What happened to 23andMe's user data after bankruptcy, and what you should do about it
If you took a 23andMe test any time in the last fifteen years, your DNA data is part of one of the largest consumer genetic databases ever assembled. In 2024 and 2025, that database sat at the center of a slow-motion corporate crisis. The company filed for bankruptcy in March 2025. The court oversaw a sale process. And the disposition of fifteen million users' genetic records, including raw genotypes for hundreds of thousands of SNPs per person, became the central question of the proceedings.
The short version of what happened to 23andMe user data: the database was sold. The 23andMe bankruptcy data sold to the new owner under court approval, and where it ended up matters. What you, the user, can do about it matters more. The question of who owns your genetic data has never been more concrete than it is right now.
This post is intentionally neutral. We don't link to or speak ill of the specific acquirer. We focus on the facts that matter for what you should do next.
What actually happened
23andMe filed for Chapter 11 bankruptcy in March 2025. The bankruptcy court was tasked with maximizing recovery for creditors, which meant putting the company's most valuable asset, the genetic database, through a court-supervised sale process.
The sale closed. The new owner inherited the customer database, the genetic data, the right to operate the existing 23andMe service, and the obligations laid out in 23andMe's original privacy notice. Importantly, the legal floor on what the new owner can do is set by that original policy plus applicable laws (GINA in the US, GDPR for European customers, plus state-level genetic-privacy laws where they exist). This is the entire surface area of the question "is 23andMe data safe": whatever was permitted under the old policy is now permitted to the new owner.
What the new owner can do under the existing policy is broad. The policy permitted research uses, commercial partnerships, and de-identified data sharing with academic and pharmaceutical collaborators. Most users opted into research at sign-up without fully reading the consent. That opt-in passed through with the data.
What is harder under the existing policy: re-identifying individuals, selling identifiable records to data brokers, or using genetic data in employment or insurance decisions (the latter is independently illegal under GINA in the US).
What the realistic risks are
Genetic privacy debates often jump straight to worst-case scenarios that aren't actually plausible. The realistic concerns are different:
Insurance. US health insurance is barred by GINA from using genetic information for underwriting. Life insurance, disability insurance, and long-term care insurance are not covered by GINA. They can theoretically request and use genetic information. In practice, most insurers don't, but the legal lane is open.
Forensic identification. A handful of cold cases have been solved using consumer genetic databases (GEDmatch, originally; others since). The relevant DNA database for forensic identification is partial-match: even if you didn't submit your DNA, a distant relative who did may make you identifiable. This concern is real but doesn't get worse because of a corporate transaction.
Future re-identification. As genome science advances, what counts as "de-identified" gets weaker. Records that were unidentifiable in 2018 might be identifiable from twenty SNPs plus public records in 2030. This is the under-appreciated long-tail risk and it applies to any genetic database that retains data, not just 23andMe's.
Commercial use you didn't expect. This is the most likely actual outcome: the data gets used for pharma research partnerships, drug-target identification, advertising-targeting via inferred traits, or sold in de-identified aggregate form to research consortia. Whether you mind depends on what you opted into at signup.
What you can actually do
Three concrete things you can do right now, in order of urgency:
1. Download your raw data file. Whatever happens with the 23andMe corporate entity, the raw file you can download from your account is yours. Save it somewhere you control. 23andMe's customer-care site has the official 23andMe raw data download instructions, and we wrote a step-by-step guide to 23andMe's raw data export with annotated screenshots. Doing this takes ten minutes and is independent of whether you delete your account.
2. Decide whether to delete 23andMe data, opt out of 23andMe data sharing, or both. Under California's Consumer Privacy Act (CCPA), the EU's GDPR, and 23andMe's own privacy policy, you can request deletion of your account and associated data. 23andMe documents the procedure on their account deletion help page. The new owner is bound by the policy's deletion clause. Whether you delete depends on whether you opted into research (those records may be retained for research purposes you consented to, under most policies) and how much you value the platform continuing to work for you. If you want to keep your account but stop new sharing, the same settings page lets you withdraw research consent without nuking the account.
3. Move to a privacy-first genetic testing service for the raw file. This is what we built Expressive for. You upload your raw file (we accept the standard 23andMe txt or AncestryDNA tsv to interpret 23andMe raw data without a re-test), our system encrypts it with keys derived from a wallet signature (not a password we hold), processes it server-side only with encrypted reads, and never sells, shares, or has the technical capability to de-anonymize aggregated views. Your genome stays yours. That is the literal architecture, not the marketing slogan: data sovereignty enforced by the key model, not by a promise. Plenty of other services exist with different posture; we describe our model in detail in our technical privacy explainer. The point is: you have control of the file now. Use it.
The bigger lesson
The 23andMe bankruptcy isn't an isolated incident. Any centralized genetic database is a single point of failure, for security, for corporate continuity, and for legal scope creep. Companies get bought. Privacy policies change. Bankruptcy courts have broad authority. Encryption keys held by a vendor can be subpoenaed.
The right design for consumer genomics is to put control of the data, and the keys, in the hands of the person whose body it describes. That's not where the industry was built. It's where the industry is moving.
Expressive is being built that way from the start: genetic data you actually own, not licensed back to you by a vendor that can be acquired tomorrow. Our technical write-up on how we handle DNA walks through the actual cryptography. Short version: the keys live with the user, not with us. We process the file server-side because we have to, but the reads are over encrypted blocks the user controls.
You can start there. Or you can take your raw file somewhere else. The point is: take it somewhere. The era of "trust the corporation to never sell" is over, and the question of 23andMe data after bankruptcy is the cleanest example anyone is going to get.
Want updates when we ship new variant pages or a research deep-dive? Read the latest issue or get notified about early access.