When you buy a cheap smart plug or light switch from a brand you've never heard of, there's a good chance it's actually powered by a Chinese company called Tuya. Your data goes to Tuya's servers, but the product packaging and app never tell you this. Over 116 million devices across thousands of brands hide this relationship. Tuya says you can choose where your data is stored — US, Europe, or elsewhere. But researchers found that Tuya devices secretly send data to Chinese servers no matter what region you pick. The fine print even admits they can't guarantee your data stays where you chose.
What they claim: Tuya's FCC modular transmitter approval (2ANDL-WB3S) means the Tuya module appears inside 5,000+ branded products across 220+ countries. The FCC filing is under 'Hangzhou Tuya Information Technology Co., Ltd' — the end product carries only the OEM brand name.
What we found: Tuya's privacy policy (tuya.com) discloses extensive data collection including device identifiers, MAC addresses, IP addresses, usage patterns, location data, camera images, health data, and voice recordings. But consumers buying a branded smart plug from a retailer see only the OEM brand's privacy policy — they have no idea Tuya exists, let alone that their data flows to Tuya's cloud infrastructure on Alibaba Cloud, AWS, Azure, and Tencent Cloud.
What they claim: The Tuya platform controls a vast range of simple devices — smart plugs, light switches, LED strips, and basic sensors — that have no camera or microphone hardware.
What we found: The Tuya Smart app requests the CAMERA, RECORD_AUDIO, ACCESS_FINE_LOCATION, and ACCESS_BACKGROUND_LOCATION permissions for ALL devices, including simple smart plugs built on the BK7231T or ESP8266 chipset, neither of which has camera or microphone capability. The same app, with the same permission bundle, controls every Tuya device regardless of whether the hardware has these sensors.
What they claim: Tuya's privacy policy describes collecting 'usage patterns' and 'sensor readings' from IoT devices, but does not disclose collection of high-frequency phone sensor data.
What we found: The Tuya Smart app requests the HIGH_SAMPLING_RATE_SENSORS Android permission, which enables access to the phone's accelerometer and gyroscope at their maximum sampling rate (up to 400-800 Hz). Sensor access at this rate is sufficient for keystroke inference, gait analysis, and continuous motion tracking. The permission is completely unnecessary for controlling smart plugs, lights, and switches.
What they claim: Tuya's privacy policy states users can 'choose their data center region' for data storage, implying user control over where data resides.
What we found: Firmware analysis reveals hardcoded endpoints to Chinese servers (m1.tuyacn.com, a1.tuyacn.com, h1.tuyacn.com) alongside US and EU endpoints. Security research by the tuya-cloudcutter project confirmed that stock Tuya firmware phones home to Chinese cloud endpoints even when the user selects a non-China data center. The policy itself admits it 'does not guarantee data stays in the selected region'.
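A network-side check for the behaviour described above, written as an added example rather than taken from the report or from any Tuya tooling: it reads dnsmasq-style query logs from an IoT VLAN and flags devices that resolve a Tuya cloud region other than the one their owner selected. The tuyacn.com suffix comes from the page; the tuyaus.com and tuyaeu.com suffixes, the log lines and the device-to-region table are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Region implied by the Tuya cloud domain suffix. tuyacn.com is named on the
# page; the US and EU suffixes are assumed here for illustration.
REGION_BY_SUFFIX = {
    "tuyacn.com": "CN",
    "tuyaus.com": "US",
    "tuyaeu.com": "EU",
}

# Constructed dnsmasq-style query log from an IoT VLAN. The plug at
# 192.168.50.23 was registered to the US data center in the app.
SAMPLE_LOG = """\
Mar  3 09:12:01 gw dnsmasq[812]: query[A] a1.tuyaus.com from 192.168.50.23
Mar  3 09:12:01 gw dnsmasq[812]: query[A] m1.tuyacn.com from 192.168.50.23
Mar  3 09:12:02 gw dnsmasq[812]: query[A] h1.tuyacn.com from 192.168.50.23
Mar  3 09:12:04 gw dnsmasq[812]: query[A] a1.tuyaeu.com from 192.168.50.40
Mar  3 09:12:05 gw dnsmasq[812]: query[A] time.cloudflare.com from 192.168.50.23
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")

def region_of(hostname):
    """Return the Tuya region a hostname belongs to, or None if it is not Tuya."""
    for suffix, region in REGION_BY_SUFFIX.items():
        if hostname == suffix or hostname.endswith("." + suffix):
            return region
    return None

def tuya_regions_by_device(log_text):
    """Map each querying source IP to the set of Tuya regions it resolved."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        region = region_of(m["name"])
        if region:
            seen[m["src"]].add(region)
    return dict(seen)

def off_region_devices(log_text, expected):
    """Return {src_ip: sorted unexpected regions} for every device that
    contacted a Tuya region other than the one configured for it."""
    return {
        src: sorted(regions - {expected[src]})
        for src, regions in tuya_regions_by_device(log_text).items()
        if src in expected and regions - {expected[src]}
    }
```

Feeding real resolver logs in place of SAMPLE_LOG shows whether a device still reaches the CN endpoints after a non-China region was selected, which is the behaviour the tuya-cloudcutter research reported.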
What they claim: Tuya's privacy policy lists categories of third-party service providers but does not specifically name Pangle or ByteDance as a data recipient.
What we found: Exodus Privacy analysis of the Tuya Smart app (v7.2.6) identifies Pangle — ByteDance's (TikTok parent company) advertising SDK — as an embedded tracker. Pangle collects device identifiers, usage data, and serves targeted advertising. The privacy policy generically refers to 'service providers' without naming them, hiding the fact that IoT device usage data flows to TikTok's parent company.
What they claim: Tuya's privacy policy provides CCPA rights for California residents and GDPR-style rights for EU users, implying strong privacy protections and user control over data.
What we found: Tuya Inc. is headquartered in Hangzhou, China, and is subject to China's Data Security Law (June 2021), which requires Chinese enterprises to 'support, assist and cooperate with law enforcement' on data concerning national security. A VOA investigation found that Dark Cubed tested 10 Tuya devices and every one connected to servers in China. Tuya is backed by Tencent, which has documented ties to Beijing. The CCPA deletion rights are meaningless if Chinese law simultaneously requires data retention and disclosure.
What they claim: Tuya's data privacy center promotes security certifications and compliance with international standards including SOC 2, ISO 27001, and GDPR.
What we found: The cybersecurity firm Dark Cubed examined 10 Tuya-powered home devices and found that every device made at least one network connection to servers in China, that all of them failed basic security checks, and that they gave anyone on the network complete visibility into private images. This directly contradicts Tuya's marketing of security certifications and its privacy center's claims of robust data protection.
What they claim: Tuya's data privacy center promotes 'end-to-end encryption' and security certifications for its IoT platform.
What we found: A&O IT Group discovered that Tuya-powered smart plugs transmit Wi-Fi SSID and password in plaintext during device setup. The default access point password is '12345678' as documented in the user manual. Security researcher rb9.nl found that the BK7231T/BK7231N SDK's AP configuration handler has an out-of-bounds memory write via UDP port 6669 that allows overwriting factory-burned secrets (UUID, auth key, PSK) with no authentication.
What they claim: Tuya's FCC modular approval and platform approach means identical firmware runs on 116+ million devices across 5,000+ brands.
What we found: CVE-2026-28519 (heap-based buffer overflow in DnsServer, CVSS 8.7) and CVE-2026-28520 (off-by-one buffer overflow in WiFiMulti, CVSS 8.6) affect the arduino-TuyaOpen SDK used across the entire Tuya ecosystem. CVE-2024-32268 allows remote denial of service without authentication. Because Tuya provides the firmware SDK to all OEM manufacturers, a single vulnerability affects every branded device simultaneously. Most consumers don't know their device is Tuya-based, so they have no way to find or apply security patches.
What they claim: Tuya is marketed as a smart home IoT platform for controlling lights, plugs, switches, and sensors. The privacy policy mentions health data collection but does not explain why a smart home app needs it.
What we found: The Tuya Smart app (com.tuya.smart v7.2.6) requests 27 health-related Android permissions including READ_BLOOD_PRESSURE, READ_HEART_RATE, READ_OXYGEN_SATURATION, READ_SLEEP, READ_STEPS, WRITE_BODY_FAT, WRITE_BODY_TEMPERATURE, WRITE_BONE_MASS, and WRITE_EXERCISE_ROUTE. These are extreme permissions for an app whose primary function is turning lights on and off. The same app controls all Tuya devices regardless of category.
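The permission findings above (camera, microphone and location for plugs; HIGH_SAMPLING_RATE_SENSORS; the health permissions) can be reproduced against any decoded APK with a short manifest audit. The following is an added example, not code from the report or from Tuya: it parses the `uses-permission` entries of an AndroidManifest.xml and groups everything beyond a plug/switch controller's plausible baseline by the risk it carries. The manifest excerpt is constructed from the permission names the page lists, and the baseline set is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest excerpt modelled on the permissions the page reports;
# it is not the real app's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.tuya.smart">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.HIGH_SAMPLING_RATE_SENSORS"/>
  <uses-permission android:name="android.permission.health.READ_HEART_RATE"/>
  <uses-permission android:name="android.permission.health.WRITE_BODY_FAT"/>
</manifest>"""

# Assumed baseline: what a Wi-Fi plug/switch controller plausibly needs.
BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CHANGE_WIFI_STATE",
}

# Sensitive permissions grouped by the capability they unlock.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.HIGH_SAMPLING_RATE_SENSORS": "motion-sensors",
}

def declared_permissions(manifest_xml):
    """Sorted list of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))

def audit(manifest_xml):
    """Return {risk_category: [permissions]} for everything beyond BASELINE.
    Health Connect permissions share the android.permission.health. prefix."""
    findings = {}
    for perm in declared_permissions(manifest_xml):
        if perm in BASELINE:
            continue
        cat = "health" if perm.startswith("android.permission.health.") else SENSITIVE.get(perm, "other")
        findings.setdefault(cat, []).append(perm)
    return findings
```

Run against a manifest pulled from a decoded APK, a non-empty "camera", "microphone" or "health" bucket for a plug-only deployment is the mismatch the report describes and a reason to deny those permissions at install time.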