Roborock's privacy policy says the camera is just for scanning QR codes. In reality, the vacuum has an always-on camera that photographs your home's interior every time it cleans — and the privacy policy never mentions this. Roborock says your data is stored in different countries depending on where you live, but your home's floor plans and cleaning data are sent to Chinese companies Tencent and Xiaomi. Chinese law can force these companies to hand over your data to the government — and Roborock doesn't clearly explain which of your data ends up in China.
What they claim: Roborock privacy policy describes camera access as "optional" and limited to "scan QR codes for easier WiFi connection."
What we found: The S7 MaxV hardware includes a front-facing RGB camera with a structured light sensor (3D ToF) that powers the ReactiveAI 2.0 obstacle avoidance system. This camera runs continuously during every cleaning cycle to identify and avoid obstacles. The privacy policy only mentions camera use for QR code scanning, completely omitting the always-active camera system that captures images of your home interior during operation.
What they claim: Roborock claims to be "the first robot vacuum company to obtain TÜV Rheinland Protected Privacy IoT Service certification" covering 13 critical privacy areas.
What we found: Despite this certification, the Tuya IoT cloud vulnerability disclosure revealed that the device-side library used an insecure random number generator when negotiating communication channels, undermining the security of all transmitted user data including maps, cleaning data, and settings. KTH security research found partially unencrypted UDP communications and insufficient TLS certificate verification. The AV-Test Institute gave Roborock only 1 of 3 stars for security due to "gross security deficiencies in data transmission."
What they claim: The Roborock app requests RECORD_AUDIO and MODIFY_AUDIO_SETTINGS permissions.
What we found: The privacy policy mentions microphone access only for "sound transmission on remote viewing-enabled devices." The S7 MaxV is primarily marketed as a vacuum cleaner, not a surveillance device. The combination of RECORD_AUDIO with CAMERA and the device's always-on obstacle avoidance camera creates a potential surveillance platform. The policy's vague reference to "remote viewing-enabled devices" does not clearly explain to users that their vacuum cleaner can record audio.
What they claim: Roborock Trust Center promotes device security and TÜV Rheinland certification.
What we found: The device has a documented history of security issues: a Tuya IoT cloud vulnerability in which an insecure random number generator affected data encryption; KTH research that found a DHCP starvation vulnerability and unencrypted UDP communications; insufficient TLS certificate verification allowing man-in-the-middle attacks; and Dennis Giese's classification of the device, which runs Android internally, as "nearly unrootable" (ARTHRP-2ex method) — implying security-through-obscurity rather than robust security design. AV-Test gave only 1/3 stars for security.
What they claim: Roborock privacy policy states data is stored in "data centers located in China, Germany, Russia, and the United States" based on registration location, with EU users' data going to Germany.
What we found: A regulatory investigation by Asia Business Daily (2025) found Roborock can share personal information with affiliates and third parties without consumer consent. Map data and device logs are transferred to Tencent Cloud and Xiaomi Inc. — both Chinese companies subject to China's Personal Information Protection Law (PIPL) and national security laws that can compel data access. Beijing Roborock Technology is headquartered in China. The policy does not clearly state which specific data stays in which jurisdiction, creating ambiguity about whether LIDAR floor plans of users' homes end up in Chinese data centers.
What they claim: Roborock CEO Richard Chang claims: "All images that are captured for obstacle recognition are processed on board the robot vacuum immediately, and are not sent out through the cloud to any servers."
What we found: Firmware analysis shows hardcoded endpoints including graph.facebook.com (Facebook Graph API), app-measurement.com (Google Analytics), and awsusor0.fds.api.xiaomi.com (Xiaomi cloud storage). The app includes Facebook Analytics, Facebook Login, and Facebook Share trackers with 5 total trackers embedded. While these may not transmit camera images directly, the presence of data pipelines to Facebook and Xiaomi contradicts the narrative that the device operates in a privacy-respecting manner with on-device-only processing.
What they claim: Roborock privacy policy states: "We do not sell any personal information to third parties."
What we found: The Roborock app (v4.59.08) contains 5 embedded trackers: Facebook Analytics, Facebook Login, Facebook Share, Google CrashLytics, and Google Firebase Analytics. The app requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, ACCESS_ADSERVICES_CUSTOM_AUDIENCE, and ACCESS_ADSERVICES_TOPICS permissions — all related to advertising tracking and audience targeting. The combination of Facebook trackers and ad services permissions enables user profiling and targeted advertising, which functions as monetization of user data even if not technically a "sale."
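To make the permission findings above (audio and camera, and the ad-services set) checkable, here is an added example, not part of the original report or of Roborock's code, that audits a decoded AndroidManifest.xml for those combinations. The sample manifest and the package name `com.example.vacuum` are constructed for illustration; the permission names are the ones listed on this page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups built from the permissions this page names.
GROUPS = {
    "audio": {"RECORD_AUDIO", "MODIFY_AUDIO_SETTINGS"},
    "camera": {"CAMERA"},
    "ad_services": {
        "ACCESS_ADSERVICES_AD_ID",
        "ACCESS_ADSERVICES_ATTRIBUTION",
        "ACCESS_ADSERVICES_CUSTOM_AUDIENCE",
        "ACCESS_ADSERVICES_TOPICS",
    },
}

# Constructed sample (as decoded by a tool such as apktool); not the real app manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vacuum">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_AD_ID"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_TOPICS"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the short names of every permission the manifest requests."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.rsplit(".", 1)[-1])
    return names

def audit(manifest_xml):
    """Group requested permissions by capability and flag risky combinations."""
    perms = requested_permissions(manifest_xml)
    hits = {group: sorted(perms & members) for group, members in GROUPS.items()}
    findings = []
    if "RECORD_AUDIO" in perms and "CAMERA" in perms:
        findings.append("audio+camera capture")
    if hits["ad_services"]:
        findings.append("ad-services profiling")
    return hits, findings
```
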
What they claim: The S7 MaxV creates detailed LIDAR floor plans of users' homes during every cleaning cycle.
What we found: The device uses a dedicated LIDAR module to create precise room maps including room dimensions, furniture placement, and home layout. The privacy policy mentions "offline maps and device logs" but does not specifically address: how long LIDAR data is retained, whether floor plans are used for purposes beyond cleaning, whether floor plan data can be deleted, or whether floor plans are included in data shared with Tencent Cloud and Xiaomi. For a device that essentially creates a blueprint of your home, this is a significant omission.
What they claim: Competitors Ecovacs, Samsung, and LG require customer consent when sharing personal information with third parties.
What we found: An Asia Business Daily investigation (2025) confirmed Roborock's terms allow personal information to be provided to affiliates and third parties without consumer consent, stating it can collect and use personal information "within the scope permitted by data protection laws." The privacy policy does not specifically disclose which affiliates and third-party service providers receive personal information. This is particularly concerning for a device with LIDAR mapping and camera capabilities that captures intimate details of users' homes.
What they claim: Roborock privacy policy does not prominently disclose ongoing data sharing with the Xiaomi ecosystem.
What we found: Firmware endpoints include awsusor0.fds.api.xiaomi.com (Xiaomi cloud storage). Regulatory filings show map data and device logs are transferred to Xiaomi Inc. Roborock was originally a Xiaomi ecosystem company and the devices remain compatible with the Xiaomi Mi Home app. The privacy policy mentions Xiaomi only in the South Korean data recipients list, not in the main global privacy policy sections, leaving most users unaware that their vacuum's data flows to Xiaomi.
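The hardcoded-endpoint findings (the Facebook, Google and Xiaomi hosts in the firmware analysis, and the Xiaomi endpoint above) can be reproduced on any firmware or app binary with a strings-style scan. The following is an added example, not the method used in this report: the byte blob is constructed, and the watchlist labels are the ones this page attaches to each host.

```python
import re

# Registrable domains of the hosts this page reports, with the page's own labels.
WATCHLIST = {
    "facebook.com": "Facebook Graph API",
    "app-measurement.com": "Google Analytics",
    "xiaomi.com": "Xiaomi cloud storage",
}

# Runs of printable ASCII, as the `strings` utility would extract them.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
HOSTNAME = re.compile(
    r"(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}(?![\w-])",
    re.I,
)

# Constructed sample blob standing in for a firmware image.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x00\x00"
    b"https://graph.facebook.com/v12.0/activities\x00"
    b"\x00\x13\x01app-measurement.com\x00"
    b"awsusor0.fds.api.xiaomi.com\x00"
    b"http://notfacebook.com.example/ping\x00"  # must not match facebook.com
    b"\xff\xfe\x00libcurl.so.4\x00"             # hostname-shaped noise
)

def extract_hosts(blob):
    """Return every hostname-shaped string found in printable runs of blob."""
    hosts = set()
    for run in PRINTABLE_RUN.findall(blob):
        for match in HOSTNAME.findall(run.decode("ascii")):
            hosts.add(match.lower())
    return hosts

def classify(host):
    """Match on a label boundary so look-alike domains are not misattributed."""
    for domain, owner in WATCHLIST.items():
        if host == domain or host.endswith("." + domain):
            return owner
    return None

def third_party_endpoints(blob):
    """Map each watchlisted operator to the hosts embedded in blob."""
    report = {}
    for host in sorted(extract_hosts(blob)):
        owner = classify(host)
        if owner:
            report.setdefault(owner, []).append(host)
    return report
```

Hosts that match nothing on the watchlist (here `libcurl.so` and `notfacebook.com.example`) are still returned by `extract_hosts`, so they can be reviewed by hand.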