Dyson says the robot vacuum's camera never sends pictures of your home to them. But the camera creates a detailed map of your house — room sizes, furniture layout, everything — and THAT data IS sent to Dyson's servers through the app. Saying "we don't send the photos" while sending the map made from those photos is misleading. Dyson says they never sell your data and are careful about what they collect. But their app contains Rakuten — a marketing tracker that shares your behaviour with advertising networks. Having an ad tracker in an app that controls your home robot vacuum doesn't match "deliberately lean with data."
What they claim: Dyson privacy policy states: "We protect that information carefully and handle it with discretion" and references "appropriate technical and organisational measures, including encryption."
What we found: Dyson filed a data breach notification with the California Attorney General (PINC2020.78) confirming their cloud infrastructure was compromised. Separately, reverse engineering by Brenton Baker revealed that Dyson connected products use the MQTT protocol with static per-device credentials that can be captured by sniffing app traffic, and MQTT topics based on device serial numbers (438/[serial]/command). The community projects libdyson and ha-dyson have fully reverse-engineered the Dyson API. Static MQTT credentials mean that anyone who intercepts one credential exchange has permanent access to that device.
What they claim: The MyDyson app requests the CAMERA permission on the user's phone.
What we found: The 360 Vis Nav already has its own built-in 360-degree camera for navigation. The phone CAMERA permission is likely used for QR code scanning during device setup. However, the permission grants the app full access to the phone's camera at any time, not just during setup. Combined with WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE, the app has the technical capability to capture photos via the phone camera and store them. For an app that controls a device already mapping your home with its own camera, the additional phone camera access creates a second visual data collection vector.
What they claim: The 360 Vis Nav captures 30fps 1080p video through a 360-degree camera for on-device SLAM navigation.
What we found: Despite housing a full 1080p camera capable of capturing detailed imagery of home interiors, Dyson has zero publicly disclosed security audits or vulnerability reports on HackerOne. Dennis Giese — the leading robot vacuum security researcher who has demonstrated camera/microphone hijacking on Ecovacs, Roborock, iRobot, and Shark devices — has not publicly tested Dyson models. The 2024 real-world attacks on Ecovacs Deebot X2 (where hackers accessed cameras and microphones through compromised robots) demonstrate what can happen when camera-equipped robot vacuums have security flaws. Without independent security verification, consumers are trusting Dyson's claim that the camera cannot be remotely accessed.
What they claim: Dyson privacy policy states: "images from the camera stay on your machine, and are not accessed by Dyson." Connected Products page states: "The camera does not transmit video or imagery, of you or your home. The only information sent to Dyson is performance data."
What we found: The 360 Vis Nav uses a 360-degree panoramic camera capturing 30fps at 1080p to create detailed geometric floor plan maps of the user's home. While raw camera images may stay on-device, the generated geometric maps — which reveal room count, room size, furniture placement, and home layout — are synced to the MyDyson app via Dyson cloud servers. The policy focuses narrowly on "images" not being transmitted, while the derived spatial data (which is arguably more privacy-invasive for profiling purposes) IS transmitted. This is a distinction without a meaningful difference for consumer privacy.
What they claim: Dyson privacy policy states: "We never sell your personal data to anyone and only share it as outlined in this privacy notice or when you ask us to." Dyson positions itself as a premium, privacy-respecting brand with the tagline "We're deliberately lean with the data we capture."
What we found: The MyDyson app includes Rakuten (affiliate/marketing tracking), Google Tag Manager, and New Relic as embedded trackers. Rakuten is a marketing and advertising platform that tracks user behaviour across apps and websites for ad targeting and attribution. The presence of marketing trackers contradicts the claim of being "deliberately lean with data" — these trackers exist specifically to share user interaction data with third-party advertising networks. While technically not "selling" data, sharing behavioural data with ad networks achieves the same outcome.
What they claim: Dyson Smart Machines Notice states location data is collected so the app "can show you when air quality is poor in your area" — a feature specific to Dyson air purifiers, not robot vacuums.
What we found: The MyDyson app requests both ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION permissions. These permissions apply to ALL devices managed by the app, including the 360 Vis Nav robot vacuum. A robot vacuum has no functional need for the user's GPS location — it navigates using its on-board camera and sensors. The location permission, justified for air quality features on purifiers, means Dyson knows both the user's geographic location AND the detailed floor plan of their home from the robot vacuum, creating a comprehensive spatial profile.
What they claim: Dyson states: "We're open about its use and will always make you aware of the information you're sharing."
What we found: The 360 Vis Nav costs ,499+ and connects to Dyson cloud endpoints (appapi.cp.dyson.com, provisioning.dyson.com, mqtt.dyson.com). At this price point, consumers expect premium privacy. Yet Dyson admits to using data "for profiling and statistical analysis of product popularity, behavior when using apps, or how products are used" — combining data across all Dyson connected products. A consumer who owns both a Dyson purifier and 360 Vis Nav gives Dyson occupancy patterns (when you're home from the purifier) cross-referenced with a detailed home layout (from the vacuum). The policy does not clearly explain this cross-device profiling capability.
What they claim: Dyson privacy policy states data is shared with "analytics companies" and "marketing and advertising agencies" but does not name any of these third parties.
What we found: The Dyson GDPR privacy policy acknowledges sharing data with unnamed analytics and marketing companies. Under GDPR Article 13(1)(e), data controllers must inform data subjects about recipients or categories of recipients of personal data. While Dyson names AWS and Google Cloud as storage providers, the marketing and analytics partners remain unnamed. The HackerOne bug bounty program has zero public disclosures, further limiting transparency. For a device that maps home interiors, the identity of companies receiving this data is material information consumers need to make informed decisions.
What they claim: Dyson Connected Products page states: "The only information sent to Dyson is performance data via the Dyson Link app."
What we found: The 360 Vis Nav has 26 sensors generating 10,000 data points per second, dual-band Wi-Fi (2.4GHz + 5GHz), BLE, and connects to cloud endpoints including appapi.cp.dyson.com, provisioning.dyson.com, and mqtt.dyson.com. The term "performance data" is never defined in any Dyson privacy document. Sensor readings, cleaning duration, dust levels, battery metrics, navigation telemetry, room dimensions, obstacle encounters, and cleaning path data could all be classified as "performance data." The vagueness of this term, combined with the device's extensive sensor suite and cloud connectivity, means consumers have no way to know what is actually being transmitted.
What they claim: Dyson claims to be "deliberately lean with the data we capture" in their privacy commitment.
What we found: The MyDyson app requests RECEIVE_BOOT_COMPLETED (starts automatically when phone turns on), WAKE_LOCK (prevents phone from sleeping), and FOREGROUND_SERVICE (runs continuously in background). These permissions allow the app to maintain a persistent connection to Dyson servers even when the user isn't actively using the vacuum. Combined with fine location tracking, this means the app can continuously report the user's location to Dyson servers. A "lean" data approach would not require an app to start on boot and run continuously for a device that only cleans when scheduled.
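The permission combinations discussed in the findings above (phone camera plus storage, and location plus start-on-boot background execution) can be checked mechanically against a decoded AndroidManifest.xml. The following Python is an added example, not code from Dyson or from this review; the package name, the sample manifest and the rule labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
PREFIX = "android.permission."

# Constructed sample manifest (hypothetical package name); it lists only the
# permissions this page attributes to the app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vacuumapp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>
"""

# Each rule: (finding label, permissions that must all be present,
#             permissions of which at least one must be present).
RULES = [
    ("camera capture plus storage", {"CAMERA"},
     {"WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE"}),
    ("location while running persistently",
     {"RECEIVE_BOOT_COMPLETED", "FOREGROUND_SERVICE"},
     {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}),
]

def requested_permissions(manifest_xml):
    """Return the short names of android.permission.* entries in a manifest."""
    root = ET.fromstring(manifest_xml.strip())
    perms = set()
    for elem in root:
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NAME, "")
            if name.startswith(PREFIX):
                perms.add(name[len(PREFIX):])
    return perms

def audit(manifest_xml):
    """Return (label, matching permissions) for every rule the manifest meets."""
    perms = requested_permissions(manifest_xml)
    findings = []
    for label, required, any_of in RULES:
        if required <= perms and perms & any_of:
            findings.append((label, sorted(required | (perms & any_of))))
    return findings
```

A match shows only that the app holds the capability; whether and when it uses it has to be established separately, for example from network traffic.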