10 provisions flagged: 5 high severity, 4 medium severity, 1 low severity
Summary

This is Strava's 2026 privacy policy, which explains how the fitness tracking app collects and uses your GPS routes, workout data, heart rate, and other health metrics. The most important thing to know is that Strava uses your precise location and health data, including the routes you run or cycle, to train AI models and to power community features such as the Global Heatmap, which can reveal where you live or exercise. To reduce public exposure of your movement data, review your Strava privacy controls: set activity visibility to "Only Me", disable the Flyby feature, and opt out of the Global Heatmap.

Technical Summary

Strava's 2026 Privacy Policy (effective January 1, 2026) governs the collection, processing, and sharing of personal information across Strava's fitness tracking platform, with Strava acting as data controller (or "business" under applicable law) and citing GDPR, CCPA/CPRA, and a suite of US state privacy statutes as the operative legal frameworks. The policy creates significant obligations for Strava around health and location data handling, including a specific commitment not to sell health data from connected devices or use it for advertising, while simultaneously reserving broad rights to use GPS, location, activity, and biometric-adjacent data for AI/ML model training and community features such as the Global Heatmap. Notably, the policy permits use of personal information, including health and location data, for AI Features and model training, a provision that deviates from more restrictive industry practice and creates elevated risk given the sensitivity of fitness and health data processed at scale. The policy engages GDPR (Arts. 6, 9, 13, 17, 20), CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), the Washington My Health My Data Act, and analogous state statutes including those of Connecticut, Colorado, Virginia, and Texas. Material compliance considerations include the adequacy of consent mechanisms for sensitive health data processed via AI pipelines, the lawfulness of the Global Heatmap's use of individual GPS data, and cross-border data transfer mechanisms for EU/EEA users.

Institutional Analysis

(1) REGULATORY EXPOSURE: This policy directly engages GDPR Arts. 6(1)(a)/(f), 9(2)(a) (special category health data), 13 (transparency), 17 (erasure), and 20 (portability), enforced by EU/EEA supervisory authorities (lead authority likely Irish DPC); CCPA/CPRA Cal. Civ. Code §1798.100, §1798.121 (s…

Evidence Provenance
Captured April 3, 2026 05:43 UTC
Document ID CA-D-000272
Version ID CA-V-000447
Wayback Machine: archived versions available
SHA-256 d878c13ccbc14b8cd328c618b70c036de16978366364c71c57abf5869f2ad625
Status: snapshot stored, text extracted, change verified, cryptographically signed
Change Timeline
Full version history: 25 captures