⚠ Why DNA Privacy Matters More Than Other Data

Your DNA is uniquely risky: unlike passwords or credit cards, genetic data cannot be changed if exposed. It also reveals information about biological relatives who never consented. And despite legal protections like GINA, genetic information could theoretically affect employment and insurance (life, disability, and long-term care insurance are NOT covered by GINA). This review documents exactly what MyHeritage can and cannot do with your most sensitive data.

🌎 International Company Notice

MyHeritage is headquartered in Or Yehuda, Israel, with additional offices in Tel Aviv, Lehi (Utah), Kyiv (Ukraine), and Burbank (California). DNA testing is processed at Gene by Gene's laboratory in Houston, Texas, USA. The company was acquired by U.S. investment firm Francisco Partners in 2021. Data transfers between Israel, the US, and other jurisdictions are subject to Standard Contractual Clauses under GDPR.

⚠ 2018 Security Incident

On June 4, 2018, MyHeritage disclosed a cybersecurity breach:

92,283,889 user email addresses and hashed passwords exposed

According to MyHeritage's official statement, the breach occurred on October 26, 2017 and was discovered when a security researcher found a file on a private server outside of MyHeritage. The company stated that "Credit card information is not stored on MyHeritage" and that "family trees and DNA data are stored on segregated systems, separate from those that store the email addresses."

📊 Data Collection Scope

Genetic Information (DNA Data)

MyHeritage collects genetic data from DNA tests or uploaded results:

"DNA information: Genetic data from DNA tests or uploaded results"
Source: MyHeritage Privacy Policy - "Information We Collect" section

Biometric Data (Facial Recognition)

MyHeritage collects biometric information from photos through their Photo Tagger feature:

"Biometric data: Facial recognition models from the Photo Tagger feature"
Source: MyHeritage Privacy Policy - "Information We Collect" section

Health Data

MyHeritage collects self-reported family health history:

"Health data: Self-reported family health history via questionnaire"
Source: MyHeritage Privacy Policy - "Information We Collect" section

Family Tree and Genealogical Data

MyHeritage collects names, emails, family tree data, photos, and contact details:

"Direct submissions: Names, emails, family tree data, photos, and contact details"
Source: MyHeritage Privacy Policy - "Information We Collect" section

Web Behavior and Tracking

MyHeritage collects usage data through automated means:

"Usage data: web-behavior information using automated means of data collection"
Source: MyHeritage Privacy Policy - "Information We Collect" section

👥 Third-Party Sharing

No Sale or License of Personal Data (Strong Commitment)

MyHeritage makes an explicit and emphatic commitment not to sell personal data:

"PERSONAL INFORMATION PROVIDED BY YOU, INCLUDING GENETIC INFORMATION AND HEALTH INFORMATION, WILL NEVER BE SOLD OR LICENSED BY US TO THIRD PARTIES, INCLUDING INSURANCE COMPANIES, GOVERNMENT AGENCIES, OTHER CORPORATIONS OR EMPLOYERS."
Source: MyHeritage Privacy Policy - "Third-Party Sharing" section

No Sale of Genetic or Health Data

Additional specific commitment regarding genetic data:

"MYHERITAGE HAS NEVER SOLD OR LICENSED GENETIC DATA OR HEALTH DATA, AND WILL NEVER DO SO IN THE FUTURE."
Source: MyHeritage Privacy Policy - "Genetic Data" section

Service Providers

MyHeritage shares data with specific third-party service providers:

"Service providers (payment processors, cloud storage, AI services)" including "payment processing platforms (mainly Adyen, Stripe, BlueSnap and PayPal) and cloud storage services"
Source: MyHeritage Privacy Policy - "How We Share Information" section

DNA Matching Feature

DNA data may be shared with genetic matches if the feature is enabled:

"DNA data shared only with DNA Matches (if enabled) and matched individuals"
Source: MyHeritage Privacy Policy - "DNA Services" section

Research (Requires Explicit Consent)

Research use of data requires explicit user consent:

"We may use data for research (aggregated and anonymized) only with the user's explicit consent"

Insurance Companies (Explicitly Excluded)

MyHeritage explicitly states they will never provide data to insurance companies:

"MyHeritage will never provide data to insurance companies under any circumstances"
Source: MyHeritage Privacy Policy - "Third-Party Sharing" section

Law Enforcement Access

MyHeritage has explicit policies regarding law enforcement:

"MyHeritage prohibits law enforcement use of its DNA Services."
Source: MyHeritage Privacy Policy - "Law Enforcement" section

Law Enforcement - Court Orders

Information will only be provided under legal compulsion:

"We will not provide information to law enforcement unless we are required by a valid court order or subpoena for genetic information."
Source: MyHeritage Privacy Policy - "Law Enforcement" section

Business Transactions

Data transfer in case of company sale:

"In the event that MyHeritage, or substantially all of its assets or stock, are acquired, transferred, or disposed of, personal information including DNA Data Files will be one of the transferred assets. In such an event, your personal information would remain subject to the promises made in the pre-existing Privacy Policy prior to the event."
Source: MyHeritage Privacy Policy - "Business Transactions" section

🔑 Data Ownership Statement

MyHeritage explicitly recognizes user ownership of DNA data:

"DNA users are the sole owners of their DNA data. We hold no rights to your data."

Additionally:

"Only you have access to your raw DNA data and control of your privacy settings"

🕐 Data Retention

General Retention Policy

MyHeritage retains personal information as necessary for services:

"Personal information retained only for as long as necessary for service delivery and legal compliance"
Source: MyHeritage Privacy Policy - "Data Retention" section

DNA Sample Retention - Up to 10 Years

Physical DNA samples may be stored for an extended period:

"DNA samples: up to 10 years with explicit approval"
Source: MyHeritage Privacy Policy - "DNA Sample Storage" section

DNA Sample Storage Location

DNA samples are stored at the Texas laboratory:

"DNA samples stored in Texas at Gene by Gene lab"
Source: MyHeritage Privacy Policy - "DNA Services" section

Facial Recognition Model Retention

Biometric data has an automatic deletion policy:

"Facial recognition models: automatically deleted 3 months after last use"
Source: MyHeritage Privacy Policy - "Biometric Data" section

Post-Deletion

Account deletion effects:

"Deleted account data will not be available to you or other users"
Source: MyHeritage Privacy Policy - "Account Deletion" section

☑ User Control and Consent

Data Deletion Rights

Users can delete their data at any time:

"You can delete your data permanently at any time"

DNA Sample Destruction

Users can request destruction of their biological sample:

"Users can delete DNA Results and request sample destruction anytime"
Source: MyHeritage Privacy Policy - "Your Choices" section

DNA Matching Control

Users can control the DNA matching feature:

"'DNA Matching' feature can be disabled to prevent comparisons"
Source: MyHeritage Privacy Policy - "DNA Privacy Options" section

Research Consent Withdrawal

Users can withdraw research consent, but with limitations:

"any research or studies using anonymized or aggregate information that has already begun, studies that have been completed, and any study results or findings that have been published prior to your withdrawal cannot be reversed."

User Rights (GDPR, CCPA, etc.)

MyHeritage acknowledges various regional rights:

"Users can: Access their personal information; Request rectification or deletion; Withdraw consent; Obtain portable copies of data; Disable Smart Matches and DNA Matching; Delete accounts permanently and irreversibly; Opt out of marketing communications"
Source: MyHeritage Privacy Policy - "Your Rights" section

🔒 Security Measures

Security Implementation

MyHeritage describes their security approach:

"Technical, physical, and administrative safeguards implemented"
Source: MyHeritage Privacy Policy - "Security" section

Penetration Testing

Regular security assessments:

"Periodic penetration tests" conducted
Source: MyHeritage Privacy Policy - "Security" section

Access Controls

Limited personnel access:

"Only authorized personnel have access to personal information"
Source: MyHeritage Privacy Policy - "Security" section

Encryption

DNA data protection:

"DNA data is protected by multiple layers of encryption and stored on secure servers"

Laboratory Certifications

DNA testing laboratory credentials:

"Lab holds CLIA certification and CAP accreditation - industry gold standards"

Security Disclaimer

MyHeritage acknowledges limitations:

"no such program can be perfect; in other words, all risks cannot reasonably be eliminated."
Source: MyHeritage Privacy Policy - "Security" section

🌎 GDPR/CCPA Compliance

Regional Privacy Laws

MyHeritage acknowledges jurisdiction-specific rights:

"Regional rights specified for GDPR (EU/EEA), LGPD (Brazil), POPIA (South Africa), and US state laws."
Source: MyHeritage Privacy Policy - "Regional Privacy" section

GDPR Data Protection Officer

MyHeritage has designated a DPO:

"Data Protection Officer available at dpo@myheritage.com"
Source: MyHeritage Privacy Policy - "GDPR Compliance" section

International Data Transfers

Data transfer mechanisms for international transfers:

"EU standard contractual clauses for international transfers"
Source: MyHeritage Privacy Policy - "International Transfers" section

Data Center Location

Where data is stored:

"Data centers in the United States"
Source: MyHeritage Privacy Policy - "Data Storage" section

Policy Change Notification

MyHeritage commits to notifying users of material changes:

"If anything material ever changes in this privacy policy, we will notify you by email."
Source: MyHeritage Privacy Policy - "Policy Updates" section

🔬 Research Program

Research Scope

Types of research MyHeritage conducts:

"to conduct research studies designed to further our understanding of genealogy, anthropology, cultures, human evolution and migration, human genetics, population genetics, epidemiology, population health issues, and regional health issues."

Scope Limitation

Research is limited to stated purposes:

"MyHeritage will not conduct research on topics unrelated to the Project, or use Personal Information for Research beyond what is described in this Informed Consent."

No Third-Party Sale for Research

Research data will not be sold to third parties:

"MyHeritage will never sell or license your genetic information, your health information, or any of your other personal information...to any third parties, including insurance companies, government agencies, other corporations, or employers."

Anonymization of Research Data

Research data is anonymized:

"Whenever Personal Information for Research from multiple individuals is aggregated, personal identifiers (such as names, birth dates and specific locations, etc.) from those participants will be removed."

No Individual Research Results

Research results are not communicated to individual participants:

"It is not anticipated that the Project will provide significant benefit to an individual participant, and Project results will not be communicated by MyHeritage to you."
