What Happens to Your Data If a Company Goes Bankrupt?

23andMe's bankruptcy put 15 million users' genetic data up for sale. Here's what that means for your photos, files, and accounts on any platform.

In March 2025, 23andMe filed for bankruptcy. Within days, the conversation among its roughly 15 million customers shifted from “what does this company know about me” to “who is going to own what this company knows about me.” The answer, it turned out, was: whoever bought the company’s assets — and customer data was one of those assets.

This wasn’t a data breach in the traditional sense. No hacker was involved in the bankruptcy itself. It was a contractual mechanism, sitting in plain text in a privacy policy that users had agreed to years earlier, that made an entire database of genetic profiles — among the most sensitive personal data that exists — into something that could be sold to satisfy creditors.

The 23andMe case is specific to genetic data, but the underlying mechanism applies to almost every digital service you use. It’s worth understanding, because it changes how you should think about where you store anything you’d consider irreplaceable.


The Clause Hiding in Almost Every Privacy Policy

Most privacy policies contain a section, often near the bottom, that addresses what happens to user data in the event of a “business transition” — a merger, acquisition, sale of assets, or bankruptcy. The standard language is something like: “If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.”

This clause exists in the privacy policies of companies across every industry — cloud storage, social media, fitness trackers, genetic testing, dating apps, photo storage. It’s treated as boilerplate. Almost no one reads it, and almost everyone has agreed to it, repeatedly, across dozens of services.

What 23andMe demonstrated is that this clause is not boilerplate. It’s an operative legal mechanism that determines what happens to your most personal data when a company’s business fails — and “your most personal data” can mean your genetic code, your photos, your private messages, your health records, or your financial documents, depending on which service you’re talking about.


What Actually Happened to 23andMe’s Data

23andMe’s privacy notice stated, in effect, that customer data could be accessed, sold, or transferred in the event of bankruptcy or a similar transaction. When the company filed for bankruptcy following a major 2023 data breach (which had already compromised data on 6.9 million users) and declining sales, that clause became directly relevant to 15 million people’s genetic profiles.

A court-appointed Consumer Privacy Ombudsman was brought in to evaluate the sale — a process required in bankruptcy cases involving personal information. The ombudsman’s conclusion was notable: it found it “highly unlikely that a typical 23andMe customer acting reasonably knew or understood what they were agreeing to” regarding the sale of their data in a bankruptcy scenario, and recommended the company obtain separate, affirmative consent before any sale proceeded.

A bipartisan coalition of 28 state attorneys general argued that biometric and genetic data shouldn’t be transferable this way at all. Roughly 1.9 million users responded by deleting their data from the platform once the bankruptcy became public — a number that gives some sense of how differently people feel about this once the abstract clause becomes a concrete event.

The eventual buyer was TTAM Research Institute, a nonprofit founded by 23andMe’s own co-founder, after an earlier bid from a pharmaceutical company was withdrawn amid the controversy.


This Isn’t Just About Genetic Data

It’s tempting to read the 23andMe story as a genetics-specific cautionary tale — and genetic data does carry unique risks, since it’s permanent, identifies your relatives as well as you, and can’t be changed if compromised. But the legal mechanism that put 23andMe’s data on the auction block exists, in nearly identical form, in the terms of service for:

  • Cloud photo storage services holding decades of your family photos
  • Journaling and note-taking apps containing years of private writing
  • Fitness and health apps with your medical history and biometric data
  • Email providers holding your entire correspondence history
  • Document storage services with your financial and legal records

Any of these companies could, in principle, go bankrupt. Many startups in these categories operate on venture funding with uncertain paths to profitability — which means the “business transition” clause in their privacy policy is not a remote hypothetical. It’s a live possibility that depends on the company’s financial health, something users have no visibility into and no control over.


Bankruptcy Court vs. The Privacy Promises You Were Made

Here’s the part that surprises most people: promises a company makes about your privacy — “we’ll never sell your data,” “your photos are private,” “we respect your data” — are commercial commitments, not absolute legal protections. In a bankruptcy proceeding, a company’s assets are evaluated and potentially liquidated to pay creditors, and a large database of user information is, from a bankruptcy court’s perspective, an asset like any other.

Privacy commitments made during normal operation don’t automatically bind whoever acquires those assets afterward. The acquiring company may have entirely different policies, may be in a different jurisdiction, or may have different incentives. The Consumer Privacy Ombudsman process exists specifically because bankruptcy courts recognized this gap — but ombudsman recommendations are advisory, not guaranteed outcomes, and the process only triggers in certain bankruptcy filings.

The uncomfortable conclusion is this: the privacy policy you agreed to describes how a company treats your data while it’s a going concern. It says much less about what happens to that data if the company stops being one.


What Regulators Can — and Can’t — Do

GDPR (in the EU) and various US state laws including CCPA give individuals rights over their personal data: the right to access it, correct it, and request deletion. These rights generally survive a change of corporate ownership — the data, and the obligations attached to it, transfer along with the business.

But there are limits. Regulatory frameworks were largely designed around ongoing business operations, not insolvency proceedings, and the interaction between privacy law and bankruptcy law is still being worked out in real time — the 23andMe case is one of the first major instances forcing courts to reconcile the two. For genetic data specifically, federal protections like HIPAA and GINA don’t apply to a direct-to-consumer company like 23andMe at all; only a patchwork of about a dozen state laws addresses it.

The practical takeaway: regulators provide a backstop, but a backstop that activates after the fact — after a sale has been proposed, after public pressure has built, after an ombudsman has been appointed. None of that helps if you’d rather your data simply never be in that position.


Questions Worth Asking Before You Trust a Service With Anything Permanent

Before storing something you’d genuinely mind losing control of — family photos spanning decades, financial records, health information, your entire personal archive — a few questions are worth asking about any provider:

What does the privacy policy say about mergers, acquisitions, and bankruptcy? This section exists in almost every policy. Read it once for the services holding your most important data.

What’s the company’s business model? A company funded by subscription revenue from users has a more stable, less data-dependent business than one funded by venture capital chasing growth metrics, or one whose core asset (in an acquisition scenario) would be its user data.

Can you export everything, easily, at any time? A service that makes full export simple gives you a practical way to maintain an independent copy, regardless of what happens to the company. A service that makes export difficult is, whether intentionally or not, increasing your dependency.

What does “delete” actually mean, and on what timeline? If you delete your account today, is your data gone immediately, or retained for some period “for backup purposes” — a period during which a bankruptcy filing could still occur?


What “Permanent Deletion” Should Mean

The 23andMe situation is also a useful lens for evaluating deletion policies generally. A deletion policy is only meaningful if it operates faster than the timelines on which a company’s circumstances can change. A company that retains “deleted” data for months, with vague language about backup systems, is holding onto an asset that remains part of its estate in any future bankruptcy — even for users who believed they’d already left.

A clear, bounded deletion window — disclosed upfront, genuinely enforced — is what makes a “delete my account” decision actually mean something, including in scenarios the user never anticipated when they made it.


How daftei Approaches This

daftei’s account deletion process includes a 30-day grace window, after which deletion is permanent and irreversible. This window exists for the ordinary case — giving you time to change your mind if you delete by mistake — but it also defines, clearly and in advance, the outside boundary of how long your data exists after you’ve asked for it to be gone.

daftei is funded by subscription revenue — $5.99/month, $44.99/year, or a one-time $89.99 lifetime option (₹249/month or ₹1,799/year in India) — not by data monetization, advertising, or a venture-growth model that depends on accumulating user data as a strategic asset. daftei is GDPR and CCPA compliant, never sells user data, and never trains third-party AI models on user content.

No privacy policy, including daftei’s, can promise that a company will never face financial difficulty. What a policy can do is be honest about what happens to your data if it does — and structure the business so that user data isn’t the asset the company is counting on if things go wrong.


The Habit Worth Building

The single most useful habit to take from the 23andMe case isn’t about any particular company — it’s about portability. Keep your own copies of anything irreplaceable. Use services that make export easy and don’t punish you for using it. Read the “what happens if we’re acquired or go bankrupt” section of the privacy policy for any service holding something you couldn’t recreate.

None of this requires distrust of any specific company. It requires recognizing that a privacy policy describes a relationship that both parties expect to continue — and building in your own protection for the scenario where it doesn’t.

Start storing your memories somewhere built around that principle.
