What a Robot Vacuum Buyout Really Does to Your Privacy

Robot Vacuum Home Security RoboVac iRobot Troubleshooting

Amazon walked away from the iRobot deal on 29 January 2024. The price had already slid from $1.7 billion to $1.4 billion, and the European Commission was about to block it. Owners breathed easier. They shouldn't have stopped reading there. Robot vacuums collect more data than almost any other home device, and the next acquisition (Roborock, Ecovacs, Dreame, take your pick) will eventually go through. The question is whether you'll be ready when the Terms of Service email lands at 3 PM on a Tuesday with a 14-day opt-out window.

Bottom line: A robot vacuum buyout can move your floor maps, camera frames, and run logs to a new controller. Audit the ToS before the deal closes, send a GDPR Article 17 or CCPA deletion request if you want out, and consider moving the device to a local Home Assistant integration so the cloud never has full custody again.

I've run a Roborock S7 and an iRobot j7 in parallel for the last three years. The Roborock map is more detailed (LiDAR plus VSLAM). The j7 map is friendlier in the app. Both store the layout of my flat on a server I do not control. That's the bit that matters when ownership changes, and it's the bit that gets ignored in every "robot vacuum acquisitions are coming" headline.

Why Did the Amazon-iRobot Deal Collapse?

The 2024 collapse mattered for a reason most coverage missed. Amazon already owns Ring (doorbells), Echo (audio), Astro (a home robot), and Alexa skills tied to thousands of devices. Adding iRobot's floor maps would have given one company unmatched indoor data. The FTC statement on the abandoned acquisition called this out: vertical integration concerns plus the obvious data-aggregation risk. The European Commission was further along, with formal objections issued in November 2023.

iRobot survived but bruised. Same-day layoffs hit 31% of staff. The CEO stepped down. For owners, nothing changed in the app, no migration, no new privacy policy. The lesson isn't that data sharing got blocked. It's that the entire process was decided in regulatory rooms, not by users. You're a passenger when this happens.

So what about the next deal? Roborock is publicly listed in Shanghai (688169.SH). Ecovacs trades on Shenzhen. iRobot's market cap is small enough that a US private equity buyer could move in next year. Dreame is privately held and growing fast. Any of these could be acquired in the next 18 months and you'd get a Terms Update email with a polite headline.

What Data Does a Robot Vacuum Send to the Cloud?

Five categories, in roughly the order they matter for privacy:

  • Floor maps: SVG or vector data of every room, with door positions, virtual walls, and (on premium models) furniture footprints. The Roborock map for my 78-square-metre flat is about 240 KB.
  • Run telemetry: timestamps, area cleaned, suction level, error codes, battery curve. Light data but reveals when you're home.
  • Camera frames: low-resolution stills (Roborock S8 MaxV Ultra, iRobot j9+, Ecovacs X2 Omni) tagged with object detection labels. Some brands keep these for 7 days, others 90.
  • Voice command transcripts: only if you've linked Alexa or Google Assistant, but most owners do.
  • Account metadata: email, phone, home Wi-Fi SSID (yes, really), device serial, and firmware version.

Why does the map matter most? Because it's a high-resolution model of where you live. Burglary risk gets cited a lot. The real risk is more mundane: a floor map shared with an ad partner reveals your home size and likely income band better than your postcode does. I haven't seen evidence that brands sell maps directly today, but the Terms of Service often gives them the right to "share with affiliates for product improvement". That phrase covers a lot.

What Changes When a Cleaning Robot Maker Gets Acquired?

Three things move in a typical acquisition. First, the controller changes (in GDPR terms). The new parent company becomes responsible for your data, even if the brand keeps the old name. Second, data may legally move between jurisdictions, EU data can land on US servers under Standard Contractual Clauses, US data can flow to a Chinese parent under different rules. Third, the data can be combined with other datasets the buyer holds. That's the bit that makes regulators nervous.

A practical example: imagine a logistics company buys a robot vacuum brand. The buyer already holds shipping addresses and order patterns for tens of millions of households. Now it adds floor maps and occupancy schedules. The combined dataset is more valuable than either piece alone. The original Terms of Service did not contemplate this. The notice email will say "no material change", because the buyer's lawyers wrote it.

The EU's data protection board has guidance for this exact case. Per the EDPB Guidelines on M&A and data subject rights, the new controller cannot use the data for purposes you didn't originally consent to. In practice, enforcement is slow. Your fastest lever is a deletion request before the new use kicks in.

How Do I Audit a Robot Vacuum's Terms of Service?

Open the privacy policy in the manufacturer's app. Look for five specific clauses. Most policies are 8 to 15 pages and you can skim the rest.

Five Clauses That Really Matter

  1. Assignment: search for "assign" or "successor". This clause confirms the contract transfers to a buyer. Almost every policy has this, the question is whether it requires notice.
  2. Data sharing: search for "affiliates", "service providers", "third parties". The named categories matter more than the list. "For product improvement" is broad. "For targeted advertising" is narrow but explicit.
  3. Retention: search for "delete" or "retain". The window after account deletion is the real signal. iRobot deletes maps within 30 days. Some brands keep aggregated map data for years.
  4. Opt-outs: search for "opt-out" or "settings". A brand that buries opt-outs three menus deep is telling you something.
  5. Notice period: 30 days is industry standard. Less than 14 days is a warning sign. No notice clause at all means they can change terms whenever.

I'd also screenshot the current policy and save it locally. If you ever need to escalate, having a copy of the terms you accepted is worth more than a court order.

What's the Real GDPR and CCPA Playbook?

Under GDPR Article 17 (right to erasure), any EU resident can require deletion of personal data. For a robot vacuum that includes the account, floor maps, camera frames, and run telemetry. The 30-day response clock starts when the controller receives a valid request. Article 20 (data portability) gives you the right to export your data in machine-readable form before deletion.

CCPA gives California residents similar rights with a 45-day clock. You need to verify your identity (usually by logging in to confirm), but the brand cannot charge a fee. Multiple denied or ignored requests can be reported to the California AG's office. UK residents fall under UK GDPR with the ICO as regulator, the rights are functionally identical.

The mechanics that actually work in practice:

  • Send the request to the privacy email listed in the app's policy footer, not to support. Cc your country's data protection authority for the GDPR cases.
  • Include your account email, device serial, and the date you bought the device. This pre-empts identity verification stalling.
  • Request both deletion AND a copy of what's held. Brands sometimes only delete the user-visible data and keep "anonymised" backups. Asking for an export reveals whether anonymisation is real.
  • Set a calendar reminder for day 31 (GDPR) or day 46 (CCPA). Missed deadlines are the easiest grounds for a regulator complaint.

The frustrating part is that none of this is automated. There is no one-click delete-everything button. I sent a GDPR deletion to a vacuum brand last summer (I won't name them publicly) and got the export on day 28. The export contained 18 months of map history I didn't know was retained.

How Do I Keep a Cleaning Robot Working Without the Cloud?

The strongest option is local control. Three paths, in order of effort:

  • Home Assistant native integration. Roborock and Dreame both expose a documented local API. The ETSI EN 303 645 consumer IoT security baseline lists local control as a recommended practice. Install the integration, point it at the robot's local IP, and you keep maps and scheduling without a cloud round-trip. iRobot has a partial integration that works for start/stop but not for mapping.

  • Network isolation. Move the robot to a guest VLAN, block outbound internet on the firewall, allow only local network communication. The robot loses firmware updates and remote start, you keep zone cleaning from inside the LAN. I run this on the iRobot j7. Pi-hole shows zero blocked queries from it in 90 days.

  • Valetudo firmware replacement. Open-source firmware that replaces the manufacturer's stock image on supported Roborock and Dreame models. No cloud client at all. Setup takes about an hour and voids the warranty. Worth it for hardware you've owned for more than 18 months.

Honestly, the right move depends on how much you value app features. If the manufacturer's app is core to your routine, the network isolation route is the lightest touch. If you've already switched to Home Assistant for other devices, the native integration is barely more work.

What Should You Do This Weekend?

Three small tasks. They take maybe 90 minutes total.

First, open your robot's app and find the privacy policy. Read the five clauses I listed above. If anything is unclear, screenshot it.

Second, check whether the brand offers a data export. iRobot, Roborock, and Ecovacs all do under GDPR/CCPA. Triggering an export now gives you a baseline and tells you exactly what's held. You don't need to delete anything yet. Just see what's there.

Third, move the robot to a guest Wi-Fi network if you haven't already. This isolates it from your other devices and gives you a clean firewall point if you ever want to cut the cloud. The change takes 10 minutes in the app and the only thing that breaks is voice control if you'd configured it on the main network.

The next acquisition is coming. The brand might be one you own, might not. Either way, you'll be glad you spent an hour now rather than scrambling on a 14-day notice period later. Real privacy for cleaning robots is mostly about preparation, not panic. Make the calls now and you keep the floors clean and the floor plan yours.

View full version