If you give Strava access to your phone or social media contacts, it will continuously access and store that contact list to suggest connections, not just a one-time sync.
This analysis describes what Strava's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes a continuous data access mechanism rather than a one-time collection event. Regular access authorization means contact data syncing occurs repeatedly throughout the user's relationship with the service, not only upon initial import.
Granting Strava access to your contacts means your friends' and colleagues' names and contact details are stored by Strava even if those individuals are not Strava users, and this access is ongoing rather than a single import.
How other platforms handle this
Your use of the Services is also governed by our Privacy Policy, which is incorporated into these Terms by reference. By using the Services, you consent to the data collection and use practices described in the Privacy Policy. Roblox collects information you provide directly, information collected a...
We collect information about you in a variety of ways depending on how you interact with us and our products and services. This includes information you provide directly, information we collect automatically when you use our services, and information we receive from third parties. We may collect ide...
Tabnine may collect and use technical data and related information, including but not limited to technical information about your device, system and application software, and usage data regarding your use of the Services (including code completion statistics and plugin interaction data), to facilita...
Monitoring
Strava has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"You can choose to share contacts from your mobile device or social networking accounts. If you share this information, we will regularly access and store it to help you connect with Strava users you may know.— Excerpt from Strava's Strava Privacy Policy
REGULATORY LANDSCAPE: The collection and storage of contact data belonging to individuals who have not consented to Strava's data processing raises questions under GDPR, specifically regarding the lawful basis for processing non-user personal data and whether such individuals' rights can be honored. CCPA may apply if contacts include California residents. The FTC Act applies to the adequacy of disclosure about ongoing contact access. GOVERNANCE EXPOSURE: Medium. The phrase 'regularly access and store' indicates persistent rather than one-time data collection, which expands the scope of data held by Strava beyond its own user base. GDPR's accountability principle requires that Strava identify a lawful basis and respond to rights requests from non-user contacts whose data is held, which creates operational complexity. JURISDICTION FLAGS: EEA users whose contacts include non-consenting individuals present GDPR exposure. Illinois users may face considerations under BIPA if contact data includes biometric identifiers, though this is unlikely in typical contact sync scenarios. California users granting contact access implicate CCPA for California-resident contacts who are not Strava users. CONTRACT AND VENDOR IMPLICATIONS: Contact data should be treated with the same data protection standards as directly collected user data. Service providers accessing contact data for matching or suggestion features must be covered by appropriate data processing agreements. COMPLIANCE CONSIDERATIONS: The legal basis for processing contact data of non-users should be documented and reviewed, particularly for EEA users. Retention periods for contact data should be clearly defined. Users should be informed of how to revoke contact access and whether previously stored contacts are deleted upon revocation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes a continuous data access mechanism rather than a one-time collection event. Regular access authorization means contact data syncing occurs repeatedly throughout the user's relationship with the service, not only upon initial import.
Granting Strava access to your contacts means your friends' and colleagues' names and contact details are stored by Strava even if those individuals are not Strava users, and this access is ongoing rather than a single import.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Strava.