Ainode Privacy Glossary · Auditor: Tomás Maria Vaz de Noronha
Most wearables collect personal data: heart rate, sleep stages, activity, sometimes voice and location. The moment that data leaves your phone and goes to a server, GDPR Article 44 applies. If the server is in the EU/EEA: fine. If it is in a country covered by an EU adequacy decision (UK, Switzerland, Japan, South Korea, etc.): also fine, with caveats. If it is in a non-adequate country (China, Russia, India, most of Africa and Southeast Asia): Article 44 requires explicit safeguards that 95% of consumer-electronics manufacturers do not implement.
Our 3-pass methodology captures every outbound packet from the wearable + companion app over 72 hours of typical usage. We resolve every destination IP to its hosting country, identify the data classes flowing to each, and flag any transfer of personal data to a non-adequate country without GDPR-required safeguards. See /methodology for the full process.
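The flagging step of that process, as an added illustration (this is not Ainode's own tooling and not the audit code behind /methodology): each captured flow is reduced to a destination IP and a data class, the IP is resolved to a hosting country, and the flow is scored against the adequacy categories described above. The IP-to-country table, the partial EEA list, the data-class names and the log format are all constructed for the example; a real audit would resolve IPs against a GeoIP/ASN database and classify data from the decoded payloads.

```python
"""Score captured outbound flows against GDPR Article 44 adequacy categories (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed, partial list of EU/EEA country codes for the example.
EEA = {"DE", "FR", "IE", "NL", "SE", "NO", "IS", "LI"}
# Countries the page names as holding an EU adequacy decision: UK, Switzerland, Japan, South Korea.
ADEQUATE = {"GB", "CH", "JP", "KR"}
# Data classes treated as personal data here (the categories the page lists).
PERSONAL_CLASSES = {"heart_rate", "sleep", "activity", "voice", "location", "image"}

# Constructed stand-in for an IP-to-hosting-country lookup (documentation ranges, not real hosts).
IP_COUNTRY: Dict[str, str] = {
    "203.0.113.10": "DE",
    "198.51.100.7": "GB",
    "192.0.2.44": "CN",
    "192.0.2.45": "IN",
}


@dataclass
class Flow:
    dst_ip: str
    data_class: str


@dataclass
class Finding:
    dst_ip: str
    country: str
    data_class: str
    verdict: str  # ok | adequate_with_caveats | transfer_with_safeguards | fail_art44 | non_personal | needs_resolution


def parse_flow_log(lines: Iterable[str]) -> List[Flow]:
    """Parse constructed '<epoch> <dst_ip> <data_class>' summary lines; '#' starts a comment."""
    flows: List[Flow] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, dst_ip, data_class = line.split()
        flows.append(Flow(dst_ip, data_class))
    return flows


def assess(flow: Flow, safeguards_disclosed: Dict[str, bool],
           ip_country: Dict[str, str] = IP_COUNTRY) -> Finding:
    """Apply the Article 44 decision: EEA ok, adequacy decision ok with caveats,
    non-adequate country needs disclosed safeguards (SCCs / Art. 49 derogation) or it fails."""
    country = ip_country.get(flow.dst_ip)
    if country is None:
        # Unresolved destination: cannot score it, surface it for manual resolution.
        return Finding(flow.dst_ip, "??", flow.data_class, "needs_resolution")
    if flow.data_class not in PERSONAL_CLASSES:
        return Finding(flow.dst_ip, country, flow.data_class, "non_personal")
    if country in EEA:
        verdict = "ok"
    elif country in ADEQUATE:
        verdict = "adequate_with_caveats"
    elif safeguards_disclosed.get(country, False):
        verdict = "transfer_with_safeguards"
    else:
        verdict = "fail_art44"
    return Finding(flow.dst_ip, country, flow.data_class, verdict)


def audit(lines: Iterable[str], safeguards_disclosed: Dict[str, bool]) -> List[Finding]:
    """Score every flow in a capture summary; safeguards_disclosed maps country code -> vendor disclosed SCCs/derogation."""
    return [assess(flow, safeguards_disclosed) for flow in parse_flow_log(lines)]


def failing_countries(findings: List[Finding]) -> List[str]:
    """Distinct destination countries that receive personal data without safeguards."""
    return sorted({f.country for f in findings if f.verdict == "fail_art44"})


# Constructed capture summary: one line per observed flow.
SAMPLE_LOG = """
# <epoch> <dst_ip> <data_class>
1700000000 203.0.113.10 heart_rate
1700000005 198.51.100.7 sleep
1700000010 192.0.2.44 voice
1700000012 192.0.2.45 telemetry_crash
1700000020 192.0.2.99 location
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {}):
        print(f"{finding.dst_ip:15} {finding.country:3} {finding.data_class:16} {finding.verdict}")
    print("Article 44 failures:", failing_countries(audit(SAMPLE_LOG, {})))
```

Run as a script it prints one verdict per flow; the voice flow to the constructed CN host is the only `fail_art44`, the crash-telemetry flow to IN is not scored because the class is not personal data, and the unresolved destination is reported rather than silently passed. Passing `{"CN": True}` as the disclosed-safeguards map turns the CN verdict into `transfer_with_safeguards`, which is the only route by which a non-adequate destination stops being a failure.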
Across the 8 wearables we have audited so far, 4 fail GDPR Article 44: Aurafit Titan smartwatch (voice → China), Nexa 2 smartwatch (voice → China), AI Glasses 8MP (location → China), AI Glasses 1200W (voice/image → China). Each rejection is documented with PCAP evidence at /reviews.
For wearables sold in the EU, look for: (1) data residency disclosure showing EU/EEA servers, (2) a published independent forensic audit (not just a privacy policy), (3) explicit Article 49 derogations or SCCs disclosed to the buyer if data leaves the EU. If a vendor cannot show all three, the device is at material risk of being non-compliant under Article 44.