Social Engineering Penetration Testing Vulnerability Management Offensive Security Insider Threat

Internal Analysis: Even Realities G2 Smart Glasses Security & Privacy Investigation

Suzu Labs Intelligence March 09, 2026 9 min read

    Executive Summary

    Even Realities markets its G2 smart glasses as the privacy-conscious alternative to Meta Ray-Bans. The core pitch: no camera, no speakers, no visual surveillance. Tech media has accepted this framing without examination. The actual corporate and data architecture tells a different story.

    Even Realities is a Chinese-owned company headquartered in Shenzhen, funded entirely by Chinese venture capital, operating through a German shell entity for GDPR purposes. The glasses carry four always-available microphones that capture conversations for real-time AI analysis, translation, and transcription. Audio recordings and voiceprints are sent to unnamed third-party providers. The parent company and its affiliates can access user data under the privacy policy's own terms, and the parent is subject to China's National Intelligence Law.

    The company also has corporate credentials circulating on the dark web with plaintext passwords, including an employee using "extremely weak password" across their Zendesk admin portal and Shopify account.

    1. Corporate Structure

    The Entity Map

    Entity | Location | Role
    Shenzhen Yiwen Technology Co., Ltd. (深圳逸文科技有限公司) | Nanshan District, Shenzhen, China | Parent company. ~70 employees. 41 patents. HK/Macau/Taiwan-invested LLC.
    Even Realities GmbH | Friedrichstraße 79, Berlin, Germany | Named as GDPR data controller. Import/export, AI software, wearable R&D.
    Wenzhou Yiwen Technology Co., Ltd. | Wenzhou, China | 100% subsidiary of Shenzhen parent.

    Investors (All Chinese)

    • Beyond Capital (China)

    • China Growth Capital

    • CDH Investments

    • Monolith Management

    • Dinghui Investment

    • Qingshan Capital

    The Structure

    The privacy policy names Even Realities GmbH (Berlin) as the data controller for EEA and US users. Servers are stated to be in the Netherlands. But the actual parent company is Shenzhen Yiwen Technology, a Chinese entity subject to Chinese law. The German entity exists to provide a GDPR-compliant front for a Chinese operation.

    This is the same corporate architecture pattern used by TikTok (ByteDance), where a Western-facing subsidiary handles regulatory compliance while the Chinese parent retains control of the technology, data access rights, and business operations.

    2. Data Collection (What the Glasses Actually Capture)

    Audio & Biometric Data

    • 4 microphones available for Conversate, translation, Even AI, and QuickList

    • Audio recordings captured during all voice-activated features

    • Voiceprints captured and transmitted to third parties

    • Head posture data collected via IMU sensors

    Device Fingerprinting (Extensive)

    The privacy policy discloses collection of:

    • IMEI, IDFA, Android ID, MAC address, OAID, Advertising ID, Serial Number, IMSI, UAID, ICCID, IDFV, BSSID, SSID

    • Complete installed app list

    • Device manufacturer, model, platform, brand

    • Operating system name and version

    • IP address, Wi-Fi information, base station information, operator information

    Permissions Requested

    • Local network access

    • Push notifications

    • Location information

    • Bluetooth

    • Calendar events

    • Clipboard contents

    • Installed application lists

    • Background services

    The "Conversate" Feature

    This is the core concern. Conversate is an always-listening contextual AI that:

    • Follows what is being said in real time

    • Provides "proactive" suggestions without being asked

    • Analyzes dialogue continuously

    • Generates bios, answers, terminology explanations, meeting summaries, and transcripts

    The product page describes it as working "without asking or anyone noticing." This means the microphones are capturing and processing ambient conversation whenever Conversate is active. Unlike Meta's camera (which requires a tap), this is passive audio surveillance by design.

    3. Data Processing & Third-Party Sharing

    Named Processing

    Data Type | Disclosed Recipient
    All categories | "Cloud storage services provider and our affiliates"
    Location information | "Navigation service provider and Weather service provider"
    Voiceprints and audio recordings | "Real-time translation service provider and iOS ASR voice service provider"
    Other Interaction Information | "AI service provider"

    AI Backend

    • Even LLM: Proprietary model. No disclosure of where it runs or who hosts it.

    • ChatGPT (OpenAI): Confirmed for G1, likely for G2 as well.

    • Perplexity: Confirmed for G1.

    What Is NOT Disclosed

    • The identity of the "Real-time translation service provider"

    • The identity of the "iOS ASR voice service provider"

    • The identity of the "AI service provider"

    • Where Even LLM is hosted

    • Whether any of these providers are Chinese entities

    • Whether audio data is processed through servers in China at any point

    Cross-Border Transfer Provisions

    From the privacy policy (Section 5): "Due to the international nature of our business, your personal data may also be accessed by our affiliates or be transferred to third-party service providers and business partners, in connection with the purposes set out in this Policy."

    "Affiliates" includes Shenzhen Yiwen Technology. This is the backdoor. Even if the servers sit in the Netherlands, the Chinese parent company can access the data under the policy's own terms.

    4. China Intelligence Law Exposure

    Article 7, National Intelligence Law (2017)

    "All organizations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work, and guard the secrecy of any national intelligence work they are aware of."

    Article 14

    National intelligence work agencies "may require relevant organs, organizations and citizens to provide necessary support, assistance and cooperation."

    Application to Even Realities

    Shenzhen Yiwen Technology is a Chinese organization. Under Article 7, it is legally required to cooperate with Chinese intelligence work. The privacy policy grants affiliates access to user data. The combination means:

    1. Chinese intelligence agencies can compel Shenzhen Yiwen Technology to cooperate

    2. Shenzhen Yiwen Technology has legitimate access to user data through the affiliate access provisions

    3. The data includes audio recordings, voiceprints, location, installed apps, and device fingerprints

    4. Even if the German entity controls the servers, the parent company's access rights are codified in the privacy policy itself

    This is not a hypothetical risk. It is the legal architecture as documented in Even Realities' own privacy policy and Chinese law.

    5. Dark Web Intelligence (BitSight CTI)

    Credential Exposure

    12 credential entries found for evenrealities.com across dark web sources.

    Compromised Employees:

    Employee | Password | Hash Type | Services Compromised
    ***********@evenrealities.com | ************* | PLAIN | Zendesk admin, Zendesk support, Shopify
    ************@evenrealities.com | ************ | PLAIN | freesitemapgenerator.com

    Sources (6+ breach databases):

    • Fehu_30M_ULP.txt (Telegram, March 2025)

    • @Xavion_Log [DumpULP] (Telegram, December 2025)

    • 700GB ULP (DarkForums, August 2025)

    • @alltxtlogs (Telegram, August 2025)

    • @Alternative_Cloud Private (Telegram, April 2025)

    First detection: January 2025

    Still circulating: January 2026

    Assessment

    An employee using "e***********" as a plaintext password for the company's Zendesk customer support portal and Shopify e-commerce account demonstrates basic credential hygiene failures. The same password has been circulating across dark web forums and Telegram channels for over a year without being rotated. This is the company asking users to trust them with voiceprints and conversation recordings.
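Added example (not part of the original report and not Suzu Labs' tooling): one way a defender could triage dump lines for their own domain and flag a password reused across services, as in the Zendesk and Shopify case above. The "URL:login:password" line layout, the corp.example domain and every sample line are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in an assumed "URL:login:password" (ULP) layout.
# All domains, accounts and passwords here are made up.
SAMPLE_ULP = """\
https://acme.zendesk.example/admin:alice@corp.example:Summer2024
https://shop.example/login:alice@corp.example:Summer2024
https://tools.example:8443/signin:bob@corp.example:x9!Lq:72p
https://forum.example/login:carol@other.example:hunter2
not a credential line
"""

def parse_ulp(line):
    """Split one ULP line into (host, login, password); None if malformed."""
    scheme, sep, rest = line.strip().partition("://")
    if not sep:
        return None
    parts = rest.split(":")
    # URLs may carry a port and passwords may contain ':', so anchor on the
    # first field after the URL that looks like an e-mail login.
    for i in range(1, len(parts) - 1):
        if "@" in parts[i]:
            host = urlsplit(scheme + "://" + ":".join(parts[:i])).hostname
            return host, parts[i].lower(), ":".join(parts[i + 1:])
    return None

def triage(text, domain):
    """Per exposed login at `domain`: affected hosts and cross-host reuse."""
    seen = defaultdict(lambda: defaultdict(set))  # login -> fingerprint -> hosts
    for line in text.splitlines():
        rec = parse_ulp(line)
        if rec is None or not rec[1].endswith("@" + domain):
            continue
        host, login, password = rec
        # The fingerprint is used only for in-memory grouping; neither it nor
        # the password is written to the report.
        fp = hashlib.sha256(password.encode()).hexdigest()
        seen[login][fp].add(host)
    report = {}
    for login, by_fp in seen.items():
        hosts = sorted(set().union(*by_fp.values()))
        reused = sorted(sorted(h) for h in by_fp.values() if len(h) > 1)
        report[login] = {"hosts": hosts, "reused_across": reused}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_ULP, "corp.example"))
```

Every login in the report needs a password rotation and session revocation on each listed host; a non-empty reused_across entry means one leaked password opens several services at once.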

    6. Comparison: Even G2 vs. Meta Ray-Ban

    Factor | Meta Ray-Ban | Even G2
    Camera | Yes (Tap to activate) | No
    Microphones | Yes | Yes (4 microphones)
    Always-listening AI | No (Requires "Hey Meta") | Yes (Conversate is proactive/passive)
    Data Annotation | Sama (Kenya, named) | Unnamed providers
    Parent Company | Meta Platforms (US, public) | Shenzhen Yiwen Technology (China, private)
    Investors | Public Shareholders | Chinese VC (All Chinese)
    Data Servers | US | Netherlands (claimed)
    Affiliate data access | US Subsidiaries | Chinese parent (intelligence law applies)
    Credential Leaks | Sama 100+ entries | Even Realities: 12 entries
    Privacy Policy URL | Active | 404 on evenrealities.com/privacy-policy
    Regulatory Scrutiny | ICO investigation active | None
    Media Scrutiny | Significant (Swedish investigation) | None (praised as "privacy-first")

    The Trade-Off

    Even Realities removed the camera. This genuinely protects bystanders from visual surveillance. That is a real improvement over Meta Ray-Bans.

    But they replaced visual surveillance with audio surveillance through a Chinese-owned company. The Conversate feature is more invasive than Meta's camera in one critical way: it operates passively. Meta's camera requires a deliberate tap. Conversate listens to your conversations without prompting and generates real-time analysis.

    The question "are these safer?" depends on safer for whom:

    • For bystanders? Yes. No camera means no visual recording of people nearby.

    • For the wearer's conversation privacy? No. Always-listening AI through a Chinese-owned entity with unnamed data processors is a worse architecture than Meta's tap-to-record through a US company with a named (if problematic) contractor.

    • For national security? Significantly worse. Audio recordings, voiceprints, location, device fingerprints, and installed app lists flowing through a company subject to China's intelligence law is a categorically different risk than Meta sending video to a contractor in Kenya.

    7. The Media Blind Spot

    Every review found (TWICE, PCMag, 513.toys, South China Morning Post, Pandaily) frames Even Realities as "privacy-first" based entirely on the absence of a camera. Not one has examined:

    • The Chinese parent company and its legal obligations under intelligence law

    • The unnamed AI, translation, and ASR providers receiving voiceprints and audio

    • The affiliate access provisions that give the Shenzhen parent data access rights

    • The credential exposure on the dark web

    • The 404 privacy policy on the main website URL

    • The extensive device fingerprinting (installed app list, clipboard, calendar)

    CEO Will Wang has been quoted saying "cameras significantly infringe on user privacy." The media accepted this and stopped asking questions. Nobody asked where the audio goes.

    8. Missing Information (Outstanding Questions)

    1. Who is the "Real-time translation service provider"? Is it a Chinese company?

    2. Who is the "iOS ASR voice service provider"?

    3. Who is the "AI service provider" receiving "Other Interaction Information"?

    4. Where is "Even LLM" hosted? By whom?

    5. Does any audio data transit through Chinese servers at any point?

    6. Has the Shenzhen parent company received any requests under China's National Intelligence Law?

    7. What is the actual data flow architecture between the German entity and the Chinese parent?

    8. Why does the main website privacy policy URL return 404?

    9. Recommendations

    For Commentary/Blog Post

    This investigation supports a strong follow-up to the Meta Ray-Ban piece. The angle: "No camera doesn't mean no surveillance." The media has created a false equivalence where camera = privacy risk and no camera = privacy safe. The reality is more nuanced.

    For Client Advisory

    Any organization that restricts Meta Ray-Bans should apply the same policy to Even Realities glasses. The audio capture capability creates comparable (and in some ways greater) data exfiltration risk, particularly given the Chinese ownership structure.

    For Policy Discussion

    This case illustrates why "made in China" device security reviews should examine the full data architecture, not just the most visible hardware feature. The absence of a camera is a design choice, not a security guarantee.
