Wyze says they never sell your data, but in the same document admits that what they do with your data might legally count as selling it under California law. They share your activity data with advertising companies to show you targeted ads — which is exactly what most people would consider "selling" their information. Wyze uses your home security camera footage to train their AI systems. They bury this in the fine print while their marketing emphasizes security and privacy. Meanwhile, security flaws left your camera footage accessible to hackers for almost three years before being fixed.
What they claim: Wyze security trust page states: "Your data is never sold. We do not sell your personal information in the conventional sense (i.e., for money)." The same page claims: "we may disclose certain data points about you such as your activities on our website or app to services that allow us to show you interest-based advertisements, or to our business partners. Making this information available to these companies may be considered a sale under the California Consumer Privacy Act."
What we found: Wyze simultaneously claims they never sell data while admitting their data sharing practices "may be considered a sale" under California law (CCPA). The privacy policy confirms data is shared with advertising partners for "targeted advertising." The app includes AD_ID, ACCESS_ADSERVICES_AD_ID, and ACCESS_ADSERVICES_ATTRIBUTION permissions, confirming active ad tracking infrastructure.
What they claim: Wyze security trust page states: "Your data is never sold" and emphasizes user privacy as a core value.
What we found: The Wyze app includes AD_ID, ACCESS_ADSERVICES_AD_ID, and ACCESS_ADSERVICES_ATTRIBUTION permissions — Google's advertising identifier system specifically designed to track users across apps for targeted advertising. The app also includes Google Firebase Analytics tracker. The privacy policy admits sharing data with "advertising partners" for "interest-based advertisements" and states this "may be considered a sale" under CCPA. The app's ad tracking infrastructure contradicts the "never sold" marketing claim.
What they claim: Wyze Cam v3 is a 2.4GHz Wi-Fi camera with no Bluetooth capability (FCC filing confirms only 2412-2462 MHz operation).
What we found: The Wyze app requests BLUETOOTH, BLUETOOTH_ADMIN, BLUETOOTH_ADVERTISE, BLUETOOTH_CONNECT, and BLUETOOTH_SCAN permissions. While some Wyze products use Bluetooth for setup, the Cam v3 specifically does not have Bluetooth hardware per its FCC filing (2AUIUWYZEC3). The app's monolithic design bundles permissions for all Wyze products (cameras, scales, watches, locks, plugs) into a single app, meaning installing the app for a camera grants it access to Bluetooth, health data, SMS, call logs, and other capabilities unrelated to the camera.
What they claim: Wyze cam supplemental terms state: "Wyze may analyze, process, and use your User Recordings using automated technologies and machine learning to build and improve its products and services." The security trust page claims video encryption and secure handling.
What we found: Wyze reserves the right to use customer video recordings — from security cameras pointed inside people's homes — to train machine learning models. This is disclosed in the supplemental terms but not prominently featured on the security trust page. CVE-2019-9564 and CVE-2019-12266 demonstrated that video recordings could be accessed by attackers due to authentication bypass and buffer overflow vulnerabilities that Wyze left unpatched for nearly 3 years.
What they claim: Wyze marketed the Cam v3 as a reliable home security camera with encrypted video streaming.
What we found: Bitdefender reported critical vulnerabilities CVE-2019-9564 (authentication bypass, CVSS critical) and CVE-2019-12266 (remote code execution via buffer overflow) to Wyze on March 6, 2019. Wyze did not respond until November 2020 — 20 months of silence. Final fixes deployed January 2022, nearly 3 years later. Wyze Cam v1 was NEVER patched and remains permanently vulnerable. Consumer Reports highlighted this as a major delayed CVE disclosure case. During this 3-year window, attackers could bypass authentication and access camera feeds and SD card recordings.
What they claim: Wyze cam supplemental terms state that "videos and/or the live streams from your Security Cameras are not shared with any Wyze employees or third parties."
What we found: The February 2024 breach exposed camera feeds from approximately 13,000 users to other Wyze customers — a direct contradiction of the claim that video is not shared. About 1,500 users actively viewed footage from strangers' cameras, including indoor home cameras. A similar incident occurred in September 2023. While these were described as "bugs" rather than intentional sharing, the repeated failures demonstrate that Wyze's technical controls do not match their policy promises about video isolation.
What they claim: Wyze promotes secure, private home camera monitoring
What we found: In February 2024, approximately 13,000 Wyze users received thumbnail images from other people's cameras due to a caching bug in a third-party library. Some users could view video feeds from strangers' homes. Wyze initially told users only 14 people were affected, then revised to 13,000. This was the third major security incident in two years.
What they claim: Wyze security trust page describes encrypted video streaming and secure data handling.
What we found: In 2024, Bitdefender disclosed three new vulnerabilities in Wyze Cam v3 specifically: CVE-2023-6322 (stack buffer overflow in motion detection IOCTL, enabling root access), CVE-2023-6323 (AuthKey leak via P2P server impersonation), and CVE-2023-6324 (DTLS pre-shared key inference). These three can be chained for full root access from the local network. The vulnerabilities exist in the ThroughTek Kalay (TUTK) P2P framework that Wyze relies on for all device-to-cloud communication. This is the SECOND time Bitdefender has found critical flaws in Wyze cameras.
What they claim: Wyze privacy policy states users can request deletion of personal data and manage their privacy choices.
What we found: Despite privacy policy promises, the 2019 data breach demonstrated Wyze failed to implement basic security controls — production data was copied to an unsecured Elasticsearch instance by an employee without security protocols. Alexa tokens were exposed, potentially giving attackers access to users' Amazon accounts. The privacy policy's data protection promises were not backed by adequate technical controls. The data sharing opt-out page (wyze.com/pages/data-sharing-opt-out) implies data sharing is the default — users must actively opt out.
What they claim: Wyze security trust page states: "Since the founding of Wyze, we have existed for our users" and emphasizes security commitment.
What we found: In December 2019, Wyze exposed an Elasticsearch database containing personal data of 2.4 million customers for 23 days. Exposed data included email addresses, Wi-Fi SSIDs, body metrics, camera nicknames (revealing camera locations like "Bedroom" or "Baby Room"), and Alexa tokens. A class action lawsuit was filed (Schoolfield v. Wyze Labs). In February 2024, approximately 13,000 users were shown thumbnails and video from other users' cameras due to a caching error — with 1,500 users actively viewing footage from strangers' home cameras. A similar incident occurred in September 2023.
What they claim: Wyze privacy policy states data collection is limited to what is necessary for product functionality. The Wyze app is marketed as a companion for smart home cameras, plugs, locks, and sensors.
What we found: The Wyze app (com.hualai v3.9.0.739) requests 76 permissions including 20 health/fitness data permissions: READ_HEART_RATE, READ_BODY_FAT, READ_BONE_MASS, READ_BODY_WATER_MASS, READ_HYDRATION, READ_LEAN_BODY_MASS, READ_WEIGHT, WRITE_HEART_RATE, WRITE_BODY_FAT, WRITE_BONE_MASS, WRITE_SLEEP, WRITE_STEPS, WRITE_TOTAL_CALORIES_BURNED, and more. It also requests READ_SMS, RECEIVE_SMS, READ_CALL_LOG, CALL_PHONE, ANSWER_PHONE_CALLS, READ_CONTACTS, and MODIFY_PHONE_STATE — permissions that far exceed what a security camera or smart home controller requires.