DNA Data Laws in India 2026: Where Is Your Saliva Sample Actually Stored?

Before you completed your DNA test order, you stopped. You started wondering: what actually happens to this data? Can my insurer see it? Can the government pull it? Is my sample sitting in a freezer somewhere? These are not paranoid questions. They are the right questions. Here are the actual answers, specific to India in 2026.

What the DPDP Act 2023 Actually Says About Genetic Data

India's Digital Personal Data Protection Act 2023 is the primary law governing how companies can collect, store, and use your personal data - including genetic data. It came into force after years of debate and, for the first time, gives Indian consumers enforceable rights over their data.

The key principles under the DPDP Act that directly affect DNA testing companies:

• Purpose limitation: A company can only use your data for the specific purpose you consented to. If you consented to ancestry analysis, your DNA cannot then be repurposed for unrelated commercial uses without fresh consent.
• Data minimisation: Companies may only collect data that is actually necessary for the service. Collecting genetic data to build a commercial research database without explicit consent would violate this principle.
• Explicit consent: Genetic data is treated as sensitive personal data requiring informed, unambiguous consent before collection. Consent buried in a 50-page terms document does not meet the standard.
• Right to erasure: You have the right to withdraw your consent and request that your data be deleted at any time. The company must comply.
• Notice before collection: You must be told, in plain language, exactly what data is being collected, why it is being collected, and who it may be shared with - before you provide your sample.

Genetic data is not singled out by name in every clause of the DPDP Act, but it falls squarely within the definition of sensitive personal data because of its uniquely identifying nature and its potential to reveal health information, family relationships, and ancestral origin. Any company processing genetic data in India is bound by these rules.

Can Insurance Companies in India Use Your DNA Data?

This is the question that stops more people from ordering a DNA test than any other. The concern is understandable: if your genetic profile reveals an elevated risk for a particular condition, could your health or life insurer find out and use it against you?

The short answer is no - on two separate grounds.

First, the Insurance Regulatory and Development Authority of India (IRDAI) has made clear that insurers cannot request or use genetic test results for underwriting decisions, premium calculations, or claim denials. This regulatory position is consistent with protections that exist in the UK (under the Concordat and Moratorium on Genetics and Insurance), across the EU, and in the United States under the Genetic Information Nondiscrimination Act (GINA). The global insurance industry has broadly moved away from genetic discrimination because the actuarial evidence does not support it and because the regulatory and reputational risk is substantial.

Second, and more practically: Helixline does not share your data with insurance companies under any circumstances. Even if IRDAI regulations changed tomorrow, your insurer would have no pathway to your data. There is no third-party sharing of any kind. So the two-layer protection here is regulatory prohibition plus zero data sharing - not regulatory prohibition alone.

What if your insurer simply asks you whether you have ever taken a DNA test? That is a different question, and one you should review with your policy documents. But the results themselves are not accessible to any insurer through Helixline.

Can the Government Access Your Genetic Data?

Government access to personal data in India is governed by the same DPDP Act 2023, with specific carve-outs. Under these provisions:

• Government access to data held by a private company requires either a court order or an invocation of a national security exception under applicable law.
• Consumer DNA test data - the kind used for ancestry and wellness analysis - is not connected to any government registry or national database. There is no Central Identities Data Authority equivalent for genetic information.
• Your Helixline test result sits on Helixline's encrypted servers. It is not indexed in Aadhaar, it is not reported to any ministry, and it is not shared with law enforcement as part of routine operations.

It is worth drawing a clear distinction here between forensic DNA databases (which are maintained by law enforcement and contain profiles from crime scenes and convicted offenders) and consumer ancestry databases (which are privately held and legally distinct). When you take an ancestry DNA test, your profile does not enter any forensic database. These are entirely separate systems, and there is no legal mechanism in India that connects the two.

Where Is the Physical Sample Processed - and What Happens to It?

This is a question that rarely gets a direct answer, so here it is: your saliva sample is processed at a laboratory in India. It does not leave the country.

The processing workflow is standard across accredited genetic laboratories:

1. Your cheek swab arrives at the lab, barcoded and de-identified - meaning lab technicians work with a random code, not your name.
2. DNA is extracted from the cells in your sample using standard chemical processes.
3. The extracted DNA is run on a genotyping microarray that reads approximately 700,000 specific positions (SNPs) in your genome.
4. Once the genotyping is complete, the physical sample is destroyed. It is not archived. It is not stored in a biobank. It is not kept in a freezer for future use.
5. The resulting digital genotype data - a text file of your SNP calls - is encrypted and stored on Helixline's Indian servers.

This matters because even if you were worried about your physical DNA being accessible in perpetuity, it is not. The sample that could theoretically be re-processed for any purpose no longer exists after your test is complete. What remains is derived genotype data: a list of approximately 700,000 data points. That data is protected by encryption and governed by the DPDP Act.

What Helixline Specifically Commits To

Beyond what the law requires, here is what Helixline's data practices actually look like in 2026:

• No third-party data sharing: Your genetic data is not sold to pharmaceutical companies, not licensed to research institutions, not included in external databases of any kind. The only way your data could ever be used in a research programme is through a separate, explicit opt-in that is entirely distinct from your test purchase.
• AES-256 encryption: Your data is encrypted at rest and in transit using AES-256 - the same encryption standard used by banks and government agencies for classified data.
• Deletion on request: Request deletion at any time by contacting support@helixline.in. All genetic data is permanently removed within 30 days of a confirmed deletion request.
• Results go only to your registered email: Your report is never sent to a third party. It is accessible only through your password-protected account and delivered to the email address you registered with.
• Indian data residency: Your data is stored on servers located in India, subject to Indian law. It is not transferred to foreign jurisdictions.
• DPDP Act compliance: Helixline operates as a Data Fiduciary under the DPDP Act framework, meeting all obligations for consent, notice, purpose limitation, and data subject rights.

The One Scenario Worth Knowing About: Research Opt-Ins

Some DNA testing companies - particularly larger international ones like 23andMe before its acquisition - built secondary revenue streams by inviting customers to opt into anonymised research programmes. In several cases, this consent was buried in default settings, effectively enrolling people who had not actively considered the implications.

If Helixline ever offers a research participation programme, it will be structured as a separate, clearly disclosed opt-in with its own consent flow - not bundled into the test purchase and not turned on by default. The test you purchase is for your ancestry and health reports. That is the only purpose for which your data is used unless you affirmatively choose otherwise.

Anonymised, aggregated population-level research - for example, understanding the genetic diversity of different South Asian communities - can be valuable for science. But that value does not justify using individual data without explicit, informed consent. These are not in tension if the consent process is designed honestly.

The Practical Picture, Summarised

If you have specific worries, here is where things actually stand:

• Your insurer will never see your results. IRDAI prohibits genetic underwriting, and Helixline shares nothing with insurers. There is no pathway.
• Your employer has no access. Results are delivered only to your registered email. No employer reporting exists.
• The government does not have a consumer DNA database in India. Ancestry testing data is private and legally distinct from forensic databases.
• Your physical sample is destroyed after processing. No one is holding your biological material.
• You can delete everything. Contact support@helixline.in and it is gone within 30 days.

If you have a specific concern that is not covered here - something about your professional situation, a particular health condition, or a family circumstance that makes you want to understand the privacy picture in more detail - email contact@helixline.in. These are exactly the questions worth getting specific answers to before you order.

Frequently Asked Questions

Does Helixline sell genetic data to pharmaceutical companies?

No. Helixline's business model is kit sales and report subscriptions, not data monetisation. Genetic data is not sold, licensed, or shared with pharmaceutical companies, research institutions, or any third party. If a research programme is ever offered, it will be an explicit separate opt-in, not part of the standard test.

What happens to my physical saliva sample after the lab processes it?

After DNA extraction is complete, the physical saliva sample is destroyed as part of standard laboratory protocol. It is not stored, not archived, and not accessible after processing. Only the derived genetic data (SNP genotype data) is retained in your account.

Can my health insurer in India increase my premium if they find out I took a DNA test?

No. IRDAI regulations prohibit Indian insurers from using genetic test results in underwriting decisions. Additionally, Helixline never shares data with insurance companies under any circumstances. There is no mechanism by which your insurer can access your results.

If I want to delete my data, how long does it take?

Deletion requests are processed within 30 days. After deletion, your genetic data is permanently removed from Helixline's servers. To request deletion, contact support@helixline.in with your registered email address.

Is it safe to take a DNA test in India given the new DPDP Act?

Yes. The DPDP Act 2023 actually strengthens your protections compared to the previous framework. It gives you explicit rights: to know what your data is used for, to withdraw consent, and to request erasure. A DPDP-compliant DNA testing company like Helixline is operating under India's strongest-ever data protection regime.