Strava uses GPS data from user activities to build its publicly visible Global Heatmap, which shows aggregated movement patterns across all users.
This analysis describes what Strava's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Even aggregated or deidentified GPS data, particularly from users who regularly follow distinct routes, can in some cases be re-identified or used to infer sensitive location patterns; this feature has attracted national security and privacy scrutiny in the past.
Interpretive note: The policy does not specify the deidentification methodology applied to Global Heatmap data or whether users can opt out of contributing to it specifically, leaving the adequacy of the anonymization assertion uncertain.
Your GPS workout routes may contribute to a publicly accessible heatmap that shows movement patterns globally, which in sensitive locations or for users with distinctive routes could present privacy or safety considerations.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Monitoring
Strava has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may also use your activities to generate our Global Heatmap and other community-powered features such as Points of Interest and Start Points. We may also share aggregated or deidentified information, such as usage or demographics.— Excerpt from Strava's Strava Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR requirements for deidentification adequacy and the requirement that aggregation genuinely eliminates the risk of re-identification before data can be treated as anonymous. The FTC's guidance on deidentification and the CCPA's standards for deidentified data are also relevant. National security implications have previously attracted attention from defense and intelligence oversight bodies in multiple countries. GOVERNANCE EXPOSURE: Medium. The policy asserts that data contributed to the Global Heatmap is aggregated or deidentified but does not specify the technical standard or methodology applied. Under GDPR, anonymization must be genuinely irreversible; if aggregated route data retains re-identification risk, it may not qualify as anonymous data and would remain subject to GDPR requirements. The policy does not describe whether users can opt out of contributing to the Global Heatmap specifically. JURISDICTION FLAGS: EEA users face exposure under GDPR if deidentification methodology does not meet the irreversibility standard required for data to be treated as anonymous. Users in sensitive locations, including military or government personnel, face heightened risk if their routine GPS patterns contribute to a public heatmap. Some jurisdictions may require explicit disclosure of whether users can opt out of this specific aggregation use. CONTRACT AND VENDOR IMPLICATIONS: If third parties access or license the Global Heatmap data, vendor agreements should specify permitted downstream uses and re-identification prohibitions. The policy does not address whether commercial licensing of heatmap data occurs. COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether the deidentification standard applied to Global Heatmap data meets the threshold for anonymous data under GDPR and applicable US state laws, and document that assessment. Privacy impact assessments for heatmap data processing should be reviewed. Clear opt-out mechanisms specifically for Global Heatmap contribution should be evaluated for adequacy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Even aggregated or deidentified GPS data, particularly from users who regularly follow distinct routes, can in some cases be re-identified or used to infer sensitive location patterns; this feature has attracted national security and privacy scrutiny in the past.
Your GPS workout routes may contribute to a publicly accessible heatmap that shows movement patterns globally, which in sensitive locations or for users with distinctive routes could present privacy or safety considerations.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Strava.