⚠ Why DNA Privacy Matters More Than Other Data
Your DNA is uniquely risky: unlike passwords or credit cards, genetic data cannot be changed if exposed. It reveals information about your biological relatives who never consented. And despite legal protections like GINA, genetic information could theoretically affect insurance (life, disability, and long-term care insurance are NOT covered by GINA) and employment. This review documents exactly what MyHeritage can and cannot do with your most sensitive data.
🌎 International Company Notice
MyHeritage describes itself as an Israel-headquartered company, and the policy and DNA pages state that DNA testing is processed at the Gene by Gene laboratory in Texas, USA, with US-based data centers. Per the policy, data transfers between jurisdictions are handled under standard contractual clauses for GDPR purposes. Because the corporate structure spans more than one country, a cross-border access or deletion request can be more complex.
⚠ Past Security Incident (Disclosed by MyHeritage)
MyHeritage's own published cybersecurity statement disclosed an incident affecting user email addresses and hashed passwords. The figure it reported:
92,283,889 users, per MyHeritage's statement
According to that same statement, the file was found on a private server outside of MyHeritage. The company stated that "Credit card information is not stored on MyHeritage" and that "family trees and DNA data are stored on segregated systems, separate from those that store the email addresses." The figure and these descriptions are quoted from MyHeritage's own statement, linked below.
📊 Data Collection Scope
Genetic Information (DNA Data)
MyHeritage collects genetic data from DNA tests or uploaded results:
Biometric Data (Facial Recognition)
MyHeritage collects biometric information from photos through their Photo Tagger feature:
Health Data
MyHeritage collects self-reported family health history:
Family Tree and Genealogical Data
MyHeritage collects names, emails, family tree data, photos, and contact details:
Web Behavior and Tracking
MyHeritage collects usage data through automated means:
👥 Third-Party Sharing
No Sale or License of Personal Data (Strong Commitment)
MyHeritage makes an explicit and emphatic commitment not to sell personal data:
No Sale of Genetic or Health Data
Additional specific commitment regarding genetic data:
Service Providers
Per the policy, MyHeritage shares data with specific third-party service providers it identifies:
DNA Matching Feature
DNA data may be shared with genetic matches if the feature is enabled:
Research (Requires Explicit Consent)
Research use of data requires explicit user consent:
Insurance Companies (Explicitly Excluded)
MyHeritage explicitly states they will never provide data to insurance companies:
Law Enforcement Access
MyHeritage has explicit policies regarding law enforcement:
Law Enforcement - Court Orders
Information will only be provided under legal compulsion:
Business Transactions
Data transfer in case of company sale:
🔑 Data Ownership Statement
MyHeritage explicitly recognizes user ownership of DNA data:
Additionally:
🕐 Data Retention
General Retention Policy
MyHeritage retains personal information as necessary for services:
DNA Sample Retention - Up to 10 Years
Physical DNA samples may be stored for an extended period:
DNA Sample Storage Location
DNA samples are stored at the Texas laboratory:
Facial Recognition Model Retention
Biometric data has an automatic deletion policy:
Post-Deletion
Account deletion effects:
☑ User Control and Consent
Data Deletion Rights
Users can delete their data at any time:
DNA Sample Destruction
Users can request destruction of their biological sample:
DNA Matching Control
Users can control the DNA matching feature:
Research Consent Withdrawal
Users can withdraw research consent, but with limitations:
User Rights (GDPR, CCPA, etc.)
MyHeritage acknowledges various regional rights:
🔒 Security Measures
Security Implementation
MyHeritage describes their security approach:
Penetration Testing
Regular security assessments:
Access Controls
Limited personnel access:
Encryption
DNA data protection:
Laboratory Certifications
DNA testing laboratory credentials:
Security Disclaimer
MyHeritage acknowledges limitations:
🌎 GDPR/CCPA Compliance
Regional Privacy Laws
MyHeritage acknowledges jurisdiction-specific rights:
GDPR Data Protection Officer
MyHeritage has designated a DPO:
International Data Transfers
Data transfer mechanisms for international transfers:
Data Center Location
Where data is stored:
Policy Change Notification
MyHeritage commits to notifying users of material changes:
🔬 Research Program
Research Scope
Types of research MyHeritage conducts:
Scope Limitation
Research is limited to stated purposes:
No Third-Party Sale for Research
Research data will not be sold to third parties:
Anonymization of Research Data
Research data is anonymized:
No Individual Research Results
Research results are not communicated to individual participants:
⚖ MyHeritage vs AncestryDNA vs 23andMe: Police Access and Privacy
The biggest practical difference between the major DNA services is how reachable your data is by police and how your sample is handled. This is a plain-language summary of each company's stated policies, not legal advice, and policies change, so confirm the current terms before you rely on them.
| What matters | MyHeritage | AncestryDNA | 23andMe |
|---|---|---|---|
| Law-enforcement use of the database | Per its terms, prohibited; data only on valid court order or subpoena | Per its published terms, responds only to valid legal process | Per its published terms, responds only to valid legal process |
| Open to police "genetic genealogy" uploads | No, per the terms barring law-enforcement use of the DNA services | Check the current published terms | Check the current published terms |
| Sells or licenses genetic data | Never, per an explicit, capitalized commitment in the policy | Read the policy's no-sale / sharing section | Read the policy's research-consent and do-not-sell sections |
| Physical sample handling | Per the policy, up to 10 years at a US lab unless you request destruction | Review the storage and destruction options in account settings | Review the option to store or discard the sample |
| Public breach disclosure | MyHeritage has publicly disclosed a past credentials incident (DNA reported segregated) | Check the company's own security and breach-notice disclosures | Check the company's own security and breach-notice disclosures |
| Headquarters / jurisdiction | Israel-headquartered, with US-based data centers and a Texas lab | US-based per its own materials | US-based per its own materials |
★ marks the more privacy-protective option on that row. No DNA service is risk-free; the right choice depends on what you are most worried about.
🎯 Highest-Stakes Points at a Glance
Color-coded so you can see what is genuinely dangerous, what to watch, and what is actually reassuring.
⚠ DNA can never be re-secured
Unlike a password or card number, exposed genetic data cannot be changed. Treat the decision to test, and to store the sample, as effectively permanent.
⚠ Two-step deletion or it is not deleted
Deleting your account leaves your physical sample in a Texas lab for years. You must separately request sample destruction, in writing, to be truly out.
⚡ Relatives never consented
Your results expose biological family. Matching can reveal unknown relatives. Disable DNA Matching if that concerns you or your family.
⚡ Research cannot be un-done
Research needs your opt-in, but studies already completed or published before you withdraw cannot be reversed. Decide before you consent.
🌎 Two jurisdictions touch your data
MyHeritage is Israel-headquartered, with US data centers and a Texas lab. Cross-border transfers add complexity for any access or deletion request.
✅ No sales, police use prohibited
MyHeritage will not sell genetic data and prohibits law-enforcement use of its DNA services, releasing data only under a valid court order or subpoena.
❓ MyHeritage Privacy FAQ
If I delete my account, is my DNA really gone?
Can the police get my DNA from MyHeritage?
Does MyHeritage sell my genetic data?
What about my relatives who never agreed to a DNA test?
DNA › DNA Settings. One person's testing choices affect the whole biological line.
Analysis
⚖ My take
If you read the privacy policy in isolation, MyHeritage actually looks good: per its terms, no data sales, law-enforcement use prohibited, you own your DNA data, and a real two-factor option. In my framework's view, the 35/100 score is driven almost entirely by two things: MyHeritage's own disclosed past breach and the policy's up-to-10-year physical-sample retention, not by the company quietly monetizing your genome.
So my practical advice splits in two. If you mostly care about police access and selling, MyHeritage is, on paper, one of the more restrictive major services. If you care about the permanence of a saliva sample sitting in a Texas freezer and about relatives who never consented, then test deliberately, disable DNA Matching, and if you ever want out, do both deletion steps and keep the written confirmations. The non-consent issue is the one I would weigh most heavily, because it affects people who never agreed to anything.
This page is attorney-supervised general information about a published privacy policy. It is not legal advice and does not create an attorney-client relationship. If you want a deletion or access demand drafted, or you think a breach harmed you, that is a fact-specific question I would need to look at directly.