Strava transfers personal data from the EU, UK, and Switzerland to the United States and other countries, using Standard Contractual Clauses as the legal mechanism to authorize these transfers.
This analysis describes what Strava's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
EU and UK users' data is processed in the United States, which is subject to US surveillance laws; Standard Contractual Clauses are the primary transfer mechanism but their adequacy has been contested, and users should be aware that their data crosses jurisdictional boundaries.
If you are based in the EU, UK, or Switzerland, your personal data including health metrics and GPS location is transferred to and stored in the US under Standard Contractual Clauses, meaning it is subject to US law once transferred.
How other platforms handle this
When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
We may transfer, process, and store all personal information we collect anywhere in the world. Different countries have different data protection laws. If we transfer personal information from the European Economic Area, Switzerland, Brazil and/or the United Kingdom to a country that does not provid...
Monitoring
Strava has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Strava is based in the United States, and we process and store information in the United States and other countries. If you are in the EEA, UK, or Switzerland, your personal information may be transferred to, stored, and processed in the United States or other countries outside of your home country. When we transfer personal information outside of the EEA, UK, or Switzerland, we use Standard Contractual Clauses approved by the European Commission, or other appropriate safeguards, as required by applicable law.— Excerpt from Strava's Strava Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (international data transfers), the EU-US Data Privacy Framework, and the UK GDPR equivalent transfer requirements. The use of Standard Contractual Clauses as the stated transfer mechanism is consistent with current regulatory guidance following the Schrems II decision, but requires Strava to conduct Transfer Impact Assessments for transfers to the US. The European Data Protection Board and national supervisory authorities are the primary enforcement bodies. GOVERNANCE EXPOSURE: Medium. SCCs are a recognized transfer mechanism but their use requires documented Transfer Impact Assessments and supplementary measures for high-risk data transfers. Given that Strava processes health and precise location data which qualify as sensitive under GDPR, the adequacy of supplementary measures is particularly important and should be documented. JURISDICTION FLAGS: EEA users in all member states are affected. UK users are subject to UK GDPR and the UK International Data Transfer Agreement framework rather than EU SCCs. Swiss users face requirements under the revised Swiss Federal Act on Data Protection. Heightened scrutiny applies to transfers of special category data such as health information. CONTRACT AND VENDOR IMPLICATIONS: Any sub-processors involved in processing EEA/UK user data in the US must be covered by SCCs or equivalent transfer mechanisms. Data processing agreements with these vendors should specify transfer safeguards and include audit rights. Procurement teams should verify that the SCC chain extends to all relevant sub-processors. COMPLIANCE CONSIDERATIONS: Transfer Impact Assessments should be conducted and maintained for transfers of health and location data to the US. Supplementary technical measures such as encryption and pseudonymization should be documented. The policy's reference to 'other appropriate safeguards' alongside SCCs should be clarified internally to ensure compliance teams can identify which mechanism applies in each transfer scenario.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
EU and UK users' data is processed in the United States, which is subject to US surveillance laws; Standard Contractual Clauses are the primary transfer mechanism but their adequacy has been contested, and users should be aware that their data crosses jurisdictional boundaries.
If you are based in the EU, UK, or Switzerland, your personal data including health metrics and GPS location is transferred to and stored in the US under Standard Contractual Clauses, meaning it is subject to US law once transferred.
ConductAtlas has identified this type of provision across 11 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Strava.