Blog
Privacy Engineering
DeepSeek App: A Closer Look at Its Privacy Posture

DeepSeek App: A Closer Look at Its Privacy Posture

January 29, 2025
5
 mins read
Vaibhav Portrait
Vaibhav Antil
CEO & Co-Founder

On January 10, 2025, a Chinese developer launched DeepSeek, an AI app quickly gaining popularity. In just a few days, it dethroned ChatGPT on the Google Play Store and Apple’s App Store, becoming the top AI app on the platform.

However, alongside its rise, privacy experts have flagged some serious concerns. They’re worried about how much data DeepSeek gathers and whether it shares that data with servers in China. Beyond these privacy issues, there are questions about how the app handles alignment and censorship.

This post is the first of a two-part series. In this post, we will dig into DeepSeek’s Android app privacy posture. In part two, we will compare it with three other well-known AI apps: ChatGPT, Claude, and Perplexity. We’ll use Privado’s Mobile App Scanning product to analyze each app (APK or xAPK) to determine which SDKs they use, which permissions they require, and where user data actually goes during normal app usage.

Our main goal is to look beyond the privacy policy and discover what’s happening under the hood. From experience, we know that privacy policies can be worded too generally, covering almost anything that might happen in the future, or too narrowly, omitting actual data sharing that occurs. To avoid any guesswork, we rely on real-world evidence rather than policy statements alone.

How We Rate a Mobile App’s Privacy Posture

We’ll measure each app’s privacy posture based on the following criteria:

  1. Permissions
    Which permissions does the app request (e.g., location, microphone, camera), and what does that let the app do?
  2. SDKs
    Which third-party software kits (e.g., analytics or advertising SDKs) are built into the app, and what data do they typically collect?
  3. Data Collected
    What actual user or device data is the app sending—whether it’s personal info, usage patterns, or location data?
  4. Third Parties
    Which other entities (e.g., ad networks, analytics providers) receive user data, as seen in the app’s network traffic?
  5. Cross-Border Flows
    Does the app send data to countries outside the user’s home region? (This matters for compliance and regulatory concerns.)
  6. Privacy Policy Disclosure Mismatch
    Does the privacy policy match what we observe in real life? Are there any gaps or surprises between the policy and actual data practices?

DeepSeek App

DeepSeek’s privacy policy is broadly written and covers all possible data collection, including sensitive data types like keystrokes. In reality, we found that DeepSeek actually collects less data than is declared in their privacy policy; however, there are clear data flows to China. 

The app asks for eight permissions, including a sensitive permission for Camera. It collects data like unique IDs (iid, aid), device details (model, OS), location (time zone), language, and user inputs like prompts or chat history. This data is shared with big players like Google (US) and ByteDance (China). The app also uses SDKs from Google, Tencent, and ByteDance for authentication, analytics, and marketing purposes

Permissions

  • Total permissions: 8
  • Sensitive permissions: 1
Data Types Permissions Sensitive Permissions Description
Photos and Videos android.permission.CAMERA android.permission.CAMERA Allows the app to capture photos or videos using the device’s camera.
Device or Other IDs com.asus.msa.SupplementaryDID.ACCESS (None) Potentially grants access to unique device identifiers on certain ASUS devices.
App Info & Performance android.permission.FOREGROUND_SERVICE, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.INTERNET, com.android.vending.CHECK_LICENSE, com.deepseek.chat.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION (None) These permissions allow the app to run tasks in the foreground, check or use network connections, and verify licenses. While they do not directly collect personal data, they can facilitate background processes and data transfers.

SDKs

DeepSeek app embeds SDKs from Google, Tencent, Bytedance and transfers data to third parties based out of China.

SDK Third Party Location Purpose Description (Lawyer-Friendly)
com.deepseek.chat.wxapi.WXEntryActivity WeChat (Tencent) China Authentication Integrates WeChat social login. Not available while testing from the USA.
com.google.android.gms.common.api.GoogleApiActivity Google United States Developer/Framework Part of Google Play Services. Supports various Google APIs for app functionality and updates.
com.google.android.gms.auth.api.signin.internal.SignInHubActivity Google United States Authentication Google Play Services SDK for user sign-in.
com.google.android.gms.auth.api.signin.RevocationBoundService Google United States Authentication Manages revocation of user sign-in tokens. Involves account data processed through Google servers.
com.bytedance.applog.migrate.MigrateDetectorActivity Volcengine (ByteDance) China Marketing / Growth / Analytics Bytedance AppLog SDK, which can collect user engagement or behavioral data.
com.bytedance.apm6.traffic.TrafficTransportService Volcengine (ByteDance) China Unknown / Possibly Analytics Unknown
com.bytedance.applog.collector.Collector Volcengine (ByteDance) China Marketing / Growth / Analytics Collects usage and performance data. May be used for user segmentation, marketing optimization, or analytics.
com.bytedance.frameworks.core.apm.contentprovider.MonitorContentProvider Volcengine (ByteDance) China Unknown / Possibly Monitoring Unknown
com.google.android.play.core.common.PlayCoreDialogWrapperActivity Google United States Developer/Framework Google Play Core Library. Typically handles in-app updates and user prompts. Minimal direct user data collection.

Data Collected

Deep Seek collects unique identifiers, device identifiers, device details(model name, OS), user input - prompts, text, audio, image data which is transferred to China both internally and to third parties. 

Data Type Variables/Values Shared with
Unique Identifiers Iid, aid, x-rangers-id, chat_session_id volces.com (China, Bytedance), deepseek.com (China), googleapis.com (US), fengkongcloud.com (China)
Device Information User-Agent, Device Model, OS, Android Version volces.com (China, Bytedance), deepseek.com (China), googleapis.com (US), fengkongcloud.com (China), gvt2.com (US)
Location - State America/Los_Angeles googleapis.com (US)
Language en-us deepseek.com (China), googleapis.com (US)
User Input - prompt, text, audio, file upload, image prompt, file-id, chat-session-id deepseek.com (China)

Third Parties

DeepSeek integrates with 4 third parties including volces.com(Volcengine by Bytedance) and fengkongcloud.com(by ishumei.com) where data is shared to China.

Third Party Location Data Type Shared
volces.com - Volcengine by Bytedance China Unique Identifiers (Device ID), Device Information
gvt2.com US Device Information
googleapis.com US Unique Identifiers, Device Information, Language, Location - State
fengkongcloud.com China Unique Identifiers, Device Information

In the network traffic analysis of the DeepSeek app, you can see some profiling related to calls:

  1. https://chat.deepseek.com/api/v0/ip_to_country_code - Possible Coarse Location detection
  2. https://apmplus.volces.com/monitor/collect/c/cloudcontrol/get?sdk_version=400&update_version_code=38&uid={redacted}&device_id={redacted}&os=Android&os_api=35&version_code=38&channel=release_envOnline&device_platform=android&aid={redacted} - Telemetry
  3. https://fp-it.fengkongcloud.com/deviceprofile/v4 - Device profiling
Possible Coarse Location detection
Telemetry data including device ids
Device Profile API

Privacy Policy Disclosure Mismatch

Category Evidence Found Privacy Policy Disclosure Observation
Unique Identifiers unique_identifier, aid, device_id, chat_session_id Disclosed broadly under "Automatically Collected Information" as unique device identifiers, user IDs, and related data. Aligned: The policy broadly covers unique identifiers.
Device Information device_info (e.g., model, OS version) Disclosed broadly under "Technical Information" as device model, operating system, and related technical details. Aligned: Policy covers device information comprehensively, matching our tests.
Network Data IP address, request headers (e.g., Content-Type, Authorization, User-Agent), and API calls. Disclosed broadly under "Technical Information". Aligned.
Keystroke Data Not Found in Evidence Disclosed under "Technical Information" as keystroke patterns or rhythms. Overdisclosed: Keystroke data was not observed in our tests but is included in the privacy policy, making it broader than the actual data collected.
Location Data Approximate location (e.g., America/Los_Angeles) Disclosed broadly under "Technical Information" and "Permissions" as general location and system language. Aligned: General location data is covered, but the policy is broader, suggesting more granular location data could be collected (e.g., GPS or geolocation).
User Input Chat prompts, uploaded files, chat history Disclosed under "User Input" as content provided by users, including text, files, and history. Aligned: Policy matches evidence provided.
Error and Debug Data Debugging details such as status_code (429) and server_ip (192.178.130.102). Disclosed broadly under "Service-Related Data" as diagnostic and performance information, including crash reports. Partially Aligned: Policy broadly covers debugging information, but specific data like status_code and server_ip are not explicitly mentioned.
Application Metadata sdk_version, os_api, channel, version_code Disclosed under "Technical Information" as app and device metadata. Aligned: Policy matches evidence provided.
Payment Data Not Found in Evidence Disclosed under "Payment Information" as order and transaction history for paid services. Not tested.
Advertising Data Not Found in Evidence Disclosed under "Advertising and Analytics Partners" as advertising identifiers, hashed email addresses, and cookies. Overdisclosed: Advertising data is disclosed but not present in our tests.

The main privacy concerns with DeepSeek are data flows to China - both to their own servers and third-party SDKs integrated into the application. At this point, the privacy policy is broadly written, and the concerns around keystrokes were not found in our tests. Having said that, as more features are added, there is a possibility that excessive data collection can happen in the future.

Methodology

Privado's Mobile App Scanning product simulates a user’s journey on the app from multiple locations. To test DeepSeek, all tests were conducted from California, and the latest app on Playstore as of Jan 27, 2025, was installed on the phone. The analysis was done purely for research purposes to uncover privacy practices of DeepSeek app.

Industry insights you won’t delete. Delivered to your inbox.

Thank you for subscribing, we have sent a confirmation email to your inbox.
Oops! Something went wrong while submitting the form.
Vaibhav Antil
Vaibhav Antil
CEO & Co-Founder
IN THIS ARTICLE
Text Link
January 29, 2025
5
 mins read

Get regular updates from Privado.ai

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Version 2 -->