VIDAA's privacy policy says they don't sell your data or use it for targeted advertising. But through a separate, less visible notice, they reveal they capture what you watch every half-second and give this data exclusively to an advertising company (Nexxen) to sell targeted ads — the exact practice the main privacy policy appears to deny. Hisense is owned by the Chinese government, and Chinese law requires companies to hand over data when the government asks. But Hisense's privacy policy never mentions China, Chinese ownership, or these legal obligations. A Texas court found this so serious it ordered Hisense to stop collecting data from Texans entirely.
What they claim: VIDAA website privacy policy states: "We do not sell Personal Data collected through the Website. We also do not share Personal Data collected through the Website for cross-context behavioral advertising."
What we found: The separate Enhanced Viewing Service uses Nexxen ACR technology to capture audio fingerprints every 500 milliseconds, identifying every show, movie, channel, and advertisement watched. Nexxen has exclusive global access to this data through 2029, with exclusive rights to monetize CTV and native display advertising in North America. The website privacy policy makes no mention of ACR, Nexxen, or the TV-based surveillance — it only covers the vidaa.com website, creating a misleading impression of limited data collection.
What they claim: VIDAA privacy policy makes no mention of China, Chinese ownership, Chinese law obligations, or data transfers to China. EEA transfers use "adequacy decisions by the European Commission" or "standard contractual clauses."
What we found: Hisense Group (海信集团) is a Chinese state-owned enterprise headquartered in Qingdao. China's National Intelligence Law (2017) Article 7 requires all organizations to "support, assist and cooperate with the state intelligence work." Texas AG complaint specifically alleges Hisense "fails to disclose to Texas consumers that under Chinese law, Hisense is required to transfer its collections of Texas consumers' personal data to the People's Republic of China when requested by the PRC." A Texas court found sufficient evidence to issue a TRO stating "the Chinese Communist Party has access to all of the ACR data collected."
What they claim: Hisense Enhanced Viewing Service privacy notice describes ACR as technology that provides "content recommendations" and "automatically optimize your picture quality based on the type of content you are watching." Frames the service as beneficial to consumers.
What we found: Texas AG complaint alleges Hisense uses ACR to "capture every sound and image playing on its TVs every 500 milliseconds without the knowledge and consent of consumers" and sells this data for profit. Nexxen's exclusive partnership documentation confirms the primary purpose is advertising: enabling "personalized ads shown to you on your Smart TV or other linked devices sharing the same IP address, based on audience segmentation created from your viewing habits." The core business model is surveillance advertising, not picture quality optimization.
What they claim: VIDAA privacy policy states: "We also do not share Personal Data collected through the Website for cross-context behavioral advertising."
What we found: Nexxen partnership documentation confirms ACR data is used for cross-device targeting: "VIDAA may allow Nexxen to use household IP addresses to identify other linked devices." Nexxen's "Unified Identity Graph" unifies bidding across multiple device IDs for cross-device frequency and reach controls. The Trade Desk launched its "Ventura Ecosystem" with VIDAA and Nexxen in February 2026, further expanding programmatic advertising reach. ACR-derived analytics explicitly target advertisements on "other devices" sharing a household IP address — the textbook definition of cross-context behavioral advertising.
What they claim: Hisense promotes affordable smart TV entertainment for families
What we found: The Texas Attorney General sued Hisense for ACR surveillance — capturing screenshots of TV content every 500 milliseconds — and obtained the first-ever temporary restraining order against a TV manufacturer. The lawsuit alleges that as a Chinese company, Hisense is subject to laws that could compel data handover to Chinese intelligence. Your TV takes screenshots twice per second and the company is subject to Chinese intelligence law.
What they claim: RemoteNOW (com.universal.remote.ms) is marketed as a TV remote control app for Hisense VIDAA smart TVs, providing basic functions like power, volume, channel changes, and media sharing.
What we found: The app requests RECORD_AUDIO (microphone access), ACCESS_FINE_LOCATION (precise GPS), ACCESS_COARSE_LOCATION, READ_PHONE_STATE (device identifiers), GET_ACCOUNTS (user accounts on device), WRITE_SETTINGS (modify system settings), and MOUNT_UNMOUNT_FILESYSTEMS. A TV remote control app has no legitimate need for continuous microphone access, precise GPS location, access to all accounts on the phone, or the ability to mount/unmount filesystems. The app also uses MIPUSH_RECEIVE (Xiaomi push service), indicating Chinese push notification infrastructure.
What they claim: Hisense markets its VIDAA TVs as affordable alternatives to premium brands, positioned as the budget-friendly choice for price-conscious consumers. Hisense is the world's #2 TV manufacturer by unit volume.
What we found: Hisense's business model subsidizes low TV prices with advertising revenue from ACR surveillance. The Nexxen partnership grants exclusive rights to monetize advertising across tens of millions of VIDAA devices globally. Jamestown Foundation research notes: budget positioning means TVs are placed in price-sensitive households, creating disproportionate privacy impact on lower-income consumers who are least likely to understand or be able to avoid the surveillance. These consumers effectively pay for their TVs with their viewing data, but this trade-off is never made explicit at the point of sale.
What they claim: Hisense Enhanced Viewing Service privacy notice describes collecting "your Device viewing history" and "content" from "your Device," suggesting the monitoring is limited to the TV itself.
What we found: Nexxen's ACR documentation explicitly states it collects "information about programming content (such as TV channels, shows, movies, and advertisements watched) playing on the device, including content from media players, gaming consoles, over-the-air broadcast, or other audiovisual sources." This means the ACR monitors everything displayed on the TV screen, including content from your PlayStation, Nintendo Switch, Blu-ray player, or any HDMI-connected device. The privacy notice's use of "your Device" obscures the fact that it is surveilling all devices connected to the TV, not just the TV's own apps.
What they claim: VIDAA International Operations Inc. is incorporated in Canada. The VIDAA platform is presented as a product of a Canadian technology company.
What we found: VIDAA International Operations Inc. is a wholly-owned subsidiary of Hisense Group (海信集团), a Chinese state-owned enterprise headquartered in Qingdao, China. All Hisense TV hardware is manufactured in China. FCC testing is performed by Audix Technology (Shanghai) Co., Ltd. OTA firmware updates are controlled by teams in PRC jurisdiction. China's National Intelligence Law (2017) applies to the parent company and requires cooperation with state intelligence work. The Canadian subsidiary structure creates a jurisdictional buffer that obscures the Chinese government's ultimate control over the platform and the data it collects.
What they claim: VIDAA privacy policy and Hisense app store listings make no mention of third-party Chinese technology services used in the companion app.
What we found: Exodus Privacy analysis of RemoteNOW (com.universal.remote.ms) v5.01.011 shows the app includes MIPUSH_RECEIVE permission, indicating integration with Xiaomi's MiPush notification service. MiPush routes push notifications through Xiaomi's servers (mi.com), adding another Chinese company's infrastructure to the data flow. The app also requests C2D_MESSAGE (cloud-to-device messaging). Neither the VIDAA privacy policy nor the Hisense privacy policy discloses the use of Xiaomi push infrastructure or the data that flows through it.
What they claim: Hisense has a Vulnerability Disclosure Policy at hisense-usa.com/compliance that accepts security reports. No CVE IDs have been assigned to Hisense TV products in public vulnerability databases.
What we found: Security researcher documented critical vulnerabilities in Hisense VIDAA TVs (A7100F model): arbitrary file reading via file:/// handler exposing WiFi passwords and credentials, silent application installation via Hisense_installApp() JavaScript API, and arbitrary file writing via custom File API. Hisense did not respond to the researcher's disclosure attempts. UNSW research found Hisense vulnerable to EvilScreen attacks enabling Wi-Fi credential theft, credit card capture, and display hijacking. Zero CVEs assigned despite at least 5 documented vulnerability classes suggests Hisense is not engaging with the security research community.
What they claim: Hisense Vulnerability Disclosure Policy implies the company maintains security standards and accepts vulnerability reports. VIDAA OS is promoted as a secure smart TV platform.
What we found: The VIDAA built-in web browser exposes custom JavaScript APIs including Hisense_installApp() for silent application installation, a File API for reading/writing filesystem data, and file:/// handler access via XMLHttpRequest. Any website visited through the TV browser can: read WiFi passwords and stored credentials from /dev/shm/local/applications/UI, install persistent HTML5 applications that appear in the app menu, and write arbitrary data to writable filesystem locations. These are not bugs — they are intentionally implemented APIs that were exposed to untrusted web content without access controls.