AI and Machine Learning Model Training Using Personal Data

What it is

Strava uses your personal information including health data and GPS location to train its AI and machine learning systems, though the extent depends on your in-app privacy settings.

Why it matters (compliance & governance perspective)

This clause authorizes use of sensitive data categories including health metrics and precise location for AI development, which is a broad permission that goes beyond basic service delivery and may not be fully intuitive to users who think of Strava as a workout tracker.

Clause Stability Stable

Consumer impact (what this means for users)

Your location history, heart rate, and other health data may be used to train Strava's AI models, with the scope depending on your privacy controls; users who do not actively adjust these settings may be contributing more data to AI development than they realize.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision engages GDPR Article 6 (lawful basis for processing) and Article 9 (health data as special category), CCPA and CPRA sensitive personal information provisions, and emerging EU AI Act requirements for AI systems trained on personal data. The FTC's guidance on AI and data practices is also relevant. Enforcement authorities include the European Data Protection Board, national EU supervisory authorities, the California Privacy Protection Agency, and the FTC. GOVERNANCE EXPOSURE: High. The authorization to use personal health and location data for AI training is broad and conditional on privacy controls that many users may not actively manage. Under GDPR, training AI models on special category data such as health information requires a valid legal basis beyond legitimate interests, typically explicit consent. The policy does not clearly specify the legal basis for this processing for EEA users, which represents a material compliance gap. JURISDICTION FLAGS: EEA and UK users face the highest regulatory exposure given GDPR Article 9 requirements for health data processing. California CPRA grants consumers the right to limit use of sensitive personal information, which likely encompasses health and precise location data used for AI training. Washington, Colorado, and Connecticut state privacy laws impose similar restrictions. The EU AI Act may impose additional transparency and documentation requirements depending on how Strava's AI systems are classified. CONTRACT AND VENDOR IMPLICATIONS: Service providers operating AI and ML models on Strava's behalf must be covered by data processing agreements that specify permitted uses, data minimization requirements, and retention limits. Procurement teams should assess whether these vendors have adequate technical controls to enforce the deidentification and aggregation claims made in the policy. COMPLIANCE CONSIDERATIONS: Legal teams should document the specific legal basis asserted for AI training uses of health and location data in each jurisdiction, and verify that consent mechanisms are sufficiently granular to cover this use case. Privacy impact assessments for AI training pipelines involving health data should be conducted or reviewed. Data subject rights processes should be evaluated to determine whether users can effectively exclude their data from AI training without losing core service functionality.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Health Data Collection and Non-Sale Commitment medium
• Global Heatmap Aggregation of GPS Activity Data medium
• Targeted Advertising Using Personal Information medium
• Precise GPS Location Data Collection medium
• International Data Transfers via Standard Contractual Clauses medium
• User Rights for US State Residents medium

Related Analysis

• OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

  Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.