Strava uses GPS data from user activities to build its publicly visible Global Heatmap, which shows aggregated movement patterns across all users.
This analysis describes what Strava's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Even aggregated or deidentified GPS data, particularly from users who regularly follow distinct routes, can in some cases be re-identified or used to infer sensitive location patterns; this feature has attracted national security and privacy scrutiny in the past.
Interpretive note: The policy does not specify the deidentification methodology applied to Global Heatmap data or whether users can opt out of contributing to it specifically, leaving the adequacy of the anonymization assertion uncertain.
Your GPS workout routes may contribute to a publicly accessible heatmap that shows movement patterns globally, which in sensitive locations or for users with distinctive routes could present privacy or safety considerations.
How other platforms handle this
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
We may collect information about your location, including precise geolocation information, when you use our Services. We use this information to provide location-based services, such as showing you products available in your area, and for other purposes described in this Privacy Policy.
Monitoring
Strava has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may also use your activities to generate our Global Heatmap and other community-powered features such as Points of Interest and Start Points. We may also share aggregated or deidentified information, such as usage or demographics.— Excerpt from Strava's Strava Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR requirements for deidentification adequacy and the requirement that aggregation genuinely eliminates the risk of re-identification before data can be treated as anonymous. The FTC's guidance on deidentification and the CCPA's standards for deidentified data are also relevant. National security implications have previously attracted attention from defense and intelligence oversight bodies in multiple countries. GOVERNANCE EXPOSURE: Medium. The policy asserts that data contributed to the Global Heatmap is aggregated or deidentified but does not specify the technical standard or methodology applied. Under GDPR, anonymization must be genuinely irreversible; if aggregated route data retains re-identification risk, it may not qualify as anonymous data and would remain subject to GDPR requirements. The policy does not describe whether users can opt out of contributing to the Global Heatmap specifically. JURISDICTION FLAGS: EEA users face exposure under GDPR if deidentification methodology does not meet the irreversibility standard required for data to be treated as anonymous. Users in sensitive locations, including military or government personnel, face heightened risk if their routine GPS patterns contribute to a public heatmap. Some jurisdictions may require explicit disclosure of whether users can opt out of this specific aggregation use. CONTRACT AND VENDOR IMPLICATIONS: If third parties access or license the Global Heatmap data, vendor agreements should specify permitted downstream uses and re-identification prohibitions. The policy does not address whether commercial licensing of heatmap data occurs. COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether the deidentification standard applied to Global Heatmap data meets the threshold for anonymous data under GDPR and applicable US state laws, and document that assessment. Privacy impact assessments for heatmap data processing should be reviewed. Clear opt-out mechanisms specifically for Global Heatmap contribution should be evaluated for adequacy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Even aggregated or deidentified GPS data, particularly from users who regularly follow distinct routes, can in some cases be re-identified or used to infer sensitive location patterns; this feature has attracted national security and privacy scrutiny in the past.
Your GPS workout routes may contribute to a publicly accessible heatmap that shows movement patterns globally, which in sensitive locations or for users with distinctive routes could present privacy or safety considerations.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Strava.