What can I do about this clause?

{'method': 'IN_APP', 'recipient': 'Strava App > Settings > Privacy Controls', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': 'Open Strava, go to Settings > Privacy Controls, review each setting including activity visibility, Flyby, and Group Activities, and set each to your preferred level; note that Heatmap opt-out may require a separate support request.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has enforcement authority over dark patterns and deceptive privacy control designs under FTC Act Section 5, including cases where complex layered opt-outs obscure the full scope of data use.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this User Privacy Controls and Default Visibility Settings clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

User Privacy Controls and Default Visibility Settings — Strava

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Strava Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Strava provides privacy controls allowing users to set who can see their activities and data, including options for 'Everyone,' 'Followers,' or 'Only Me' — but the policy notes that some features like the Global Heatmap and Flyby use data from activities regardless of these settings unless separately opted out.

ⓘ

This analysis describes what Strava's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes the baseline visibility configuration for user-generated content, requiring users to affirmatively adjust privacy settings to restrict visibility beyond the default public setting. The clause clarifies that default visibility extends to search engine indexing and non-registered viewers, not only authenticated Strava users.

Consumer impact (what this means for users)

Setting your Strava activities to 'Only Me' does not fully protect your data — separate opt-outs are required for the Global Heatmap, Flyby, and other features that use your GPS data regardless of your activity visibility setting.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Open Strava, go to Settings > Privacy Controls, review each setting including activity visibility, Flyby, and Group Activities, and set each to your preferred level; note that Heatmap opt-out may require a separate support request.

How other platforms handle this

Headspace Medium

Depending on where you live, you may have certain rights regarding your personal information. These may include the right to access, correct, or delete your personal information; the right to restrict or object to our processing of your personal information; the right to data portability; and the ri...

Grindr Medium

Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...

Shein Medium

enableGpcSdk: true, gpcSetting: { privacyPolicyLink: '/Privacy-Security-Policy-a-282.html' }

See all platforms with this clause type →

Monitoring

Strava has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
If you are 18 years or older, certain information, including your profile and your activities, is set by default to be viewable by "Everyone." "Everyone" includes Strava users and the public, including search engine results. Subject to your privacy controls, your information, including parts of your profile, username, photos/videos, information and content you share may be viewable on Strava or to non-registered users.

— Excerpt from Strava's Strava Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY FRAMEWORK: Privacy control design implicates GDPR Art. 25 (data protection by design and by default — controls must be set to the most privacy-protective setting by default), GDPR Art. 7 (consent must be freely given, specific, informed, and unambiguous — complex layered opt-outs may not satisfy this standard), CCPA/CPRA §1798.121 (right to limit use of sensitive personal information), and FTC guidance on dark patterns in privacy control design (FTC Report: Bringing Dark Patterns to Light, 2022). (2)

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

The FTC has enforcement authority over dark patterns and deceptive privacy control designs under FTC Act Section 5, including cases where complex layered opt-outs obscure the full scope of data use.
File a complaint →

Applicable regulations

Connecticut Data Privacy Act Amendments

US-CT

CAN-SPAM

United States Federal

FTC Act Section 5

United States Federal

GDPR

European Union

HIPAA

United States Federal

Indiana Consumer Data Protection Act

US-IN

Kentucky Consumer Data Protection Act

US-KY

UK GDPR

United Kingdom

Universal Opt-Out Mechanism Expansion 2026

Provision details

Document information

Document

Strava Privacy Policy

Entity

Strava

Document last updated

May 5, 2026

Tracking information

First tracked

April 1, 2026

Last verified

April 1, 2026

Record ID

CA-P-001436

Document ID

CA-D-00272

Evidence Provenance

Source URL

https://www.strava.com/legal/privacy

Wayback Machine

View archived versions →

Content hash (SHA-256)

e06a34dfa42e1d94055f19b53ac2aaa4928a0edaacc3e46388b431c9a71ed342

Analysis generated

April 1, 2026 14:09 UTC

Methodology

summarize_document-v7

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Strava
Document: Strava Privacy Policy
Record ID: CA-P-001436
Captured: 2026-04-01 14:09:14 UTC
SHA-256: e06a34dfa42e1d94…
URL: https://conductatlas.com/platform/strava/strava-privacy-policy/user-privacy-controls-and-default-visibility-settings/
Accessed: June 10, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Strava's User Privacy Controls and Default Visibility Settings clause do?

How does this clause affect you?

Is ConductAtlas affiliated with Strava?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Strava.