Your Rights and Our Legal Bases
Effective Date: July 7, 2021
European Economic Area Member Rights
Your Rights and How to Exercise Them
If you are habitually located in the European Economic Area ("EEA") or the United Kingdom ("UK"), you have the right to access, rectify, download or erase your information, as well as the right to restrict and object to certain processing of your information. While some of these rights apply generally, certain rights apply only in certain limited circumstances. We describe these rights below:
Where we process your information based on our legitimate interests explained below, you can object to this processing in certain circumstances. In such cases, we will cease processing your information unless we have compelling legitimate grounds to continue processing or where it is needed for legal reasons.
Access and Porting
You can access much of your information by logging into your account. If you require additional access or if you are not a Strava member, contact us at https://support.strava.com. Click here to download a copy of your data.
Rectify, Restrict, Limit, Delete
You can also rectify, restrict, limit or delete much of your information by logging into your account, such as to edit your profile, delete photos you have posted, remove individual activities from view, or delete your account. If you are unable to do this, please contact us at https://support.strava.com.
Where you have previously provided your consent, such as to permit us to process health-related data about you, you have the right to withdraw your consent to the processing of your information at any time. For example, you can withdraw your consent by updating your settings. In certain cases, we may continue to process your information after you have withdrawn consent if we have a legal basis to do so or if your withdrawal of consent was limited to certain processing activities.
Should you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority. Strava’s lead supervisory authority is the Data Protection Commission of Ireland.
European Economic Area Members: Our Legal Bases for Processing Your Information
Data protection law (for example, in the EEA or Brazil) requires organizations to have legal bases to collect, use, share and otherwise process information about you. While some of your rights apply generally, certain rights only apply depending on the legal bases we rely on to process data. We’ve explained these legal bases and your rights below.
To provide the Strava Services
As described in the Terms of Service, the core Strava Services cannot be provided, and the Terms of Service cannot be performed, without Strava processing data including for the following purposes:
- Create your account and provide you with access to the Services.
- Record your activities, including your location data.
- Help you analyze your performance. For example, to compare your past efforts and analyze your training.
- Help you manage your training. For example, to set goals and use your training dashboard.
- Process your Strava subscription.
- Respond to your support requests and comments.
Since we process data you provide to us which is necessary to perform our contract with you, you have the right to port or transfer that data if you are habitually resident in the EEA or the UK.
With your consent
We ask for your permission to process your information for certain purposes and you have the right to withdraw your consent at any time. We ask for your consent to:
- Collect or infer health information which may include information inferred from sources such as heart rate or other indicators. We use your health information to provide helpful statistics and visualizations.
- Send you marketing communications.
- Collect and process information from third-party products and services, such as Facebook or Google, or devices and apps, such as your Garmin watch or Peloton account, which you connect to Strava.
- Access photos, location, and contacts information through your device-based settings so we can provide the services described when you enable the settings.
Legal obligation or for the establishment, exercise or defence of legal claims
To protect vital interests
We process data where it is necessary to protect an interest which is essential to someone’s life or protect any person from serious bodily injury. This includes processing information to combat harmful conduct both on and off of our Services.
Carrying out a task in the public interest
Where laid down by EU law or the law in an EU Member State, we may process your data to perform processing in the public interest. This may include protecting against harm and undertaking research for social good. You have the right to object to, and seek restriction of, our processing of your personal data when we process data using this legal basis.
In furtherance of legitimate interests
We process your information for our legitimate interests, and those of third parties, while applying appropriate safeguards that protect your privacy, rights and interests. We do this to:
- Market the Services, activities on Strava and other commercial products or services. For example, our partners may pay us to promote their products and services on Strava. This is one of the ways we are able to provide the Services on a sustainable basis.
- Maintain our business by conducting research and continuously improving the Services so as to offer innovative and customised offerings to our members and partners.
- Convert your information into aggregated form for use by us and our partners. Our partners may use this information to improve infrastructure, such as with Strava Metro, or for other commercial purposes including developing useful insights. We also aggregate information to generate our Global Heatmap.
- Keep the Services safe and secure by using information to prevent or detect violations of our Terms of Service or Community Standards, fraud or abuse, and other harmful or illegal conduct. We may also share information with third parties, including law enforcement agencies for this purpose.
- Promote the Services, including email and in-product marketing campaigns to inform you about our Services.
- Enable you to find new ways to interact by using the Services. For example, to compete on segments, participate in clubs, challenges, or events, follow other athletes, and use features that help athletes interact with one another, such as group activities or flyby.
- Enable you to visualize your activities in new ways. For example, by creating personal heatmaps or using your training log.
- Customize the Services for you. We may suggest segments, routes, challenges, or clubs that may interest you, athletes that you may want to follow, or new features that you may want to try. We rely on our legitimate interest in retaining members when ensuring that we offer new opportunities, such as showing routes or segments of interest to our community, and we may use location information when suggesting such opportunities.
Brazil Member Rights
A Brazilian Data Protection Authority ("DPA") will be established and will provide guidelines on how to interpret and implement the LGPD’s requirements. As those guidelines are not yet established, our approach is subject to change.
If you are habitually located in Brazil, you have rights under the Lei Geral de Proteção de Dados ("LGPD"), including the right to access, rectify, download or erase your information, as well as the right to restrict and object to certain processing of your information. You can find more information about how to exercise these rights in the section above entitled European Economic Area Member Rights.
If you have questions about your rights, you may contact us at DPO@strava.com.
The LGPD requires us to have legal bases to collect, use, share and otherwise process information about you. You can find a description of the legal bases we rely on by reviewing the above section entitled European Economic Area Members: Our Legal Bases for Processing Your Information.
Germany Member Rights
If you reside in Germany, you have a right to report content that you believe is unlawful under the Network Enforcement Act ("NetzDG"). To submit a report, please email email@example.com.
Please note that Strava separately maintains Community Standards that prohibit certain types of content, including hate speech. You can report content which you believe violates our Community Standards by using our reporting or flagging tools in our app or on our website, or by visiting the Strava Support Center.
California Member Rights
If you are a California resident, as defined in the California Code of Regulations, you have rights under the California Consumer Privacy Act of 2018 ("the CCPA"). Below, we provide a description of your rights and disclosures about your personal information.
Your Rights and How to Exercise Them
Right to know about the personal information we collect and share
The CCPA gives you the right to request that we disclose the specific pieces of personal information we have collected about you, which we do after we receive and validate your request.
Strava does not sell your personal information. However, we may disclose certain personal information for a business purpose. When you make a request to download your personal information, we will include a list of the categories of personal information that we may have disclosed about you, as well as the categories of third parties to whom your personal information may have been disclosed.
How to make a disclosure request
You may request the disclosures described above by clicking here to download a copy of your data.
You have the right to make a free request two times in any 12-month period. We will make the disclosure within 45 days of receiving your request, unless we request an extension. In the event that we reasonably need a 45-day extension, we will notify you of the extension within the initial 45-day period.
Right of deletion
You have the right to request that we delete your personal information, subject to certain exceptions. After we receive and validate your request, we will delete your personal information, as well as direct our service providers to delete your personal information, unless an exception applies. Click here to delete your data.
Right to non-discrimination
You have the right not to receive discriminatory treatment for the exercise of your privacy rights under the CCPA.
Disclosures About Your Personal Information
Categories of information we collect and disclose for a business purpose
We collect the following categories of personal information from you in connection with the Services, as defined in the CCPA. In addition, during the past twelve months, we have disclosed these categories of personal information for a business purpose:
- Identifiers, such as your real name, athlete ID, Internet Protocol address, email address, and other similar identifiers.
- Personal information categories listed in the California Customer Records provisions, including physical characteristics, such as weight, and payment information, such as your credit card number.
- Characteristics of protected classifications under California or federal law, such as your gender and age.
- Commercial information, such as the record of purchase of your Summit membership.
- Biometric information, such as your exercise data.
- Internet or other electronic network activity information, such as session logs.
- Geolocation data, such as the physical location of your recorded activity.
- Electronic, visual, or similar information, such as photos.
- Inferences drawn from any of the above information to create a profile reflecting your preferences, characteristics, behavior, abilities, and aptitudes, such as Relative Effort.
- Publicly available information from government records.
- De-identified or aggregated consumer information.
Other disclosures about your personal information
How to contact us
If you have questions about your rights or our disclosures under the CCPA, you may reach us at DPO@strava.com.
Nevada Member Rights
We do not sell your covered information, as defined by Section 1.6 of Chapter 603A of the Nevada Revised Statutes. If you reside in Nevada, you have the right to submit a request to our designated request address DPO@strava.com regarding the sale of covered information.
Changes to This Information
We reserve the right to modify this information at any time. Please review it occasionally. If Strava makes changes to this information, the updated page will be posted on the Services in a timely manner.
Questions or comments about this information may be submitted by mail to the address below or via https://support.strava.com.
208 Utah Street
San Francisco, CA 94103
© 2020 Strava