Strava promises not to sell health data it receives from connected devices like Garmin or Apple Health, and says it will not use that data for advertising, but it can still use it for other purposes described in the policy including AI development.
This analysis describes what Strava's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This commitment offers meaningful protection for sensitive health metrics like heart rate and VO2max collected from wearables, but the carve-out for 'specific purposes described in this Policy' means AI training and service improvement uses may still apply.
Interpretive note: The interaction between the health data non-sale commitment and the broader AI development authorization elsewhere in the policy creates ambiguity about which uses of connected-device health data are permitted under this specific commitment.
Your heart rate, HRV, sleep, and VO2max data from connected devices will not be sold or used for ads, but the policy reserves the right to use this data for AI model training and service improvement purposes described elsewhere in the document.
Monitoring
Strava has changed this document before.
"If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy."
Excerpt from Strava's Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 9 (special categories of personal data, including health data), CCPA's sensitive personal information provisions, and Washington State's My Health My Data Act, which imposes heightened consent requirements for collection and use of consumer health data. The FTC Act is also relevant given the specific commitments made. Enforcement authority includes the FTC, state attorneys general, and the Washington State AG under MHMD.
GOVERNANCE EXPOSURE: Medium. The non-sale and non-advertising commitment is explicit, but the qualifier 'specific purposes described in this Policy' creates ambiguity because the policy separately authorizes AI development using health and location data. Compliance teams need to map whether AI training uses of connected-device health data fall within or outside this commitment, as an inconsistency could constitute a deceptive practice under FTC Act standards.
JURISDICTION FLAGS: Washington State's My Health My Data Act creates the highest exposure, as it imposes opt-in consent requirements for collection and sharing of consumer health data that go beyond CCPA. EEA users benefit from GDPR Article 9 protections requiring explicit consent for processing special category health data. California's CPRA sensitive personal information provisions also apply. Illinois and other states with emerging health data frameworks should be monitored.
CONTRACT AND VENDOR IMPLICATIONS: Service providers who receive health data from Strava for AI training or analytics purposes must be assessed against this commitment. Data processing agreements with these vendors should reflect the non-sale and non-advertising restriction and include appropriate use limitations and audit rights.
COMPLIANCE CONSIDERATIONS: Compliance teams should map all downstream uses of connected-device health data to verify they fall within the stated non-sale and non-advertising commitment. Consent mechanisms for Washington State users should be reviewed against MHMD opt-in requirements. Data retention policies for health data collected via integrations should be reviewed and documented.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Strava.