Quanome.

On-device vs the cloud: where your health data is safest

Updated June 2026

Health data privacy

Health data privacy is not like other privacy. You can reset a leaked password and replace a stolen card number, but you can't change your genome, your medical history, or the years of body metrics that describe you. So the question of where that data lives — on your own device, or on a company's cloud servers — is one of the most consequential choices you'll make about your health. This is the broader principle behind every "upload your file here" prompt: once it's uploaded, it's uploaded forever.

Why health and genetic data is uniquely sensitive

Most personal data is replaceable. Health and genetic data is not.

Your DNA is permanent. The variants you carry today are the same ones you'll carry in fifty years, so a genome that leaks now is exposed for the rest of your life — and beyond. Genetic data is also shared by relatives: your file reveals probabilistic information about your siblings, parents, and children, none of whom agreed to anything.

The same permanence applies to the rest of your health record. A timeline of lab results, resting heart rate, sleep, weight, and conditions paints an unusually intimate portrait. It can hint at things you'd never volunteer — pregnancy, mental health, substance use, a diagnosis you haven't told anyone about. That's why regulators treat it as a special category, and why you should too.

The real risks of cloud and upload models

Uploading isn't automatically reckless, and reputable companies invest heavily in security. But when you upload, you trade direct control for a promise. Three risks are worth understanding clearly.

Data breaches. Any server that stores data is a target, and large genetic and health databases are especially attractive ones. Encryption and good practice reduce the odds, but no remote system is breach-proof. The more copies of your genome that exist on the internet, the larger your exposure — and you can't recall a copy once it's out.

The company being sold — or going bankrupt. This is the risk people underestimate most. When you upload data, you're trusting not just today's company but every future owner of it. Customer databases are frequently treated as business assets that transfer in an acquisition or bankruptcy. The clearest recent example is 23andMe, which filed for bankruptcy in 2025; its database of millions of customers' genetic information became part of the bankruptcy proceedings and a question of who would acquire it. The privacy policy you agreed to was written by a company that may no longer be the one holding your data. "Uploaded forever" means subject to decisions you'll never get to make.

Law-enforcement and subpoena access. Data on a third-party server can be requested through legal process — subpoenas, warrants, or court orders — regardless of how the company feels about it. Some genetic databases have been searched in criminal investigations, including for relatives of the person who actually uploaded a sample. Data that physically lives on your device, by contrast, isn't something a third party can quietly hand over, because they don't have it.

None of this means cloud services are bad. It means uploading sensitive, permanent data is a decision that deserves the same weight as any other irreversible one.

What on-device (local) processing actually means

On-device — or local — processing means the analysis happens on hardware you control: your phone or computer reads and interprets the file directly, instead of shipping it to a remote server.

Concretely, when you point an on-device tool at your DNA file or connect your health metrics, the parsing and interpretation run inside the app. The raw data is read into the device's memory, turned into plain-language insights, and the file itself never crosses the network to a company's database. There's no server-side copy to breach, sell, or subpoena, because there's no server-side copy at all.

This matters because it changes the failure modes. With an upload model, you're protected only as long as the company — and all its future owners — keep their promises. With a true on-device model, your privacy doesn't depend on anyone's promise: the data simply isn't there to lose. Modern phones are more than powerful enough to do this kind of analysis locally, so the convenience tradeoff that once justified uploading has largely disappeared.
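The local-parsing model described above can be checked in code. The Python example below is an added illustration, not Quanome's code: it reads a raw-data file in memory and makes any attempt to open a socket during the analysis fail loudly. It assumes the four-column, tab-separated layout of a 23andMe-style raw export; the rsIDs are constructed, the names `no_network` and `summarize_locally` are hypothetical, and the guard only covers Python-level sockets inside the same process.

```python
import io
import socket
from contextlib import contextmanager

# Constructed sample (made-up rsIDs) in a 23andMe-style tab-separated layout.
SAMPLE = (
    "# rsid\tchromosome\tposition\tgenotype\n"
    "rs0000001\t1\t1000\tAG\n"
    "rs0000002\t1\t2000\tCC\n"
    "rs0000003\tX\t3000\t--\n"
    "rs0000004\tMT\t4000\tT\n"
)

class NetworkBlocked(RuntimeError):
    """Raised when analysis code tries to reach the network."""

@contextmanager
def no_network():
    """Fail any Python-level socket creation in this process while active."""
    real = socket.socket
    def blocked(*args, **kwargs):
        raise NetworkBlocked("analysis code tried to open a socket")
    socket.socket = blocked
    try:
        yield
    finally:
        socket.socket = real  # always restore, even if parsing fails

def parse_raw(stream):
    """Yield (rsid, chromosome, position, genotype), skipping '#' comments."""
    for line in stream:
        if line.strip() and not line.startswith("#"):
            rsid, chrom, pos, genotype = line.rstrip("\r\n").split("\t")
            yield rsid, chrom, int(pos), genotype

def summarize_locally(stream):
    """Interpret the file in memory with networking disabled throughout."""
    summary = {"total": 0, "no_call": 0, "heterozygous": 0}
    with no_network():
        for _rsid, _chrom, _pos, gt in parse_raw(stream):
            summary["total"] += 1
            if "-" in gt:                      # '--' marks a failed call
                summary["no_call"] += 1
            elif len(gt) == 2 and gt[0] != gt[1]:
                summary["heterozygous"] += 1
    return summary

if __name__ == "__main__":
    print(summarize_locally(io.StringIO(SAMPLE)))
```
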

This is the same upload-risk principle we cover in our guides on downloading your 23andMe raw data and the best tools to interpret 23andMe raw data — the safest tool is the one that never asks you to hand over the file.

What "private by design" should look like in a health app

"Private by design" is more than a tagline. A health app that genuinely respects your data tends to share a few traits:

Quanome is built on this principle: your DNA, Apple Health data, labs, and body metrics are unified into one timeline on your device, with raw files parsed locally and never uploaded.

Practical questions to ask before you upload anything

Before you hand any health or genetic file to a service, get clear answers to these:

  1. Does this happen on my device, or is my file uploaded to a server? If it's uploaded, everything below applies.
  2. Where is my data stored, and for how long? Look for a real retention policy, not "indefinitely."
  3. Can I delete it completely — and how do I confirm it's gone? A one-click, verifiable delete is a good sign.
  4. What happens to my data if the company is acquired or shuts down? The answer is often in the fine print, as 23andMe's customers learned.
  5. Is my data ever sold, shared, or used for research? Read this clause specifically, including any default opt-ins.
  6. How would the company respond to a law-enforcement request? Transparency reports tell you whether they've thought about it.

If a service can't answer these plainly, that's information too.

The bottom line

Cloud services aren't the enemy, and uploading isn't always wrong. But health and genetic data is permanent, revealing, and shared with the people you're related to — so the default should lean toward keeping it close. When a tool can do the same job on your device, that's almost always the safer choice, because the strongest privacy guarantee is the one that doesn't depend on anyone keeping a promise. Your genome is yours for life. Treat where it lives like the lasting decision it is.

Keep your DNA and health data on your device

Quanome parses your DNA, labs, and Apple Health data on your phone — your raw files are never uploaded to a server.

Frequently asked questions

Is it safe to upload your DNA to a website for analysis?

It can be, but it is a one-way decision. Once your genome is on someone else's server it is subject to their security, their policies, and whatever happens to the company later. On-device analysis avoids that risk entirely because the file never leaves your phone.

What does on-device DNA analysis mean?

It means your raw data file is read and interpreted locally on your own phone or computer, rather than being sent to a remote server. The analysis happens in the app, so the genetic data stays with you.

Why is genetic data considered more sensitive than other personal data?

You can change a password or cancel a credit card, but you cannot change your genome. Genetic data also reveals information about your blood relatives, who never consented to share it. That permanence is why uploading it deserves extra caution.

What happens to my DNA data if a genetics company is sold or goes bankrupt?

Customer data is often treated as a business asset that can transfer to a new owner. When 23andMe entered bankruptcy in 2025, its database of customer genetic information became part of the proceedings, which is why keeping your own copy and limiting uploads matters.
