Phase 1 (B500 + Tuya SDK) validates the product concept. Phase 2 proves the cloud-free path is viable — a custom BLE device triggering an SOS event in the phone app without routing through Tuya Cloud. This removes the PRC jurisdiction, account termination risk, and GDPR Chinese data routing issues identified in the legal review.
Two workstreams run in parallel so neither waits on the other. Both feed the same decision at the end: which hardware path goes to launch.
Hardware: KKM B500 (sent by Aaron)
Stack: Tuya IoT App SDK — Development Edition, registered May 2026
Proves: Full Tuya flow — BLE → Tuya Cloud → app → SOS action. Does the SDK integration work? Is latency acceptable?
Hardware: Seeed Studio XIAO ESP32S3 Sense (~£11)
Stack: Espressif ESP-IDF + phone BLE library. No Tuya SDK. No cloud.
Proves: Direct BLE → phone → SOS without any cloud in the middle. Aaron owns the full stack. Removes every legal flag from the Tuya compliance review.
Amazon UK → · Seeed Studio direct (Germany warehouse)
| Dimensions | 21 × 17.8mm — postage stamp footprint |
| Chip | ESP32-S3 dual-core Xtensa LX7 at 240MHz |
| BLE | Bluetooth 5.0 / Bluetooth Mesh |
| Deep sleep | 14–34 μA — months on a coin cell in sleep |
| Battery | Built-in LiPo charge management (3.7V) |
| Microphone | Built-in digital mic — no external hardware needed for voiceprint |
| AI / NN | Hardware neural network acceleration — runs ESP-Skainet keyword spotting on-device |
| Price | $13.90 / ~£11 · 10+ units: $12.70 each |
| TuyaOpen | Supported (ESP32-S3 board definition in repo) — can run either TuyaOpen or native ESP-IDF |
| Full BOM | + 500mAh LiPo (~£4) + tactile button (~£1) + LED = ~£16 total prototype cost |
The device is a BLE Peripheral — normally in deep sleep, wakes on button interrupt, broadcasts a custom advertisement packet (device ID + event type), then sleeps again. No Wi-Fi, no cloud, no Tuya SDK on the device. The phone is the internet gateway. BLE libraries are mature on both Flutter (flutter_blue_plus) and React Native (react-native-ble-plx).
The XIAO ESP32S3 Sense has a built-in microphone and hardware neural network acceleration. This directly supports the silent keyword trigger Aaron described — and does it in a way that eliminates the Tuya biometric consent requirements entirely.
Why it's cleaner than Tuya's voiceprint: ESP-Skainet runs the keyword detection model on the device itself. The voiceprint never leaves the hardware — no upload to any cloud, no biometric data in transit, no consent flow complexity. GDPR position is simple: the data never exists as a record anywhere.
What to test in Phase 2:
Won't be production-ready in Phase 2, but will confirm whether the feature is viable at this hardware cost point before committing to custom PCB design.
| Test | Pass condition |
|---|---|
| BLE trigger → phone | SOS event received within 3 seconds of button hold completing |
| Battery life | Device runs >30 days on 500mAh LiPo in normal sleep/wake pattern |
| Accidental trigger rejection | Single press (<2s) does not trigger SOS — meets Tuya Compliance §I.4 standard |
| Range | BLE maintained at 10m through one internal wall |
| Keyword detection (stretch) | >85% detection rate in quiet room, <5% false positive rate |
| Track A comparison | Both flows documented — latency, reliability, UX differences noted |
| Item | Source | Price | Delivery |
|---|---|---|---|
| XIAO ESP32S3 Sense | Amazon UK · Seeed Studio (Germany warehouse) | ~£11–14 | 1–5 days |
| 500mAh LiPo battery | Pimoroni / Amazon UK | ~£4 | 1–2 days |
| Tactile button assortment | Amazon UK | ~£3 | 1–2 days |
| Breadboard + jumper wires | Amazon UK / already have | ~£3 | 1–2 days |
| Total | ~£21 |
Also: chase Aaron on B500 dispatch for Track A. Both likely arrive on similar timelines — run in parallel rather than sequentially.
The legal review identified Chinese data routing as the core GDPR risk on the Tuya path — location data, emergency contacts, and SOS events all flowing through Tuya's Chinese cloud infrastructure, with Tuya explicitly disclaiming all liability and PRC law governing any dispute.
The ESP32 native route removes this entirely. The data flow becomes:
[Device] → BLE → [Phone] → [Your backend, hosted in UK/EU] → [Emergency contact]
No Chinese infrastructure touches the data at any point. You choose where the backend lives, you control the data, you write the privacy policy. GDPR compliance becomes a standard exercise — lawful basis for processing location data, a proper privacy policy, UK ICO registration when you cross the threshold. Complex, but manageable. Not the same as trying to justify routing UK users' emergency contact data through servers in China under PRC law.
What disappears from the legal risk register if Track B works:
What remains: standard UK GDPR compliance (lawful basis, privacy policy, ICO notification at commercial scale). This is normal software product compliance, not the exotic Chinese-cloud problem.
⚠ These figures are indicative estimates based on current Chinese manufacturing rates for similar IoT devices. Actual quotes will vary depending on final PCB complexity, component choices, and enclosure spec. Treat as ballpark for planning — not production quotes.
The route: design a PCB → assemble at JLC PCB in China (no minimum order, components sourced from their LCSC warehouse) → off-the-shelf ABS enclosure → battery + ring-pull hardware. No ODM relationship needed at small quantities.
| PCB design (freelancer, Fiverr/Upwork) | £200–400 |
| Custom injection mould (not needed until 500+ units) | ~£2,000 |
| ESP32-C3 module | ~£1.20 |
| Other components + PCB + assembly | ~£1.00 |
| 500mAh LiPo battery | ~£1.30 |
| Enclosure (stock ABS) | ~£0.80 |
| Ring-pull lanyard + jack | ~£0.50 |
| Logo (pad print or vinyl) | ~£0.15 |
| Quantity | Est. run cost | Est. per unit | Notes |
|---|---|---|---|
| 10 units | ~£160 | ~£16 | Setup costs dominate — useful for pre-production testing only |
| 50 units | ~£280 | ~£5.60 | Sweet spot for MVP / investor demo run. Stock enclosure + vinyl logo. |
| 100 units | ~£440 | ~£4.40 | Pad-printed logo viable. Early customer pilots. |
| 500 units | ~£1,400 | ~£2.80 | Custom injection mould now worth it (~£2k tooling, one-time) |
| 1,000 units | ~£2,400 | ~£2.40 | Mould amortised, full custom branding |
| Tuya commercial SDK licence | ~£4,000 | Cloud access only. No hardware. Chinese data routing. Ongoing dependency. |
| 50-unit ESP32 first run (incl. PCB design) | ~£480–680 | 50 physical branded devices. Own the stack. No ongoing fees. Clean GDPR position. |
| 100-unit ESP32 run (PCB design already done) | ~£440 | £4.40/unit. Investor demo quality. Ready for early user testing. |
ESP32-S3 (with mic) or ESP32-C3 (cheaper, no mic) PCB design. Espressif-ecosystem ODM factories — well-trodden path. Target unit cost £3–6 at 1,000+ units. No Tuya dependency. No GDPR exposure from hardware layer.
Fall back to Track A (Tuya SDK) for commercial launch with documented migration plan. Phase 1 legal mitigations still apply — GDPR opinion, account termination contingency, voiceprint consent flow.