Ancestry states it retains personal information for the duration necessary to provide services and meet legal obligations, and may continue retaining certain data after account closure for legal compliance and business purposes.
This analysis describes what Ancestry's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision establishes that account closure does not result in immediate or complete deletion of personal data. The retention of data post-closure for undefined 'legitimate business purposes' introduces ambiguity regarding the specific categories of data retained, the duration of retention, and the uses to which retained data may be put.
Interpretive note: The specific categories of data retained post-closure and the duration of such retention are not precisely defined in the reviewed document text, creating ambiguity about the operational scope of this provision.
The updated Privacy Statement clarifies what uses of Ancestry services are permitted and prohibited, establishes that photo face-grouping in your gallery requires your express consent, and introduces SMS messaging as a communication channel for future opt-in communications. The statement now covers Ancestry, AncestryDNA, and Related Brands under a unified framework while noting that other services operated by the company use separate privacy statements. The removal of 'uploaded DNA data' from the account creation section reflects a narrowing of that specific provision's scope, though genetic information processing remains described elsewhere in the policy. You can review the full updated statement to understand how your personal information will be processed and manage your communication preferences when SMS opt-ins become available.
California residents lose direct navigation to the CCPA-mandated 'Do Not Sell or Share My Personal Information' disclosure page from Ancestry's privacy footer. While California law requires the company to honor data sale opt-out requests, removing the link reduces visibility and accessibility of this right. California residents can locate this right by searching Ancestry's website or contacting the company directly, but the removal creates an additional barrier to exercising a legally protected option.
New provision with vague 'legitimate business purposes' language allows indefinite retention post-deletion, weakening user control over personal data.
This clause states that submitting a request to close an Ancestry account does not necessarily result in deletion of all associated personal data, as the agreement reserves the right to retain information for legal compliance and business purposes for an unspecified duration. Users seeking deletion of specific data categories should submit a separate data deletion request through Ancestry's privacy contact mechanisms.
How other platforms handle this
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
Monitoring
Ancestry has changed this document before.
"We retain your personal information for as long as necessary to provide our Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Even after you close your account, we may retain certain information as required by law or for our legitimate business purposes."
Excerpt from the Ancestry Privacy Statement
REGULATORY LANDSCAPE: Post-closure data retention practices engage GDPR's storage limitation principle, which requires that personal data not be retained longer than necessary for the original processing purpose. CPRA similarly requires that retention periods be disclosed and justified. The FTC may examine retention practices under its unfair or deceptive practices authority if retained data is used inconsistently with disclosed purposes.
GOVERNANCE EXPOSURE: Medium. The phrase 'legitimate business purposes' is not defined in the excerpt reviewed, creating potential tension with GDPR's requirement for specific, documented retention periods and lawful bases. Compliance teams should verify that retention schedules are documented and that post-closure retention does not extend to genetic or health data beyond legally required periods.
JURISDICTION FLAGS: GDPR requires that data subjects be informed of specific retention periods or the criteria used to determine them; vague 'legitimate business purposes' language may not satisfy this requirement for EU users. California's CPRA requires disclosure of retention periods for each category of personal information collected.
CONTRACT AND VENDOR IMPLICATIONS: Vendors processing Ancestry user data should have contractual obligations that mirror Ancestry's retention and deletion commitments, including obligations to delete data upon account closure or upon receipt of a deletion instruction from Ancestry, subject to applicable legal hold requirements.
COMPLIANCE CONSIDERATIONS: Compliance teams should document specific retention periods for each data category, including genetic data, family tree content, payment records, and device identifiers, and ensure that deletion workflows triggered by account closure or data subject requests are technically implemented and auditable. Retention of genetic data post-closure requires particular scrutiny given the sensitivity of the data category.
ConductAtlas has identified this type of provision across 5 platforms.
ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Ancestry.