Short answer
A consumer microbiome test can involve more than a stool sample and a dashboard. Depending on the company, it may include microbial DNA data, questionnaire answers, diet history, symptoms, location data, app behavior, stored physical samples, research use, and sharing with vendors or partners. HIPAA does not necessarily apply: many direct-to-consumer testing companies are not HIPAA covered entities, so the privacy policy and state law, not medical-record rules, usually set the terms.
What data may be collected
Some companies collect the sample itself, the DNA or microbial profile made from it, account details, survey answers, shipping information, symptom logs, device data, and app activity. The privacy question is not just who can see the final report; it is also who keeps the raw data, who can reuse the sample, and whether the company can share de-identified or aggregated data later. Treat "de-identified" as a policy promise rather than a technical guarantee: how hard the data is to link back to you depends on what travels with it (raw profile, timestamps, survey answers, location), not on the label.
Privacy questions to ask
| Question | Why it matters |
|---|---|
| Who owns or controls the account data? | Your rights over the data usually come from the privacy policy, the terms of service, and state privacy law, not from a medical-record workflow. |
| Is the physical sample stored, destroyed, or reused? | A stored sample or raw sequence file can be re-analyzed later for purposes the original report never covered, and every stored copy is one more thing that can be breached. |
| Can data be shared for research or product development? | Research consent may be separate from buying the test. |
| Can I delete my account, raw data, and stored sample? | Deletion may not cover de-identified, aggregated, backup, or already-shared data. |
| Could data be sold or shared after an acquisition? | Business transfers can change who controls long-term data. |
Do not assume HIPAA covers it
HIPAA protects health information held by covered entities (health plans, health care clearinghouses, and providers that bill electronically) and their business associates. A company that sells a test directly to consumers and never bills insurance often sits outside that system. In practice the protections are the FTC's authority over unfair or deceptive practices, the FTC Health Breach Notification Rule for some consumer health apps, state privacy and genetic-privacy laws, contracts, and the company's own policies.
What deletion can miss
Deleting an account does not always erase everything the company has already used or shared. Policies may keep backup copies, de-identified data, records needed for legal compliance, or information already sent to research partners or vendors, and a stored physical sample may be handled under a separate process. If deletion matters, read the policy before you buy and look for a specific request mechanism (a form or named contact, what it covers, and a stated response time) rather than a general promise.
Before buying
- Read the privacy policy, terms, research consent, and sample-storage language before you pay.
- Look for a clear deletion process and a contact path for privacy requests.
- Check whether the company says it shares with research partners, advertisers, affiliates, or vendors, and whether the app or site uses outside analytics or advertising tools.
- Use a unique password and enable two-factor authentication if offered; the account is the front door to the raw data and stored reports.
- Be cautious about uploading microbiome, genetic, or symptom data to unrelated third-party tools, which have their own policies, retention, and sharing practices.
Related guides: microbiome testing guide, raw DNA upload privacy risks, and FDA-authorized genetic tests.
FAQ
Does HIPAA automatically protect a microbiome test?
Not always. HIPAA applies to covered entities and their business associates, but some direct-to-consumer test companies and health apps may fall outside that framework.
Can the company keep my sample after I get the report?
Yes, depending on the policy. Some companies store samples for retesting, quality control, research, or future product development unless you opt out or request deletion.
Does deleting my account erase everything?
Not necessarily. Deletion may not reach backup systems, de-identified records, or data already shared with partners, vendors, or researchers.
Can the data be shared with other companies?
It can be, if the privacy policy says so or if the company changes ownership. That is why the policy and consent language matter before you buy.
What should I check before ordering?
Check who can access the data, whether the sample is stored, how deletion works, whether research use is optional, and whether the company uses outside analytics or advertising tools.
Should privacy concerns change my testing choice?
Sometimes. If you would not want the sample, raw data, or app activity stored or shared, a consumer microbiome test may not be the right first step.