Dyson calls it 'performance data' but their purifiers actually run environmental sensors 24 hours a day, 7 days a week — even when the purifier itself is turned off and in 'monitoring mode.' The device continuously measures temperature, humidity, air particles, and gases in your home. This is not measuring how well the purifier works — it is building a round-the-clock profile of your home environment that can reveal when you are home, when you cook, whether you smoke, and even your health conditions.
Dyson says they never sell your data, but their app contains marketing and advertising trackers from Salesforce and Amplitude that profile your behavior for targeted campaigns. The app also requests advertising ID permissions specifically designed to track you across apps for ad targeting. While this may not technically be 'selling' data, it enables third-party companies to build advertising profiles from your usage of a home appliance app.
What they claim: MyDyson app requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, and ACCESS_COARSE_LOCATION permissions, enabling continuous GPS tracking of the user's phone even when the app is not in use.
What we found: Dyson Smart Machines notice states location is captured 'so it can show you when air quality is poor in your area' — presenting location tracking as a helpful feature for air quality alerts.
What they claim: MyDyson app requests CAMERA permission for a device that is an air purifier with no camera or visual functionality.
What we found: Dyson HP07 hardware contains air quality sensors (PM2.5, PM10, VOC, NO2), temperature/humidity sensors, and WiFi/BLE connectivity. No camera module exists in the device. The CAMERA permission is not required for any purifier function.
What they claim: Dyson privacy policy states data is shared with 'Amazon Web Services and Google Cloud' for 'secure storage of account information and login credentials.'
What we found: MyDyson app embeds Salesforce Marketing Cloud tracker (enterprise marketing automation platform for targeted campaigns, email marketing, and customer journey mapping) and Amplitude tracker (behavioral analytics for user profiling and conversion optimization). These are marketing platforms, not storage providers, and are not mentioned in the privacy policy.
What they claim: Dyson Connected Products page states: 'Performance data is automatically collected and sent to Dyson. But none of this data is used for anything other than improving our technology.'
What we found: Dyson purifiers continuously collect environmental data including temperature, humidity, PM2.5, PM10, VOC, and NO2 levels via the MQTT protocol. Data is published locally on port 1883 and forwarded to the Dyson cloud (appapi.cp.dyson.com). Sensors run 24/7 including in 'monitoring-only' mode when not actively purifying — the device monitors your home environment even when you think it is idle.
What they claim: Dyson privacy policy states: 'We will never sell your personal data and only share it as outlined in our privacy policy or when you ask us to.'
What we found: MyDyson app (v6.4.25501) contains 7 embedded trackers including Salesforce Marketing Cloud (targeted marketing platform), Amplitude (behavioral analytics profiling), and Google Analytics. The app also requests ACCESS_ADSERVICES_AD_ID and ACCESS_ADSERVICES_ATTRIBUTION permissions for advertising attribution tracking.
What they claim: Dyson purifiers use MQTT v3 on port 1883 (unencrypted) for local device communication. MQTT credentials are static per device and derivable from WiFi setup credentials printed on a physical sticker on each device.
What we found: Dyson operates a HackerOne bug bounty program for security vulnerabilities, yet no public CVEs have been assigned to any Dyson consumer product. The MQTT security weakness (static credentials derivable from device sticker, unencrypted protocol) remains unpatched and publicly documented by multiple security researchers.
What they claim: Dyson Smart Machines notice describes data collection as 'product performance data' that is 'automatically collected and sent to Dyson' and states 'none of this data is used for anything other than improving our technology.'
What we found: Dyson's Global Connected Air Quality Data project analyzed over half a trillion data points from 2.5 million connected purifiers (2022-2023), studying indoor air quality patterns including PM2.5, VOCs, temperature, and humidity across homes worldwide. Results were published in press releases and media coverage to promote Dyson products.
What they claim: Dyson HP07 uses glued construction throughout, making the WiFi PCB module non-serviceable. Dyson's own service manual states WiFi PCB failure requires full unit exchange.
What we found: FCC modular certification QVHDBWIFIBLE01 treats the WiFi module as a separable component. The modular approval suggests the module was designed as a replaceable part, yet Dyson's manufacturing process glues it in permanently, creating artificial dependency on Dyson for any connectivity repair.
What they claim: Dyson states data retention is 'as long as needed to use it for the stated reasons, and for as long as required by law' with no specific retention period disclosed for environmental sensor data.
What we found: Dyson's Global Connected Air Quality Data project used sensor data spanning 2022-2023 from 2.5 million devices, producing 'half a trillion data points.' This scale of historical data retention demonstrates Dyson retains granular environmental sensor data for years, not just for immediate device operation.
What they claim: MyDyson app requests REQUEST_COMPANION_RUN_IN_BACKGROUND and FOREGROUND_SERVICE_DATA_SYNC permissions, allowing persistent background data synchronization between the purifier and Dyson's cloud even when the user is not actively using the app.
What we found: Dyson Connected Products page frames data collection as 'Performance data is automatically collected and sent to Dyson' — understating that the app actively maintains background services for continuous data sync using special Android permissions.
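An added example, not part of the original report or of Dyson's code: a small audit that groups the Android permissions named in the findings above by privacy category and flags any that need hardware the purifier does not have. The manifest, package name, category table and hardware labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"
PREFIX = "android.permission."

# Hypothetical audit table: privacy category -> permissions named on this page.
CATEGORIES = {
    "location": ["ACCESS_BACKGROUND_LOCATION", "ACCESS_FINE_LOCATION",
                 "ACCESS_COARSE_LOCATION"],
    "camera": ["CAMERA"],
    "advertising": ["ACCESS_ADSERVICES_AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION"],
    "background": ["REQUEST_COMPANION_RUN_IN_BACKGROUND",
                   "FOREGROUND_SERVICE_DATA_SYNC"],
}
# Hardware the paired device needs for a permission to serve a device function.
NEEDS_HARDWARE = {"CAMERA": "camera"}
# HP07 hardware as described on this page (no camera module).
HP07_HARDWARE = {"air_quality_sensors", "temperature_humidity", "wifi", "ble"}

# Constructed sample manifest (placeholder package name): page's permissions + INTERNET.
_PERMS = ["INTERNET"] + [p for perms in CATEGORIES.values() for p in perms]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
    ' package="com.example.purifier">\n'
    + "".join(f'  <uses-permission android:name="{PREFIX}{p}"/>\n' for p in _PERMS)
    + "</manifest>\n"
)


def audit_manifest(manifest_xml, device_hardware):
    """Group declared permissions by privacy category; list under
    'no_device_function' those whose required hardware the device lacks."""
    lookup = {p: cat for cat, perms in CATEGORIES.items() for p in perms}
    report = {}
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = node.get(NAME_ATTR, "")
        short = name[len(PREFIX):] if name.startswith(PREFIX) else name
        if short not in lookup:
            continue  # not covered by this table (e.g. INTERNET)
        report.setdefault(lookup[short], []).append(short)
        needed = NEEDS_HARDWARE.get(short)
        if needed and needed not in device_hardware:
            report.setdefault("no_device_function", []).append(short)
    return report


if __name__ == "__main__":
    for category, perms in audit_manifest(SAMPLE_MANIFEST, HP07_HARDWARE).items():
        print(f"{category}: {', '.join(perms)}")
```

The same function can be pointed at the decoded manifest text of any companion app by swapping in that device's hardware set.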