Health Data Collection and Non-Sale Commitment

What it is

Strava promises not to sell health data it receives from connected devices like Garmin or Apple Health, and says it will not use that data for advertising, but it can still use it for other purposes described in the policy including AI development.

Why it matters (compliance & governance perspective)

This commitment offers meaningful protection for sensitive health metrics like heart rate and VO2max collected from wearables, but the carve-out for 'specific purposes described in this Policy' means AI training and service improvement uses may still apply.

Consumer impact (what this means for users)

Your heart rate, HRV, sleep, and VO2max data from connected devices will not be sold or used for ads, but the policy reserves the right to use this data for AI model training and service improvement purposes described elsewhere in the document.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision engages GDPR Article 9 (special categories of personal data, including health data), CCPA's sensitive personal information provisions, and Washington State's My Health MY Data Act, which imposes heightened consent requirements for collection and use of consumer health data. The FTC Act is also relevant given the specific commitments made. Enforcement authority includes the FTC, state attorneys general, and the Washington State AG under MHMD. GOVERNANCE EXPOSURE: Medium. The non-sale and non-advertising commitment is explicit, but the qualifier 'specific purposes described in this Policy' creates ambiguity because the policy separately authorizes AI development using health and location data. Compliance teams need to map whether AI training uses of connected-device health data fall within or outside this commitment, as an inconsistency could constitute a deceptive practice under FTC Act standards. JURISDICTION FLAGS: Washington State's My Health MY Data Act creates the highest exposure, as it imposes opt-in consent requirements for collection and sharing of consumer health data that go beyond CCPA. EEA users benefit from GDPR Article 9 protections requiring explicit consent for processing special category health data. California's CPRA sensitive personal information provisions also apply. Illinois and other states with emerging health data frameworks should be monitored. CONTRACT AND VENDOR IMPLICATIONS: Service providers who receive health data from Strava for AI training or analytics purposes must be assessed against this commitment. Data processing agreements with these vendors should reflect the non-sale and non-advertising restriction and include appropriate use limitations and audit rights. COMPLIANCE CONSIDERATIONS: Compliance teams should map all downstream uses of connected-device health data to verify they fall within the stated non-sale and non-advertising commitment. Consent mechanisms for Washington State users should be reviewed against MHMD opt-in requirements. Data retention policies for health data collected via integrations should be reviewed and documented.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• AI and Machine Learning Model Training Using Personal Data medium
• Global Heatmap Aggregation of GPS Activity Data medium
• Targeted Advertising Using Personal Information medium
• Precise GPS Location Data Collection medium
• International Data Transfers via Standard Contractual Clauses medium
• User Rights for US State Residents medium

Related Analysis

• Netflix Updated Terms Authorize Voice Data Collection: April 2026

  Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.

• What Google Actually Knows About You

  Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.