Roborock says the camera on your vacuum only identifies obstacles on the floor and processes images locally. But the app has camera AND microphone access, plus sends data to Facebook and Google analytics. Your vacuum has a camera rolling across your home — and the app is wired to share data with advertising companies. Roborock claims your home maps and camera footage stay on the device and are not sent to external servers. Their own privacy policy says the opposite: your maps, home environment data, and device logs are stored on Tencent Cloud in Beijing, China. In 2025, they quietly changed their policy to admit data is processed in China.
What they claim: Roborock privacy policy states camera access is for "scanning QR codes" and "uploading profile pictures and attaching images when providing feedback." The trust center claims images from obstacle avoidance are processed on-device and not uploaded.
What we found: The Roborock app (com.roborock.smart v4.59.08) requests CAMERA and RECORD_AUDIO permissions. The app also includes 5 trackers: Facebook Analytics, Facebook Login, Facebook Share, Google CrashLytics, and Google Firebase Analytics. The privacy policy separately mentions collecting "obstacle images and screenshots" on supported devices and "audio and video you send during remote viewing." The combination of camera+audio permissions with Facebook/Google analytics trackers creates a data pipeline from home interior cameras to third-party ad platforms.
What they claim: Roborock trust center states: "Sensitive data such as video footage and mapping information collected by its robot vacuums is encrypted and stored on the devices themselves, not on external servers."
What we found: The privacy policy contradicts this by disclosing data is stored in "data centers located in China, Germany, Russia, and the United States." Map data and device logs — which include "home environment information, map information, machine behavior" — are transferred to Tencent Cloud Computing (Beijing) Co., Ltd. for cloud storage. The 2025 privacy incident revealed Roborock updated its policy to state data may be processed in China, removing prior references to US data centers for Korean customers. The regulatory filing shows data including DID, device name, room name, IP address, timezone, and device information is shared with Tuya Global Inc. (Hangzhou, China).
What they claim: The S8 MaxV Ultra is a robot vacuum-mop with LiDAR navigation and AI camera for obstacle avoidance — a cleaning appliance. The device has no telephone, video calling, or social media functionality.
What we found: The companion app requests 33 permissions including: ACCESS_FINE_LOCATION (GPS-level tracking), RECORD_AUDIO (microphone access), CAMERA (camera access), 4 ACCESS_ADSERVICES permissions (AD_ID, ATTRIBUTION, CUSTOM_AUDIENCE, TOPICS — full advertising profile), SCHEDULE_EXACT_ALARM, RECEIVE_BOOT_COMPLETED (starts on phone boot), and MODIFY_AUDIO_SETTINGS. The app includes Facebook Analytics, Facebook Login, and Facebook Share SDKs. A vacuum cleaner app has no legitimate need for advertising audience targeting, Facebook social integration, or microphone access beyond the device itself.
What they claim: The S8 MaxV Ultra has hardcoded endpoints including api-cn.roborock.com (China), awsusor0.fds.api.xiaomi.com (Xiaomi cloud), app-measurement.com (Google Analytics), and graph.facebook.com (Facebook). Firmware communicates with Chinese servers by default.
What we found: The LidarPhone research (ACM SenSys 2020) demonstrated that Xiaomi Roborock vacuum LiDAR sensors can be repurposed for acoustic eavesdropping with 91%% digit classification accuracy. The S8 MaxV Ultra adds an RGB camera to the LiDAR, expanding surveillance potential from audio to video. Combined with hardcoded endpoints pointing to Chinese cloud infrastructure (api-cn.roborock.com) and Xiaomi cloud (awsusor0.fds.api.xiaomi.com), and China's Data Security Law requiring companies to cooperate with government data requests, the device creates a persistent surveillance capability inside homes with data flowing to servers subject to Chinese government access.
What they claim: Roborock disclosed a vulnerability in the Tuya IoT cloud integration where an insecure random number generator compromised communication security for cleaning data, maps, and robot settings.
What we found: Despite disclosing this Tuya vulnerability and claiming migration to Roborock's own IoT server "starting April 2021," the 2025 privacy policy still lists Tuya Global Inc. (Hangzhou, China) as a data recipient receiving DID, device name, room name, IP address, timezone, country, and device information. The KTH penetration test also found partially unencrypted UDP transmissions and insufficient TLS certificate verification in Roborock devices. This means the company knew about multiple communication security weaknesses but maintained the vulnerable data sharing relationship.
What they claim: Roborock states it "does not sell any personal information to third parties" and claims data sharing only happens with user consent or as required by law.
What we found: The Asia Business Daily investigation (2025-02-19) found that Roborock's terms allow personal information to be provided to affiliates and third parties WITHOUT consumer consent — unlike competitors Ecovacs, Samsung, and LG which all require explicit customer consent. The privacy policy confirms Roborock can "collect and use personal information without customer consent within the scope permitted by data protection laws." Data recipients include Tuya Global Inc. (Hangzhou), Tencent Cloud (Beijing), Xiaomi Inc., Amazon Web Services, and unnamed "affiliates" — but the policy does not specifically identify which affiliates receive data.
What they claim: Roborock privacy policy describes location data collection as needed "to connect to WiFi" and "find nearby devices ready for connection" — framing it as a functional necessity.
What we found: The app requests both ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions. Fine location provides GPS-level precision (within meters). For WiFi connection and BLE device discovery, only coarse location or WiFi state access is needed. The combination of fine location with 4 advertising service permissions (ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, ACCESS_ADSERVICES_CUSTOM_AUDIENCE, ACCESS_ADSERVICES_TOPICS) reveals the true purpose: building an advertising profile that includes your precise physical location, not just connecting to WiFi.
What they claim: Roborock markets Matter protocol support as a key feature of the S8 MaxV Ultra, listed on product pages and marketing materials as enabling smart home integration.
What we found: The firmware shows BLE capability but no Thread radio (required for full Matter over Thread). As of early 2025 — nearly a year after the product launched — Matter support has not been enabled via firmware update. A user review on Matter Alpha (February 2025) states: "they have yet to enable it and have no ETA." The device was advertised and sold with Matter as a feature but ships without it, with no timeline for delivery.
What they claim: The Roborock app includes Facebook Analytics, Facebook Login, and Facebook Share SDKs — three separate Facebook tracking integrations in a robot vacuum companion app.
What we found: The app communicates with graph.facebook.com (Facebook's API) as a hardcoded endpoint. The privacy policy does not specifically disclose Facebook as a data recipient in its third-party sharing section, listing only Amazon, Google, Apple, Naver, Alibaba, Tencent, and Xiaomi. Facebook's SDK collects device identifiers, app events, and user interactions and sends them to Facebook's advertising platform. For a vacuum cleaner app that maps your home interior, this means Facebook receives signals about your cleaning habits and app usage without being explicitly named in the privacy disclosure.
What they claim: The S8 MaxV Ultra runs Android internally on an Allwinner MR813 SoC with 1GB RAM and 4GB storage — a full computing platform, not a simple embedded device. Security researchers describe Roborock devices as "nearly unrootable."
What we found: The privacy policy describes the device as collecting "offline maps and device logs" but does not disclose that the vacuum runs a full Android operating system capable of running arbitrary software. The 2022 KTH security research found Roborock devices have partially unencrypted UDP transmissions and weak TLS certificate verification. Running Android means the device has a full network stack, is capable of receiving and executing OTA updates, and could theoretically have its behavior changed post-sale — all without user visibility. The "nearly unrootable" characterization means users cannot audit what software runs on their own device.