Is Your DNA Data Safe? A Privacy Comparison of Every Major Genome Testing Provider

Your genome is the most permanent, personally identifiable data that exists. You can change your password. You can't change your DNA. Here's how each provider handles it.

In late 2023, 23andMe disclosed a data breach that exposed the personal information and genetic ancestry results of roughly 6.9 million users — about half their entire customer base. Hackers used a credential-stuffing technique to access accounts, then exploited the company's DNA Relatives feature to scrape connected profiles at scale.

The incident crystallized something that privacy advocates had been warning about for years: genetic data is fundamentally different from other personal data. A leaked credit card number can be replaced. A leaked password can be changed. A leaked genome cannot be un-leaked. Your DNA is permanent, shared with relatives who didn't consent to its exposure, and increasingly valuable to insurers, employers, law enforcement, and pharmaceutical companies.

If you're considering genome testing in 2026, privacy isn't a footnote. It's the first thing you should evaluate.

What to Look for in a DNA Privacy Policy

Not all privacy policies are created equal, and the genetics industry has a particular talent for burying concerning practices in consumer-friendly language. Here are the six questions that actually matter:

Provider-by-Provider Privacy Comparison

Dante Labs Better

Dante Labs states it does not sell individual genetic data. Aggregated, anonymized data may be shared with research partners if you opt in — the key word being opt-in rather than opt-out. The company is HIPAA and GDPR compliant and allows data deletion on request. Full raw data (FASTQ/BAM/VCF) can be downloaded at any time, giving you a local copy independent of their platform. Following the April 2026 acquisition by Bio Cell Tech FZCO (UAE), the privacy policy at the time of writing remains unchanged — but worth monitoring, as corporate acquisitions can trigger policy updates.

Key concern: The acquisition introduces jurisdictional complexity. UAE data protection laws differ from GDPR and HIPAA frameworks. Watch for policy changes.

23andMe Concerning

23andMe's privacy record is the most scrutinized in the industry, and not favorably. The 2023 data breach affected 6.9 million users. The company's business model has increasingly centered on monetizing aggregated genetic data through pharmaceutical research partnerships — their deal with GlaxoSmithKline to use customer data for drug target discovery was a $300 million agreement. While 23andMe says research participation is opt-in, the interface design has been criticized for making it easy to consent without fully understanding what you're agreeing to.

During 23andMe's financial restructuring, privacy advocates raised serious concerns about whether customer DNA data could be treated as a corporate asset in a sale or bankruptcy — a scenario that would potentially transfer genetic data to an acquiring company with different privacy commitments. The legal protections against this are ambiguous in most jurisdictions.

Key concern: Financial instability creates data-as-asset risk. The $300M GSK data deal demonstrated the company views genetic data as a revenue stream.

AncestryDNA Mixed

Ancestry's privacy policy is long and layered. They state they don't sell personal information and allow data deletion. However, Ancestry was acquired by Blackstone Group in 2020 for $4.7 billion — and private equity firms are fundamentally motivated by return on investment, which raises structural questions about long-term data handling incentives. Ancestry uses both opt-in and opt-out mechanisms for different research programs, which can be confusing. They offer the option to destroy your physical DNA sample after testing.

Key concern: Private equity ownership creates long-term incentive questions about data monetization.

Sequencing.com Better

Sequencing.com's privacy policy is branded "Privacy First" and explicitly states they will never sell or monetize customer data. Users can delete their account and data at any time. However, Sequencing.com operates as a marketplace with third-party analysis apps — and when you use those apps, your genetic data is processed by those third parties under their own privacy policies. This creates a privacy surface area that's hard to fully assess.

Key concern: Third-party app marketplace means your data may be handled by multiple entities with varying privacy standards.

SelfDecode Mixed

SelfDecode is primarily an analysis platform — you upload existing data rather than providing a DNA sample. This means they handle your genetic data file but don't retain a biological sample. Their privacy policy states they don't sell data and use it only for providing their services. As with any platform that stores genetic data in the cloud, the practical question is whether their security infrastructure matches the sensitivity of the data they hold.

Key concern: Cloud-based storage of genetic data always carries inherent breach risk.

The Bankruptcy Problem

This is the privacy question that keeps genomics privacy advocates up at night, and it doesn't have a clear legal answer in most jurisdictions.

When a company goes bankrupt, its assets are typically sold to satisfy creditors. Customer databases are routinely treated as corporate assets in these sales. With traditional customer data — email addresses, purchase history — this is concerning but manageable. With genetic data, the stakes are categorically different.

If a DNA testing company enters bankruptcy, your genome could theoretically be transferred to an acquiring entity with no obligation to honor the original privacy commitments you agreed to. Some states have begun addressing this through genetic privacy legislation, but the legal framework is incomplete and untested.

The practical takeaway: don't rely solely on a company's privacy policy to protect your genetic data. Download your raw data files locally, then request deletion from the provider's platform. This gives you a local copy you control while minimizing the data exposure surface if the company changes hands.

Legal Protections You Should Know About

GINA (US). The Genetic Information Nondiscrimination Act prohibits health insurers and employers from using genetic information to make coverage or employment decisions. However, GINA does not cover life insurance, disability insurance, or long-term care insurance — a significant gap that means your genome data could theoretically be used against you in those contexts.

GDPR (EU). The General Data Protection Regulation classifies genetic data as a "special category" requiring explicit consent for processing. It provides rights to access, correction, deletion, and data portability. Companies processing EU residents' data must comply regardless of where they're headquartered — though enforcement against non-EU companies has been inconsistent.

State laws (US). Illinois, California, and several other states have passed genetic privacy laws that go beyond GINA, with varying levels of protection and enforcement mechanisms. The patchwork of state-level regulation makes the US landscape complicated.

France. Worth noting for international readers: under Article 226-28-1 of the French Penal Code, submitting a DNA sample for recreational genetic testing is technically illegal, with a potential fine of €3,750. French citizens using services like Dante Labs via foreign addresses should be aware of this.

Our Recommendations

Download your raw data immediately. Whatever provider you use, download your complete raw data files (FASTQ/BAM/VCF for WGS, or the SNP export for genotyping) as soon as they're available. Store them on a local drive you control. Don't depend on indefinite cloud access.

Read the research consent carefully. If a provider asks you to opt into research, understand what that means: your genetic data, even if aggregated and anonymized, will be shared with third parties including pharmaceutical companies. Decide whether you're comfortable with that before clicking "agree."

Favor providers with genuine deletion options. Look for companies that allow you to delete both your digital data and your physical DNA sample. Some providers only delete account data while retaining the biological sample or de-identified genetic data.

Prioritize raw data access. Providers that give you complete, downloadable raw data in standard formats (FASTQ/BAM/VCF) are giving you independence from their platform. If they shut down, get acquired, or change their policies, your data lives on your hard drive.

Full Raw Data Ownership from Day One

Dante Labs includes complete FASTQ, BAM, and VCF downloads — your genome on your drive, not just their cloud.

Get 10% Off with Code GENOME → HIPAA + GDPR compliant · Full data deletion on request