Dear Aqara Privacy Team,
I have read your Privacy Policy, including the part that states that you may disclose personal data to authorities. For reference, this is the wording I found on your website:
“We may process your personal information to comply with our legal obligation in certain circumstances including but not limited to:
To law enforcement authorities, government or public agencies or officials, regulators, and/or any other person or entity with appropriate legal authority or justification for receipt of such information, if required or permitted to do so by law or legal process;
…
Disclosures to Protect Us or Others: We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal processes, such as a court order or subpoena; protect your, our, or other individuals rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.” [web:1][web:5]
I would like to clearly understand what this means in practice, and I kindly ask you to answer the following questions as precisely as possible:
-
Under what exact circumstances do you disclose user data to external parties (law‑enforcement, intelligence agencies, other state authorities, or international organizations)? Please describe the typical legal basis (for example: court order, subpoena, mutual legal assistance request, national‑security law, etc.). [web:1][web:5]
-
What categories of data can be disclosed in such cases?
- Account‑level data (name, email, phone number, address, IP logs, device identifiers, etc.)
- Device and sensor data (event history, automation rules, scenes, video/audio streams, etc.)
- Any encryption keys or technical means that would allow third parties to take control of or disable devices remotely.
Please specify clearly which of these categories you may provide and which you never provide. [web:1][web:5]
-
Is it technically or legally possible for a government or intelligence agency, with your cooperation, to:
- Disable or “neutralize” Aqara devices remotely without leaving traces for the user?
- Remotely control or manipulate Aqara devices (for example, cameras, locks, sensors, switches)?
If yes, please explain under what conditions this is allowed and how you log and audit such actions. If no, please explain what technical or legal safeguards prevent this. [web:7]
-
Does the behavior of your data‑disclosure policy depend on which region I select in the Aqara Home app (for example: EU, US, Other, China Mainland)? In particular:
- Which legal entity and which jurisdiction apply to my data for each region setting?
- Does choosing “China Mainland” mean my data is subject to Chinese laws such as the Personal Information Protection Law (PIPL) and relevant national‑security or intelligence laws? [web:7][web:11]
- When I choose EU or EEA as the region, is all my personal data processed exclusively under GDPR, and stored only on EU‑based servers? [web:3][web:4][web:5]
-
Is there any region option in the Aqara app under which you will not disclose any user data to authorities at all, under any circumstances? If not, please confirm clearly that in every region you may disclose user data if required or permitted by applicable law. [web:1][web:3][web:5]
-
Could you provide a detailed overview (or a link to public documentation) of:
- Your data‑storage locations and main server regions,
- How region settings in the app map to those server locations,
- How cross‑border data transfers are handled (for example, from the EU to other countries), and how this affects which authorities can request access to user data. [web:3][web:5][web:6]
Please answer these questions in detail, in writing, and indicate which specific privacy policy (URL and version/date) your answers refer to.