BYD says they never sell your data, but their car app asks for four different advertising tracking permissions. These permissions let advertising networks track you across apps and build a profile of your behaviour, the exact kind of data monetisation BYD claims not to do.
BYD promises your data stays in your country, but the car's computer is programmed to connect to servers in China (global-api.bydauto.com.cn). They also share your data with Chinese companies like iFlytek and AMAP. Your driving data may be flowing to China despite promises it stays local.
What they claim: BYD Vehicle Privacy Statement says "we don't capture your voice record" regarding in-car voice commands.
What we found: The BYD AUTO companion app requests RECORD_AUDIO permission, enabling microphone access. The vehicle privacy statement also discloses voice service providers Cerence and iFlytek process voice data. iFlytek is a Chinese AI company specialising in speech recognition. The combination of RECORD_AUDIO permission in the app and third-party voice processing contradicts the claim of not capturing voice records.
What they claim: BYD privacy policy describes standard vehicle data collection (speed, battery, diagnostics) with no mention of extensive surveillance-grade sensor data from ADAS cameras.
What we found: The BYD Seal has 12 cameras (3 front-view, 5 panoramic, 4 surround-view), 5 millimetre-wave radars, and 12 ultrasonic sensors as part of the DiPilot/God's Eye ADAS system with 100 TOPS of AI processing power. The privacy statement mentions ADAS data briefly but does not disclose: how much visual data is collected, whether camera footage is transmitted to BYD servers, whether ADAS data is used for AI training, or how long raw sensor data is retained. A driver monitoring camera also captures the driver's face continuously.
What they claim: The BYD AUTO app is presented as a car management tool for remote control and vehicle status checking.
What we found: The app requests 44 permissions including CAMERA, READ_CALENDAR, WRITE_CALENDAR, READ_PHONE_STATE, HIGH_SAMPLING_RATE_SENSORS, UWB_RANGING, NFC, NEARBY_WIFI_DEVICES, SYSTEM_ALERT_WINDOW, USE_BIOMETRIC, and READ_MEDIA_IMAGES/VIDEO. Many of these permissions (calendar access, high-rate sensor data, UWB ranging, nearby WiFi scanning) go far beyond what is needed to check your car's battery level or lock the doors. The app can read your calendar, scan nearby WiFi networks, access your phone's camera and photos, and overlay content on other apps.
What they claim: BYD's DiLink infotainment system is presented as a consumer entertainment and navigation platform.
What we found: Four CVEs have been published against BYD DiLink 3.0 (the same system in the Seal): CVE-2024-46442 (authentication bypass enabling brute-force access), CVE-2024-54728 (unauthorised logcat access leaking user data), CVE-2025-28169 (unencrypted cloud communications enabling interception, CVSS 8.1), and CVE-2025-7020 (log dump encryption failure exposing PII). BYD is not registered as a vendor on MITRE's NVD, limiting vulnerability tracking. The DiLink system controls ADAS functions, vehicle access, and personal data — yet has critical security flaws.
What they claim: BYD Vehicle Privacy Statement mentions Child Presence Detection analyses "breathing, body movements, or any other sign of life" but frames this as a safety feature.
What we found: The Child Presence Detection system uses in-cabin sensors to detect human presence through biological signals. This is biometric-adjacent data collection. The privacy policy does not disclose: whether this data is transmitted to BYD servers, how long detection data is retained, whether the system operates when no children are present (monitoring all occupants), or whether this data could be combined with driver monitoring camera footage to create comprehensive occupant behaviour profiles.
What they claim: BYD Vehicle Privacy Statement states "We do not sell your personal data to anyone for any purpose, period" and claims to respect user privacy.
What we found: The BYD AUTO companion app (com.byd.bydautolink) requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, ACCESS_ADSERVICES_CUSTOM_AUDIENCE, and AD_ID permissions — four separate advertising and tracking permissions that enable user profiling and ad targeting across apps and services. These permissions exist solely to support advertising ecosystems, directly contradicting the claim of not monetising user data.
What they claim: BYD's privacy policy claims strong data protection and GDPR compliance, and its European head has stated that data remains in Europe.
What we found: China's National Intelligence Law (2017) Article 7 requires Chinese organisations to "support, assist and cooperate with the state intelligence work." BYD Auto Industry Company Limited is headquartered in Shenzhen, China. The US House Committee on Homeland Security has formally raised national security concerns about BYD. Israel's Ministry of Defence suspended BYD vehicle supply to IDF officers. ASPI calls Chinese EVs "a rolling security threat." The Australian government bans public servants from syncing phones to BYD vehicles. UK MOD placed warning stickers about conversations in vehicles with Chinese components.
What they claim: Exodus Privacy reports zero trackers detected in the BYD AUTO app.
What we found: Despite zero known trackers, the app requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, ACCESS_ADSERVICES_CUSTOM_AUDIENCE, and AD_ID — four permissions specifically designed for advertising attribution and user tracking. The app may use proprietary or first-party tracking mechanisms not in Exodus's tracker signature database, or may be leveraging Android's built-in ad services rather than third-party SDKs. The presence of ad-related permissions with zero detected trackers suggests tracking occurs through channels that bypass conventional tracker detection.
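The permission findings above (the broad permission list and the four advertising permissions) can be checked against any decoded AndroidManifest.xml. The following is an added example, not code from the original audit or from BYD; it assumes the manifest has already been decoded to text XML, and the sample manifest, its package name and the group labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups named in the findings above, keyed by short name.
# The group labels are this example's own, not an Android classification.
GROUPS = {
    "advertising": {"ACCESS_ADSERVICES_AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION",
                    "ACCESS_ADSERVICES_CUSTOM_AUDIENCE", "AD_ID"},
    "microphone_camera": {"RECORD_AUDIO", "CAMERA"},
    "personal_data": {"READ_CALENDAR", "WRITE_CALENDAR", "READ_PHONE_STATE",
                      "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO"},
    "proximity_sensors": {"HIGH_SAMPLING_RATE_SENSORS", "UWB_RANGING", "NFC",
                          "NEARBY_WIFI_DEVICES"},
    "overlay": {"SYSTEM_ALERT_WINDOW"},
}

# Constructed sample: a decoded manifest fragment, not the real app's manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.caraudit">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.UWB_RANGING"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_AD_ID"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the full permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names

def classify(manifest_xml):
    """Map each group to the sorted short names requested from it."""
    report = {group: [] for group in GROUPS}
    for full_name in requested_permissions(manifest_xml):
        short = full_name.rsplit(".", 1)[-1]  # strip the namespace prefix
        for group, members in GROUPS.items():
            if short in members:
                report[group].append(short)
    return {g: sorted(set(v)) for g, v in report.items() if v}

if __name__ == "__main__":
    for group, perms in classify(SAMPLE_MANIFEST).items():
        print(f"{group}: {', '.join(perms)}")
```

A manifest permission check is independent of SDK signature matching, so it can list advertising permissions even when a tracker-signature scan reports none.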
What they claim: BYD's privacy policy states data is stored "within your residential country/district", and its European head gave reassurance that data "will remain within Europe." The Australian statement says data is stored on AWS in Australia.
What we found: The DiLink 3.0F infotainment system has hardcoded endpoints including global-api.bydauto.com.cn (a Chinese .cn domain). The system connects to api.byd.com, ota.byd.com, cloud.byd.com, and dilink.byd.com. CVE-2025-28169 confirms unencrypted broadcasts to cloud servers. BYD shares data with iFlytek (Chinese AI company) for voice services and AMAP (Chinese mapping company). The BYD Data Controller is BYD Auto Industry Company Limited in Shenzhen, China.
What they claim: BYD claims users have control over their vehicle data and can request data access under the EU Data Act (from September 2025).
What we found: The DiLink system supports OTA (over-the-air) updates, allowing BYD to remotely modify vehicle software and data collection behaviour without owner notification. The firmware connects to ota.byd.com for updates. BYD can change what data is collected, how it's processed, and where it's sent — all without the owner's knowledge or consent. This undermines any data access rights because BYD can alter the data collection scope between the time a user requests their data and receives it.