Xiaomi says it doesn't sell your personal information, but the app that controls your air purifier contains advertising trackers from TikTok's parent company (ByteDance), Facebook, Tencent, and Google. These trackers collect your usage data and feed it into advertising networks. Your air quality and home environment data flows through an app designed to serve you ads. Your air purifier works perfectly fine without connecting to Xiaomi's servers — hackers have proven this by replacing the Wi-Fi chip's software. But Xiaomi forces you to create an account and connect to their cloud to use the device, including a server specifically for advertising. They chose to require cloud connectivity to collect your data, not because the purifier needs it to clean your air.
What they claim: Xiaomi IoT privacy whitepaper states Mi Home needs location permission only "when scanning and connecting to Bluetooth and Wi-Fi smart IoT devices" and will "only ask users for location permissions when using such scanning or connecting functions." The privacy policy frames data collection as necessary for device functionality.
What we found: Exodus Privacy analysis of Xiaomi Home app (com.xiaomi.smarthome v11.2.700) reveals 52 permissions including CAMERA, RECORD_AUDIO, READ_PHONE_STATE, READ_PRIVILEGED_PHONE_STATE, GET_ACCOUNTS, NFC, TRANSMIT_IR, and AD_ID. An air purifier has no camera, no microphone, no phone-call capability, and no NFC function. These permissions enable data collection far beyond what is needed to control fan speed and read PM2.5 levels.
What they claim: Xiaomi's privacy policy discusses data collection for individual device functionality but does not address the aggregation of data across multiple Xiaomi IoT devices under a single account.
What we found: The Xiaomi Home app (com.xiaomi.smarthome) manages all Xiaomi IoT devices from a single account — cameras, smart bands, door locks, smart plugs, air purifiers, and more. Combining air purifier environmental data with Smart Band 8 biometric data (heart rate, sleep, location via spec-086), Mi 360 Camera video feeds (spec-088), and smart plug usage patterns (spec-020) creates an intimate portrait: who is in which room, what they're doing, their health status, and their daily routines. The app's 8 trackers (including ByteDance Pangle and Facebook Analytics) receive behavioral data from interactions with ALL devices, not just the purifier.
What they claim: Xiaomi's privacy policy states "we do not sell any personal information to third parties" and frames data sharing as limited to service providers necessary for operations.
What we found: Exodus Privacy found 8 trackers embedded in the Xiaomi Home app: Bugly (Tencent crash reporting), Facebook Analytics, Facebook Login, Facebook Share, Google Firebase Analytics, JiGuang Aurora Mobile JPush (Chinese push notification + analytics), Pangle (ByteDance/TikTok advertising SDK), and Tencent Stats. Pangle is specifically an advertising SDK owned by ByteDance that monetizes user data for ad targeting. The AD_ID permission confirms advertising identifier collection. These trackers transmit user behavior data to Tencent, Facebook/Meta, ByteDance, and Google — four of the world's largest advertising companies.
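The two findings above (the 52 permissions and the 8 embedded trackers) are the kind of thing a reviewer can reproduce from the APK itself. The script below is an added example, not code from the original analysis, from Xiaomi or from Exodus Privacy: it parses a manifest fragment constructed from the permission names reported above, compares it with a baseline of what a pure air-purifier controller plausibly needs, and matches a constructed class list against package-prefix signatures for the SDKs Exodus named. The baseline, the sensitivity labels and the signature prefixes are the author's assumptions, not an Exodus output.

```python
"""Triage an IoT companion app's manifest permissions and bundled SDKs.

Added example, not code from the original analysis, from Xiaomi or from
Exodus Privacy. The manifest fragment and class list below are constructed
from the permission and tracker names reported above; the per-device-class
baseline and the SDK package-prefix signatures are the author's assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment using permission names reported for
# com.xiaomi.smarthome v11.2.700 (not the app's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.xiaomi.smarthome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.TRANSMIT_IR"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

# Assumed baseline: what an app needs to find a Wi-Fi/BLE purifier, pair it
# and send it commands. Location is included because Android gates Wi-Fi and
# BLE scanning behind it, which is exactly the justification quoted above.
PURIFIER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.BLUETOOTH_SCAN",
    "android.permission.BLUETOOTH_CONNECT",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Permissions that unlock data a purifier controller has no use for.
SENSITIVE = {
    "android.permission.CAMERA": "image capture",
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.READ_PHONE_STATE": "phone identifiers and call state",
    "android.permission.READ_PRIVILEGED_PHONE_STATE": "privileged phone identifiers",
    "android.permission.GET_ACCOUNTS": "account enumeration",
    "com.google.android.gms.permission.AD_ID": "advertising identifier",
}

# Assumed package-prefix signatures for SDKs named in the Exodus report.
# Exodus Privacy itself matches on class names in a similar way.
SDK_SIGNATURES = {
    "com.bytedance.sdk.openadsdk": ("Pangle", "advertising"),
    "com.google.firebase.analytics": ("Google Firebase Analytics", "analytics"),
    "com.tencent.bugly": ("Bugly", "crash-reporting"),
    "cn.jpush.android": ("JiGuang JPush", "push+analytics"),
    "com.facebook.appevents": ("Facebook Analytics", "analytics"),
}


def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def excess_permissions(perms, baseline=PURIFIER_BASELINE):
    """Permissions declared beyond the device-class baseline, each with the
    sensitive capability it grants or a generic 'not needed' reason."""
    return {p: SENSITIVE.get(p, "not needed for device control")
            for p in sorted(perms - baseline)}


def detect_sdks(class_names, signatures=SDK_SIGNATURES):
    """Map each signature hit to its category, advertising SDKs listed first."""
    hits = {}
    for cls in class_names:
        for prefix, (name, category) in signatures.items():
            if cls.startswith(prefix + "."):
                hits[name] = category
    return dict(sorted(hits.items(), key=lambda kv: kv[1] != "advertising"))


# Constructed class list, as one would get by listing classes in the APK's dex files.
SAMPLE_CLASSES = [
    "com.xiaomi.smarthome.MainActivity",
    "com.bytedance.sdk.openadsdk.TTAdSdk",
    "com.google.firebase.analytics.FirebaseAnalytics",
    "com.tencent.bugly.crashreport.CrashReport",
    "cn.jpush.android.api.JPushInterface",
]

if __name__ == "__main__":
    perms = manifest_permissions(SAMPLE_MANIFEST)
    for perm, why in excess_permissions(perms).items():
        print(f"EXCESS {perm}: {why}")
    for name, cat in detect_sdks(SAMPLE_CLASSES).items():
        print(f"SDK    {name}: {cat}")
```

Run against a real APK, the manifest would come from `apktool` or `aapt dump xmltree` and the class list from the dex files; the point of the baseline diff is that every permission outside it should have a written justification, and a permission such as CAMERA in a fan controller has none.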
What they claim: The Air Purifier 4's ESP32 firmware connects to sdkconfig.ad.xiaomi.com — Xiaomi's advertising SDK configuration server — and tracking.miui.com (Xiaomi's telemetry/tracking server). These are hardcoded endpoints in the device firmware, not the companion app.
What we found: Xiaomi's privacy policy does not disclose that the air purifier hardware itself connects to advertising infrastructure. The policy frames advertising as an app-level concern. However, the device firmware contains hardcoded connections to ad configuration servers, meaning even if users disable personalized advertising in the app, the hardware-level connection to ad infrastructure persists. Xiaomi's HyperOS/MIUI ecosystem is documented to use MSA (Mobile System Ads) for integrated advertising — the air purifier's ad endpoint suggests this extends to IoT device firmware.
What they claim: Xiaomi's Mi Home privacy policy mentions sharing data with "legal/government entities via court orders" as a standard legal compliance provision but does not specifically address obligations under Chinese law.
What we found: Jamestown Foundation research documents Xiaomi's strong links with the PRC government via Party-aligned internal structures. Under China's National Security Law (2015 Art. 77), Cybersecurity Law (2017 Art. 28), and PIPL (2021), Xiaomi is legally required to: provide technical support and assistance to public security organs, store data within China for critical information infrastructure, and cooperate with national security investigations. Xiaomi's Beijing data center processes IoT telemetry. The privacy policy's generic "court orders" language obscures the reality that Chinese authorities can compel access without a court order under the National Security Law. Air purifier environmental data revealing home occupancy patterns is accessible under these provisions.
What they claim: The Air Purifier 4 collects PM2.5 particulate readings, temperature, humidity, fan speed, power state changes, and usage schedules. These readings are transmitted continuously to Xiaomi's cloud servers via the MIoT protocol.
What we found: Xiaomi's privacy policy discloses data centers in Beijing, US, Russia, Singapore, and Germany. Under China's National Security Law, Cybersecurity Law, and PIPL, Chinese authorities can compel access to data held in Beijing data centers. Environmental sensor data reveals: when rooms are occupied (CO2/PM2.5 spikes from breathing/cooking), how many people are present (magnitude of changes), sleep schedules (night mode activation, low PM2.5 overnight), cooking activity (sharp PM2.5 spikes), and window/door openings (sudden humidity/temperature changes). Combined with Xiaomi's other IoT devices (cameras, smart bands, locks), this creates a comprehensive occupancy map of the home accessible to Chinese authorities.
What they claim: Xiaomi's Mi Home privacy policy states data is retained "as long as it is still needed for the purposes we obtained it" and allows extended retention "for archiving purposes in the public interest." No specific retention period is defined for IoT device telemetry.
What we found: The Air Purifier 4 transmits environmental readings (PM2.5, temperature, humidity) continuously while operating — potentially 24/7 for years. GDPR Article 5(1)(e) requires data minimization and storage limitation with specific retention periods. CCPA requires disclosure of retention categories. Xiaomi's vague retention language means years of continuous home environmental data could be stored indefinitely, building an ever-growing profile of household patterns. The privacy policy's "archiving purposes in the public interest" exception could theoretically apply to environmental monitoring data under Chinese data laws.
What they claim: The Air Purifier 4 communicates with 10+ Xiaomi cloud endpoints including account.xiaomi.com, api.io.mi.com, tracking.miui.com, sdkconfig.ad.xiaomi.com, and regional IoT endpoints (de.ot.io.mi.com, sg.ot.io.mi.com, us.ot.io.mi.com). The device requires Xiaomi account creation and cloud registration for initial setup via the Mi Home app.
What we found: The device uses a dual-MCU architecture where the ESP32-WROOM-32D handles Wi-Fi/cloud and the STM32F4 controls device functions independently. Community firmware projects (ESPHome/mipurifier-esphome) have proven the air purifier operates fully without any cloud connection — replacing only the ESP32 firmware enables complete local control via Home Assistant. This proves Xiaomi's cloud requirement is a business choice for data collection, not a technical necessity. The endpoint sdkconfig.ad.xiaomi.com specifically serves advertising configuration.
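Because the firmware endpoints (sdkconfig.ad.xiaomi.com, tracking.miui.com) and the cloud endpoints (account.xiaomi.com, api.io.mi.com, the regional ot.io.mi.com hosts) are hardcoded, a home-network defender can see them in resolver logs and decide per category what the device is allowed to reach. The script below is an added example, not part of the original analysis and not a Xiaomi or ESPHome tool: it parses constructed dnsmasq `log-queries` lines, categorizes each lookup using the hostnames listed above, and reports lookups by the purifier that fall outside an assumed policy allowing only account, API and regional IoT endpoints. The client address and the policy are the author's assumptions.

```python
"""Flag an IoT device's DNS lookups against an expected-endpoint policy.

Added example, not part of the original analysis and not a Xiaomi or
ESPHome tool. The log lines are constructed in dnsmasq's `log-queries`
format; the endpoint categories come from the hostnames listed above, and
the policy (which categories a purifier may reach) is the author's assumption.
"""
import re
from collections import defaultdict

# dnsmasq with log-queries writes: "dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Categories for the hostnames the page lists. Entries starting with "." are
# suffix matches so regional endpoints such as de.ot.io.mi.com are covered.
ENDPOINT_CATEGORIES = [
    ("sdkconfig.ad.xiaomi.com", "advertising"),
    ("tracking.miui.com", "telemetry"),
    ("account.xiaomi.com", "account"),
    ("api.io.mi.com", "iot-api"),
    (".ot.io.mi.com", "iot-regional"),
]

# Assumed policy: a cloud-connected purifier legitimately needs the account,
# API and regional IoT endpoints; ad configuration and telemetry it does not.
ALLOWED_CATEGORIES = {"account", "iot-api", "iot-regional"}


def categorize(hostname):
    """Return the endpoint category for a hostname, or 'unknown'."""
    host = hostname.lower().rstrip(".")
    for pattern, category in ENDPOINT_CATEGORIES:
        if pattern.startswith("."):
            if host.endswith(pattern):
                return category
        elif host == pattern:
            return category
    return "unknown"


def parse_queries(lines):
    """Yield (client, name, qtype) for every dnsmasq query line."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("name"), m.group("qtype")


def policy_violations(lines, iot_clients):
    """Return {client: {hostname: category}} for lookups by IoT clients that
    fall outside ALLOWED_CATEGORIES. Lookups from other clients are ignored."""
    findings = defaultdict(dict)
    for client, name, _ in parse_queries(lines):
        if client not in iot_clients:
            continue
        cat = categorize(name)
        if cat not in ALLOWED_CATEGORIES:
            findings[client][name] = cat
    return dict(findings)


# Constructed resolver log: the purifier (192.168.20.31, on an IoT VLAN) and a
# phone (192.168.10.5) resolving names after power-on.
SAMPLE_LOG = """\
Mar  3 07:12:01 gw dnsmasq[812]: query[A] account.xiaomi.com from 192.168.20.31
Mar  3 07:12:02 gw dnsmasq[812]: query[A] de.ot.io.mi.com from 192.168.20.31
Mar  3 07:12:02 gw dnsmasq[812]: query[A] api.io.mi.com from 192.168.20.31
Mar  3 07:12:05 gw dnsmasq[812]: query[A] sdkconfig.ad.xiaomi.com from 192.168.20.31
Mar  3 07:12:05 gw dnsmasq[812]: query[A] tracking.miui.com from 192.168.20.31
Mar  3 07:12:09 gw dnsmasq[812]: query[A] www.example.org from 192.168.20.31
Mar  3 07:12:11 gw dnsmasq[812]: query[A] tracking.miui.com from 192.168.10.5
""".splitlines()

PURIFIER_CLIENTS = {"192.168.20.31"}  # constructed: the purifier's DHCP lease

if __name__ == "__main__":
    for client, hosts in policy_violations(SAMPLE_LOG, PURIFIER_CLIENTS).items():
        for host, cat in hosts.items():
            print(f"{client} -> {host} [{cat}]")
```

The same category table doubles as the basis for a resolver blocklist or firewall allowlist on the IoT VLAN; since the page reports that the STM32 keeps running the fan regardless of what the ESP32 can reach, blocking the advertising and telemetry categories is a low-risk first step short of reflashing the ESP32 with community firmware.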
What they claim: CVE-2024-45352 (CVSS 8.8) allows code execution in the Xiaomi Home app via improper input validation. CVE-2024-45347 (CVSS 9.6) allows unauthorized device access via authentication bypass in Mi Connect Service — attackers on the same network can control devices without user interaction.
What we found: The Xiaomi Home app manages all IoT devices under a single account with 52 permissions including CAMERA, RECORD_AUDIO, READ_PHONE_STATE, and GET_ACCOUNTS. A code execution vulnerability in this app gives attackers access to all these permissions AND control over all connected devices — not just the air purifier but cameras, locks, and sensors. The authentication bypass (CVE-2024-45347) means an attacker on your Wi-Fi network could silently take control of your entire Xiaomi smart home ecosystem. Xiaomi's privacy policy makes no mention of these security risks.
What they claim: Xiaomi's privacy policy states data is stored on "secure servers and protected in controlled facilities" and claims compliance with global privacy standards including ISO/IEC 27001 and ISO/IEC 27701.
What we found: In January 2020, a cache update in Xiaomi's cloud caused cross-feed exposure where users saw still images from other users' Mijia cameras on their Google Nest Hub. Google disabled Xiaomi integration entirely. In May 2020, Forbes found Xiaomi phones collecting browsing data in incognito mode and transmitting it to servers in Singapore and Russia. Xiaomi initially denied both incidents before acknowledging them. All Xiaomi IoT devices share the same cloud backend — a vulnerability in camera infrastructure directly implies the same risk for air purifier data. The pattern of deny-then-acknowledge undermines trust in Xiaomi's privacy commitments.