Strava uses your recorded activity routes to contribute to a publicly visible Global Heatmap that shows where people are exercising around the world.
Even aggregated or 'deidentified' location data has been shown to expose sensitive locations such as military bases or private residences, creating real-world safety and privacy risks.
The aggregation of GPS data into public-facing products raises concerns under GDPR recital 26 regarding the adequacy of anonymisation, and may create liability if deidentification is reversed; risk teams should assess whether opt-out mechanisms are sufficient.
Compliance intelligence locked
Regulatory citations, enforcement risk, and due diligence action items.
Watcher: regulatory citations. Professional: full compliance memo.
Strava collects highly sensitive personal data including precise GPS location history, health metrics (heart rate, HRV, VO2max), and biometric data, which is used for AI training, advertising personalization, and aggregated into publicly visible features like the Global Heatmap. Your activity data may be shared with third-party advertising partners, though Strava commits not to use health data for advertising. You can adjust your data sharing and visibility settings by navigating to Privacy Controls in the Strava app settings, and can request data deletion by visiting strava.com/athlete/delete_your_account.