US STATE PRIVACY NOTICE

Last Updated: March 29, 2023

This US State Privacy Notice (this "Notice") supplements the information contained in the Privacy Policy of MyHeritage ("MyHeritage", the "Company", "we", "us", or "our"). We adopt this Notice to comply with the California Consumer Privacy Act of 2018 ("CCPA"), Nevada’s internet privacy law (NRS 603A.300 et seq.), and the Virginia Consumer Data Privacy Act ("VCDPA"). Any terms defined in those laws have the same meaning when used in this Notice.

This Notice describes our practices regarding the collection, use, disclosure, and sale of personal information when you use our Website and when you engage with us offline. It addresses legal obligations and rights that apply to "personal information" or "personal data," which is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular resident or household.

Capitalized terms used but not defined in this Notice or our Privacy Policy will have the meaning ascribed to them in our Terms and Conditions.

By accessing the Website, you agree to our collection and use of personal information as described in this Notice. If you do not agree to this Notice, do not use the Website or the Service and delete your account.

The Categories and Sources of Personal Information We Collect

In the 12 months preceding the date of this Notice, we have collected personal information, and will continue to collect personal information, in the following circumstances:

In the 12 months preceding the date of this Notice, we have collected the following categories of personal information, and will continue to collect such information:

1) Personal identifiers, such as names, postal and email address, phone number, account id, IP address, names of relatives and their relationships to the account owner, birth dates, marriage date and similar information you may provide us.

2) Credit card or payment card information, such as credit card numbers and information required to facilitate payments through our payment service providers.

3) Protected class information, should you voluntarily share such with us, such as: gender, marital status, ancestry, national origin information and, if you use the DNA Services, also genetic and genetic-health information, ethnic origin information and self-reported health history information.

4) Commercial information, such as records of MyHeritage products or services obtained, purchased, or considered.

5) Internet or other electronic network activity information, such as web log information, "clickstream" data (for example, the type of computer and browser you use, the address of the web site from which you linked to the Website), page views.

6) Professional information we collect from vendors or other businesses, such as the name of your employer or entity that you represent, your job title, names of your supervisors or those who you supervise, and other information you voluntarily provide to us regarding your professional life.

7) Audio, electronic, and visual information, such as information provided telephonically to our customer service representatives; identifying information included in comments provided by users in emails sent to us, messages or comments on our blogs, social media accounts; audio recordings you add to a photo or a profile in your family tree; photographic images.

In certain states, including Virginia and Nevada, we offer our Photo Tagger feature which identifies faces in your photos and creates facial recognition models (i.e., biometric information) of you and your deceased relatives, in order to help you tag people in your photos quickly and easily. It clusters faces of the same person appearing in multiple photos and allows you to tag them in all photos in one go. In the United States, we do not offer Photo Tagger in California, Illinois, Texas, and Washington and do not, therefore, collect biometric information in those states.

The Purposes for Which We Collect Personal Information

We use personal information for the following purposes:

1) To provide the Service to You: This includes, without limitation, displaying your family tree; re-running family history searches made to find more records for you; features that allow your photographs to be animated, colorized, restored, enhanced, converted into an AI model to create time travel or avatar images, or, if you choose to use our Photo Tagger feature, to identify faces in your photos; processing your subscription; and providing you with customer support. We also use your personal information to serve you features such as Smart Matches™ and Record Matches for your family tree, or to enable you and other members of the MyHeritage community to contact each other.

If you are using our DNA Services: We will process and store your DNA samples, conduct genetic analysis, and provide you with the DNA Results and DNA Reports. If DNA Matching is enabled, we will compare your DNA data to other users to serve you DNA Matches. If you are interested in the DNA Health Reports, the Health Questionnaire Information will allow us to determine your eligibility to receive them. For U.S. customers, the DNA Health Reports are provided pursuant to a physician’s order. We may add new DNA Health Reports for you as they become available.

2) To communicate with you: We may communicate with you for the purpose of informing you of updates or additions to the Service, to seek feedback from you about the Service, or to conduct business with the entity you represent in your professional capacity. Our communications with you will be conducted primarily via email, but may also be made via telephone, direct mail, or another method of communication in some circumstances. If you do not want to continue to receive emails from us, you may opt out at any time by using the unsubscribe link listed in the email or by setting your Email Preferences. If you wish to opt out of other methods of communication, contact us at privacy@myheritage.com.

3) To market our services: By signing up to the Service, you agree that we may use your contact information, as well as information about your use of the Service, to offer you complementary MyHeritage products or services.

The aggregated information gathered from you and other users through the Surveys may be used in our marketing.

4) For internal business purposes: In order to improve the Service and to develop new products and services, we may use your personal information for internal data analysis, for studying how the Website is used, to help us diagnose problems and secure the Service, identifying usage trends and determining the effectiveness of promotional campaigns. For example, we may examine how much time you spend on each page of the Website and how you navigate through the Website.

We use your IP address or equivalent to deliver the Website and our Service to you and to help diagnose problems with our servers. Your IP address is also used to gather broad demographic information such as geographic distribution of our members. When you use the Service for the first time, we use your IP address to suggest the Service to you in the language deemed most appropriate for the geographical region from which it originates.

5) To perform research: If you voluntarily agreed to the DNA Informed Consent, we may use your information (such as Survey Research information, DNA Results, and other DNA information) for the purposes of research as specified in the Informed Consent. Your Informed Consent may be revoked at any time through the Website. Your identity and the identity of your family members will never be disclosed by us in any publication of any research results.

Disclosure of Personal Information for Business Purposes in the Past 12 Months

The following chart describes the categories of personal information that we disclosed to third parties for a business purpose in the 12 months prior to the date of this Notice:

Category of personal information: Personal identifiers such as name, email address, home or billing address, telephone numbers, customer number, account password, and IP address or other unique identifier you may provide us with.
Third parties with which we shared this information for a business purpose: Service providers that process payments, verify customer information, manage customer information and provide customer service (including through our call center), ship DNA kits, facilitate email communications, provide security services and cloud-based data storage, host our Website and assist with other IT-related functions, advertise and market our Services, provide analytics services.

Category of personal information: Credit card or payment card information, such as credit card numbers and information required to facilitate payments.
Third parties with which we shared this information for a business purpose: Service providers that process payments.

Category of personal information: Protected class information, should you share such with us, for example: gender, marital status, ancestry, national origin information, and, if you use the DNA Services, also genetic and genetic-health information, ethnic origin information and self-reported health history information.
Third parties with which we shared this information for a business purpose:
Non-genetic/health information: if Smart Matches™ are enabled, other users of MyHeritage and users of MyHeritage’s Genealogy Partners.
With respect to DNA services:
- The DNA sample is shipped by you to our DNA lab;
- If you purchased our DNA Health Upgrade, information is shared with PWNHealth, LLC, an independent network of fully licensed, board-certified physicians and genetic counselors;
- DNA Matches: if your DNA Matches are enabled, other users who are potential relatives, based on DNA.

Category of personal information: Internet or other electronic network activity information, such as web log information, "clickstream" data (for example, the type of computer and browser you use, the address of the website from which you linked to the Website), page views.
Third parties with which we shared this information for a business purpose: Service providers that assist us in marketing to those who visit our Website.

Category of personal information: Professional information we collect from vendors or other businesses, such as the name of your employer or entity that you represent, your job title, names of your supervisors or those who you supervise, and other information you voluntarily provide to us regarding your professional life.
Third parties with which we shared this information for a business purpose: Service providers that manage vendor information, contract management, and payment processing.

Category of personal information: Audio, electronic, and visual information, including information provided telephonically to our customer service representatives; identifying information included in comments provided by users in emails sent to us, messages or comments on our blogs, social media accounts, or our message boards; photographic images.
Third parties with which we shared this information for a business purpose: Service providers that manage customer information and provide customer service (including through our call center or emails), provide cloud-based data storage services, and with regards to the information you published on our social media accounts, with the social media platform.

Additionally, we may share your Personal Information with a third party in the following situations:

1) In an acquisition of MyHeritage: in the event that MyHeritage, or substantially all of its assets or stock are acquired, personal information will as a matter of course be one of the transferred assets. In such event, your information would remain subject to the promises made in the pre-existing Privacy Policy prior to the event. Note that this situation is not unique to MyHeritage and applies to most companies.

2) In legal or privacy circumstances: if required of us by law or during legal proceedings, or to prevent fraud and cybercrime. We will not provide information to law enforcement unless required by a valid court order or subpoena for genetic information.

Children’s Personal Information
Our Services are not directed to minors under the age of 13.

Additional Information
For additional information about our privacy practices, how to manage your privacy, delete information about yourself or your family, security measures, etc., see our general Privacy Policy.

Changes to This Notice
We may update this Notice from time to time, and when we do so, we will update the date. If the changes are material, we will notify you by email or on our Website.

Use of the Website or the Service following any changes constitutes your acceptance of the revised Notice then in effect.

State Data Privacy Rights
Laws in certain US states give residents of those states specific rights with respect to the personal information collected about them. See below for more information.

CALIFORNIA

Your Right to Request Disclosure of Information We Collect and Share About You

If you are a California resident, the California Consumer Privacy Act (“CCPA”) grants you the right to request certain information about our practices with respect to your personal information. In particular, you have the right to request that we disclose any or all of the following information to you about our processing of your personal information during the 12-month period prior to our receipt of your request:

We Do Not Sell Your Personal Information

As defined in the CCPA, we have not sold the personal information of California residents in the 12 months prior to the date of this Privacy Notice, and we do not and will not sell California residents’ personal information to third parties.

Your Right To Request The Deletion Of Personal Information We Have Collected From You

Upon your request, we will delete the personal information we have collected from you, except for situations when that information is necessary for us to: provide you with a product or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; comply with or exercise rights provided by the law; or use the information internally in ways that are compatible with the context in which you provided the information to us, or that are reasonably aligned with your expectations based on your relationship with us.

Children’s Personal Information

We do not sell the personal information of minors under 16.

Other California Privacy Rights

California residents are entitled to ask us for a notice describing what categories of personal customer information we share with third parties or corporate affiliates for those third parties or corporate affiliates’ direct marketing purposes. We do not share your personal information with third parties or corporate affiliates for their direct marketing purposes.

How We Respond to Do Not Track Signals

We make use of browser cookies and similar automated means of data collection technologies to enhance your experience of using the Website, and for our own marketing purposes.

Although we do our best to honor your privacy preferences, we do not currently respond to Do-Not-Track signals from your browser because a uniform technological standard has not yet been developed.

We do not sell personal information, so we do not recognize Global Privacy Control signals.

For more information about our use of cookies and similar automated means of data collection, and how you can choose to disable or delete cookies, see our Cookie Policy.

Exercising Your Rights

To exercise any of the rights described in this Notice, email privacy@myheritage.com, call us at +1-844-994-1888 (toll-free number in the USA) or complete this form for the right to request deletion or this form for the right to request information we collect and share about you. All requesters will be required to authenticate themselves before we respond to their request.

California residents can lodge a complaint for violation of the California Genetic Information Privacy Act with any of the following California prosecutorial entities: the California Attorney General’s Office, a district attorney, authorized county counsel, a city attorney or an authorized city prosecutor.

Authorized Agents
You may designate an agent to submit requests on your behalf. If you do so, we will require your written authorization to release your personal information to your agent. The agent must be a natural person or a business entity that is registered with the California Secretary of State. The agent will need to provide us with your signed permission indicating the agent has been authorized to submit the request on your behalf. We will also require that you verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request.

Verification Process

If you have an account with us, you will be asked to log in to your account. If you do not have an account with us, you may be asked to provide us with personal information to be matched with information we already have. The number and scope of such personal information will depend on the sensitivity of the personal information involved and the risk of harm due to any unlawful disclosure or deletion of such personal information. Such information may include your date of birth, place of birth, and information relating to the family tree you appear in. If we do not have a reasonable method by which we can verify your identity to the degree of certainty required, then your request may be denied.

Response Timeline and Additional Information

For requests for access or deletion, we will first acknowledge receipt of your request within 10 business days of receipt of your request. We provide a substantive response to your request as soon as we can, generally within 45 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we will let you know.

We usually act on requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations. In some cases, the law may allow us to refuse to act on certain requests. When this is the case, we will endeavor to provide you with an explanation as to why.

If you wish to receive further information or have any questions or concerns, email us at privacy@myheritage.com.

Right to Non-Discrimination

If you exercise any of the rights explained in this Notice, we will continue to treat you fairly. Consumers who exercise their rights under this Notice will not be denied or charged different prices or rates for goods or services, or provided a different level or quality of goods or services than other Consumers.

NEVADA

Pursuant to Nevada law, you may direct a commercial operator of a website not to sell certain personal information a business has collected or will collect about you. MyHeritage does not sell personal information as it is described in Nevada law. For more information about how we handle and share your personal information or your rights under Nevada law, contact us at privacy@myheritage.com.

VIRGINIA

If you are a Virginia resident, the Virginia Consumer Data Privacy Act (“VCDPA”) grants you the following rights with respect to the personal data we collect about you:

To exercise any of the rights described in this Notice, or for additional information about how to exercise your rights, email privacy@myheritage.com, call us at +1-844-994-1888 (toll-free number in the USA) or complete this form for the right to request deletion or this form for the right to request information we collect and share about you. All requesters will be required to authenticate themselves before we respond to their request.

We Do Not Sell Your Personal Information

As defined in the VCDPA, we do not and will not sell personal information of Virginia residents to third parties.

Targeted Advertising and Profiling In Furtherance of Legal or Similar Decisions

We do not process the personal information of Virginia residents for purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.

Verification Process

If you have an account with us, you will be asked to log in to your account. If you do not have an account with us, you may be asked to provide us with personal data to be matched with data we already have. The number and scope of such personal data will depend on the sensitivity of personal data involved and the risk of harm due to any unlawful disclosure or deletion of such personal data. Such information may include your date of birth, place of birth, and information relating to the family tree you appear in. If we do not have a reasonable method by which we can verify your identity to the degree of certainty required, then your request may be denied.

Response Timeline and Additional Information

For requests to know, delete or correct personal data, we will provide a substantive response to your request as soon as we can, generally within 45 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we will let you know.

We usually act on requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations. In some cases, the law may allow us to refuse to act on certain requests. When this is the case, we will endeavor to provide you with an explanation as to why.

If you wish to receive further information or have any questions or concerns, email us at privacy@myheritage.com.

When We Do Not Act on a Request – Appeal Process
In some cases, we may not act on your requests (e.g., if we cannot do so under other laws that apply). When this is the case, we will explain our reasons for not providing you with the information or taking the action (e.g., correcting data) you requested.

Additionally, you have the right to appeal our decision by contacting us at privacy@myheritage.com within 30 days after your receipt of our decision. Please provide us with an email address to identify your original request. We will respond to your appeal within 60 days of our receipt of the request.