, and/or when you communicate with us or request information from us. Personal Information collected online can be combined with Personal Information collected offline. We collect five primary types of Personal Information through our Service and website.

  1. “Registration Information” is information that we collect from you when you purchase or sign up for our Services. Examples of such information include your name, credit card information, billing and shipping addresses, and contact information, such as email address and telephone number.
  2. “Genetic Information” consists of your genotype, e.g. the As, Ts, Cs, and Gs at particular locations in your genome. Genetic Information is generated when you purchase 23andMe’s Service and your saliva sample is analyzed and processed or you otherwise contribute or access your Genetic Information through our Services. Our instructions for sample collection and shipment clearly require you to send only your saliva sample to our third-party laboratory labeled with the unique barcode and no other identifier. The unique barcode identifies you to us but not to the laboratory. We are also required to provide sex and date of birth or age to the laboratory pursuant to CLIA requirements. No other Personal Information is required for the analysis. To protect your privacy, receiving personnel at the laboratory will remove and discard any identifying information (e.g. name, address) included with saliva samples before testing personnel receive the samples for genotyping. Receiving personnel do not perform testing, and testing personnel only handle samples labeled with the unique barcode. Unless you choose to store your sample in the biobank, DNA and saliva samples are destroyed after the laboratory completes its work, provided that laboratory legal and regulatory requirements no longer require the actual samples to be maintained. The laboratory securely sends the resulting Genetic Information to us along with your unique barcode. Genetic Information is stored securely on our servers; the laboratory also stores your Genetic Information, but labeled only with a sample barcode. The laboratory conducting DNA extraction and analysis does not have access to your name, other Registration Information, or any other Personal Information except your sex and date of birth or age, as required by CLIA.
  3. “Self-Reported Information” includes information you provide to us, including but not limited to information about your disease conditions (e.g. Type 2 Diabetes), other health-related information (e.g. pulse rate, cholesterol levels, visual acuity), personal traits (e.g., eye color, height), ethnicity, and/or family history (e.g. similar information about family members). We collect this information from you if and when you enter the information into surveys, forms, or features while signed in to your account. Self-Reported Information is included in 23andWe Research only if it has been indicated for 23andWe Research use on the website and if you have given consent as described in the applicable Consent Document.
  4. “User Content” is all information other than Genetic Information or Self-Reported Information generated by users of 23andMe Services and transmitted, whether publicly or privately, to 23andMe. User Content may include data, text, software, music, audio, photographs, graphics, video, messages, or other materials. For example, User Content includes posts made to the 23andMe community forums or emails to Customer Support. User Content does not include Genetic Information or Self-Reported Information.
  5. “Web Behavior Information” is information on how you use the 23andMe website (e.g. browser type, domains, page views) collected through log files, cookies, and web beacon technology.

How We Use Registration Information

We use your Registration Information to authenticate your website visits and usage; to enable your purchase; to communicate with you about information, services, and products that you have requested; and to manage and improve our website, software, and Services. We may also use this information to offer you services and products that may be of interest to you or invite you to participate in specific research projects. We give you the opportunity to opt out of optional communications, either through our Service or by contacting our Privacy Administrator at privacy@23andme.com.

How We Use Genetic and Self-Reported Information

We use your Genetic and Self-Reported Information to provide you with 23andMe Services, customize the user experience, and enhance our features. IF you allow sharing, Genetic and Self-Reported Information may be displayed in other users’ accounts. Self-Reported Information is used to customize your user experience – for example, by adjusting reports of genetic risk to account for your reported behaviors or environmental exposures.

If, and only if, you have given consent to participate in 23andWe Research as described in the applicable Consent Document, we may include your Genetic Information and Self-Reported Information indicated for 23andWe Research use in Aggregated Genetic and Self-Reported Information disclosed to third parties for the purpose of publication in a peer-reviewed scientific journal. 23andWe Research is intended to advance genetic knowledge and to create, commercialize, or undertake activities toward the practical applications of this learning to the improvement of health care.

If you do not give your consent to participate in 23andWe Research, 23andMe may still use your Genetic and Self-Reported Information for purposes such as quality control or other R&D activities. Genetic and Self-Reported Information used for such purposes may be included in Aggregated Genetic and Self-Reported Information disclosed to third-party research partners who will not publish the information in a peer-reviewed scientific journal. Research partners may include commercial or non-profit organizations that conduct or support scientific/medical research or conduct or support the development of drugs or devices to diagnose, predict, or treat health conditions.

How We Use User Content and Web Behavior Information

23andMe uses User Content to provide our Services and improve the overall user experience. For example, posts made to the 23andMe community forums are publicly displayed to other users. See Section 13 of the Terms of Service for a full description of your rights relating to User Content.

Web Behavior Information is collected through log files, cookies, and web beacon technology during a visit to the 23andMe website. Web Behavior Information is used to improve our Services and the overall user experience.

Log Files. When users visit our website, 23andMe gathers certain information automatically and stores it in log files. This information includes Internet Protocol (IP) addresses, browser type, Internet Service Provider, referring/exit pages, operating system, date/time stamp, and clickstream data (i.e. a list of pages or URLs visited). We use this information, which is not designed to identify individual users, to analyze trends, administer the site, track users’ movements around the site, and gather demographic information about our user base as a whole. We may, in some circumstances, need to review this automatically collected data in combination with specific Registration Information to identify and resolve issues for individual users.

Cookies. The 23andMe website also uses cookies. A cookie is a small text file that is stored on a user’s computer when you visit our website or any other website through your computer. We use both session cookies and persistent cookies to make it easier for you to navigate our site, improve the security of your Personal Information, enhance the functionality of certain features, and improve performance. The cookies we employ are used to enable secure access to your account when you are signed in to your account and are only applicable within the confines of our website.

A session cookie expires when you close your browser. A persistent cookie remains on your hard drive for an extended period of time. You can remove persistent cookies by following directions provided in your Internet browser’s “help” file. However, if you set your browser to reject cookies, your ability to use our site will be significantly impaired. In particular, you will not be able to access any part of our site that requires a sign-in, such as your account.

Web Beacons. A web beacon is a clear graphic image that is loaded by your web browser when it accesses a website and that records a user’s visit to a particular web page. We, or third parties that work for us, may place cookies and web beacons on our website, in our emails, and in our advertisements that appear on other websites or in emails sent by others that mention our products and services with our permission. The purpose of our web beacons is to support operation of our website and to offer additional products and services through targeted advertisements. For example, we may use beacons to determine when someone views a web page, count how many individuals visit our website after clicking advertisements placed on other websites, or count how many people have purchased products from our website after viewing an advertisement we placed. Web beacons may also help us determine the effectiveness of an email campaign because the beacons can count the number of individuals who open an email or forward it to others. We use this Web Behavior Information to better tailor our marketing to you and may also use this information to customize content on our website, enable a shopping cart, or conduct research. Third parties only collect anonymous Web Behavior Information through the use of web beacons, allowing statistical analysis relating to the performance of our advertising.

If you wish to disable web beacons, it is possible to prevent your browser from loading them, although there is not currently a standard method for doing so.

Information Sharing

23andMe gives you the ability to connect with other individuals who have 23andMe accounts through our community forums, relative finding features, and other sharing features. For some features, opt-out is required to avoid notifications. In addition, you may choose to disclose, through other means not associated with 23andMe, any part of your Personal Information to friends and/or family members, groups of individuals, third-party service providers, doctors or other health care professionals, and/or other individuals. We recommend that you make such choices carefully.

Personal Information, once released or shared, can be difficult to contain. 23andMe will have no responsibility or liability for any consequences that may result because you have released or shared Personal Information with a third party. Likewise, if you are reading this because you have access to the Personal Information of a 23andMe customer through a multi-profile account, we urge you to recognize your responsibility to protect the privacy of that person. It is incumbent upon customers to share Personal Information only with people they know and trust. Users with multi-profile accounts should use caution in setting profile-level privacy settings.

Information Disclosure

As a general rule, 23andMe will not disclose your individual-level Personal Information to any third party, except under the following circumstances:

  • Partners or service providers (e.g. credit card processors or our contracted genotyping laboratory) process and/or store the information in order to provide you with 23andMe’s Services.
  • We are required to do so by law (see the section below titled “Information Disclosure Required By Law”).
  • You have provided explicit consent for us to do so.

23andMe may disclose Personal Information for the following reasons:

  • 23andWe Research. 23andMe may disclose Aggregated Genetic and Self-Reported Information intended to be published in a peer-reviewed scientific journal to research collaborators or as a result of publication. You may give/withhold consent for your data to be used in 23andWe Research when viewing the applicable Consent Document during the process of claiming your Genetic Information into your account. You may also give consent or change your global consent status through your Account Settings at any subsequent time; however, we cannot withdraw information that has previously been used for published research or shared with external collaborators prior to your request to withdraw consent.
  • Contact information. 23andMe will ask for and require your explicit consent to allow partner organizations direct access to your Registration Information.
  • Commercial partnerships. 23andMe may enter into commercial arrangements to enable partners to provide our Service to their customers and/or to provide you access to their products and services. We will not provide any individual-level Personal Information to these commercial partners without your explicit consent. 23andMe may include your Genetic and/or Self-Reported Information in Aggregated Genetic and Self-Reported Information disclosed to these commercial partners even if you have not given consent for your data to be used in 23andWe Research.

Information Disclosure Required By Law

Under certain circumstances Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders. You acknowledge and agree that 23andMe is free to preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (a) comply with legal process (such as a judicial proceeding, court order, or government inquiry) or obligations that 23andMe may owe pursuant to ethical and other professional rules, laws, and regulations; (b) enforce the 23andMe TOS; (c) respond to claims that any content violates the rights of third parties; or (d) protect the rights, property, or personal safety of 23andMe, its employees, its users, its clients, and the public. In such event we will notify you through the contact information you have provided to us in advance, unless doing so would violate the law or a court order.

Linked Websites

23andMe provides links to third-party websites operated by organizations not affiliated with 23andMe. 23andMe does not disclose your Personal Information to organizations operating linked third-party websites. 23andMe does not review or endorse, and is not responsible for, the privacy practices of these organizations. We encourage you to read the privacy statements of each and every website that you visit. This Privacy Statement applies solely to information collected by 23andMe.

Account Closure and Correction of Personal Information

If you no longer wish to participate in our Services, you may close your account by sending a request to Customer Support at help@23andme.com. When closing an account, we remove all Genetic Information within your account (or profile) within thirty (30) days of our receipt of your request. As stated in the applicable Consent Document, however, Genetic Information and/or Self-Reported Information that you have previously provided and for which you have given consent to use in 23andWe Research will not be removed from ongoing or completed studies that use the information. Our contracted genotyping laboratory may also retain your Genetic Information as required by local law and we may retain backup copies for a limited period of time pursuant to our data protection policies. In addition, we retain limited Registration Information related to your order history (e.g., name, contact, and transaction data) for accounting and compliance purposes.

If your Personal Information changes, you may correct or update your Registration Information via your Account Settings page. You may also correct or reset Self-Reported Information entered into a survey, form, or feature indicated for 23andWe Research use by emailing a request to Customer Support at help@23andme.com and including the name of the specific survey, form, or feature.

Children’s Privacy

23andMe is committed to protecting the privacy of children as well as adults. Neither 23andMe nor any of its Services are designed or intended to attract children under the age of 13. A parent or guardian, however, may collect a saliva sample from, create an account for, and provide Self-Reported Information on behalf of his or her child. The parent or guardian assumes full responsibility for ensuring that the information that he/she provides to 23andMe about his or her child is kept secure and that the information submitted is accurate.

Security

23andMe takes seriously the trust you place in us. To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of information, 23andMe uses a range of reasonable physical, technical, and administrative measures to safeguard your Personal Information, in accordance with current technological and industry standards. In particular, all connections to and from our website are encrypted using Secure Socket Layer (SSL) technology.

Please recognize that protecting your Personal Information is also your responsibility. We ask you to be responsible for safeguarding your password, secret questions and answers, and other authentication information you use to access our Services. You should not disclose your authentication information to any third party and should immediately notify 23andMe of any unauthorized use of your password. 23andMe cannot secure Personal Information that you release on your own or that you request us to release.

Business Transitions

In the event that 23andMe goes through a business transition such as a merger, acquisition by another company, or sale of all or a portion of its assets, your Personal Information will likely be among the assets transferred. In such a case, your information would remain subject to the promises made in any pre-existing Privacy Statement.

Changes to This Privacy Statement

This Privacy Statement was last updated June 24, 2010. Whenever this Privacy Statement is changed in a material way, a notice will be posted as part of this Privacy Statement and on our customers’ account login pages for 30 days. After 30 days the changes will become effective. In addition, all customers will receive an email with notification of the changes.

Contact Information

If you have questions about this statement, please email 23andMe’s Privacy Administrator at privacy@23andme.com. You can also contact us at this address if you have a question about 23andMe’s handling of your information:

Privacy Administrator
23andMe, Inc.
1390 Shorebird Way
Mountain View, CA 94043

Return to top